The Court of Justice for the European Union (CJEU) has ruled that Meta Platforms, the owner of Facebook, must minimize the amount of people’s data it uses for personalized advertising.
“An online social network such as Facebook cannot use all the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data,” the CJEU said in a ruling last Friday.
The ruling comes in response to a complaint made by privacy campaigner Max Schrems, who said he was targeted with adverts aimed at gay people despite never sharing information about his sexuality on the platform.
The EU’s General Data Protection Regulation (GDPR) already requires companies to limit processing to strictly necessary data. Under the regulation, data relating to a person’s sexual orientation, race or ethnicity, or health status is classed as sensitive and subject to strict processing requirements.
The cybersecurity and privacy community has broadly welcomed the ruling. Adam Pilton, Senior Cybersecurity Consultant at CyberSmart, said that it is a “fantastic step to see that the EU has limited the use of our personal data by organizations such as Facebook, who use this for targeted advertising.”
Meta, however, has denied using so-called special category data to personalize adverts. It also stated that advertisers are not allowed to share sensitive data and highlighted a more than five-billion-euro investment to ‘embed privacy in its products”. The tech giant’s response has been met with criticism from the security community.
“Meta’s response, highlighting their investment in privacy, feels somewhat tone-deaf in the context of this ruling. It’s a bit like saying one has installed the finest locks on the doors while leaving the windows wide open,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.