Open Rights Group has submitted a complaint to the Information Commissioner’s Office (ICO) about Meta’s plans to take users’ information to “develop and improve AI”. The complaint has been submitted on behalf of five ORG staff members who are Meta users.

About the complaint

Meta emailed Facebook and Instagram users in the UK at the end of May to inform them of changes to their privacy policy that were due to come into effect on June 26. They claimed that Meta would now “rely on the legal basis called legitimate interests” to use individuals’ information for its AI development. In addition, while Meta told users they had the right to object, it did not commit to honouring objections as a matter of course. Once a user’s data had been used by the company, it would likely be irreversible so consent could not be applied retrospectively.

On June 6, the data rights group “None of Your Business” lodged GDPR regulatory complaints in 11 EU member states, asking Data Protection Authorities (DPAs) to immediately stop Meta’s abuse of personal data for AI. As a result, Meta announced plans to pause these changes on June 14, and the ICO posted that Meta “responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI”.

However, so far, there has been no official change to the Meta privacy policy that would make this stop to data processing for the development of Meta’s “AI technologies” legally binding. Thus, the complainants feel compelled to raise a formal regulatory complaint in the UK. With this, they want to ensure that Meta’s proposals are shelved , and that the ICO protects the rights of UK residents to the same standard that other DPAs afford in the European Union.

The complainants have called on the data regulator to:

• Issue an imminent and legally binding decision under Article 58(2) UK GDPR to prevent the processing of the personal data of the complainants – and over 50 million UK data subjects — without consent.

• Fully investigate the matter under Article 58(1) UK GDPR.

• Prohibit the use of personal data for undefined “artificial intelligence technology” without the opt-in consent form the complainants – and indeed other data subjects.

How is Meta violating GDPR?

Meta appears to violate at least Articles 5(1) and (2), 6(1) 6(4), 9(1), 12, 13, 17(1)(c), 18, 19, 21(1) and 25 UK GDPR.

• Meta has no legitimate interest under Article 6(1)(f) UK GDPR that would override the interest of the complainants (or any data subject) and no other legal basis to process such vast amounts of personal data for totally undefined purposes.

• Meta actually attempts to get permission to process personal data for undefined, broad technical means (“artificial intelligence technology”) without ever specifying the purpose of the processing under Article 5(1)(b) UK GDPR.

• Meta has taken every step to deter data subjects from exercising their right to choose by pretending that data subjects would only enjoy a right to object (“opt-out”) instead of relying on consent (“opt-in”) and by entertaining extensive dark patterns to deter users from objecting under Article 21 UK GDPR.

• Meta fails to provide the necessary “concise, transparent, intelligible and easily accessible” information, “using clear and plain language”.

• Meta says itself that it is not able to properly differentiate (i.) between data subjects where it can rely on a legal basis to process personal data and other data subjects where such a legal basis does not exist and (ii.) between personal data that falls under Article 9 UK GDPR and other data that does not.

• Meta says itself that the processing of personal data is irreversible and it is unable to comply with the “right to be forgotten” once personal data of the complainants is ingested into (unspecified) “artificial intelligence technology”.

Digital Privacy

Hands Off Our Data

Find Out More