Data protection officer finds Meta's AI training with user data "unbelievable"

Since Tuesday, Meta has been able to use the data of all adult European users of Facebook and Instagram to train its AI applications, such as the large language model LLaMA, if those affected have not objected. Federal Data Protection Commissioner Louisa Specht-Riemenschneider has to "take a deep breath" in the face of this. "I find this unbelievable", the lawyer explained at the re:publica internet conference in Berlin. She described the urgent decision by the Cologne Higher Regional Court, which dismissed an application by consumer protection groups against the parent company of Facebook and Instagram on Friday, as "inappropriate".

Shortly beforehand, the Irish Data Protection Authority (DPC) had confirmed that Meta can rely on its own legitimate interest for training purposes and that the opt-out option is therefore sufficient. Specht-Riemenschneider also considers this statement to be "misguided", at least "in this sweeping manner". In general, the lawyer shares the opinion of the European Data Protection Board (EDPB) in the field of artificial intelligence, according to which the training of AI models with personal data is possible based on "legitimate interest". However, this requires a careful balancing of interests.

Specht-Riemenschneider says that she is on the same side as her colleagues when it comes to research interests, such as curing people. However, when it comes to earning money with user data, her assessment is different. If an AI is to be built, "there must be legal requirements for this", she emphasized. In the area relevant to fundamental rights, which is affected by the Meta case, she is therefore now calling for a "legislative decision" whether this practice should be permitted or not. Personally, she believes that specific consent is necessary, at least for the use of data that has already been collected.

Cartel office was involved in Facebook consents

If the opt-out solution remains in place, users should not need half an hour to find the opt-out button, Specht-Riemenschneider clarifies. This position is shared by the President of the Federal Cartel Office, Andreas Mundt. He only realized on Monday that the deadline had expired, he reported. He then wanted to object "very quickly", but it took him around 30 minutes to find the relevant button on Facebook.

Mundt should be familiar with the social network operator's settings dashboard, as Facebook only simplified it in the course of years of proceedings brought by the Cartel Office against the US company. The head of the Bonn authority recalled that this procedure had involved numerous courts, including the European Court of Justice. In the end, an amicable agreement was reached with the operator. In the process, Facebook "designed the entire dashboard for consent together with us". However, this was probably "not sufficient".

Mundt considers an easy-to-find button to be necessary for an objection, without instructions. He left open the possibility of renewed intervention by the Cartel Office: "I'm not saying yes or no" whether it would make sense to take up the Meta approach under competition law. However, it is worrying that the data of 3.2 billion users worldwide is now flowing into the training of AI models. The group's market power depends on this personal information of its members, which in principle opens the door for the authority to intervene.

Tracking information: birth defect of the GDPR

Specht-Riemenschneider also described it as a "birth defect" of the General Data Protection Regulation (GDPR) that service providers do not have to provide relevant information to data subjects when obtaining consent for tracking, for example for personalized advertising. The standards only contain an optional provision here. In addition, many users would be forced to give their consent due to a lack of effective alternatives. Certainly, not all tracking declarations are permissible, but the supervisory authorities have "incredible demarcation problems" here. Here, too, the legislator would have to make improvements. Regulatory control comes too late in 99 percent of cases anyway, so better advance consultation and strategic forecasts should be given more space.

The national enforcement of the Digital Services Act (DSA) is also often on fire, added the President of the Federal Network Agency, Klaus Müller. In some cases, – is in danger, for example when it comes to securing the integrity of elections –. However, the DSA is more of a marathon and much will depend on the rulings of the highest courts. Due to the lack of a budget for 2025, the regulatory authority is currently only working with a quarter of the staff allocated by the Bundestag in the area of DSA. Last year, only a fifth of the platform supervision positions were filled.

(wpl)