Austrian Supreme Court (OGH): Meta must provide full access to all personal data of user within 14 days, including the sources, recipients and purposes for which each information was used. All of Meta's claims of trade secrets or other limitations were rejected, leading to unprecedented access to the inner workings of Meta. Meta was also illegally collecting data from third party apps and websites and may only provide personalised advertisement if a user provided “specific, informed, unambiguous and freely given” consent. Meta must also ensure that data revealing sensitive information (such as political views, sexual orientation, or health) is not processed together with other data unless a valid legal basis according to Article 9(2) GDPR applies. Meta may not avoid the application of Article 9 GDPR by arguing that it does not intentionally collect such data or that it cannot technically distinguish or segregate it. The case, brought by Max Schrems in 2014, originally lasted 11 years and hit the Austrian Supreme Court three times and the CJEU two times. Mr Schrems was awarded €500 in damages.
Full access to all personal data & other information within 14 days. Under Article 15 GDPR, Meta must provide not just a full 1:1 copy of all personal data to any user that requests it, but also provide information as to the purposes this data was processed for, the sources and recipients of each bit of information. Since 2011 the plaintiff (Max Schrems) has tried to get full access to his personal data, but Meta only provided partial access. For average users, Meta only referred to a “download tool” that contained what it called “relevant” information and otherwise referred to its generic privacy policy. The Austrian Supreme Court now decided that Meta must disclose all personal data (each and every bit) and also provide specific information on all data, such as the source, recipient or purpose of processing, all within a 14-day deadline ending on 31.12.2025. The default deadline under the law is one month – which has lapsed already years ago. Meta's claims on alleged limitations of any full right to access (such as trade secrets and alike) were not properly argued by Meta and hence fully rejected. The final and directly enforceable ruling by the Austrian Supreme Court will therefore lead to unprecedented access by Mr Schrems to Meta's practice of processing his (and in reality anyone else's) user data.
Katharina Raabe-Stuppning, the Austrian lawyer representing the plaintiff: “It took 11 years, but now there is a final ruling that Meta must provide unprecedented access to all data it has ever collected about Mr Schrems. This goes far beyond the download tool or information on the website. For more than a decade, Meta has resisted to grant full transparency on what data it processes on European users. The ruling is directly enforceable throughout the EU.”
Meta Advertisement model unlawful in EU for years. The Austrian Supreme Court also held that Meta must stop providing personalised advertisements to Mr Schrems, given that they never had a legal basis to process his personal data for this purpose. In this respect Mr Schrems’ claims were largely overtaken by the CJEU case in C-252/21 Bundeskartellamt, where the CJEU already held that Meta does not have the necessary legal basis to process European’s personal data for advertisement.
Katharina Raabe-Stuppning: “The Austrian Supreme Court – again – made clear that Meta needs opt-in consent to track people and use their data for advertisement.”
Separation of “sensitive data” from other data. Under Article 9 GDPR, certain “sensitive” data is specially protected. This includes information relating to health, political views, sex life or sexual orientation. Meta categorically rejects that it must treat such data – which it receives through third-party apps, website or through user activity on its platforms – differently than other data. The Austrian Supreme Court made is clear, however, that even if Meta would not intentionally use such data (a claim that was disputed in the procedure) it nevertheless has to comply with the law.
Max Schrems: “Platforms like Facebook or Instagram have huge influence, for example via pushing political views on users. It was always absurd for Meta to claim that it does not process such data and must not comply with the law. The decision makes clear that Meta must not use such user preferences without explicit consent by each user.”
Damages of €500 realistic for most Meta users. A previous partial decision already granted Mr Schrems damages of € 500 for the delay in answering his access request. Mr Schrems also relied on the other violations of the GDPR for this claim. The ruling seems to be unclear as to the grounds for the awarded damages, but it seems that a damage of at least € 500 was seen as definitely justified by the Austrian Supreme Court for violations that almost any Meta user has experienced. Mr Schrems did not ask for more, so the Court was bound by € 500 as the upper limit.
Katharina Raabe-Stuppning: “It seems realistic for data subjects to at least claim € 500 in non-material damages for the extensive violations of the GDPR that Meta engaged in. This could be good lower-end marker for many other cases pending in Europe.”
11 years, 3 Supreme Court and 2 CJEU rulings needed. Overall, this case took 11 years. The initial Regional Civil Court in Vienna (Landesgericht für Zivilrechtssachen) had refused to hear the case twice, even by arguing that Mr Schrems is not a “consumer” for his private Facebook account. Later it cited uncertainty about jurisdiction under the GDPR. The Austrian Supreme Court decided on the case three times, including by making two references to the EU Court of Justice. While the final ruling on costs is reserved, the overall litigation costs so far exceeded € 200.000 – for a financial claim of about € 500.
Max Schrems: “The reality of GDPR litigation is that, for an average person, it takes a decade and is ruinous. Big tech companies hide behind jurisdictions like Ireland, bring up 100 reasons why cases should be dismissed, and sabotage procedures at every corner. We must urgently work on making the GDPR enforceable in practice.”
Some claims were dropped. During the course of the procedure, Mr Schrems gave up a number of claims for costs and procedural reasons. Certain claims were also brought as alternative claims (so only one of the claims could have been successful). The case was massively prolonged by very unfavourable rulings in the first instance, as under Austrian law it is for example very hard to overturn factual findings in the first instance. Many legitimate claims therefore had to be dropped.
