ORG complaint to ICO about Meta privacy policy changes
Open Rights Group has submitted a complaint to the Information Commissioner’s Office (ICO) about Meta’s plans to take users’ information to “develop and improve AI”. The complaint has been submitted on behalf of five ORG staff members who are Meta users.
About the complaint
Meta emailed Facebook and Instagram users in the UK at the end of May to inform them of changes to their privacy policy that were due to come into effect on June 26. They claimed that Meta would now “rely on the legal basis called legitimate interests” to use individuals’ information for its AI development. In addition, while Meta told users they had the right to object, it did not commit to honouring objections as a matter of course. Once a user’s data had been used by the company, it would likely be irreversible so consent could not be applied retrospectively.
On June 6, the data rights group “None of Your Business” lodged GDPR regulatory complaints in 11 EU member states, asking Data Protection Authorities (DPAs) to immediately stop Meta’s abuse of personal data for AI. As a result, Meta announced plans to pause these changes on June 14, and the ICO posted that Meta “responded to our request to pause and review plans to use Facebook and Instagram user data to train generative AI”.
However, so far, there has been no official change to the Meta privacy policy that would make this stop to data processing for the development of Meta’s “AI technologies” legally binding. Thus, the complainants feel compelled to raise a formal regulatory complaint in the UK. With this, they want to ensure that Meta’s proposals are shelved , and that the ICO protects the rights of UK residents to the same standard that other DPAs afford in the European Union.
The complainants have called on the data regulator to:
- Issue an imminent and legally binding decision under Article 58(2) UK GDPR to prevent the processing of the personal data of the complainants – and over 50 million UK data subjects — without consent.
- Fully investigate the matter under Article 58(1) UK GDPR.
- Prohibit the use of personal data for undefined “artificial intelligence technology” without the opt-in consent form the complainants – and indeed other data subjects.
Mariano delli Santi, complainant and Legal and Policy Officer at Open Rights Group said:
“Meta’s plans to ingest its users’ data, posts and pictures will impact more than 50 million Instagram and Facebook users in the UK. It’s not acceptable that the company are making a half hearted attempt to enable people to opt out rather than give their consent to such intrusive data processing.
“The proposals appear to violate UK GDPR on a number of levels, and we urge the ICO to investigate thoroughly and stop them once and for all.”
How is Meta violating GDPR?
Meta appears to violate at least Articles 5(1) and (2), 6(1) 6(4), 9(1), 12, 13, 17(1)(c), 18, 19, 21(1) and 25 UK GDPR.
- Meta has no legitimate interest under Article 6(1)(f) UK GDPR that would override the interest of the complainants (or any data subject) and no other legal basis to process such vast amounts of personal data for totally undefined purposes.
- Meta actually attempts to get permission to process personal data for undefined, broad technical means (“artificial intelligence technology”) without ever specifying the purpose of the processing under Article 5(1)(b) UK GDPR.
- Meta has taken every step to deter data subjects from exercising their right to choose by pretending that data subjects would only enjoy a right to object (“opt-out”) instead of relying on consent (“opt-in”) and by entertaining extensive dark patterns to deter users from objecting under Article 21 UK GDPR.
- Meta fails to provide the necessary “concise, transparent, intelligible and easily accessible” information, “using clear and plain language”.
- Meta says itself that it is not able to properly differentiate (i.) between data subjects where it can rely on a legal basis to process personal data and other data subjects where such a legal basis does not exist and (ii.) between personal data that falls under Article 9 UK GDPR and other data that does not.
- Meta says itself that the processing of personal data is irreversible and it is unable to comply with the “right to be forgotten” once personal data of the complainants is ingested into (unspecified) “artificial intelligence technology”.
Email from Meta
Below is the email that was sent to Meta users:
We’re updating our Privacy Policy as we expand AI at Meta
Hi,
We’re getting ready to expand our AI at Meta experiences to your region. AI at Meta is our collection of generative AI features and experiences, like Meta AI and AI Creative Tools, along with the models that power them.
What this means for you
To help bring these experiences to you, we’ll now rely on the legal basis called legitimate interests for using your information to develop and improve AI at Meta. This means you have the right to object to how your information is used for these purposes. If your objection is honored, it will be applied going forward.
We’re including updates in our Privacy Policy to reflect these changes. The updates go into effect on June 26, 2024.
META WANTS TO MAKES US ITS AI GUINEA PIGS
The problem with Meta’s plans to process its users’ data to train AI
Find out more