Meta has caused a lot of controversy in Europe with its recent privacy policy update. Starting June 26, 2024, the company will begin using users’ personal data, collected since 2007, to train its artificial intelligence technology. This decision has unleashed a wave of criticism and legal action across the continent, with privacy organizations and users concerned about the implications of this change.
The Austrian privacy advocacy organization Noyb (None Of Your Business), led by Max Schrems, has been one of the most critical voices against the company and has filed formal complaints with the data protection authorities of 11 European countries: Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland and Spain.
These complaints argue that Meta is violating European data protection regulations (GDPR) by not requesting explicit consent from users for the use of their data.
In Spain, the Organization of Consumers and Users (OCU) had already registered a complaint with the Spanish Data Protection Agency (AEPD) on May 31, anticipating the measure. The OCU, like Noyb, argues that Meta should have asked users for explicit permission instead of forcing them to go through a complex opt-out process if they want their data not to be used.
Meta defends itself by relying on a “legitimate interest” to use user data in its AI technology. Howeverthis argument has previously been rejected by the Court of Justice of the European Union (CJEU) in the context of the use of personal data for advertising.
Noyb argues that using this argument for an even broader and more aggressive purpose is equally invalid.
Max Schrems has harshly criticized Meta’s stance, pointing out that “Meta is basically saying that it can use ‘any data from any source for any purpose and make it available to anyone in the world’, as long as it is done through ‘data technology’. AI’. This is clearly the opposite of complying with the GDPR.”
Furthermore, he highlights that the lack of specificity about how the data will be used and who will have access to it is especially worrying, as it opens the door to a use potentially unlimited and abusive of the personal data of approximately 4 billion Meta users.
Given the imminent implementation of these policies on June 26, Noyb has requested an “urgent procedure” under article 66 of the GDPR. This procedure allows data protection authorities to issue preliminary suspensions in critical situations and make decisions at EU level through the European Data Protection Board (EDPB).
Ireland’s Data Protection Commissioner (DPC), which is Meta’s main regulator in the EU, has been accused of making “illegal agreements” with Meta that allow circumvention of the GDPR. In the past, these agreements have resulted in significant fines against Meta after the EDPB intervened. Schrems has expressed his frustration with the DPC, suggesting that “it appears that the new DPC administration continues to make illegal deals with big US tech companies.”
Another recurring criticism is the process that Meta has designed so that users can opt out of the use of their data. Instead of requesting clear and direct consent (opt-in), the company has implemented an opt-out process that is described as complicated and unclear.
This process requires users to fill out an objection form, which could have been simple, but Meta has introduced numerous obstacles and distractions to discourage opposition.
Noyb has conducted a technical analysis of the opt-out process and found that the company even requires users to log in to view a page that should be public, adding further difficulty. Schrems summarizes the situation by stating that “passing the responsibility on to the user is completely absurd. The law requires Meta to obtain opt-in consent, not to provide a hidden and misleading opt-out form.”
