NOYB urges regulators to stop Meta’s use of personal data for AI

Action is needed to stop Meta’s unilateral actions before the processing of users’ data is possible later this month.

NOYB, the European Center for Digital Rights, has filed complaints in 11 European countries following news of Meta’s amendments to its privacy policy. It is now urging EU data protection authorities (EU DPA’s) to act urgently to stop this change before it comes into force on June 26.

Meta recently informed millions of European users that the company was changing its privacy policy – giving Meta the right to use years of personal posts, private images or online tracking data to develop and improve its proprietary “AI technology”.

“Meta’s new privacy policy basically says that the company wants to take all public and non-public user data that it has collected since 2007 and use it for any undefined type of current and future “artificial intelligence technology,” NYOB said.

Share data with third parties

With the changes, Meta will also be able to ingest personal data from any source, which means both public and non-public user data, and potentially share this with third parties.

“Meta is basically saying that it can use ‘any data from any source for any purpose and make it available to anyone in the world’, as long as it’s done via ‘AI technology’. This is clearly the opposite of GDPR compliance,” said lawyer and privacy activist Max Schrems.

Instead of asking users to opt-in and consent to these changes, NOYB points out that Meta’s argument is that “it has a legitimate interest that overrides the fundamental right to data protection and privacy of European users.”

To be able to opt out of this processing, users must fill out an objection form before June 26, 2024, and explain why they are doing so. After that date, users appear to have no option of being able to remove the data, NOYB added.

“The European Court of Justice has already made it clear that Meta has no ‘legitimate interest’ to override users’ right to data protection when it comes to advertising. Yet the company is trying to use the same arguments for the training of undefined ‘AI technology’,” Schrems continued.

NOYB has requested an “Urgency Procedure” as defined by GDPR Article 66, which would allow all of the EU DPAs to issue preliminary halts and make way for an EU-wide decision to be issued by the European Data Protection Board.

NOYB also alleges that by introducing such AI models Meta would violate EU GDPR Articles 5(1), 5(2), 6(1), 9(1), 12(1), 12(2), 13(1), 13(2), 17(1)(c), 18(1)(d), 19, 21(1), and 25.

11 complaints

The 11 complaints were filed with data protection authorities in AustriaBelgiumFranceGermanyGreeceItalyIreland, the NetherlandsNorway (with the Norwegian Consumer Council), Poland and Spain, and the NOYB has announced its intention to file complaints in the remaining EU Member States in the coming days. 

The Norwegian Data Protection Authority, Datatilsynet, called the legality of handling data this way ‘doubtful’.

“Meta is basically saying that it can use ‘any data from any source for any purpose and make it available to anyone in the world’, as long as it’s done via ‘AI technology’.”

Max Schrems

“We take the complaint seriously and give it high priority. We will work closely with our European colleagues in the further handling of the case,” said Line Coll, director of Datatilsynet.

According to the Norwegian regulator, the only information that would not be used to develop Meta’s AI under the proposed privacy policy changes are messages and pictures that are posted in a private profile, and data from accounts of users under the age of 18.