Illegitimate Consent

This week, Facebook notified its users of its intent to roll out A.I. This includes using content from its userbase – ie, you – as learning material to train it. Meta (parent company of both Facebook and Instagram) describes this content thusly:

“Information you’ve shared on our Products and services could be things like:
– Posts
– Photos and their captions
– The messages you send to an AI

We do not use the content of your private messages with friends and family to train our AIs.”

The approach that Meta is taking is assuming that consent is implicitly granted unless you tell them not to. This feels counterintuitive, should they be allowed to do this? Here in the UK we left the EU but adopted GDPR regulations pretty much wholesale into domestic law (it’s now known as “UK GDPR”), does that not require opt-in rather than opt-out?

Well, yes and no. Under UK GDPR there are half a dozen clearly-defined reasons why a company is allowed to hold and/or process your data. One of them is obviously Consent: to wit, you’ve explicitly told them that they can.

The reason Meta is citing is “Legitimate Interest.”

Hang on a moment, haven’t we seen this somewhere before somewhere?

[I’m not picking on this particular cookie pop-up, it’s just an example]

Let’s take a step back a moment to talk about cookies. Here we see the second tab on a cookie consent request dialogue from a British newspaper which did have the Consent boxes correctly unselected by default as UK GDPR demands. So what’s Legitimate Interest, why was it hidden behind the “User Consent” tab and why are they preselected? Well, as it turns out this is a slipperier beast.

There are a number of points of interest here. Firstly, there are extensive rules as to when a company (called the “controller” in GDPR) can claim Legitimate Interest which aren’t really important for the purposes of this post, but (very) broadly speaking it’s a catch-all for when other criteria don’t apply. Assuming that they are abiding by the rules – and I expect plenty aren’t – then the upshot is that if that box is ticked then they can still process your data if they have justifiable reason even if you have not ticked the Consent box. In other words, if they can’t get your consent, but they think it’s important to them or a third party (or indeed, many third parties, if you want a shock go look at the vendor list on one of those cookie pop-ups) then they’re just going to go ahead and do it anyway.

It gets worse. If you Consent, you have an inherent right to revoke that consent at any time. If it’s Legitimate Interest then you have a right to object, which is somewhat different.

Back to Facebook. Handily, Meta provides a form to register your objection, buried deep in their systems (I know, I was surprised too). And here it is:

Of particular note here is there is a text box reading “Please tell us how this processing impacts you. (Required)” My first reaction was cynically that this is here simply to dissuade people from continuing, but remember we’re objecting not demanding. Regardless, I know a number of folk who have completed it now with variations on “I don’t consent” or “because of GDPR” and at time of writing I’ve yet to yet to hear of any request being denied.

Now, I’m not about to tell you whether objecting to Meta’s Legitimate Interest is something you should do or not, only you can decide that for yourself. My personal opinion is that I don’t want variations on my likeness popping up in AI images, and a privacy description of “…could be things like” is weaselly wording which makes me nervous.

Leave a comment

Your email address will not be published. Required fields are marked *