Meta Faces Legal Complaints Over AI Data Use in Europe

Meta is encountering significant legal challenges in 11 European countries over its newly introduced AI training data plans. The controversy stems from Meta’s updated privacy policy, which permits the use of both public and non-public user data collected since 2007 for training AI models. The company asserts that this practice is permissible under current privacy legislation. Specifically, Meta claims that under the UK’s Data Protection Act and the EU’s General Data Protection Regulation (GDPR), it will rely on ‘Legitimate Interests’ as the legal basis for processing certain first and third-party data in the European Region and the United Kingdom to enhance its AI capabilities. The company maintains that individuals have the option to object to this data processing through a form available in their Privacy Centre. Meta argues that this approach is consistent with the methods used by other tech companies to develop and improve their AI experiences in Europe.

However, the privacy campaign group Noyb contends that Meta’s new policy is not as compliant with GDPR as the company claims. Noyb has filed complaints in 11 European countries, urging their data protection authorities to initiate an urgency procedure to prevent the policy from being implemented on June 26. Noyb’s primary concern is that the data being utilized includes dormant Facebook accounts, additional information from third parties, and data scraped from online sources. They highlight that only private chats between individuals appear to be exempt from this data collection. Furthermore, Noyb asserts that Meta fails to provide users with adequate information about the specific purposes for which their data will be used, a requirement under the GDPR. This lack of transparency is particularly alarming given that it involves the personal data of approximately four billion Meta users worldwide.

Noyb criticizes Meta for essentially claiming the right to use any data from any source for any purpose under the broad term ‘AI technology’. Max Schrems of Noyb argues that this broad categorization lacks real legal limits, making it unclear whether the data will be used for benign purposes like a simple chatbot, aggressive personalized advertising, or even potentially harmful applications like military drones. Additionally, Noyb is concerned that Meta’s policy allows user data to be shared with any ‘third party’, effectively making it accessible to anyone globally. Schrems underscores that this approach is fundamentally opposed to GDPR compliance.

In response to these concerns, Noyb has appealed to data protection authorities in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain. Given the imminent implementation of Meta’s new policy, Noyb has requested an “urgency procedure” under Article 66 of the GDPR, which allows data protection authorities to issue preliminary halts. Schrems expressed hope that authorities outside of Ireland will act swiftly to stop the project pending a full investigation. He pointed out that the European Data Protection Board (EDPB) has previously issued two urgency decisions against Meta and the Irish Data Protection Commissioner, indicating that such measures are necessary once again.

Meta has been approached for comment on these developments. As the legal battle unfolds, it remains to be seen how the data protection authorities will respond to Noyb’s complaints and what implications this will have for Meta’s AI training data plans in Europe.