TL;DR: The EU Court of Justice requires Facebook to limit the use of personal data for advertising. The ruling will impact many other companies and services.
Hi, I'm Carlo, an Italian lawyer and privacy nerd. Welcome to the Privacy Newsletter! Sign up for bi-weekly updates, insights, and commentary on privacy law, made simple for everyone.
I read the last Schrems ruling so you don't have to. You're welcome.
Just kidding. You should definitely read it - if you speak legalese, that is. If not, just read the Court's press release and this blog. Especially this blog. It explains the ruling in plain English and only contains correct opinions.
The most interesting part of the ruling is about the boundaries of targeted advertising. Companies that monetize our data through advertising cannot reuse our data forever and must differentiate between "types of data" (more on that later). There are also some useful clarifications about sensitive data but they are very specific and somewhat technical, so I will leave them for another time.
Fair warning: I have strong feelings about this stuff and would love to see Europe ban targeted advertising altogether. It does more harm than good anyway.
Barring that, having some boundaries is still better than nothing. And the boundaries laid down in the ruling are no joke, either. So, let's see the glass half full and dive into the ruling.
There we go again
This case is quite old. Back in 2014, Max Schrems (privacy activist of Schrems I and II fame and chairman of the noyb NGO) claimed that Facebook unlawfully collected very, very sensitive data about him and used them to target him with suspiciously specific ads. Schrems did not even provide Facebook with these data to begin with: Meta figured them out from other data, including his friend list and off-site activity monitored via cookies and tracking pixels.
Schrems claimed that the use of his sensitive data was illegal and required the company to stop. His request climbed through the Austrian justice system and eventually landed in the Court of Justice - one of the top EU regulators.
The Court's ruling deals with two separate questions about GDPR interpretation: a broader question about the boundaries of targeted advertising, and a narrower and more technical question about a specific use case for sensitive data. As I said, I will leave the sensitive data stuff aside for now.
By the way, Schrems is not exactly new to suing Meta. This is his six hundredth lawsuit against Meta by now and the third landmark privacy ruling bearing his name. So, naming this ruling is tricky: Schrems I and II are taken, Schrems III is reserved for a future ruling already, and C-446/21 doesn't quite roll off the tongue. I will go with Schrems 2.1 for now but I am open to suggestions.
(Really, drop any ideas in the comments. We will be referring to this case years down the line and we surely cannot call it 446/21. This is important.)
Squeezing predictions
In a nutshell, the core issue of Schrems 2.1 is whether Facebook can feed its targeted advertising system with undifferentiated personal data (as in: with no distinction between on and off-platform data, as well as first/third party data) and reuse these data forever for ad targeting.
As you probably know, Facebook's revenue largely comes from targeted advertising. Facebook (and all major social networks, for that matter) monetizes personal data by collecting enormous amounts of fine-grained behavioral data about you (who your friends are, what content you engaged with, how long you viewed a post, and even what pages you visited outside of Facebook). These data are then merged with off-site data collected by tracking you around the Internet and "squeezed" for predictions about which ads you are most likely to click. All of these data are stored for an unknown time and quite possibly forever.
This compulsive hoarding and squeezing of personal data is, of course, at odds with the GDPR. The law requires companies to only process the data they actually need (data minimization) and erase them once they are not needed anymore (storage limitation). That is the exact opposite of what we see in practice from Meta and many other companies that made a business model out of abusing people's data.
Data minimization is the heart of the ruling. The Court looks at how Meta uses personal data for advertising and concludes that it falls short of data minimization in at least two important ways: Meta merges data from different sources together for the purpose of advertising and indefinitely reuses these data.
This is bigger than Meta. The company's data practices are par for the course in the digital economy and many other companies will be impacted by the ruling.
Where did these data come from?
The Court states that Facebook cannot feed its targeted advertising "without distinction as to type of data". So: no taking data from all possible sources and merging them into one big blob to squeeze for predictions.
The Court draws two distinctions between data types: first/third-party data and on/off-platform data.
Limiting the merging of first and third-party data for advertising could have a really good impact on user privacy. Seriously enforced limitations would make third-party data harder to monetize and, therefore, disincentivize data sharing for advertising purposes to some extent. This practice is completely out of check and only adds fuel to the privacy dumpster fire that is roasting us all.
Toning down data sharing for advertising is not the Court's reason for limiting the use of third-party data, mind you. Think of it as an added bonus. The magic won't happen on its own, though: muscular enforcement is needed.
As for off-platform tracking, Meta uses some pretty invasive tools like the Meta Pixel and "like" buttons that send information to Facebook when embedded in third-party websites. Limiting the use cases for these data sounds pretty good too.
It is hard to say how broadly the limitation for off-site data applies. Instagram, TikTok, and X look like a given to me and I would certainly make a case for Google as well. Other than that, your guess is as good as mine. Depending on interpretation, the limitation could impact a small number of large platforms, or many websites and services that use third-party cookies for retargeting. Let's wait and see.
By the way, Meta and other social network operators can only link off-platform and third-party data to a user profile with their consent. This was clarified last year by Bundeskartellamt, an important Court of Justice ruling that also involved Meta. Had the facts of Schrems 2.1 taken place after Bundeskartellamt, Schrems could have simply pointed out that he never consented to the linking of off-platform and third-party data with his Facebook profile.
A like is forever
The Court of Justice held that data cannot be reused forever for targeted advertising. This is all well and good: it is neither reasonable nor proportionate to keep squeezing information dating back to your high school metalhead phase.
But here is an instructive question: why does Meta still have those data?
My educated guess is that Meta is as good at storage limitation as it is at data minimization. This is why the Court repeatedly references the storage limitation principle even though it falls outside the scope of the ruling. The Court even politely suggests Austrian courts look into Meta's data retention policies.
In case you are not familiar with the GDPR jargon, the principle of storage limitation means that personal data should not be stored longer than needed. So, an initially lawful use of data can become unlawful if the data are stored too long, as the Court not-so-coincidentally points out in Schrems 2.1.
None of this is new, by the way. Data minimization and storage limitation have been core principles of EU privacy law since the 1995 Data Protection Directive and haven't changed much since. Facebook has been breaking the law from day one.
Don't skip the motivation!
Before I wrap it up, let's talk about the motivation - because it paints an unflattering picture of what Meta does with our data. Some passages are quite harsh and, dare I say, radical.
The Court doesn't mince words or beat around the bush: it takes a close look at Meta's advertising practices and declares that they are incompatible with the GDPR and even with the fundamental right to data protection (as Schrems himself and many others have been saying all along).
As important as the conclusions of Schrems 2.1 may be, they almost feel underwhelming compared to the motivation. And I can't help but feel the conclusion could have been even stronger, had the questions been just a little broader in scope.
But the motivation matters in and of itself. The ad tech industry systematically downplays the privacy costs of the very privacy practices that the Court just condemned in Schrems 2.1. But this is hard to do after regulators call those practices out.
Privacy advocates have long been saying that surveillance advertising sucks. You don't need to take their word for it anymore: you can take that of the EU's top court instead (or the Federal Trade Commission's, if you live across the pond).
Data minimization is awesome
All in all, Schrems 2.1 is good. Really good. As I explained, Meta's data practices are commonplace. But the Court did not care and did not bend the law to accommodate them.
The Court might not be willing to pull the plug on the monetization of personal data altogether but it certainly doesn't like reckless surveillance advertising one bit. And that is good to know.