The Meta ruling that could change Europe’s data playbook

Europe’s highest courts have delivered one of the largest rebukes yet to the digital advertising industry. In a landmark decision handed down in December, Austria’s Supreme Court ruled that Meta’s personalised advertising model breaches GDPR, and this judgment is immediately enforceable across the EU. It could also reshape how user data can be used for commercial gain.

 

The decision does not just criticise past conduct. It also declares that the legal foundations on which one of the world’s largest digital advertising systems was built were unlawful for years.

 

The case was brought by one person, Austrian privacy activist Max Schrems, but it will have a huge impact, and the consequences will ripple beyond Facebook and Instagram. This ruling sets a precedent that applies across the EU and has serious implications for any organisation that profiles users, tracks behaviour or relies on personal data to fuel advertising. That includes many UK businesses that may assume Brexit has put distance between them and EU data protection law.

 

A case more than a decade in the making

 

The origins of the dispute actually date back to 2014, when Schrems asked Facebook for full access to his personal data. What he received instead was a partial download and generic references to privacy policies, a pattern familiar to millions of users across Europe.

 

What followed was a prolonged legal battle over how platforms collect, combine and monetise personal data. Over the next decade, the case was dismissed, revived, appealed, and referred up and out to the EU’s highest court, twice. Along the way, Meta consistently argued that its advertising model was lawful, necessary and technically unavoidable.

 

Austria’s Supreme Court has now fully rejected those arguments.

Personalised advertising is not “necessary,” and never was

 

At the centre of the ruling is a finding that strikes at a long-standing industry assumption: that personalised advertising is somehow inherent to the provision of a digital service. Meta had argued that it was entitled to use personal data for advertising personalisation, aggregation and analysis without user consent because such processing was “necessary for the performance of a contract.” The court firmly disagreed.

 

Under established case law from the Court of Justice of the EU (CJEU), tracking users across platforms, analysing their behaviour and targeting them with ads is not required to deliver a social networking service. The court has made it clear that personalised advertising is a commercial choice and not a contractual necessity.

 

The consequence of that distinction is huge. If personalised advertising is not “necessary,” then it requires opt-in consent, not implied or bundled consent, and not consent buried in terms and conditions. Consent must be specific, informed, unambiguous and freely given.

 

The court essentially confirmed that Meta’s core ad model lacked a valid legal basis under GDPR for years.

 

Sensitive data cannot be wished away

 

Perhaps the most striking aspect of the judgment concerns sensitive personal data such as political views, health information, sexual orientation and similar categories protected under GDPR.

 

Meta argued that it did not intentionally process such data, or that it was technically impossible to separate it from other information collected through user activity, third-party apps and social plugins.

 

The court held that GDPR obligations do not disappear simply because data is inferred rather than explicitly provided or because compliance is inconvenient. If data revealing sensitive information is processed, the higher protections of GDPR apply, regardless of whether the controller claims not to use that data in a targeted way.

 

This is especially significant for any organisation that builds profiles based on browsing behaviour, engagement patterns or third-party tracking. The ruling confirms that inferred data can be just as legally sensitive as data directly disclosed by the user.

 

Transparency means real transparency

 

Beyond advertising, the judgment fundamentally reshapes expectations around data access rights.

 

Under GDPR, the court confirmed that users are entitled to far more than a curated download or a link to a privacy notice. Controllers must provide every piece of personal data they hold, along with detailed information about where it came from, who it was shared with, and why it was processed.

 

In Meta’s case, the court ordered full disclosure within 14 days, rejecting claims that trade secrets or internal complexity justified withholding information. The ruling grants what lawyers involved in the case described as “unprecedented access” to the inner workings of Meta’s data ecosystem.

 

For organisations accustomed to narrowly interpreting subject access requests, this aspect of the judgment may prove just as disruptive as the advertising findings.

 

Enforcement with consequences

 

This ruling is not symbolic. It is final, directly enforceable across the EU, and backed by meaningful sanctions. Depending on how enforcement plays out in different member states, non-compliance could result in daily fines or even personal consequences for senior decision-makers.

 

Schrems himself was awarded €500 in non-material damages, a modest amount only because the claim predated GDPR’s enforcement. Privacy advocates have been quick to point out that today’s courts may view similar violations as warranting far higher compensation, potentially opening the door to large-scale individual damages claims.

 

Why this matters far beyond Meta

 

Although Meta is the defendant, the court’s reasoning applies to a wide range of business models. Any organisation that relies on behavioural advertising, third-party tracking, or broad interpretations of “legitimate interest” or “contract necessity” should take note.

 

The ruling reinforces a trend already visible in EU enforcement: less tolerance for legal fictions that stretch GDPR’s lawful bases. Technical difficulty, industry norms and legacy practices are no longer persuasive defences.

 

Why UK businesses should take notice

 

For UK organisations, it may be tempting to treat this as an EU-only development. That would be wrong.

 

GDPR continues to apply extraterritorially to UK businesses that target or monitor individuals in the EU. At the same time, UK GDPR remains closely aligned with its EU counterpart, and UK regulators and courts continue to treat EU case law as highly persuasive.

 

In practical terms, this ruling raises expectations around consent, transparency and data access on both sides of the Channel. UK businesses embedded in EU advertising ecosystems, reliant on EU platforms or serving EU customers cannot assume they are insulated from its effects.

 

A turning point for GDPR?

 

Perhaps the most sobering element of the story is how long it took. Eleven years, more than €200K in legal costs, and multiple court battles, all to vindicate rights that GDPR was meant to guarantee.

 

But still, the outcome marks a turning point. The Austrian Supreme Court is indicating that GDPR is not merely a regulatory framework, but a set of enforceable limits on how personal data can be exploited at scale.

 

For organisations across Europe, and for UK businesses with EU exposure, the era of treating personalised advertising and opaque data practices as the default is coming to an end.

 
