EPISODE · May 29, 2025 · 24 MIN

2025-W22 Replika with EUR 5M Fine, Meta Wins Big, EU Commission Indecisive

from Privacy Navigator: Weekly Insights on Privacy, AI, and Compliance · host Elislav Atanasov

Garante Slams Replika with a EUR 5M Fine

The Italian Data Protection Authority (Garante) has imposed significant corrective measures, including a EUR 5M fine and a potential ban on processing Italian users' data, against Luka Inc., the company behind the AI chatbot Replika.

According to the decision, the Garante found multiple GDPR breaches:

- Lack of Legal Basis: Particularly for processing sensitive data inferred from user conversations, including emotional and health-related information (violating Articles 6 and 9).
- Transparency Failures: Insufficient information provided to users about how their data, especially chat content, would be used for training AI models (Article 13).
- Risks to Minors: Inadequate age verification systems, leading to the unlawful processing of children's data (Article 8).
- No DPIA: Failure to conduct a Data Protection Impact Assessment for what is clearly high-risk processing activity (Article 35).
- Data Protection by Design/Default Deficiencies: Principles of Article 25 not adequately implemented.

The "black box" nature of some AI models won't fly if the fundamentals of GDPR – legal basis, transparency, risk assessment, and data protection by design – are not robustly addressed from the outset.

For AI companions and similar services, inferred data is increasingly seen as sensitive, requiring explicit consent.

Meta Pushes Ahead with EU User Data for AI Training

This is the first time we report privacy news in favour of Meta. It’s odd. It seems that legitimate interest could be the way to go, after all, for AI training.

First, the Cologne Higher Regional Court in Germany made a significant ruling concerning Meta's use of publicly available user data for training its artificial intelligence systems. The court found that Meta's actions were lawful under Article 6(1)(f) of the General Data Protection Regulation (GDPR).

The court recognized Meta's interest in training its AI as a legitimate aim. A key point in the ruling was the acknowledgement that training effective AI models requires vast quantities of data.

Additionally, Meta has signaled its intention to train its AI with user data to the Irish DPC, which is the leading DPA. Again, Meta is expected to rely on "legitimate interests" (Article 6(1)(f) GDPR) as the legal basis for this processing.

The Irish DPC issued a statement confirming it is engaging with Meta on these plans.

Using opt-out for AI training data raises many questions. Once data is ingested and used to train a foundational model, can it truly be "unlearned" or its influence fully erased if a user objects later?

How to opt out?

If you haven't already, here is how to opt out from Meta using your personal data for AI training.

Here’s the direct link to submit your request to Meta.

If for some reason the link doesn't work, make sure to go to Privacy > Privacy Center > Privacy Topics > Submit an objection request.

You will have to do the same for each social media platform you use...

Yes, it's infuriating. It's called malicious compliance.

EU Commission Suggests EU AI Act Pause and GDPR Simplification

While the EU AI Act is formally adopted and its phased entry into force continues, the path to full practical implementation is hitting some turbulence.

Recent reports indicate that the development of harmonized technical standards, which are vital for companies to demonstrate compliance for high-risk AI systems, is taking longer than initially anticipated, with some now expected in 2026. Similarly, the Code of Practice for General-Purpose AI (GPAI) models has faced pushback and delays in finalization.

Separately, but related to the AI ecosystem, on May 21, 2025, the European Commission announced a series of simplification measures aimed at reducing administrative burdens and cutting red tape for EU businesses, particularly Small and Medium-sized Enterprises (SMEs).


