Meta AI: How Facebook & Instagram Data Powers AI Training

Meta (formerly Facebook) plans to train its AI models with content shared by users on Facebook and Instagram, including text, images, and reactions. Important: Only public content from adult users (aged 18 and over) will be used. Content from minors is explicitly excluded. Private messages and non-public posts are also not affected.

The change is not being introduced quietly, but is being publicly advertised. Nevertheless, the central question remains: Were those affected ever really asked?

Consent? Not at Meta.

Instead of obtaining users' permission, Meta relies on the legal basis of “legitimate interest.” This may be convenient from a business perspective, but from a data protection perspective, it is highly problematic. The GDPR requires fair, transparent, and voluntary processing of personal data. There is not much of that here.

Criticism from across Europe

Organizations such as noyb and the BEUC (European Consumer Organization) are sounding the alarm. They have filed complaints against Meta for lack of transparency and undermining fundamental data protection rights. Public pressure is also growing: users want control over their data – especially in the context of AI.

Meta uses only publicly available content from adults, such as photos, captions, likes, and comments, to train AI models. Content from minors and private messages is expressly not used. What many people don't know is that even content posted “only” for friends is not considered public and is therefore excluded according to Meta's current information. Data protection experts point out that the technical distinction between “public” and “restricted visibility” (e.g., “friends only”) is not always clear. There is uncertainty as to whether such content could also be affected in individual cases. However, Meta officially emphasizes that only truly public content will be used for AI training.

The lack of transparency is also critical: Users must fill out a multi-step form to object to the use of their data, with unclear results.

How you can object to data processing for Meta AI

For anyone who does not want their data to be used for Meta's AI, there is an – albeit hidden – option to object:

1. Go to the special page on data use: Meta AI Opt-out
2. Select the form “Object to the use of my data.”
3. Enter the required data (name, country, email address).
4. Confirm your identity with a code.

Meta actively informs users about the new practice, both via app notifications and email. These notifications contain a direct link to the opt-out form. The process is deliberately cumbersome, but it's worth knowing about.

The crux of the matter: Meta claims that it is in its “legitimate interest” to improve AI models – and uses this as its legal basis. However, according to the GDPR, this is only permissible if the interests of the data subject do not outweigh these interests. With such sensitive data (face recognition, family photos, personal statements), this is highly questionable.

Data protection experts warn: “Meta's approach is in direct contradiction to the European data protection philosophy – and could end up setting a precedent.”

Important: The final assessment by the relevant data protection authorities is still pending. Complaints and investigations are ongoing, in particular by the Irish Data Protection Commission (DPC) and at the European level. The legal situation has therefore not yet been conclusively clarified.

Many companies use AI – often unknowingly with third-party data processing tools. The Meta case shows that transparency, control, and documented consent are mandatory.

heyData provides concrete support to companies in the following areas:

• An immediate audit tool for risk classification of your AI systems
• Individual roadmap with recommendations for action based on the EU AI Act
• Team training for responsible AI use & ongoing compliance assurance
• Automated, legally compliant documentation – we take care of compliance for you

Use case: AI project with data protection by design

A medium-sized company in the financial sector wanted to use AI to perform automated customer analyses. With the help of heyData, the data flows were documented, a data protection impact assessment (DPIA) was carried out, and clear opt-in mechanisms were set up. The result: The solution was not only legally compliant, but was also positively received by customers—a real trust advantage.

The EU AI Act introduces new rules for AI models, particularly with regard to biometric data, algorithmic decision-making, and transparency requirements. Companies that focus on privacy by design today will have a clear advantage tomorrow. The topic is also heavily regulated at the international level (e.g., in Canada and California).

AI and data protection worldwide: A comparison

• California (CCPA/CPRA): Allows objection to automated decision-making
• Canada (CPPA): Requires companies to conduct risk-based assessments of AI systems
• China: Introduces registration and disclosure requirements for generative AI

Europe is ahead with the EU AI Act – but global standards are evolving rapidly. Companies should therefore think internationally today.

The Meta case is just the tip of the iceberg. Anyone who uses AI must take responsibility. Not sometime in the future – but now.

Data protection is not a brake pad, but your seatbelt in an AI-driven future.

In summary

• Only public content from adults is used.
• Minors and private messages are excluded.
• The final decision of the data protection authorities is still pending.
• Meta is actively providing information and offering an (albeit cumbersome) opt-out option.