noyb urges 11 DPAs to immediately stop Meta's abuse of personal ...
Over the past few days, Meta has informed millions of Europeans that its privacy policy is changing once again. Only on closer inspection of the links in the notification did it become clear that the company plans to use years of personal posts, private images or online tracking data for an undefined "AI technology" that can ingest personal data from any source and share any information with undefined "third parties". Instead of asking users for their consent (opt-in), Meta argues that it has a legitimate interest that overrides the fundamental right to data protection and privacy of European users. Once their data in the system, users seem to have no option of ever having it removed ("right to be forgotten").
noyb has now filed complaints in 11 European countries, asking the authorities to launch an urgency procedure to stop this change immediately, before it comes into force on 26 June 2024. All non-public data for some undefined future "AI technology". Unlike the already problematic situation of companies using certain (public) data to train a specific AI system (e.g. a chatbot), Meta's new privacy policy basically says that the company wants to take all public and non-public user data that it has collected since 2007 and use it for any undefined type of current and future "artificial intelligence technology". This includes the many "dormant" Facebook accounts users hardly interact with anymore – but which still contain huge amounts of personal data.
Do Meta's interests override the users' rights? Normally, the processing of personal data in the European Union is illegal by default. Therefore, Meta must rely on one of the six legal bases under Article 6(1) GDPR in order to process personal data. Although the logical choice would be opt-in consent, Meta is again claiming that it has a "legitimate interest" that overrides the fundamental rights of users.
Irish DPC is complicit (again). According to reports, this blatant breach of the GDPR is (again) based on a "deal" with the Irish Data Protection Commission (the DPC is Meta's EU regulator). The DPC has previously had a deal with Meta that allowed the company to circumvent the GDPR – and ended with a € 395 million fine against Meta after the European Data Protection Board (EDPB) overruled the Irish DPC.
Concerns over Meta's New Privacy Policy
In addition, Meta says it can collect additional information from any "third party" or scrape data from online sources. The only exception seems to be chats between individuals – but even chats with a company are fair game. Users aren't given any information about the purposes of the "AI technology" – which is against the requirements of the GDPR. Meta's privacy policy would theoretically allow for any purpose. This change is particularly worrying because it involves the personal data of about 4 billion Meta users, which will be used for experimental technology essentially without limit. At least users in the EU/EEA should (in theory) be protected from such abuse by the GDPR.
Challenges with Meta's Legal Justification
The objection is a farce. Meta even tries to make users responsible for taking care of their privacy by directing them to an objection form (opt-out) that users are supposed to fill out if they don't want Meta to use all their data. While in theory an opt-out could be implemented in such a way that it requires only one click (like the 'unsubscribe' button in newsletters), Meta makes it extremely complicated to object, even requiring personal reasons.
Deadline 26 June: Urgency procedure requested. Given that Meta's processing for undisclosed "artificial intelligence technology" is already set to take effect on 26 June 2024, and Meta claims that there is no option to opt-out at a later point to have your data removed (as foreseen under Article 17 GDPR and the "right to be forgotten"), noyb has requested an "urgency procedure" under Article 66 GDPR.
Additional problems. In addition to the lack of any legal basis for sucking up more than a decade worth of user data, Meta has previously said that it is technically unable to distinguish between data from users in the EU/EEA and other countries where people don't enjoy GDPR protection. Meta has also said that it cannot distinguish between sensitive data under Article 9 GDPR, such as ethnicity, political opinions, religious beliefs (for which the "legitimate interest" argument is not available under the law), and other data for which a "legitimate interest" could theoretically be claimed.
Concerns about Meta's Data Handling
Next steps. The relevant DPAs will now have to make a quick decision whether to launch an urgency procedure or to deal with the complaints in a normal procedure. Two days ago, the Norwegian DPA has already published a blog post arguing that it is "doubtful" ("tvilsomt") whether Meta's approach is legal. An urgency procedure could lead to a rapid interim ban and a final decision by the EDPB in a matter of months. While today's complaints are a first step, it seems plausible that other organisations will follow up with injunctions, civil law cases or even class actions, if Meta goes ahead with its plans. This could potentially drown Meta in another round of legal troubles in the European Union. noyb's actions against Meta alone have so far resulted in administrative fines of more than € 1.5 billion.
Complainants for other EU Member States. noyb plans to file complaints in the remaining EU Member States in the coming days. Users from these Member States can report their interest in becoming a complainant via this form.*The complaint in Norway was filed jointly with the Norwegian Consumer Council ("NCC"). Find more information at www.forbrukerradet.no.
