META has halted the release of its AI technology for the European Union and the United Kingdom

Beata Fecakova is a CGI Privacy Business Partner and DPO for the Czech Republic, Slovakia, and Eastern Europe. In her new blog, Beáta summarizes the known facts from the ongoing dispute between the noyb.eu (Not of Your Business) association and Meta , among others, the operator of the social network Facebook.

The nonprofit group noyb.eu ("Not of Your Business"), led by Max Schrems, succeeded in a legal dispute with Meta by filing 11 complaints with Data Protection Authorities in Austria, the Netherlands, Belgium, France, Germany, Greece, Italy, Ireland, Norway, Poland, and Spain. NOYB requested that the authorities, in an expedited procedure, prohibit META from using Facebook users' data for the new Meta AI. Such a ban would apply to the entire EU/EHP.

What exactly is the problem?

META planned to use both public and non-public user data to train a still undefined META AI technology. This includes data such as photos and posts from Facebook users dating back to 2007. The company already uses certain data to train specific AI systems (e.g., chatbots). Now, META would use all public and non-public user data for a yet undefined type of AI technology. These data would also include data from any third parties and data obtained from online sources. The exception would be private chat communications.

"META essentially says it can use any data from any source for any purpose and make it available to anyone in the world, as long as it is done through 'artificial intelligence technology'," summarized Max Schrems the goal of META. In this entire META plan, there are many ambiguities and questions, to which META has not yet specified anything in detail.

META user data is protected by GDPR in the EU, and the main, though not the only issue, is that for the use of non-public data, META uses legitimate interest. The use of legitimate interest has already been ruled unlawful by the European Court of Justice (see C-252/21). Another problem is that the company has not informed users about the intention to implement META AI, what data will be used, and what the overall purpose of using the data of 4 billion users (400 million in the EU) in META AI without scope limitation.

If Meta resumes activity, can data sharing be avoided?

If the user wanted to to avoid the company's use of their data, he had to fill out a form that was hidden on the Facebook site. This principle is just another violation of the GDPR, where the responsibility is shifted to the user to actively seek opt-out options. It is common to provide the user's "consent" for the use of the data right at the beginning and not the other way around, i.e. asking not to use the data in question or to opt out. Not only was this request hidden in a form that was difficult to access, but many times was this form linked to an email address that was either unused or no longer exist.

META has also changed the settings of the page where to access the form was to log in (in the past the page was publicly accessible). The pearl is that the company has exemplarily built several distractions into the process of finding the reporting form to reduce or discourage the number of users actually logging out.?

However, Meta announced this week that it is suspending its plans for European and English users to deploy META AI. It has caved to Supervisory Authorities in the EU and will focus on the American users.