Meta Ruling Effects on EU Data Privacy Laws

One interesting aspect of the CJEU ruling against Meta today (using contract as a legal basis) seems to have been missed by everyone who has written about it so far. The ruling states that it is not in Meta's legitimate interest to conduct their processing activities in this way. This is important because even though the ruling was looking at contract the use of the words legitimate interest would seemingly mean that Meta would not be able to use legitimate Interest as a legal basis either (as the Court has stated it is not a legitimate interest) - which is the legal basis Meta recently switched to on Facebook and Instagram for targeted advertising and profiling. So effectively the Court has left only consent as a valid legal basis for Meta's processing of personal data for advertising/profiling purposes - this is much more significant than simply looking at Article 6(1)(b)... #privacy #cjeu #enforcement #law #gdpr #surveillancecapitalism #surveillance #compliance #ethics #bigdata #profiling #legal #facebook #instagram #meta #cookies #advertising #marketing #pixels #tracking

🚨 Can Meta Train AI on EU Citizens' Data Without Their Consent? Privacy Battle Heats Up A significant privacy battle is unfolding in Europe that could reshape how tech giants use our data for AI training. Meta plans to begin using Facebook and Instagram data from EU users to train its AI systems starting May 27th. The catch? They're not asking for permission first. Instead of asking for permission ("consent" as a legal basis), Meta claims a "legitimate interest" under GDPR. Legitimate interest is often seen by companies as a default solution when they can't find another legal basis for processing personal data. Except the European Data Protection Board clearly explained in their guidelines that strict conditions have to be met, and safeguards put in place. The non-profit organisation noyb.eu(None Of Your Business), led by Max Schrems, has issued a cease and desist letter, arguing this approach fundamentally violates EU privacy law. NOYB points to previous European Court of Justice rulings that already rejected Meta's "legitimate interest" claims for targeted advertising. As Schrems bluntly puts it: "This fight is essentially about whether to ask people for consent or simply take their data without it." The stakes are enormous. NOYB, as a Qualified Entity under the EU Collective Redress Directive, can seek an injunction that could force Meta to: - Stop all AI training with EU user data - Delete any AI models already trained with that data And potentially face massive class-action damages. Meanwhile, Meta maintains its approach is legal, stating they've provided users with "a clear way to object to their data being used for training." Precisely what NOYB denies, because Meta put a limit to objecting: before the training has started. This case raises fundamental questions about personal data use in the AI era: Who can do what with your social media content when it's full of personal data like pictures, videos? Should companies be required to get explicit permission before using your data to train AI? Is an opt-out system sufficient protection for privacy rights? Is it possible to limit the opt-out system in time? The outcome could establish crucial precedent for how all tech companies approach AI training in regulated markets. 💫 Regain your freedom online

🚨 BREAKING: noyb.eu has sent Meta a 'Cease and Desist' letter over its AI training practices, warning that a European Class Action could follow. Could the GDPR effectively BLOCK Meta AI in the EU? Here's what you need to know: These developments are related to Meta's recent announcement that, from 27 May onwards, it will use personal data from Instagram and Facebook, including from EU users, to train AI. The GDPR establishes that to process personal data, a company must rely on one of the lawfulness grounds established in Article 6. Meta could have chosen informed consent (and then asked for users' informed consent), but it decided to rely on legitimate interest instead. As I've been writing in my newsletter in the past 2.5 years, legitimate interest is not as simple as it looks, and companies must pass the three-part test. Recent guidelines from the European Data Protection Board show that, indeed, the bar is higher than AI companies had originally thought, and additional precautions must be implemented. Under legitimate interest, EU users could still exercise their right to object. Still, according to noyb, Meta is limiting this right, saying it only applies if people opt out before the training has started. noyb also adds that because Llama is made available as an open-source model and anyone can use it (*some disagree with this classification, check out my recent article on the topic), once it's published, it will be difficult to call back. What did noyb do noyb is Max Schrems' non-profit focused on the protection of privacy rights. They are also a "Qualified Entity" under the new EU Collective Redress Directive. As such, noyb can bring an injunction in an EU court. If this injunction is granted, Meta would have to: 1. Stop the processing of personal data from EU users 2. Delete any AI that was unlawfully trained In addition to an injunction, as a qualified entity, noyb could also bring a redress action. If this action were filed, it could lead to hundreds of millions of Euros in non-material damages. The cost would be prohibitive even for Meta and would likely result in an indefinite block of Meta AI in the EU until the company fixes non-GDPR compliant AI practices. noyb hasn't brought the injunction yet. As a first step, they've just announced that they sent a formal settlement proposal (the Cease and Desist letter). Will Meta AI survive in the EU? - 👉 Never miss my analyses on AI's legal and ethical challenges: join 61,400+ who subscribe to my newsletter (link below). 👉 To learn more, join the next cohort of my AI Governance Training.

Another US public holiday, another major CJEU decision. Personally, I find today’s decision Meta vs. Bundeskartellamt puzzling and counterproductive. Here’s why. *** 1.    The CJEU decides competition authorities may bring GDPR violations into consideration when adjudicating competition cases. First, this obviously throws a wrench into the already threadbare one stop shop mechanism. From now, not only the German DPA but also its competition authority – and for that matter, the competition authorities of 27 member states – can second guess the decisions of Meta’s lead DPA. And while the CJEU orders the authorities to “play nice” and “sincerely cooperate”, it sets no parameters for such cooperation, which has proven elusive even with the prescriptive cooperation and consistency mechanism of GDPR. *** Second, the court failed to provide any instruction for a competition authority’s “consideration” of GDPR. How does a company’s GDPR violation affect competition analysis? Many companies run afoul of competition law without violating GDPR; and many GDPR offenders have no market power whatsoever. So what does it even mean to consider a GDPR violation in an antitrust context? How does it play into the building blocks of an antitrust violation – market analysis, concerted action, restraints on trade, etc. No clue. *** 2.    The CJEU analyzes Meta’s processing of user data in both a first and third party context. Privacy pros know that Meta recently shifted from relying on “performance of a contract” to “legitimate interests” as its basis to tailor content and ads. The CJEU casts doubt on Meta’s ability to rely on either or both of these clauses. It reads the “contract” basis exceedingly narrowly, requiring a controller to show “there are no workable, less intrusive alternatives” to the processing of data. (Where is this grounded in GDPR?) It holds, without any explanation, that “personalised content does not appear to be necessary in order to offer that user the services of the online social network.” (Para 102). IMO this statement is completely divorced from reality. Users of social networks are there precisely *for* the personalized content that the Court presents as a side-show. *** 3.    Switching to “legitimate interests”, the Court holds that “despite the fact that the services of an online social network are free, the user of that network cannot reasonably expect that the operator of the social network will process that user’s personal data... for the purposes of personalised advertising.” (Para 117). This statement too is, IMO, manifestly suspect and in most cases wrong. In fact, users *do* recognize the “services for data” business model, and understand that when a service is free, they’re being presented with targeted ads. *** 4.    The decision presents other pitfalls and is riddled with logical holes. Happy to share thoughts in comments below or DM. (I ran out of space....)