''AI Innovation and Personal Information Protection: How Far to Allow?''
In spring 2025, Meta officially announced plans to use EU user data without explicit consent for AI model training — collecting public posts, comments, and Meta AI interactions from adult EU users on Facebook and Instagram for AI training beginning May 27. Users were notified via in-app alerts and email, with opt-out via web form. Meta cited GDPR's "legitimate interest" provision as legal basis, excluded under-18 content, private messages, and opted-out data. NOYB (None of Your Business, Austrian data protection NGO) responded on May 14 with an official "cease and desist letter" to Meta Ireland, calling the data use "clear GDPR violation" without explicit opt-in consent, threatening injunctions and class action in Ireland and EU member states. Additional civil society actions: six EU data protection authorities from Germany, France, Italy, Spain, Netherlands, and Austria issuing joint warnings; European Data Protection Board (EDPB) and digital rights organizations demanding temporary suspension. Meta's GDPR challenge: "legitimate interest" as legal basis for AI training requires balancing against users' rights and legitimate expectations — using social media posts users shared for connection purposes for commercial AI training may fail the balancing test even if individual posts are public. The power asymmetry: while opt-out mechanisms exist, the default is participation, creating consent by inaction; GDPR generally requires affirmative consent for processing sensitive data for new commercial purposes. Broader implications: the Meta-EU confrontation is testing whether GDPR's principles — purpose limitation, data minimization, legitimate interest balancing — are compatible with large-scale AI training on social media data at all, or whether training AI on social media requires a different legal framework.
