The Austrian Supreme Court has delivered a landmark judgment against Meta, delivering a severe blow to the Facebook and Instagram owner’s data practices in Europe.
The ruling orders Meta to provide users with full access to all personal data collected about them, bans personalised advertising without valid consent, and exposes years of unlawful data processing involving third-party apps and websites.
The decision, stemming from a case brought by privacy activist Max Schrems in 2014, represents one of the strongest judicial rebukes of Meta’s data handling practices under the General Data Protection Regulation (GDPR). noyb.eu, a non-profit association, said in a statement.
Meta Ordered to Disclose All User Data Within 14 Days
The Austrian Supreme Court (Oberster Gerichtshof or OGH) ruled that Meta must provide complete access to all personal data it holds on a user within 14 days, far exceeding the partial disclosures Meta previously offered through its so-called download tools.
Under Article 15 GDPR, the court held that Meta must disclose:
Every single piece of personal data collected
The source of each data point
The recipients of the data
The specific purpose for which each item of data was processed
Meta’s arguments that trade secrets or technical limitations justified withholding information were fully rejected. The ruling is directly enforceable across the European Union and provides unprecedented transparency into Meta’s internal data processing systems.
Meta’s Ad Personalisation Model Declared Illegal in the EU
The court ruled that Meta has no valid legal basis to process personal data for personalised advertising unless users provide specific, informed, unambiguous, and freely given consent.
Meta had argued that personalised advertising was necessary to deliver its services. The Austrian Supreme Court rejected this claim, aligning its decision with earlier EU Court of Justice rulings, including the Bundeskartellamt case.
As a result:
Meta must stop serving personalised advertisements to Max Schrems
Similar advertising practices may be unlawful for millions of EU users
Opt-in consent is mandatory for tracking and ad personalisation
This finding confirms that Meta’s advertising model has violated EU data protection law for years.
Illegal Processing of Sensitive Personal Data
The court also addressed Meta’s handling of sensitive personal data, including information related to:
Political views
Health
Sexual orientation
Sex life
Under Article 9 GDPR, such data requires special protection. The Austrian Supreme Court ruled that Meta cannot avoid GDPR obligations by claiming it does not intentionally collect or cannot technically segregate sensitive data.
The court found that Meta unlawfully processed sensitive data obtained through:
Third-party apps
External websites
User activity on its platforms
Unless a valid legal basis under Article 9(2) GDPR exists, Meta is prohibited from processing such data alongside other user information.
€500 in Damages Sets a Benchmark for Meta Users
The court awarded €500 in non-material damages to Max Schrems for Meta’s violations, particularly the prolonged failure to provide full data access.
Legal experts believe this amount could serve as a realistic baseline compensation for many Meta users in Europe who experienced similar GDPR violations.
With numerous privacy cases pending across the EU, the ruling could open the door to widespread compensation claims against Meta.
An 11-Year Legal Battle Exposing Structural Failures
The case took 11 years, involved three Austrian Supreme Court rulings, and required two referrals to the EU Court of Justice. Total litigation costs exceeded €200,000, despite the damages claim being limited to €500.
Max Schrems criticized the systemic barriers facing individuals enforcing GDPR rights, accusing big tech firms of exploiting jurisdictional complexity and procedural delays to evade accountability.
Key Highlights From the Austrian Supreme Court Judgment
Data Protection and Social Online Networks
Personalised advertising and the use of personal data, including sensitive data, from social plugins are unlawful without user consent.
Users have the right to access all personal data processed about them.
Court Findings
The plaintiff, a user of Meta’s social network, filed 12 claims covering data protection roles, lawfulness of processing, access rights, and damages.
The Supreme Court had already ruled in 2021 on liability and awarded €500 in damages.
The latest ruling addresses the remaining claims following EU Court of Justice guidance.
Unlawful Data Processing Identified
Use of personal data for advertising personalisation, aggregation, and analysis without consent is prohibited.
Processing data collected via social plugins is unlawful unless strictly required for technical display or backed by user consent.
Sensitive data collected through plugins cannot be justified under contract necessity.
Right to Full Access
The GDPR access right includes all processed personal data, not just selected or summarised information.
The court clarified that its assessment was based on the factual situation as it stood in 2020.
A Major Setback for Meta in Europe
The Austrian Supreme Court’s ruling represents a decisive defeat for Meta, reinforcing strict GDPR standards and rejecting years of resistance to transparency. The judgment not only exposes systemic flaws in Meta’s data practices but also strengthens the legal position of millions of European users seeking accountability from big tech.
For Meta, the message from Europe’s top courts is now unmistakably clear: full transparency, explicit consent, and strict separation of sensitive data are not optional.
BABURAJAN KIZHAKEDATH