On 1 June 2024, Meta informed millions of users that its privacy policy is changing once again, revealing plans to use personal data for training its artificial intelligence (“AI”) models. This has sparked significant controversy, leading to the non-profit privacy advocacy group None of Your Business (“NOYB”) to take action. On 6 June 2024, NOYB filed 11 complaints against Meta with data protection supervisory authorities in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland and Spain. NOYB has now requested that these data protection supervisory authorities launch an urgency procedure to stop this change immediately before it comes into force on 26 June 2024. This article will delve into the details of these complaints and the implications of Meta's policy change.
Meta’s AI data usage
NOYB claims that Meta's proposed privacy policy changes aim to use all public and non-public user data collected since 2007 for training any “undefined” type of AI technology. This data encompasses personal posts, private images and online tracking information, including data from dormant accounts. NOYB highlights that Meta's approach goes beyond the existing practice of using certain public data for specific AI systems, such as chatbots. Instead, Meta intends to leverage a vast array of user data for any undefined current and future AI technologies.
Additionally, Meta states that it can collect additional information from any “third party” or scrape data from online sources. The only noted exception is private chats between individuals, though chats with companies remain included.
According to NOYB, Meta's lack of transparency about the specific purposes of the AI technologies being developed contravenes the requirements of the European Union’s General Data Protection Regulation 2016/679 (“EU GDPR”). The breadth of data usage proposed by Meta is especially concerning as it involves the personal data of approximately 4 billion users, which could be used for experimental AI technologies without clear limitations.
Legitimate interest for AI data processing
According to NOYB, Meta's proposed privacy policy changes indicate Meta’s intention to rely on legitimate interest as the legal basis for processing personal data to train AI technology, rather than seeking user consent. NOYB argues that under the EU GDPR, processing personal data in the EU is generally illegal unless justified by one of the six legal bases outlined in Article 6(1).
While opt-in consent would be the logical choice, Meta claims it has a "legitimate interest" that supersedes users' fundamental rights. This approach mirrors Meta's previous justification for using personal data for advertising, which was previously rejected by the Court of Justice in July 2023. NOYB contends that Meta is now using the same legal basis to support an even broader and more aggressive use of personal data for AI training, raising significant privacy concerns.
Lack of transparency and complicated opt-out procedures
Another issue raised by NOYB is that Meta fails to provide users with the transparent and easily accessible information required under Article 13 of the EU GDPR. Additionally, while Meta offers an objection form for users who do not want their data used, NOYB has assessed it and found it to be extremely complicated, requiring users to provide personal reasons for their objection.
In theory, an opt-out process could be as simple as a one-click 'unsubscribe' button commonly found in newsletters. However, Meta's process is far more complex. A technical analysis of the opt-out links revealed that users must log in to access an otherwise public page. This process effectively requires around 400 million users to object individually, rather than Meta seeking their consent upfront.
Additional EU GDPR violations
NOYB alleges that Meta's introduction of its AI models violates multiple EU GDPR provisions, including Articles 5(1), 5(2), 6(1), 9(1), 12(1), 12(2), 13(1), 13(2), 17(1)(c), 18(1)(d), 19, 21(1) and 25.
NOYB highlights that Meta struggles to differentiate between various types of personal data between European Economic Area (“EEA”) personal data and personal data from users in other countries, where EU GDPR protections do not apply. Meta has admitted to its technical inability to distinguish special category data under Article 9 of the EU GDPR—such as ethnicity, political opinions and religious beliefs—from other types of personal data. This inability is problematic since the "legitimate interest" basis cannot be used for processing sensitive data.
NOYB contends that Meta's AI technology introduction has resulted in numerous violations of EU GDPR principles, transparency rules and operational requirements.
Next steps and update
NOYB has requested an urgency procedure under Article 66 of the EU GDPR, which would enable data protection supervisory authorities to issue preliminary halts and prompt an EU-wide decision by the European Data Protection Board (“EDPB”). Additionally, NOYB plans to file complaints in the remaining EU Member States. The data protection supervisory authorities will need to decide whether to initiate the urgency procedure or manage the complaints through the standard procedure.
The Irish data protection supervisory authority, the Data Protection Commission (“DPC”), has announced that Meta has agreed not to process EU/EEA user data for “undefined AI techniques." Previously, Meta had claimed a "legitimate interest" in using this data and provided users with a misleading opt-out option. Initially, the DPC had approved Meta's AI plans, but reversed its stance following pressure from public reactions to the complaints. The DPC stated that Meta would pause its plans to train its AI using public content from Facebook and Instagram users in the EU/EEA, following engagement between the DPC and Meta. While Meta emphasised that EU/EEA users would not access AI services for now, the EU GDPR allows for such technology if valid opt-in consent is obtained, suggesting Meta could pursue this route instead of avoiding opt-in consent.
Aria Grace Law CIC
At Aria Grace Law CIC, our data privacy team is dedicated to staying at the forefront of data protection and privacy law. We are committed to providing our clients with comprehensive legal advice in all matters related to both UK and EU GDPR compliance. We work diligently to ensure that our clients remain confident and secure in the evolving regulatory environment. If you have any questions or need more information, please feel free to reach out to us at privacy@aria-grace.com.
Article by Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 26 June 2024