Another privacy win for NOYB: Your data is up for grasps? Not so in the EU – not even for Meta's AI!
Meta's ‘legitimate interest' to use Facebook and Instagram user data to train its AI models meets with backlash in the EU.
On June 26th, Meta wanted to update its privacy policy so it could start using data from Meta users in the EU and UK to train its AI models. To the people’s benefit, this roll-out faced mass legal backlash with the activist group None of Your Business (NYOB) filing complaints in 11 European countries, and the introduction of Meta AI was - surprisingly – also opposed by authorities like the Irish Data Protection Commission (IDPC). As a result, Meta decided to pause its plan to use EU user data, and has also put the introduction of Meta AI in Europe on hold.
NOYB and Max Schrems – who sued Facebook already multiple times leading to combined fines of more than 1 billion euros in famous court decisions like Schrems I and Schrems II – has hit another time again the Silicon Valley tech giant. This time, NOYB stopped Meta from abusing EU citizens’ data for AI training purposes!
Max Schrems and his non-profit NOYB have become well-known privacy defenders in Europe and beyond. They not only took on Facebook, but have also fought a legal battle against Google in which the court ruled that using Google Analytics is illegal for European companies – leading to a surge in privacy-first analytics tools like Matomo and Piwik.
Interestingly enough, Google changed their privacy policy already in the summer of 2023 so Google most likely already uses your data to train its AI and it’s possible that Gemini even uses your Gmail emails for being trained. A similar question has also been raised about OpenAI’s famous solution: Is ChatGPT a privacy nightmare or a helpful tool?
In the case of Google and OpenAI no lawsuit based on the EU’s GDPR has been brought forward, but we’d be curious to see this happen!
Table of Contents
Meta AI faces backlash
Meta’s plan to introduce Meta AI in the EU/EEA was initially approved by the Irish Data Protection Commission (DPC). In May, Meta started notifying users of upcoming changes to their privacy policy planned to come into place on June 26th 2024. The new changes would have given Meta the right to use public content on Instagram and Facebook to train its AI models. Public content that could be collected included comments, status updates, interactions with companies, photos, and photo captions.
Meta’s plans raised data protection concerns that aren’t in accordance with the GDPR. One highlighted issue is the choice to opt in and opt out.
If user data is getting processed, users’ permission must first be asked and granted, rather than requiring the user to take action to refuse it, as it’s currently done by Meta. For these reasons, Meta’s new privacy policy was legally challenged by Austrian privacy organization NOYB. NOYB filed complaints to data protection authorities in 11 European countries - Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain.
It was then also opposed by authorities like the Irish Data Protection Commission who told Meta to delay its plans to use Facebook and Instagram user data for AI training. Following this decision, the big tech conglomerate has also paused the roll-out of its AI assistant in Europe.
Meta, who has already incurred multiple GDPR fines] for not respecting the EU’s data protection rules in the past and has been criticized for its approach of Pay or Okay for data privacy, cited legitimate interest under the EU General Data Protection Regulation as the reason justifying the plans to use user data for AI model training without asking users to opt in, or for true consent, so to speak. Claims of legitimate interest were backed with the the reason that Facebook and Instagram users choose their data to be public on their profiles.
”Under the UK’s Data Protection Act and the EU’s General Data Protection Regulation, we’ll be relying on the legal basis of ‘Legitimate Interests’ for processing certain first and third-party data in the European Region and the United Kingdom to improve AI at Meta,” said the firm. ”Specifically, we have legitimate interests in processing data to build these services and this means that people can object using a form found in our Privacy Center if they wish. This approach is consistent with how other tech companies are developing and improving their AI experiences in Europe.”
While legitimate interest can be a valid reason under GDPR law, in this case it’s extremely questionable. After all Meta wants to reap the benefits of all your data and use it in ways unknown to anyone.
The choice to consent to the data being processed for AI of several hundred million Meta users in the EU should be given priority above Meta’s business interests. NOYB believes that Meta’s privacy policy which would be applicable to Facebook, Instagram, and Threads is not as GDPR-compliant as the tech giant claims it to be. Consequently, NOYB filed complaints arguing that Meta was not in compliance with the EU’s GDPR.
The issue with Meta AI
Meta’s new privacy policy was very generous – for the tech giant and how they would have been able to use people’s data: If Meta’s new privacy policy had come into play on June 26th, they would have been permitted to use both public and non-public user data that has been collected since 2007(!) - that’s not a joke, but almost two decades of your data. The vast amount of data includes years’ worth of user images, posts, and tracking data that Meta could have used to train their AI models – in ways not known to anybody.
And the big issue at play here is that Meta wanted to use the data without asking for users’ consent and this is what NOYB is challenging.
”Meta is basically saying that it can use any data from any source for any purpose and make it available to anyone in the world, as long as it’s done via ‘AI technology’. This is clearly the opposite of GDPR compliance,” said NYOB’s Max Schrems.
Meta has rejected NOYB’s claims, saying that the data they plan to use is publicly available online, licensed information as well as information that people have publicly shared on its platforms.
Meta’s brazen attempts to violate your data rights continue
If Meta’s plans to use the past seventeen years’ worth of your data is a surprise to you, it shouldn’t be. Many a time Meta has come under scrutiny with their brazen attempts to drive profits through exploiting users and their privacy. In addition to this, Meta knows an astonishing lot about you, and your data is extremely valuable for them.
Fortunately, for people living in the EU, there are good laws in place like the GDPR which safeguard its citizen’s digital identities and data rights. This still doesn’t stop Facebook’s attempts to take advantage of user data or stop them from finding new, creative ways to comply with the GDPR – like their latest move with scraping user data for AI training without active consent is showing.
Data of Non-EU users is already used for AI training
Unfortunately, for people living in other countries like the USA, the laws and privacy protections aren’t as strong as, for instance, in Germany, which has some of the best data protection laws. In the US, since last year, Meta has been using user data for its generative AI-features. For these users there is no way to opt out of having their data used and abused. This again highlights the lack of protection of user data and privacy rights and the need for better data protection laws, also, and particularly, in the USA.
With that being said, and the endless scandals and fines that big tech companies receive, one can’t help but wonder if it’s finally time to delete their Facebook profile. And if not delete it, at least harden the privacy settings with this how to.
We at Tuta welcome the activism of None of Your Business and applaud their fight for privacy. While the GDPR is a great law, cases like the Meta AI one show that legal oversight is much needed to actually enforce the privacy rights of Europeans!