Meta’s AI Training and Data Subject Rights: Lessons for DPOs from the Latest EU Developments

Meta’s AI Training and Data Subject Rights: Lessons for DPOs from the Latest EU Developments

In a significant move, Meta has announced its plan to resume training its generative AI models on user data starting May 27, 2025. This decision comes after a pause and subsequent improvements in response to recommendations from the Irish Data Protection Commission (DPC) and other EU/EEA authorities. This blog post delves into the implications of these developments for data protection officers (DPOs) and privacy professionals, highlighting the evolving landscape of data subject rights in the EU.

Background

Meta’s initiative to train its AI models on user data was initially met with scrutiny, leading to intervention by the DPC. The pause allowed Meta to refine its approach, ensuring compliance with EU data protection standards. This move is particularly relevant amidst ongoing debates about AI, data subject rights, and GDPR compliance.

Transparency and User Rights

In response to regulatory feedback, Meta has implemented several transparency measures. These include updated notices, easier objection forms, and extended notice periods, empowering users to have greater control over their data. Such measures are crucial in building trust and ensuring that users are informed about how their data is being used.

Data Subject Controls

Meta has made it easier for users to object to their data being used for AI training. Practical steps have been taken to make this process accessible across Europe, ensuring that users can exercise their rights effectively. This development underscores the importance of user-centric data practices in the digital age.

GDPR Compliance

To align with GDPR requirements, Meta has updated its risk assessments, Legitimate Interest Assessments, and Data Protection Impact Assessments. These updates are vital for compliance best practices, providing a framework for other organizations to follow in navigating the complex regulatory environment.

Implications for DPOs

For data protection officers, these developments offer valuable lessons in proactive engagement with regulators, transparency, and empowering data subjects. DPOs can learn from Meta’s approach to anticipate regulatory changes and implement robust data protection strategies.

Broader Context

The changes at Meta occur within a broader regulatory environment, including the European Commission’s plans to simplify regulations for SMEs and ongoing enforcement actions against AI companies. These factors contribute to a dynamic landscape that DPOs must navigate to ensure compliance and protect user rights.

Conclusion

Meta’s new AI data practices set a precedent for transparency and user control in 2025. By understanding and adapting to these changes, DPOs and privacy professionals can enhance their strategies and ensure compliance with evolving data protection standards.

Other links on the web

• Fasken’s Noteworthy News: Privacy & Cybersecurity in Canada, the US, and the EU - May 2025
• DPC Statement on Meta AI
• DPAs Data Protection Bulletin - May 28, 2025
• Data Privacy News for May 2025
• Data Protection News Updata - 27 May 2025