Meta Llama
Meta
Business Plan Price: Free (self-hosted) + API $0.10-0.90/M tokens
Enterprise Features: Self-hosted deployment, full data control, Llama API, commercial license
Last Updated: March 23, 2026
Meta Llama - GDPR & Data Privacy Overview for European Clients
Version: March 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This overview explains how Meta Llama (open-source large language models) handles data in relation to GDPR, with a focus on European customers. Llama is fundamentally different from traditional SaaS AI tools: it is an open-source model family that can be self-hosted, giving users complete control over data and infrastructure. However, Meta also offers the Meta AI chatbot and a hosted Llama API, and these hosted services raise significant GDPR concerns.
Critical distinction: Self-hosted Llama models vs Meta-hosted services have completely different privacy profiles.
2 Comparison of Llama Deployment Options (EU focus)
| Deployment | Training on your data? | Data retention | EU residency | Compliance | Price |
|---|---|---|---|---|---|
| Self-Hosted Llama Models | ✅ No (complete data control) | User-controlled | ✅ User choice (deploy anywhere) | User responsibility | Free (license restrictions apply) |
| Meta AI Chatbot (Free) | ⚠️ Yes (as of May 27, 2025) | Undefined | ❌ Likely US | Meta controls | $0 (100k tokens/month) |
| Meta AI+ Subscription | ⚠️ Yes (as of May 27, 2025) | Undefined | ❌ Likely US | Meta controls | $10/month |
| Llama API (launched LlamaCon, Apr 2025) | ⚠️ Likely Yes | Per API ToS (Apr 2025) | ❌ Likely US | DPA available | $0.10-$0.90/M tokens |
| Third-Party Hosting | Depends on provider | Provider-dependent | Provider-dependent | Provider responsibility | Varies (e.g., AWS, Azure, Replicate) |
Notes for Europe
- Self-hosted = GDPR-friendly: When you download and deploy Llama models yourself, Meta has ZERO access to your data. You control infrastructure, data residency, retention, and processing. This is the recommended approach for EU organisations.
- Meta-hosted services = HIGH RISK: As of May 27, 2025, Meta announced it will use EU users' Facebook and Instagram public data to train Llama and Meta AI systems, relying on "legitimate interest" rather than consent. This triggered:
  - Complaints filed by noyb in 11 EU countries
  - Investigation by Irish Data Protection Commission
  - Widespread regulatory concern about GDPR compliance
- Training policy controversy: Meta claims "legitimate interest" under GDPR Art. 6(1)(f) as legal basis for training on EU user data. Many privacy advocates and regulators dispute this. Opt-out available but criticised as insufficient.
- Llama 4 EU ban (confirmed, remains in full effect): Llama 4 (fully multimodal) is completely banned for EU-based developers due to Meta's training data policies. As of March 2026, this ban remains in full effect with no announced timeline for lifting it. Exception: non-EU companies may build Llama 4 products that serve EU customers, but EU-headquartered developers may not use Llama 4 at all.
- Llama API launched (LlamaCon, April 2025): Meta launched its hosted Llama API at $0.10-$0.90 per million tokens depending on model size.
- Irish DPC cleared Meta (May 2025): The Irish Data Protection Commission cleared Meta to use EU public data for AI training, citing "legitimate interest" - but this remains contested by noyb and other advocates.
- noyb cease-and-desist (May 2025): noyb sent a formal cease-and-desist letter to Meta over AI training on EU data, with European class action described as a potential next step. As of March 2026, noyb's class action threat remains active; no settlement has been announced.
- Hamburg DPA urgency proceedings: The Hamburg Data Protection Authority filed Article 66 urgency proceedings; a German court subsequently denied the injunction request.
- EU Digital Omnibus: The EU Commission proposed amendments to GDPR via the Digital Omnibus package to ease AI training on publicly available data - outcome pending.
- Licensing: Llama uses a "Community License Agreement" (not true open source). It is free for commercial use unless you have 700M+ monthly active users, in which case a separate license from Meta is required.
- No enterprise compliance tier: Unlike commercial AI vendors, Meta does not offer SOC 2, ISO 27001, or formal DPA for self-hosted Llama models (not applicable to downloadable software).
3 Is Llama GDPR-Compliant?
Short answer: It depends entirely on deployment method.
✅ Self-Hosted Llama Models: YES (user-controlled)
Why it's GDPR-friendly:
- Meta never sees your data; it's just software you run locally
- You control data residency (deploy in EU data centers)
- You control retention policies
- You control access, encryption, and security
- No third-party subprocessors involved (unless you choose them)
- You are both Controller and Processor
What you need to ensure:
- Secure infrastructure (your responsibility)
- Proper access controls and logging
- Compliance with Acceptable Use Policy
- License compliance (commercial use restrictions if 700M+ users)
⚠️ Meta-Hosted Services (Meta AI, Llama API): HIGH RISK
Why it raises concerns:
- Active GDPR controversy: Meta's May 2025 announcement to train on EU Facebook/Instagram data sparked multiple regulatory complaints
- Legitimate interest disputed: Meta relies on Art. 6(1)(f) "legitimate interest" instead of consent; many regulators and advocates challenge this legal basis
- Lack of transparency: Retention periods, data flow, and subprocessors not clearly documented for Meta AI chatbot
- US infrastructure: No EU data residency option available for Meta-hosted services
- Training by default: Unlike commercial AI vendors offering no-training tiers, Meta trains on user data by default (opt-out required)
What Meta provides:
- Opt-out mechanism (via privacy settings, criticised as insufficient)
- Llama API Terms of Service (updated April 29, 2025)
- Claims to exclude private messages and under-18 accounts from training
Regulatory actions:
- June 2024: noyb filed GDPR complaints in 11 EU countries
- 2024: Irish DPC raised concerns; Meta paused implementation
- May 2025: Meta resumed plans to train on EU data starting May 27, 2025
- May 2025: Irish DPC cleared Meta for EU AI training on public data using "legitimate interest" basis
- May 2025: noyb sent cease-and-desist letter to Meta; European class action flagged as potential next step
- 2025: Hamburg DPA filed Article 66 urgency proceedings; German court denied the injunction
- Ongoing: Multiple investigations and potential enforcement actions; EU Digital Omnibus GDPR amendments proposed to ease AI training
Recommendation by deployment:
| Use Case | Recommended Approach | GDPR Status |
|---|---|---|
| Internal AI tools, EU personal data | Self-hosted Llama on EU infrastructure | ✅ Compliant (with proper controls) |
| Customer-facing chatbot, EU data | Self-hosted Llama or commercial vendor (OpenAI/Anthropic Enterprise) | ✅ Compliant (with DPA, SCCs) |
| Non-sensitive experimentation | Meta AI chatbot with opt-out | ⚠️ Risky (active regulatory scrutiny) |
| Any use of EU personal data | Avoid Meta-hosted services | ❌ Not recommended |
4 Details by Offering
Self-Hosted Llama Models (Recommended for EU)
What it is: Download Llama model files from Meta and deploy on your own infrastructure (on-premises, AWS, Azure, GCP, etc.)
Models available:
- Llama 2 (7B, 13B, 70B parameters)
- Llama 3 / 3.1 (8B, 70B, 405B parameters)
- Llama 4 Scout (up to 10M token context) - EU-based developers: BANNED from use
- Code Llama (specialised for programming)
GDPR considerations:
- ✅ Complete data control: Meta has zero access to your data
- ✅ EU data residency: Deploy in EU data centers of your choice
- ✅ No training on your data: Models are pre-trained; your inference data stays with you
- ✅ No subprocessors: You control the entire stack
- ✅ User-defined retention: Delete data per your policies
License requirements:
- Free for commercial use if <700M monthly active users
- Must comply with Acceptable Use Policy (prohibits illegal use, misinformation, etc.)
- Attribution to Meta required in some contexts
- License available at llama.com/license
Pricing: Free (infrastructure costs are yours)
When to use: Any EU personal data processing, regulated industries, proprietary data
When not to use: If you lack infrastructure/ML expertise to deploy and maintain models
Meta AI Chatbot (NOT Recommended for EU)
What it is: Consumer chatbot accessible via meta.ai, Facebook, Instagram, WhatsApp
GDPR concerns:
- ⚠️ Trains on your conversations: Meta uses chats with Meta AI to train models (as of May 27, 2025)
- ⚠️ Trains on social media data: Public Facebook/Instagram posts, photos, comments used for training
- ⚠️ Legitimate interest legal basis: Meta claims Art. 6(1)(f) GDPR; many dispute validity
- ⚠️ Opt-out required: Must manually object to processing (not opt-in consent)
- ⚠️ Active regulatory scrutiny: Multiple GDPR complaints and investigations ongoing
- ❌ No EU data residency
- ❌ Undefined retention periods
- ❌ No formal DPA
Pricing:
- Free tier: 100,000 tokens/month, ads, 30-day memory, 3 images/prompt, 60 voice exchanges/day
- Meta AI+ ($10/month): Enhanced speed, Llama 4 Scout, 10M token context, priority access
When to use: Never for EU personal data or GDPR-regulated use cases
When not to use: Any EU organisation processing personal data
Llama API (Meta-hosted)
What it is: API access to Llama models hosted by Meta
Status: Launched at LlamaCon (April 2025). API Terms of Service published April 29, 2025. Pricing: $0.10-$0.90 per million tokens. Limited public documentation on GDPR specifics.
GDPR considerations:
- ⚠️ Likely subject to same training policies as Meta AI (unclear)
- ⚠️ US infrastructure (no EU residency confirmed)
- ⚠️ Retention policies not publicly documented
- ✅ API ToS available (requires review)
- ❓ DPA availability unknown
Recommendation: Self-host instead, or use commercial alternatives (OpenAI, Anthropic, Mistral) with clear GDPR frameworks.
Third-Party Llama Hosting
What it is: Cloud providers (AWS Bedrock, Azure AI, Replicate, Together AI, etc.) host Llama models
GDPR considerations:
- ✅ Subject to cloud provider's DPA and compliance certifications
- ✅ EU data residency typically available (AWS Frankfurt, Azure West Europe, etc.)
- ✅ No Meta involvement in data processing
- ✅ Commercial DPAs with SCCs available
- ⚠️ Training policies vary by provider (most offer no-training for paid tiers)
Pricing: Varies by provider (typically $0.20-$2.00 per million tokens depending on model size)
Recommendation: Good middle ground between self-hosting and Meta-hosted services. Verify provider's GDPR compliance.
5 Data Processing Flow
Self-Hosted Deployment (GDPR-Friendly)
[User prompt]
↓
[Your Application Layer] 🇪🇺
↓
[Llama Model (running on your infrastructure)] 🇪🇺
├─ EU data center (your choice)
├─ Your security controls
└─ Your retention policies
↓
[Response to user]
↓
[Data stored per YOUR policies]
❌ Meta has ZERO access to your data
✅ You control everything
Meta-Hosted Services (HIGH RISK)
[User prompt or Facebook/Instagram activity]
↓
[Meta Platform (US infrastructure)] 🇺🇸
↓
[Meta AI / Llama API]
├─ OpenAI (potential subprocessor)
├─ Anthropic (potential subprocessor)
└─ Other undisclosed subprocessors
↓
[Training Decision Point]
├─ Default: Data USED for training Llama models
└─ If opted out: Unclear if data still retained/processed
↓
[Response to user]
↓
[Data retention: UNDEFINED publicly]
⚠️ Active GDPR controversy (noyb complaints, DPC investigation)
⚠️ Legal basis disputed (legitimate interest vs consent)
❌ No EU data residency
6 Recommendations (GDPR-first)
For EU Organisations:
- Self-host Llama models on EU infrastructure for full GDPR control
- Never use Meta AI chatbot for EU personal data or work purposes
- Avoid Meta-hosted Llama API until GDPR compliance is clearly established and regulatory controversies resolved
- Use third-party Llama hosting (AWS, Azure) with proper DPA and EU residency if self-hosting not feasible
- Monitor regulatory developments: The May 2025 training controversy is ongoing; enforcement actions may follow
If Self-Hosting:
- Deploy in EU data centers (Frankfurt, Amsterdam, Paris, etc.)
- Implement proper access controls, encryption at rest/transit, and logging
- Document as Processor in Art. 30 records
- Ensure compliance with Llama Community License and Acceptable Use Policy
- Consider managed Llama hosting (AWS Bedrock, Azure) for easier compliance
If Considering Meta-Hosted Services:
- DO NOT USE for any EU personal data until regulatory clarity achieved
- Monitor noyb complaints and Irish DPC investigation outcomes
- Wait for formal DPAs with SCCs and clear retention policies
- Even with opt-out, legal basis remains disputed
7 EU Rollout Checklist (Self-Hosted)
- Download Llama models - Accept Community License at llama.com
- Deploy on EU infrastructure - AWS Frankfurt, Azure West Europe, OVH, Hetzner, or on-premises
- Implement security controls - Encryption, access controls, logging, monitoring
- Document processing - Add to Art. 30 records as Controller/Processor
- Review Acceptable Use Policy - Ensure your use case complies with Meta's restrictions
- Set retention policies - Define how long you store user prompts and model outputs
- User transparency - Inform users you're using Llama models (if processing personal data)
8 Procurement Quick Answers (EU)
Is Llama GDPR-compliant?
✅ Yes, when self-hosted with proper controls. ❌ No, when using Meta-hosted services (active GDPR controversy).
Can we use it for EU personal data?
✅ Yes, if self-hosted on EU infrastructure with proper security. ❌ No, if using Meta AI chatbot or Meta-hosted API.
Is there EU data residency?
✅ Yes, when self-hosted (you choose location). ❌ No, for Meta-hosted services (US infrastructure).
Does Meta train on our data?
✅ No, when self-hosted (Meta never sees your data). ⚠️ Yes, when using Meta-hosted services (as of May 27, 2025, with opt-out available but disputed).
What's the controversy about?
Meta announced in May 2025 it would train Llama on public Facebook/Instagram posts from EU users, claiming "legitimate interest" instead of consent. noyb filed complaints in 11 EU countries; Irish DPC investigating. Many consider this GDPR-non-compliant.
What are the licensing restrictions?
Free for commercial use if <700M monthly active users. Must comply with Acceptable Use Policy. Not true open source due to usage restrictions.
What about certifications (SOC 2, ISO 27001)?
Not applicable to self-hosted models (it's software, not a service). Meta-hosted services: no public certifications available. Use third-party hosting (AWS, Azure) for certified infrastructure.
9 Notes & Caveats
- Open source ≠ no privacy concerns: While Llama models are open, Meta's hosting services have significant GDPR issues
- Llama 4 EU developer ban (in full effect as of March 2026): Llama 4 is 100% multimodal and banned for EU-based developers. Non-EU companies may still build Llama 4 products for EU end users, but EU-headquartered organisations cannot use Llama 4 at all. No change to this restriction has been announced.
- May 2025 policy change: Meta's decision to train on EU social media data is unprecedented and highly controversial
- Irish DPC clearance (May 2025): The Irish DPC cleared Meta's use of public EU data for AI training on "legitimate interest" grounds - but this decision is itself contested
- Hamburg DPA proceedings: Hamburg filed Article 66 urgency proceedings; a German court denied the injunction, but the legal dispute continues
- Regulatory uncertainty: EU Digital Omnibus amendments to GDPR on AI training are pending; outcome could reshape the legal landscape
- Opt-out criticised: Privacy advocates argue opt-out is insufficient; GDPR typically requires opt-in consent for sensitive processing
- No right to deletion: Once data is used to train Llama, users cannot exercise "right to be forgotten" for that specific training data (models cannot "unlearn" individual data points)
- License restrictions: Community License prohibits certain uses and requires separate agreement if 700M+ users
- Third-party hosting recommended: If self-hosting is too complex, AWS Bedrock, Azure AI, or other managed services provide better GDPR compliance than Meta-hosted services
- Llama 4 Scout context: 10M token context window (7.5M words) enables processing massive documents but also raises data minimisation concerns
10 Disclaimer
This overview is intended solely as an informative tool, particularly given the ongoing regulatory controversy surrounding Meta's use of EU data for AI training. The legal status of Meta's "legitimate interest" claim is actively disputed and under investigation. We strongly advise customers to:
- Avoid Meta-hosted services (Meta AI, Llama API) for any EU personal data until regulatory clarity is achieved
- Prefer self-hosting on EU infrastructure for GDPR-compliant Llama deployment
- Monitor regulatory developments - noyb complaints and Irish DPC investigation outcomes will significantly impact permissible uses
- Consult legal counsel before deploying any Llama-based solution processing EU personal data
WAIMAKERS applies this same principle internally; we self-host Llama models on EU infrastructure rather than using Meta-hosted services. Customers should always carefully evaluate official documentation, licensing terms, and regulatory guidance before deployment. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of this information; ultimate GDPR compliance responsibility rests with the customer.
Prepared and issued by WAIMAKERS B.V. - March 2026.
References
- https://www.llama.com/llama3/license/ - Meta Llama 3 Community License
- https://www.llama.com/llama3/use-policy/ - Llama 3 Acceptable Use Policy
- https://noyb.eu/en/noyb-urges-11-dpas-immediately-stop-metas-abuse-personal-data-ai - noyb GDPR Complaints Against Meta (June 2024)
- https://noyb.eu/en/noyb-sends-meta-cease-and-desist-letter-over-ai-training-european-class-action-potential-next-step - noyb Cease and Desist Letter (May 2025)
- https://www.siliconrepublic.com/enterprise/meta-collection-ai-data-eu-response-irish-dpc-request - Irish DPC Requests Meta Halt EU Data Collection (June 2024)
- https://ai.meta.com/responsible-ai/ - Meta Responsible AI Approach
- https://www.facebook.com/privacy/genai/ - Meta Privacy Center: How Meta Uses Information for Generative AI