Artificial Intelligence

Meta Ai is hacking into our smartphones without consent, can it do that?

Many possible conflicts with European data protection rules: from lack of transparency to lack of explicit consent for data subject to special processing

by Chiara Ricciolini

4 April 2025

3' min read

Key points

A system inseparable from the app
Possible conflict with European regulations
All responsibility passed on to the user
An aggressive market strategy

3' min read

Meta Ai has entered our smartphones without asking permission. It is the virtual assistant of Zuckerberg's group that uses Llama 3.2, Meta's large language model. Now it has also landed in the European Union, where, however, it could come into conflict with the General Data Protection Regulation (GDPR), which governs the processing of personal data in the EU.

A system inseparable from the app

The virtual assistant Ai is integrated directly into the Whatsapp, Instagram and Facebook apps, and cannot be uninstalled. If the user does not wish to use it, he can only refrain from using the chat or uninstall the app completely. Meta Ai cannot read the private conversations of other chats, because the messages are encrypted. Its use, however, is for the purpose of assisting users in processing content for their own private chats. If you ask Meta Ai "how can I use you?" it will answer "I can help you generate texts such as emails, messages or even whole stories" or "I can translate texts from one language to another".

The possible conflict with European regulations

"An implicit automatism of use could be problematic for European regulations," comments Gabriele Faggioli, scientific head of the cybersecurity & data protection observatory at the Politecnico di Milano. "If the compulsory hook-up to the app is deemed incorrect, the authorities will have to intervene to force Meta to provide it.

Meta Ai collects personal data and shares it with selected partners, companies whose identity is unknown. The purpose would be to 'improve the responses of the language model', as the assistant himself stated when questioned on the subject. "More detailed information should be given on this. If there is no specific indication of the companies or categories of subjects with whom there may be sharing, this is another profile on which the authority could intervene'.

This system of data collection could then conflict with the principle of 'data minimisation', one of the pillars of the GDPR, according to which the user may only collect and use data necessary to pursue a defined purpose.

All liability passed on to the user

The user is solely responsible for sharing his or her personal data: if he or she does not want Meta to use it, he or she should not share it in the Ai chat. According to Faggioli, 'there could be a problem in terms of transparency and difficulty for the user to understand the complexity and consequences of using this tool'.

It is in fact an 'implied consent' because it is the user's actions that imply consent to the collection, use and sharing of data. "The authorities may not consider an automatic mechanism not based on explicit consent to be appropriate considering the power of the tool".

But in the chat with Meta Ai, the user could provide many of his or her 'data subject to special processing', such as racial or ethnic origin, political opinions, sexual orientation. It is precisely these data that according to the GDPR must be subject to 'explicit consent' obtained by a communication that the user actively provides through a clear and unambiguous statement.

An aggressive market strategy

Despite possible criticalities with European regulations, Meta's virtual assistant is now also available to us Europeans. "It is not uncommon for North American operators to move into the European market and only then for the authorities to consider their practices incongruous," Faggioli continues.

"Particularly for procedures that do not lead the user to consider well the invasive elements of the tool. One of the strategies of these companies is often to force the situation and then wait for the authorities to intervene and comply with the legislator's corrective measures. "Should the authority consider that the procedure adopted in data collection is not legitimate, at that point it will sanction," he concludes.