Austria’s Supreme Court ruled on Thursday that Meta’s personalized advertising model practices violate EU data protection law, which requires a company to obtain consent with “clear and plain language,” about how one’s personal information is used—something Meta has failed to do.

The court held that Meta cannot rely on “contractual necessity” under the General Data Protection Regulation (GDPR) to process user data without consent for targeted advertising, concluding that personalized ads are a financing mechanism rather than an essential component of a social networking service. The court ordered Meta to provide plaintiff Max Schrems with a complete, one-to-one copy of all personal data it processes about them, including the precise sources of the data, the purposes for which it is used, and the specific recipients to whom it has been disclosed within 14 days of the decision.

In its judgment, the court rejected Meta’s argument that its existing “Download Your Information” tools satisfy the right of access under Article 15 of the GDPR, finding that summaries or filtered disclosures fall short of the regulation’s requirements. The court also dismissed Meta’s attempts to limit disclosure by invoking trade secrets, stating that the company failed to substantiate those claims during the proceedings.

The ruling also addressed Meta’s processing of sensitive personal data under Article 9 of the GDPR, including information relating to political opinions, health, and sexual orientation. The court held that Meta is prohibited from processing such data, including data collected through third-party social plugins, without the user’s explicit, informed, and freely given opt-in consent. The court rejected Meta’s defense that it does not intentionally collect sensitive data or that it is technically unable to separate sensitive data from other categories of information.

Reacting to the decision, privacy activist Max Schrems, who brought the case, said the ruling confirms that Meta must comply with EU law when handling user preferences. Schrems said, criticizing the company’s longstanding claims that it did not process such data, the decision makes clear that Meta must not use such user preferences without explicit consent from each user.

Katharina Raabe-Stuppnig, the Austrian lawyer representing Schrems, described the judgment as unprecedented in scope.  She said, “[i]t took eleven years, but now there is a final ruling that Meta must provide unprecedented access to all data it has ever collected about Mr. Schrems,” and added that “the ruling is directly enforceable throughout the EU.”

In addition to ordering compliance with data access obligations, the court upheld an award of €500 in non-material damages for Meta’s failure to provide timely and lawful access to Schrems’ data. Ms. Raabe-Stuppnig remarked that the amount establishes a realistic “lower-end market for many other cases pending in Europe.”

The decision brings to a close an 11-year legal battle that began in 2014 and was marked by repeated procedural obstacles, including early refusals by Austrian regional courts to hear the case and disputes over Schrems’ status as a consumer. The case reached Austria’s Supreme Court three times and prompted two preliminary rulings from the Court of Justice of the European Union before reaching final resolution, with total litigation costs exceeding €200,000.

Meta now faces a court-enforced deadline of December 31 to provide Schrems with full access to his personal data.