Privacy legislation has always been a bit iffy about the distinction between data and information. Depending on how this ruling treats that issue it could have knock-on effects.

Basically the issue here is that meta was almost certainly in possession of information on Max's sexual orientation and was using this information for advertising, but it's unclear if they had any data.

Privacy wise it is great that even partial information counts, but practically almost any data about a person is tainted with fractions of bits of information about their sexual orientation (or political views, or almost any of the protected classes of information). Without resorting to information theory I don't really see any way forward that doesn't end up in endless court cases over how much information is too much.

Then again we could just ban targeted advertising and avoid the whole issue in the first place. When differential privacy gets to a usable state we can worry about those instances where it would be nice to use some information for the public good without infringing privacy.

I don't think he even needed to prove that.

Rather it's that, in the course of evaluating this case, the court has been forced to make statements clarifying how certain rules and principles in GDPR are to be interpreted. And this has, in effect, narrowed the way Meta etc can use data.

Which for Schrems is really his ultimate goal anyway - his case is just a way to force the courts to rule / establish legal precedent on broader issues.

I'd guess that it's inferred from the content you interact with. If you spend a lot of time liking fireman calendar photoshoots and give no likes to women in swimsuits, there's a reasonable inference to be made.

I'd also guess that Facebook can do this pretty reliably for gender and age, martial status, parental status, and lots of other things.

To add one row of anecdata: I recently got an ad on Instagram (= Meta) for an "only for gay men" holiday resort. I'm straight. Took a screenshot of it because I thought it was funny and I'd never seen it (nor such a place) before.

Facebook (and others) don't just track you on their website. They do so on every website that includes their "like button", "analytics", "ads" and such

So, you claim that you're not interested in software development, but somehow according to this data we have here, you spend an hour a day reading Linux kernel mailing lists.

Curious.

FB trackers that phone home on various websites, for one.

Why do you think you can't buy that? These companies have been building up profiles on millions (billions?) of people for many years now. It is not unreasonable to think they could infer stuff that they don't directly measure. Nor that these profiles would be shared/sold.

They can infer it from your friends who do publicise it. Same as political views, etc

The GDPR does not care about the specifics of tech.

The GDPR does not care if FB has a database column for “sexuality” or if FB never gathers that information directly. All it cares about is the fact that Facebook process personal data, and, using some of the data Facebook processes, sexuality can be inferred.

I think we in tech get hung up on technicalities, while the GDPR was specifically written to be as citizen-focussed and tech-agnostic as possible.

Regardless, this specific ruling seems a bit odd-it implies that FB took a fact he mentioned in a panel discussion (not on the platform), and used that information to serve him targeted ads based on his sexuality.

I have no idea of the mechanisms he supposes led to this.

Sure, Schrems' claims seem to hinge on the fact that the only evidence of direct self-identification by Schrems is that one instance of a verbal claim on a panel discussion. (That is not how sexual orientation works, by the way: it necessarily involves conduct, activity or interests...)

But if advertising works on a recommendation engine basis, or groups similar tastes together, then if someone uses the Meta platform enough, there will be circumstancial evidence that this person's interests and activities coincide with other gay people.

Perhaps the merit of the case rested with Schrems barely using Meta/FB, not providing any direct data or engagement, and only to discover that advertising was targeted. Of course, Meta is a vast platform, including comments sections and widgets and third-party cookies across many websites.

But Meta takes Meta's privacy very seriously, so perhaps nobody but the court will ever see what Meta and their partners learned about Schrems, or how they learned it.

> Wait so someone at Meta entered somewhere that this person is gay? Or was this based on, say, cookies and general browsing habits?

General browsing habits - he interacted with ‘gay content’ - websites, facebook groups etc. so could be targeted by advertisers that wanted their ads shown to people who interacted with that content.

I don’t think FB have a gay checkbox for targeting now but advertisers can choose websites and FB groups. Im not sure if this ruling effectively kills FB targeted advertising using data from outside FB or just if you're gay or not

Article 9 of the GDPR says:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

There is a list of exceptions, but I'm not sure any of them apply. I don't really see how what the court says matters all that much. They can't overturn the law.

You get targeted by advertisements for institutions offering degrees in Christian studies or some such thing, because you're an atheist.

I fixed that quote for you, because advertising is often targeted to the opposite demographic for various reasons.

Just try enjoying your favorite show on radio or regular TV, and you'll perceive ads for stuff you would never touch, but they are paying good $$$ to support that show you like, and to get in front of everyone possible, and perhaps wear you down with brand recognition and exciting jingles to influence your buying decisions in a moment of weakness.

However, targeted advertising may know exactly what you like, and be an effective means of call-to-action and conversion to sales.

On the back end, Meta advertisers fill out a list of audience interests and demographics. So yes, if the advertisements and their buyers were documented, Meta should also have sales info on the intended audiences.

It's a lawsuit because Schrems only needs enough of a basis to force the courts to consider certain issues, and to make statements about how GDPR should apply in principle in certain situations, in order to effectively restrict big tech's use of data.

It's a case brought strategically in order to trigger certain questions of interpretation of GDPR rules to be litigated.

Schrems' specific claim only needs to hold enough water to give him standing to get the case through enough filters in the court system to facilitate this.

Facebook didn’t determine he was gay, it’s just spray-and-pray by the algorithm exactly like you said. He’s just bringing the court case in bad faith to raise the issue and create another foothold for the EU to extract further billions in fines. The outcome will be more laws so nobody creates anything new in the consumer space or takes any risks that aren’t sanctioned by EU central planners ever again.

Knocking over US big tech companies for fines is literally the fastest growing EU industry by total profits.

As far as I understand CJEU does not, at least not on this type of case where their opinion regarding EU law is asked by national court. Damages & fines are left to national courts, in this case Austria's Supreme Court (who might send it back to lower courts, I do not have any specific knowledge of Austria's court system).

That's just basic PR-speak; it's apparently important to release a statement saying "we are and have always been very serious about not doing (thing that we do and got caught doing)" after you've been caught doing a thing.

I think the idea is there's some percentage of the public that will just uncritically accept the last thing they were told as gospel truth, and the rest don't believe you any less than they did before, so it's a net win.

> I wonder how Meta employees can keep a straight face lying their faces off.

Did you see that Social Dilemma documentary? People only find their conscience after they've checked a big bankroll.

I've been in tech for almost two decades now and I've seen many many many good people throw their values right out the window once the price was right.

Meta/Facebook kind of have a track record of strong claims that doesn't really hold up when scrutinized.

From https://www.llama.com/

> The open-source AI model [...] Llama is the leading open source model family

Then from https://huggingface.co/meta-llama/Llama-3.2-1B

> License: Use of Llama 3.2 is governed by the Llama 3.2 Community License (a custom, commercial license agreement).

In that license: Section 1(b)(i) requires you to display "Built with Llama" (branding requirements, really?). Section 2 has additional restrictive licensing requirements. Section 5(c) has retaliation that your license is terminated if you initiate legal proceedings. There is probably more too.

Pretty close to "Not Open Source". Yet, Meta continue marketing Llama as such.

> I wonder how Meta employees can keep a straight face lying their faces off.

We have created a dystopian system where honesty is punished and lying is incentivized. This is the only natural outcome anyone should expect.

Yes he is, please donate yearly to https://noyb.eu/.

They are taking privacy, very seriously.

Meta does take privacy seriously. It is an existential threat to their "business". Meta is serious about violating privacy for profit.

The article is short on details. Schrems alleges that Facebook somehow picked up his sexual orientation from a panel meeting, and then advertised to him based on that?

Is it not more likely that the group of people/profiles and activities he participated on Facebook are what "outed" him instead?

I had hoped for more details about how Schrems and/or a court were able to prove Facebook took his off-site meeting into account and based ads on that alone.

Schrems has launched several strategic court cases like this to push back on privacy issues, and even runs a non-profit focused on doing so.

I think "activist" is just giving him well-deserved credit for the amount of legwork he puts in to see these cases through.

He is absolutely doing this out of principle / for a cause, and not because of his own individual grievance - he just needs to be able to point to something affecting him personally to give him the legal footing to bring the case to court.

Perhaps the lesson is we should all be activists. We set activism as a civic duty, and teach it in primary school.

What does 2024 have to do with it?

That's always been a major component of activism, because legal compliance is never automatic or something you should take for granted. Nothing has changed.

Other major components include changing the law, and changing people's behaviors where law is irrelevant.

“You want justice? You’re a troublemaker.”

— <http://freefall.purrsia.com/ff2700/fv02673.htm>

Taking a company to court is definitely in the realm of activism.

This says more about the (low) quality of the AP and it's (mediocre) editorial staff than about TFA and EU citizens exercising their rights in a court of law under the GDPR.

Here is a provocative thought experiment that might help you get the point:

Replace the word gay with bone cancer, which just so happened that you’ve been diagnosed with. Would you feel comfortable with Meta inferring that from your activity and flood you with ads related to cancer?