Meta faces EU complaints over plans to use personal data for AI

6 Jun 2024

Image: © Joao/

Meta wants to get access to more data to train its AI models, but Noyb says the plans are in breach of GDPR and also criticised Ireland’s DPC.

Meta is facing a fresh wave of complaints over its data practices, but this time the concern is about personal data being used for AI.

Noyb, the privacy advocacy group, has filed complaints against Meta to 11 data protection authorities, including Ireland’s Data Protection Commission (DPC). The complaint relates to updates to Meta’s privacy policy, which are scheduled to go into effect from 26 June.

According to the updates, Meta plans to use data from its products to train its various AI models – data that could include personal details of some users through “public and licensed data”. Noyb says the new policy will breach GDPR rules and wants the EU authorities to launch “an urgency procedure” to stop the change.

Instead of asking users for their consent, Meta is arguing that it has a “legitimate interest” to collect and process this data. The company used this same legal basis for its personalised advertising policies, but this basis was rejected by the European Court of Justice last year.

Noyb says Meta is using the same legal basis to justify an “even broader and more aggressive use of people’s personal data” to train its AI technology. Noyb founder Max Schrems argues that Meta’s use of ‘AI technology’ is “an extremely broad term” that has “no real legal limit”.

“Meta doesn’t say what it will use the data for, so it could either be a simple chatbot, extremely aggressive personalised advertising or even a killer drone,” Schrems said. “Meta also says that user data can be made available to any ‘third party’ – which means anyone in the world.”

Meta references various third parties it shares data with, including advertisers, marketing vendors, service providers, external researchers and other third parties that want to access data through legal requests.

Meta rejected NOYB’s criticism and said it uses publicly available online and licensed information to train AI as well as information that people have shared publicly on its products and services, Reuters reports.

But the update privacy notes that information may be processed on individuals even if they don’t use Meta’s products and services.

“For example, this could happen if you appear anywhere in an image shared on our products or services by someone who does use them or if someone mentions information about you in posts or captions that they share on our products and services,” Meta said in a blogpost.

Noyb has also issued complaints against Meta over its subscription model, which sees users either pay for an ad-free version of its apps or consent to targeted advertising. Opponents of this model such as Noyb have dubbed it a ‘consent-or-pay’ smokescreen that aims to justify a massive collection of data.

DPC criticism

Meanwhile, Noyb claimed this “blatant breach” of GDPR is being allowed due to a “deal” between Meta and Ireland’s DPC. The group referenced a recent article by The Journal on how users can opt out of having their Facebook data used to train Meta’s AI.

Noyb has been critical of the DPC in the past for how it deals with tech giants such as Meta and noted that one of its previous fines against Meta was increased after the European Data Protection Board stepped in.

“It is mind-boggling that the DPC continues to let the misuse of the non-public personal data of about 400 million European users go unchecked,” Schrems said.

The DPC did not respond to a request for comment from at time of publication.

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Leigh Mc Gowran is a journalist with Silicon Republic