Meta Can Train AI Model on Public Users' Profiles: German Regional Court Rules

In April, Meta Platforms Ireland Limited announced that starting May 27 it would use personal data from public profiles to train its AI model, the court noted. The Consumer Protection Organization of North Rhine-Westphalia sued for a preliminary injunction to stop it.

The court ruled that Meta violated neither the General Data Protection Regulation (GDPR) nor the Digital Markets Act, saying its assessment aligns with that of the Irish Data Protection Commission (DPC), which is the data protection authority responsible for Meta.

Meta's announced use of users' data for AI training purposes, even if considered to be without the consent of the data subjects, is legal under the GDPR because Meta is pursuing a legitimate purpose, the court said. That purpose can't be achieved with other equally effective, less drastic methods, it added.

AI training requires large amounts of data, which can't be readily anonymized, the court said. As part of the balance of users' rights versus Meta's, it said, the interest in data processing outweighs users' rights. This assessment rests, in part, on the December 24 opinion of the European Data Protection Board on training AI models, it added.

Meta will be processing only publicly available data, which is also found by search engines, the ruling noted.

The fact that large amounts of data, including that of third parties and minors and also sensitive data, is affected doesn't weigh against Meta processing, the court said. The company has taken effective measures which significantly mitigate the processing.

Meta announced its plan to train its AI model in 2024, and users have been informed about how to prevent their information from being used, the court noted. They have the option of switching their data to "non-public" or objecting to the use of it. In addition, the data used lacks unique identifiers, such as names or email addresses.

The Friday judgment can't be appealed to the Federal Court of Justice because Higher Regional Courts have primary jurisdiction over injunctive matters, it said.

The Irish DPC said May 21 that its approach to dealing with Meta's imminent AI training was to engage with the company before it rolled out its processing to ensure it complied with the GDPR (see 2505220047).

The Hamburg Data Protection Commissioner takes a different view of the processing, TaylorWessing privacy lawyers posted Friday. They cited reports that the office had issued urgent proceedings against Meta shortly before the company started its AI training, and that Meta must respond by May 26. They also noted that the Hamburg data protection authority intends to block Meta from providing AI training to German data subjects for at least another three months.

Privacy activist Max Schrems said his organization, Noyb, was "somewhat surprised about the outcome, given that Meta's breach is quite massive and obvious." However, he noted, while a preliminary injunction wasn't granted, that doesn't mean that it won't be in the main action.

While the German consumer group brought its case for Germany, Schrems added, "Noyb is also planning a case for the entire EU."

The Cologne verdict shows there's still "considerable uncertainty" around AI training, the TaylorWessing lawyers wrote. Above all, "the authorities in the European Union are not dealing with the emerging legal issues in a uniform manner."

At the same time, the attorneys said, the cautious approach of the Irish DPC and the decision of the Higher Regional Court "show that AI training with existing data is not per se inadmissible, even if personal data is involved."