noyb calls on 11 data protection authorities to immediately stop Meta’s misuse of personal data for artificial intelligence purposes


All non-public data for undefined future “AI technology”. Unlike the already problematic situation of companies using certain (public) data to train a specific AI system (e.g. a chatbot), Meta’s new privacy policy basically states that the company wants to take all public data and non-public user data it has collected since 2007 and use them for any undefined type of current and future “artificial intelligence technology”. This includes the many “dormant” Facebook accounts that users hardly interact with anymore, but which still contain enormous amounts of personal data. Additionally, Meta claims that it may collect additional information from any “third party” or scrape data from online sources. The only exception seems to be person-to-person chats, but even chats with a business are affected. Users are not provided with any information about the purposes of the “AI technology,” which goes against GDPR requirements. Meta’s privacy policy would theoretically allow any purpose. This change is particularly worrying because it affects the personal data of approximately 4 billion Meta users, which will be used for virtually limitless experimental technology. At least EU/EEA users should (in theory) be protected against such abuse by the GDPR.

Max Schrems: “Meta actually says it can use ‘any data from any source for any purpose and make it available to anyone in the world,’ as long as it’s through “artificial intelligence technology”. This clearly goes against GDPR compliance. The term “AI technology” is extremely broad. databases”, there is no real legal limit. Meta does not say what the data will be used for, so it could be a simple chatbot, extremely aggressive personalized advertising or even a killer drone. Meta also specifies that user data can be made available to any “third party”, i.e. anyone in the world.”

Do Meta’s interests trump user rights? Normally, the processing of personal data in the European Union is illegal by default. Therefore, Meta must rely on one of the six legal bases provided for in Article 6(1) of the GDPR to process personal data. Although the logical choice is explicit consent, Meta again claims that it has a “legitimate interest” that overrides users’ fundamental rights. Meta has already made this argument in the context of using all personal data for advertising purposes, and it was rejected by the Court of Justice (see C-252/21). Today, Meta uses the same legal basis to justify even broader and more aggressive use of users’ personal data.

Max Schrems: “The European Court of Justice has already made it clear that Meta does not have a ‘legitimate interest’ to override users’ right to data protection when it comes to advertising. However, the company attempts to use the same arguments for training in undefined “AI technology”. It appears that Meta is once again blatantly ignoring the CJEU rulings.”

The objection is a farce. Meta even attempts to make users responsible for protecting their privacy by directing them to an objection (opt-out) form that users are supposed to fill out if they don’t want Meta to use all their data. While in theory the opt-out could be implemented such that it only requires a single click (like the “unsubscribe” button in newsletters), Meta makes the objection extremely complicated, even for personal reasons. A technical analysis of the opt-out links even showed that Meta requires a login to view an otherwise public page. In total, Meta is asking some 400 million European users to object, instead of asking for their consent.

Max Schrems: “Putting responsibility on the user is completely absurd. The law requires Meta to obtain consent from the user, not to provide a hidden and misleading opt-out form. If Meta wants to use your data, it must ask permission. Instead, it forces users to beg to be excluded. We were particularly surprised to find that Meta even went to the trouble of integrating tons of little distractions to ensure that only a tiny number of users would take the trouble to object.”

The Irish DPC is complicit (once again). According to reports, this blatant GDPR violation is (again) based on an “agreement” with the Irish Data Protection Commission (the DPC is Meta’s European regulator). The DPC has already reached a deal with Meta that allowed the company to circumvent the GDPR, and which resulted in a fine of 395 million euros against Meta after the European Data Protection Board (EDPB) overturned the decision of the Irish DPC.

Max Schrems: “It appears that the new leadership of the DPC continues to enter into illegal ‘deals’ with major US technology companies. It is mind-boggling that the DPC continues to allow free rein to misuse the non-public personal data of approximately 400 million European users.”

Deadline: June 26: Urgent procedure requested. Given that Meta’s processing for undisclosed “artificial intelligence technology” is already scheduled to take effect on June 26, 2024, and Meta claims that there is no option to opt out at a later stage to have your data deleted (as provided for in Article 17 of the GDPR and the “right to be forgotten”), noyb requested an “urgent procedure” under Article 66 of the GDPR. The data protection authorities (DPAs) of 11 European countries (Austria, Belgium, France, Germany, Greece, Italy, Ireland, Netherlands, Norway, Poland and Spain) received such a request on behalf of local data subjects. Article 66 allows data protection authorities to issue preliminary judgments in situations such as the one described above and allows for an EU-wide decision through the EDPB. The Irish DPC and Meta Ireland have already been subject to two “Emergency Binding Decisions” from the EDPB (see Emergency Binding Decision 01/2023 and Emergency Binding Decision 01/2021) in similar situations.

Max Schrems: “We hope that authorities outside Ireland will take swift action and at least stop this project for a full investigation. The EDPB has already made two such emergency decisions against Meta and the Commissioner Irish Data Protection Authority. It is sad to see that this measure seems to be necessary again and again.”

Other problems. Besides lacking a legal basis for vacuuming up more than a decade of user data, Meta has previously stated that it is technically unable to distinguish between EU/EEA user data and other countries where people do not benefit from GDPR protection. Meta also stated that it was unable to distinguish between sensitive data within the meaning of Article 9 of the GDPR, such as ethnicity, political opinions, religious beliefs (for which the “legitimate interest” argument is not available under the law), and other data for which “legitimate interest” could theoretically be claimed. With the introduction of its AI technology, Meta appears to have violated a number of other GDPR provisions, including the GDPR principles, transparency rules and operational rules. Overall, complaints from noyb report violations of Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25 of the GDPR.

Max Schrems: “With the approach of simply using any data for any purpose for any ‘AI technology,’ Meta has clearly left almost the entire GDPR framework. We have counted violations of at least ten articles of law.”

Next steps. The data protection authorities concerned will now have to quickly make a decision whether to launch an emergency procedure or to deal with complaints under a normal procedure. Two days ago, the Norwegian Data Protection Authority already published a blog post in which it states that it is “doubtful” (“tvilsomt”) whether Meta’s approach is legal. An emergency procedure could lead to a quick interim ban and a final decision by the EDPB within a few months. If the complaints filed today are a first step, it seems plausible that other organizations will follow up these complaints with injunctions, civil actions or even class actions, if Meta moves forward with its plans. The actions of noyb against Meta have so far resulted in administrative fines of more than 1.5 billion euros.

Complainants for other EU member states. noyb plans to file complaints in other EU member states in the coming days. Users from these Member States can report their interest in becoming a complainant via the following form.

*The complaint in Norway was filed jointly with the Norwegian Consumer Council (“NCC”). For more information, see www.forbrukerradet.no.
