The Court of Justice for the European Union (CJEU) has ruled that Meta Platforms, the owner of Facebook, must minimize the amount of people’s data it uses for personalized advertising.
“An online social network such as Facebook cannot use all the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data,” the CJEU said in a ruling last Friday.
The ruling comes in response to a complaint made by privacy campaigner Max Schrems, who said he was targeted with adverts aimed at gay people despite never sharing information about his sexuality on the platform.
The EU’s General Data Protection Regulation (GDPR) already requires companies to limit processing to strictly necessary data. Under the regulation, data relating to a person’s sexual orientation, race or ethnicity, or health status is classed as sensitive and subject to strict processing requirements.
The cybersecurity and privacy community has broadly welcomed the ruling. Adam Pilton, Senior Cybersecurity Consultant at CyberSmart, said that it is a “fantastic step to see that the EU has limited the use of our personal data by organizations such as Facebook, who use this for targeted advertising.”
Meta, however, has denied using so-called special category data to personalize adverts. It also stated that advertisers are not allowed to share sensitive data and highlighted a more than five-billion-euro investment to “embed privacy in its products”. The tech giant’s response has been met with criticism from the security community.
“Meta’s response, highlighting their investment in privacy, feels somewhat tone-deaf in the context of this ruling. It’s a bit like saying one has installed the finest locks on the doors while leaving the windows wide open,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.