"CJEU declares Meta/Facebook's GDPR approach largely illegal", 4 July 2023

The GDPR allows for six legal basis to process personal data. In the case Meta v Bundeskartellamt, the CJEU has today ruled on all of them - further clarifying the interpretation of the GDPR. The CJEU has largely closed the doors for Meta to use personal data beyond what is strictly necessary to provide the core products (such as messaging or sharing content) - all other processing (like advertisement and sharing personal data) requires freely given and fair consent by users.

This first statement is based on the live stream of the judgment and the press release of the CJEU and will be updated once the full text of the judgment is available.

Max Schrems: "We welcome the CJEU decision. It further clarifies that Meta cannot simply bypass the GDPR with some paragraphs in its legal documents. This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don't want. This will also have a positive impact on pending litigation between noyb and Meta in Ireland."

Meta's move to "legitimate interest" also failed. After the ruling by the EDPB, prohibiting the "bypass" under Article 6(1)(b), Meta has moved on to Article 6(1)(f) GDPR this spring. The CJEU seems to also trash Meta's hopes to just move to a so-called "legitimate interest" for advertisement under Article 6(1)(f) GDPR. While the CJEU has not ruled out that a legitimate interests can exist (e.g. for network security), the judgment clarifies that there is no "legitimate interest" that would override the users rights when controllers try to provide advertisement. This basically limits any EU controller from running advertisement other than on a freely given (yes/no) consent.

Max Schrems: "This is a huge blow for Meta, but also for other online advertisement companies. It clarifies that various legal theories by the industry to bypass the GDPR are null and void."