Top Court Ruling Imposes Data Retention Limits on Meta’s EU Ad Services

The recent ruling by the European Union’s top court (CJEU) has significant implications for Meta and other social networks regarding their data retention policies. The court determined that social networks like Facebook cannot indefinitely retain users’ personal data for ad targeting, emphasizing the need for limits in accordance with the data minimization principles outlined in the General Data Protection Regulation (GDPR). This ruling could have far-reaching consequences for how Meta operates in the EU, as breaches of GDPR regulations can result in hefty fines, potentially amounting to 4% of a company’s global annual turnover. Given Meta's existing struggles with GDPR compliance, this decision could expose the company to billions in additional penalties.

The CJEU’s decision was influenced by a referral from an Austrian court where privacy advocate Max Schrems challenged Facebook’s data collection practices and the legal grounds for its advertising methods. In response to the ruling, a Meta spokesman indicated that the company is awaiting the publication of the full judgment. He asserted that Meta takes privacy seriously, having invested over five billion euros to enhance privacy across its products, and emphasizes the availability of tools for users to manage their data.

Meta’s business model relies heavily on tracking and profiling users across its platforms and the broader internet, using cookies, pixels, and social plug-ins to deliver micro-targeted advertising. Consequently, any restrictions on its capacity to continuously profile users in the EU could adversely impact its revenue. The court’s ruling supports earlier opinions that stressed the need for limits on personal data retention, highlighting that the principle of data minimization is paramount.

The core issue revolves around the extent to which Meta can utilize the vast amount of data it has accumulated over the past two decades. The ruling restricts the amount of data that can be used for advertising purposes, even if users have consented to data collection. This decision not only affects Meta but also applies to other advertising companies lacking stringent data deletion practices.

The challenge to Meta’s advertising practices originated in 2014 and was fully heard in Austria in 2020. Subsequently, the Austrian Supreme Court referred legal questions to the CJEU in 2021, culminating in this latest ruling. Earlier this year, the CJEU issued a decision that invalidated Meta’s ability to justify its data processing for advertising based on a “legitimate interest.” The ruling reinforces the concept that online platforms cannot indiscriminately use all personal data for targeted advertising without restrictions regarding time and type of data.

A key takeaway from the CJEU’s judgment is the necessity for adtech companies to develop data management protocols that progressively delete unnecessary data or cease using it entirely. The court emphasized that allowing unrestricted use of data could lead to severe consequences for data protection rights.

In addition to its stance on data retention, the CJEU also addressed the use of sensitive data that individuals have “manifestly made public” for ad targeting purposes. The court ruled against such practices, reiterating the GDPR’s purpose limitation principle, which protects individuals' rights and privacy. This ruling was celebrated by Schrems’ privacy rights organization, noyb, which argued that allowing such practices could hinder free speech by penalizing individuals for publicly criticizing unlawful data processing.

Meta's spokesperson responded to inquiries about the company's handling of sensitive personal information by asserting that Meta does not utilize special category data, such as sexual orientation, health data, or religious beliefs, for ad targeting. The company has implemented policies to filter out sensitive information and prohibits advertisers from sharing such data.

The implications of the CJEU’s ruling extend beyond the operations of social media platforms. As tech giants, including Meta, explore using personal data for AI training, the court's emphasis on purpose limitation could impact these practices. Scraping the internet for vast amounts of data required for training AI models raises concerns about potential violations of GDPR principles.

In summary, the CJEU ruling signals a pivotal moment for data privacy regulations within the EU, establishing clear limitations on how long companies can retain personal data for advertising. This decision not only affects Meta’s operational model but also sets a precedent that may influence the practices of other online advertising companies and the broader tech industry as it navigates evolving data protection laws.