#1 Middle East & Africa Trusted Cybersecurity News & Magazine |

Tuesday, July 22, 2025

Meta Faces Legal Backlash Over AI Training Plans: NOYB’s Cease and Desist Sparks Potential EU Class Action


Meta Platforms Inc., the parent company of Facebook and Instagram, is under intense scrutiny in Europe following its announcement that it will use personal data from European users to train its artificial intelligence (AI) systems starting May 27, 2025. The Austrian privacy advocacy group NOYB (None of Your Business), led by renowned privacy activist Max Schrems, has issued a cease and desist letter to Meta, challenging the legality of this data usage under the General Data Protection Regulation (GDPR). This move could pave the way for a significant class action lawsuit, potentially resulting in billions of euros in damages.

Meta’s plan involves utilizing public content from European users, such as posts, comments, and interactions with Meta AI, to train its generative AI models. The company asserts that this data processing is justified under the ‘legitimate interest’ clause of the GDPR, which allows data processing without explicit consent under certain conditions. Meta has stated that users will receive notifications with a link to opt out of this data usage and that data from minors and private messages will be excluded.

However, NOYB contends that Meta’s reliance on ‘legitimate interest’ is a misapplication of the GDPR. Schrems points out that the European Court of Justice has previously ruled against Meta’s use of this justification for targeted advertising, questioning its applicability to AI training. NOYB argues that Meta should instead seek explicit opt-in consent from users, as required for processing sensitive personal data under the GDPR.

Legal Actions and Potential Consequences

NOYB’s cease and desist letter is a precursor to possible legal actions under the EU Collective Redress Directive, which allows qualified entities to initiate collective lawsuits on behalf of consumers. If Meta proceeds without addressing these concerns, it could face injunctions requiring the cessation of data processing and deletion of any AI models trained on unlawfully obtained data. Furthermore, Meta could be liable for non-material damages to users, with estimates suggesting potential claims amounting to billions of euros, considering the vast number of European users affected.

In addition to NOYB’s actions, other consumer protection groups, such as Germany’s Verbraucherzentrale NRW, have also sent cease and desist letters to Meta, indicating a growing coalition against the company’s data practices.

Meta’s Response and Ongoing Debate

Meta has defended its approach, stating that it complies with GDPR guidelines and that users have been provided with clear options to object to their data being used for AI training. The company emphasizes that only public data from adult users will be used and that private messages and data from users under 18 are excluded.

Despite these assurances, privacy advocates argue that the opt-out mechanism is insufficient and that the default should be opt-in consent. They express concerns that users may not fully understand or be aware of the data usage, potentially undermining their privacy rights.

10 Recommendations to Mitigate Similar Privacy Risks

  1. Implement Opt-In Consent Models: Organizations should prioritize obtaining explicit consent from users before processing personal data, especially for purposes like AI training.
  2. Enhance Transparency: Clearly communicate data usage policies and purposes to users, ensuring they are informed and can make educated decisions about their data.
  3. Simplify Opt-Out Processes: If opt-out mechanisms are used, they should be straightforward and easily accessible to all users.
  4. Regular Privacy Audits: Conduct periodic reviews of data processing activities to ensure compliance with privacy regulations and to identify potential risks.
  5. Data Minimization: Collect and process only the data necessary for specific purposes, reducing the risk of overreach and potential misuse.
  6. User Education: Provide resources and guidance to help users understand their privacy rights and how their data is used.
  7. Engage with Regulators: Maintain open communication with data protection authorities to align practices with regulatory expectations and address concerns proactively.
  8. Develop Ethical AI Guidelines: Establish internal policies that govern the ethical use of AI and data, ensuring respect for user privacy and rights.
  9. Anonymize Data When Possible: Use anonymization techniques to protect user identities when processing data for AI training or other purposes.
  10. Monitor Legal Developments: Stay informed about changes in privacy laws and regulations to adapt practices accordingly and maintain compliance.

Conclusion

Meta’s initiative to use European users’ data for AI training without explicit consent has ignited significant legal and ethical debates. The actions taken by NOYB and other advocacy groups highlight the importance of adhering to privacy regulations and respecting user rights in the digital age. As AI technologies continue to evolve, companies must balance innovation with responsibility, ensuring that user trust is maintained through transparent and lawful data practices.

Ouaissou DEMBELE
http://cybercory.com
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
