Austrian court gives one man total access to his Meta data after 11-year battle

After an 11-year legal struggle, the Austrian Supreme Court ordered Meta to provide unprecedented access to all personal data it collected from a single user—and hand over detailed information about where every piece came from, who received it, and why it was processed. The December 18, 2025, ruling marks a complete rejection of Meta's trade secret arguments and establishes a framework that could expose the inner workings of the platform's data processing to broader scrutiny.

The Austrian Supreme Court issued its final judgment on November 26, 2025, in case 6 Ob 189/24y, according to court documents published by the Oberster Gerichtshof. Privacy advocate Max Schrems initiated the case in 2014, seeking full access to his Facebook data and challenging Meta's advertising practices. The court awarded Schrems €500 in damages and mandated that Meta deliver complete data disclosure within 14 days—a deadline ending December 31, 2025.

Under Article 15 of the General Data Protection Regulation, Meta must provide not just a complete copy of all personal data but specific information about each data point's source, recipient, and processing purpose. The ruling explicitly states Meta cannot rely on its generic privacy policy or the limited "download tool" previously offered to users. Instead, the company must deliver comprehensive disclosure of "each and every bit" of personal data along with detailed metadata about its use.

Katharina Raabe-Stuppnig, the Austrian lawyer representing Schrems, emphasized the ruling's scope in the court announcement. The decision requires Meta to provide "unprecedented access to all data it has ever collected about Mr Schrems," she stated. This exceeds the download tool or website information Meta typically provides, forcing transparency that the company resisted for more than a decade.

The Supreme Court dismissed Meta's claims about alleged limitations on data access rights, including arguments based on trade secrets and other restrictions. According to the ruling, Meta failed to properly argue these limitations, resulting in their complete rejection. The decision carries direct enforceability throughout the European Union, creating immediate obligations for Meta's data processing operations across all 27 member states.

Meta's advertising model received particular scrutiny in the judgment. The court determined that Meta must cease providing personalized advertisements to Schrems because the company never established a legal basis for processing his personal data for advertising purposes. This finding aligns with the Court of Justice of the European Union case C-252/21 Bundeskartellamt, which previously held that Meta lacks the necessary legal basis to process Europeans' personal data for advertisement.

The Austrian Supreme Court made clear that Meta requires opt-in consent to track people and use their data for advertisement, according to Raabe-Stuppnig. The ruling addresses a fundamental tension in Meta's consent-based advertising model that privacy advocates have challenged across multiple jurisdictions. The platform's approach to obtaining consent has faced criticism from courts and regulators who question whether users face genuine choices or coercive alternatives.

Article 9 of the GDPR provides special protection for sensitive data categories including health information, political views, sex life, and sexual orientation. Meta categorically rejected that it must treat such data differently from other information received through third-party apps, websites, or user activity on its platforms. The Austrian Supreme Court contradicted this position, establishing that Meta cannot avoid Article 9 requirements by arguing it does not intentionally collect sensitive data or cannot technically distinguish it from other information.

The court specified that Meta must ensure data revealing sensitive information is not processed together with other data unless a valid legal basis under Article 9(2) GDPR applies. Even if Meta does not intentionally use such data—a claim disputed during proceedings—the company must comply with legal requirements. This addresses concerns about platforms like Facebook and Instagram influencing users through political content while claiming they do not process such information.

Schrems emphasized the implications in the court's press release. Platforms with huge influence over users through content recommendations cannot claim they do not process sensitive user preferences and must not comply with relevant laws. The decision requires Meta to implement technical and organizational measures ensuring sensitive data receives appropriate protection separate from general personal information processing.

The ruling's €500 damages award stems from violations that the Austrian Supreme Court deemed definitively justified for experiences common to nearly any Meta user. While Schrems sought only this amount, limiting the court's award ceiling, the judgment suggests this figure represents a realistic baseline for non-material damages claims related to extensive GDPR violations Meta engaged in across its user base.

According to Raabe-Stuppnig, data subjects could realistically claim at least €500 in non-material damages for the violations. This establishes a lower-end marker for numerous other pending cases throughout Europe. Germany has already seen €5,000 compensation awarded in similar circumstances involving Meta's tracking technologies, demonstrating that courts across different jurisdictions are establishing monetary thresholds for privacy violations.

The case's procedural history reveals the challenges individuals face when seeking GDPR enforcement against major technology platforms. The Regional Civil Court in Vienna initially refused to hear the case twice, first arguing Schrems was not a "consumer" for his private Facebook account and later citing uncertainty about jurisdiction under the GDPR. Three Austrian Supreme Court decisions and two references to the Court of Justice of the European Union preceded this final judgment.

Overall litigation costs exceeded €200,000 for a financial claim of approximately €500, according to court documentation. The 11-year timeline demonstrates what Schrems characterized as the reality of GDPR litigation for average persons: ruinous expenses and decade-long proceedings. Big technology companies hide behind jurisdictions like Ireland, present numerous dismissal arguments, and sabotage procedures at every stage.

Schrems argued there is urgent need to make the GDPR enforceable in practice. The ruling acknowledges this systemic problem while establishing legal precedents that may facilitate future enforcement. However, the procedural obstacles and costs involved suggest significant barriers remain for individuals seeking to exercise their data protection rights through litigation.

During the proceedings, Schrems dropped numerous claims for costs and procedural reasons. Certain claims were brought as alternative claims where only one could succeed. The case faced massive prolongation through unfavorable first-instance rulings, and Austrian law makes it difficult to overturn factual findings from initial proceedings. Many legitimate claims therefore had to be abandoned despite their merits.

The judgment addresses Meta's collection of data from third-party apps and websites, which the court found illegal. Meta may provide personalized advertisement only if users provided "specific, informed, unambiguous and freely given" consent—requirements the platform's practices failed to meet. This finding affects Meta's tracking infrastructure that extends across millions of websites through pixels and software development kits.

The ruling's implications extend beyond Schrems' individual case. The precedent establishes that Article 15 GDPR creates comprehensive access rights that technology platforms cannot limit through generic tools or policies. Users possess enforceable rights to detailed information about every aspect of their data's processing, not merely aggregate summaries or selective disclosures that platforms choose to provide.

Data access requests remain a contentious enforcement area where companies frequently provide incomplete responses. YouTube faced similar Austrian Data Protection Authority orders in 2025 after a five-year case involving inadequate data access provision. Chinese platforms including TikTok, WeChat, and AliExpress faced GDPR complaints in July 2025 for systematic violations of Article 15 requirements through incomplete or incomprehensible data exports.

The Austrian Supreme Court's decision fits within broader European regulatory pressure on Meta's data practices. The Irish Data Protection Commission previously imposed €390 million in fines for advertising consent violations, while French authorities levied €60 million for cookie-related infractions. Meta's Business Tools infrastructure has drawn particular scrutiny across multiple jurisdictions.

German courts have addressed Meta's tracking technologies extensively, with Leipzig Regional Court ruling in July 2025 that Meta Pixel and software development kits violated GDPR by collecting data from non-logged-in users without valid legal basis. These tracking tools combine technical identifiers with behavioral data, allowing Meta to personally identify and profile users in breach of European privacy law.

The Austrian ruling coincides with ongoing debates about Meta's AI training practices, where the company claims legitimate interest under GDPR Article 6(1)(f) to process European user data without explicit consent. Privacy organization noyb has challenged this approach, arguing Meta cannot use "any data from any source for any purpose" simply by labeling it AI technology. German courts have issued conflicting decisions on whether Meta possesses legitimate interest for AI training using public profile data.

Consumer attitudes toward Meta's data practices reveal significant disconnects between company claims and user preferences. A June 2025 survey found only 7% of German Meta users want the platform to use their personal data for AI training, while 66% actively oppose such processing. This disparity challenges Meta's legitimate interest justification, which requires balancing company interests against users' reasonable expectations and fundamental privacy rights.

The enforcement landscape for privacy violations continues evolving across European jurisdictions. Swedish authorities imposed 45 million kronor in fines on pharmacy chains Apoteket and Apohem for improperly transferring sensitive personal data to Meta through tracking pixels. These cases demonstrate that website operators implementing Meta's tracking tools may face liability for GDPR violations alongside the platform itself.

Belgian authorities fined a telecommunications company €100,000 for delayed data access responses, while Dutch regulators addressed cookie banner violations through targeted investigations. German data protection authorities face legal challenges over their reluctance to enforce GDPR provisions against media companies using "consent or pay" mechanisms that achieve 99% consent rates despite minimal user desire for tracking.

Marketing professionals operating in European markets must navigate increasingly complex compliance requirements. Google disabled conversion tracking for advertisers failing to implement consent mode version 2 as of July 21, 2025, eliminating remarketing and personalization functionality for European traffic. This enforcement represents the most significant action since Google's EU user consent policy introduction.

The Austrian Supreme Court judgment establishes concrete obligations that extend across Meta's European operations. The ruling's direct enforceability means Meta must comply with comprehensive data access requirements not just for Schrems but potentially for any European user making similar requests. While the court evaluated circumstances existing at the time of the 2020 first-instance trial closure, the legal principles apply to ongoing data processing activities.

The decision addresses fundamental questions about transparency in algorithmic systems that shape online experiences. Users cannot exercise meaningful control over their data without understanding what information platforms collect, how they process it, and who receives access. The Austrian Supreme Court rejected Meta's position that generic policies and limited download tools satisfy these transparency obligations.

Meta's resistance to full data disclosure reflects broader tensions between platform business models and privacy protection requirements. The company generates substantial advertising revenue through personalized targeting based on comprehensive user profiles. Providing complete transparency about data sources, processing purposes, and recipient identities potentially exposes competitive advantages and algorithmic methodologies that Meta considers proprietary.

However, the GDPR prioritizes individual privacy rights over commercial interests when platforms lack valid legal grounds for data processing. The Austrian Supreme Court emphasized this hierarchy, determining that trade secret claims cannot override fundamental access rights when companies fail to properly establish legitimate limitations.

The ruling's 14-day deadline for compliance creates immediate practical challenges. Meta must develop systems to extract, organize, and present comprehensive data about Schrems' personal information along with detailed metadata about sources, recipients, and purposes. This requirement exceeds typical data export functionality that platforms implement for standard user requests.

European courts are testing algorithmic transparency through multiple enforcement mechanisms including the Digital Services Act, GDPR, AI Act, and competition law. These frameworks collectively probe how platform architectures shape visibility, influence behavior, and impact democratic processes. The Austrian ruling contributes to this broader accountability infrastructure by requiring unprecedented disclosure of data processing details.

The case demonstrates the lengthy timeline required to achieve definitive legal resolution against major technology platforms. Schrems filed his initial access request in 2011, began litigation in 2014, and received final judgment in 2025. This 11-year period spans multiple regulatory frameworks, court decisions, and shifts in European privacy enforcement approaches.

Privacy advocates argue that effective GDPR implementation requires structural reforms beyond individual litigation. The procedural obstacles, costs, and delays inherent in court proceedings prevent most users from exercising their rights through judicial channels. Schrems characterized current enforcement mechanisms as accessible only to those with substantial resources and unusual persistence.

European regulators face criticism over their handling of technology platform oversight, particularly Ireland's Data Protection Commission, which serves as lead supervisory authority for many companies with European headquarters in Dublin. The extended timelines for completing investigations and issuing decisions have frustrated privacy advocates seeking more aggressive enforcement action.

The Austrian judgment may influence pending cases across European jurisdictions where users seek comprehensive data access or challenge personalized advertising practices. Courts can reference the decision's detailed analysis of Article 15 requirements and rejection of limitations based on trade secrets or technical complexity. This precedential value extends beyond Austrian borders through GDPR consistency mechanisms.

Marketing technology vendors must consider the ruling's implications for data processing practices that support advertising campaigns. The finding that Meta illegally collected data from third-party apps and websites affects broader ecosystem participants who implement tracking technologies without ensuring proper consent mechanisms. Website operators embedding Meta pixels or other tracking tools face potential liability exposure.

Consent management platforms have become essential infrastructure for European digital advertising as regulatory requirements expand. However, implementation challenges persist around ensuring consent mechanisms meet "freely given" standards rather than coercive choices between tracking acceptance or service denial. The Austrian court's emphasis on specific, informed, unambiguous consent reinforces these strict requirements.

The €500 damages award, while relatively modest, establishes a baseline that could generate substantial aggregate liability if applied across Meta's European user base. With approximately 274 million monthly active users in the European Union, even minimal per-user damages could reach billions in total exposure. This arithmetic explains regulatory and judicial focus on establishing appropriate compensation frameworks.

The judgment's requirement that Meta separate sensitive data processing from general personal information creates technical implementation challenges. Social platforms necessarily process vast amounts of content that may reveal political opinions, religious beliefs, health conditions, or sexual orientation through posts, interactions, and engagement patterns. Effectively segregating this information requires sophisticated classification and access control systems.

Meta argued it cannot technically distinguish between different data categories or identify sensitive information within its processing systems. The Austrian Supreme Court rejected this defense, establishing that technical limitations do not excuse legal obligations. Companies must implement systems capable of complying with GDPR requirements regardless of engineering complexity.

This principle extends to Meta's position that it cannot differentiate between European and non-European users in its social networks due to interconnected data points. Privacy advocates have challenged this claim, noting that effective GDPR compliance requires companies to implement technical capabilities enabling regional distinction and appropriate data handling based on user location.

The ruling addresses core questions about platform accountability that extend across the digital advertising ecosystem. Schrems achieved a definitive legal victory establishing comprehensive access rights and exposing unlawful advertising practices. However, the journey required extraordinary persistence, substantial financial resources, and over a decade of legal proceedings—barriers that prevent most users from pursuing similar claims.

Timeline

• 2011: Max Schrems submits initial access request to Facebook seeking complete personal data
• 2014: Schrems files lawsuit in Vienna challenging Meta's data processing and demanding full access to collected information
• 2020: Regional Civil Court in Vienna closes first-instance proceedings after multiple procedural obstacles
• June 23, 2021: Austrian Supreme Court issues partial judgment on points 1-5 of claims regarding data protection roles, awards €500 damages
• November 2022: Irish Data Protection Commission returns jurisdiction to Austrian authorities
• July 2024: Leipzig Regional Court rules Meta's Business Tools violate GDPR through unauthorized tracking
• August 2025: Hamburg Data Protection Authority confirms ongoing GDPR violations in Meta's AI training practices
• November 26, 2025: Austrian Supreme Court issues final judgment in case 6 Ob 189/24y requiring comprehensive data disclosure
• December 18, 2025: Court publishes decision establishing unprecedented access requirements
• December 31, 2025: Deadline for Meta to provide complete data access to Schrems

Summary

Who: Privacy advocate Max Schrems brought the case against Meta Platforms, represented by Austrian lawyer Katharina Raabe-Stuppnig. The Austrian Supreme Court (Oberster Gerichtshof) issued the binding judgment affecting Meta's 274 million European Union users who could seek similar comprehensive data access.

What: The court ordered Meta to provide complete access to all personal data collected about Schrems within 14 days, including specific information about sources, recipients, and processing purposes for each data point. The ruling also prohibits personalized advertising without proper consent and requires separation of sensitive data processing, while awarding €500 in damages for GDPR violations.

When: The Austrian Supreme Court issued its decision on November 26, 2025, with public announcement following on December 18, 2025. The case began in 2014 following a 2011 data access request, spanning 11 years of litigation including three Supreme Court decisions and two Court of Justice of the European Union references. Meta must comply by December 31, 2025.

Where: The Austrian Supreme Court in Vienna issued the directly enforceable judgment applicable throughout the European Union's 27 member states under GDPR consistency mechanisms. The ruling affects Meta's data processing operations across all European markets where the platform maintains user accounts.

Why: The court found Meta systematically violated GDPR Articles 15 and 9 by refusing comprehensive data access, processing personal information for advertising without valid consent, and failing to separate sensitive data revealing political views, health conditions, or sexual orientation. The judgment establishes that trade secret claims cannot override fundamental privacy rights when companies lack proper legal grounds for data processing.