AI and Personal Data | How may ANPD’s decision against Meta’s Privacy Policy affect you?

AI and Personal Data | How may ANPD’s decision against Meta’s Privacy Policy affect you?

Do you or your company use Facebook, Instagram, Messenger, Threads, or other Meta products? Does your business use AI and process personal data? Then do not miss reading this article, whether to learn about your rights as a personal data subject or to protect your company from risks of inspection and condemnation by the Brazilian National Data Protection Authority (ANPD). 

In the first week of July 2024, the personal data protection community was quite stirred up by ANPDs decision to provisionally suspend Meta´s Privacy Policy in its latest version (effective from 6/26/2024). According to the Policy, Meta began collecting personal data shared by Brazilian citizens on Meta´s platforms to train and refine its generative artificial intelligence (generative AI) systems. 

  • What does Meta´s Privacy Policy say?

The collection of data by Meta for training Generative AI can include, for instance, information in photographs, audio files, and images shared throughout the companys services, potentially involving data subjects who are not users of Meta´s platforms. Here are some relevant excerpts from Metas Privacy Policy regarding the use of personal data, including that of non-users of its products: 

"We use information that is publicly available online and licensed information. We also use information shared in Metas products and services. This information may include posts or photos and captions. We do not use the content of your private messages with friends and family to train our AI." 

"When we collect public information from the internet or license data from other providers to train the models, this may include personal information. For example, if we collect an open blog post, it may include the authors name and contact information." 

"Even if you do not use our products and services or do not have an account, we may still process information about you to develop and improve AI at Meta. For example, this may happen if you appear anywhere in a shared image on our products or services by someone who uses them, or if someone mentions information about you in posts or captions shared on our products and services." 

  • What is Generative Artificial Intelligence?  

Generative artificial intelligence refers to AI systems designed to create content such as images, texts, music, videos, among others, autonomously. These systems can learn patterns and features from large datasets and subsequently generate new content that resembles the input data. 

Generative AI systems are used in a wide range of applications, such as creating digital art, generating creative texts, composing music automatically, producing videos, and even creating new drugs through simulating molecules. 

In summary, generative AI enables machines to learn and create original and creative content, expanding the possibilities of automation and innovation in various fields. 

  • What is the issue with collecting personal data to train Generative AI?  

Any operation that characterizes "personal data processing" requires compliance assessment with LGPD (Brazils General Data Protection Law) and with the fundamental right to personal data protection (LGPD, arts. 1 and 5, X; CF/1988, art. 5, LXXIX). Therefore, the use of personal data to train generative AI must comply with legal and regulatory requirements regarding personal data protection. 

In the case of Meta´s Policy, ANPD´s evaluation identified four potential irregularities in the processing of this data to train generative AI:

  1. Lack of adequate legal basis to process personal data
  2. Processing personal data of children and adolescents without due safeguards, violating their best interests  
  3. Restriction on the exercise of rights by data subjects
  4. Lack of transparency in the disclosure of new information to data subjects

  • Legal Basis 

The lack of a proper legal basis for the processing of personal data or the inadequacy of the data to achieve the intended objectives renders the practice illegal under personal data protection norms.  

Meta cited legitimate interest (LGPD, art. 7, IX) as its legal basis. However, this was deemed inadequate due to the processing of sensitive personal data, failure to observe legitimate expectations of data subjects, and non-compliance with the principles of purpose limitation and minimization (LGPD, arts. 10, II and 6, I and III).  

For example, a Facebook user who seeks to maintain relationships with friends, communities, etc., likely does not expect everything they shared throughout their life to be used to train generative AI, especially the first users, who may not even have heard of generative AI when they joined Facebook.

  • Transparency

According to ANPD, Meta´s Policy does not provide sufficient and necessary information to data subjects, making it difficult for them to understand the potential consequences of processing their personal data for the development of generative AI models. 

Transparency in data processing is required to ensure that data subjects have access to clear, accurate, and easily accessible information about the processing (LGPD, art. 6, VI). In Meta´s case, the change in the Privacy Policy was implemented in Brazil without transparency to data subjects, whereas in Europe, users were informed in advance via e-mail and notifications in apps.

  • Personal data of children and adolescents

Meta´s Privacy Policy does not address the processing of data from children and adolescents, who are also subject to having data being collected and used to train generative AI. As these data subjects are a specially protected category under LGPD due to their vulnerability, the processing of their data must observe appropriate safeguards and risk-mitigating measures, always in the best interest of the child or adolescent (LGPD, art. 14). 

Greater caution is required from the controller for such processing, which ANPD believes was lacking in this case, compared to Meta’s practices in Europe. While in Europe Meta announced that it would not process data from children and adolescents, there was no adequate communication in Brazil.

  • Exercise of rights by data subjects

The opt-out option offered to Brazilian users of Meta´s products is not presented clearly, making it difficult for them to object to the processing of their personal data, contrary to LGPD Article 18 of LGPD. Additionally, the process to exercise this option is complex, which has been widely discussed in social media. For example, Instagram users need to take eight different actions to inform the company of their objection to the use of their data and to exercise the rights provided by LGPD.

  • Decision: Serious and irreparable or difficult to repair damage 

ANPD understood that the occurrence of the four aforementioned irregularities presents an "imminent risk of causing serious and irreparable or difficult to repair damage to data subjects, including children and adolescents" (Vote No. 11/2024/DIR-MW/CD). Metas conduct was classified as a serious infraction that results in a high degree of harm. 

Meta vaguely mentions the future benefits of generative AI in its Privacy Channel, without adequately detailing how personal data are used for this purpose. This results in a significant information gap, especially for third parties who are not platform users, increasing the disparity of information between data subjects and the company. Additionally, Meta´s products have a very high number of users, which contributes to increasing the risk of harm. 

In this context, ANPD ordered the suspension: (i) of the validity of Meta´s new privacy policy regarding the use of personal data to train generative AI systems; (ii) of Meta´s processing of personal data for this purpose, a measure essential to prevent serious and potentially irreparable harm to data subjects whose personal data have been included in Meta´s generative AI models.

ANPD granted Meta a five-day period to demonstrate compliance with the preventive measure, under penalty of a daily fine of BRL 50,000.00 for each day of non-compliance. Meta will need to provide documentation attesting to the adequacy of its privacy policy, excluding the section on processing data to train generative AI, and provide a statement confirming the suspension of the processing in question.

  • How to take precautions?

In addition to periodically assessing whether your business complies with LGPD rules, ANPD regulations, and market best practices, it is important to consider ANPD´s guidance publications. In the case of this precautionary measure, ANPD relied on several sections of its Guidelines on Legitimate Interest, as well as on its Guidelines on Cookies and Personal Data Protection.

Although not considered regulations, these Guidelines have guided the Authority´s oversight activities, including in the case under review herein, where ANPD mentioned that its general guidelines are fully applicable. For example, where ANPD details practical examples and design standards for cookie banners, it expects companies to observe these guidelines, which are aligned with LGPD for the exercise of data subject rights.

  • Next Steps

As the measure imposed by ANPD on Meta is preventive in nature, within a precautionary process, aimed at ensuring the prevention of serious and imminent damages that are difficult to repair to the affected data subjects, the analysis is not yet final. Therefore, a monitoring process will follow to obtain clarifications from Meta and to monitor compliance with the decision.

The Technology, Media, and Telecommunications (TMT) team at Azevedo Sette Advogados is closely following the development of this issue and is available for questions and contributions.