Meta has backtracked on its plans to mass enrol the data of EU/EEA users into unspecified AI solutions. Meta has argued legitimate interest in using publicly shared data and had agreed a sweetheart deal with the Irish Data Protection Commission. However, after noyb contacted several European DPAs asking them to block this move by Meta, the company has been forced into a climbdown.

Max Schrems, Honorary Chairman, NOYB (Image Credit: Georg Molterer)
Max Schrems, Honorary Chairman, NOYB

Max Schrems, chair of noyb: “We welcome this development, but will monitor this closely. So far there is no official change of the Meta privacy policy, which would make this commitment legally binding. The cases we filed are ongoing and will need a determination.”

Forced opt-out breached EU GDPR

There were several issues that noyb identified with Meta’s plans. The first of these was that contrary to the GDPR, Meta required users to opt out of data usage. The principles of the GDPR require opt-in, not opt-out, as a default. Compounding this move, Meta also limited the users it contacted and advised them they could opt out. Even then, the process was described by noyb as deceptive and complicated.

The second issue with Meta’s plans is that once data had been enrolled, there was no way to have that data removed. The GDPR holds that users can withdraw consent at any point, and organisations must honour that. Additionally, there is a “right to be forgotten.” It ensures that data must be deleted upon request. With Meta admitting that neither of these could be met, it again fell foul of the GDPR.

Irish DPC forced to change its support for Meta

As Meta is headquartered in Ireland, it is the Irish DPC that is responsible for ensuring compliance with the GDPR. Over the past decade, it has come under fire several times for its favourable treatment of the company. Even when other European DPAs have found Meta has breached the GDPR, the DPC has been slow to issue judgement and fines.

In this case, it seems that the DPC once again failed to interpret the GDPR in terms of protecting user rights. Instead, it allowed Meta to proceed with its plan to mass enrol data. Now, like Meta, it, too, has had to change its position.

In a formal statement, the DPC said, “The DPC welcomes the decision by Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU/EEA. This decision followed intensive engagement between the DPC and Meta. The DPC, in co-operation with its fellow EU data protection authorities, will continue to engage with Meta on this issue.”

In its statement on Meta’s U-turn, noyb commented “There is so far no further context or information what this engagement looked like or why the DPC changed its mind.”

However, it goes on to say that it believes that the most obvious explanation for the DPC’s actions is the action of other DPAs and noyb itself. It commented, “The obvious explanation would be that after 11 complaints with various DPAs in Europe by noyb and other organizations, as well as public reactions by EU/EEA DPAs in reaction to these complaints the pressure on the DPC was mounting.”

UK Information Commissioners Office response

The UK ICO also issued a public statement on Meta’s actions. Stephen Almond, Executive Director, Regulatory Risk at the ICO, said:

“We are pleased that Meta has reflected on the concerns we shared from users of their service in the UK, and responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI.  

“In order to get the most out of generative AI and the opportunities it brings, it is crucial that the public can trust that their privacy rights will be respected from the outset.

“We will continue to monitor major developers of generative AI, including Meta, to review the safeguards they have put in place and ensure the information rights of UK users are protected.”

This statement talks about safeguards to protect the rights of UK users. However, there is no detail on what those safeguards might be or how they will be assessed. It would be interesting to see what the ICO sees as a minimum level of protection for UK users.

What is driving this data grab by Meta?

This is not the first data grab by Meta. The terms and conditions of using any of its tools give it a non-exclusive right to use the data uploaded to its platform. A user could opt to leave the platform and ask for their data to be deleted. However, given that the data will have been sold to advertisers getting all copies deleted is questionable.

Generative AI relies on vast quantities of data. Social media companies such as Meta and X (formerly Twitter) hold vast amounts of data on their users and want to monetise it. Having seen the success of OpenAI’s ChatGPT and other public generative AI solutions, they want a piece of that. The problem is that once data is inside an AI, it is difficult, if not impossible, to remove.

We know this is a problem because OpenAI has already publicly admitted that it cannot correct or delete information inside ChatGPT. That issue is also the subject of a complaint by noyb, but there has been no observable action on that complaint to date. One reason is the elections for members of the European Parliament that have just taken place.

Another is the need to find people capable of finding a way through the conflict between generative AI and privacy laws. It is likely to be some time before we see an outcome in that complaint, and without a resolution to this issue of privacy vs generative AI, platforms holding large amounts of public data will look to act while they see a window.

Enterprise Times: What does this mean?

We are at a crossroads when it comes to privacy. The GDPR set a global benchmark for privacy rights and several countries and territories have used that to inform their own legislation. However, the challenge now for lawmakers is whether to be seen as a blocking factor for a technology with the potential for substantial change.

In the case of Meta, we will have to wait and see what its next move is. It has made a number of attempts to circumvent the GDPR by trying to find loopholes that allow it greater use of users’ data. What will its next move be to try and acquire the data it wants for its AI plans?

While the current focus is on Meta, regulators must not ignore other social media platforms. They all face the same challenge as Meta and will be looking for their own ways to acquire data.


Please enter your comment!
Please enter your name here