Norway, Sweden, Denmark, UK

Privacy Corner

by Eva Jarbekk, Sofie Axelsson and Oskar Engman

Published:

Grafitti of a camera on a textured wall. Photo.

Privacy moves both fast and slow. Slow is how complaints and cases make their way through the legal system. Fast is how facts and technology change.

One of the articles in this edition discusses the US order requiring Anthropic to suspend the use of Fable in Europe. Before publication, however, Anthropic succeeded in having that decision reversed, meaning the service can still be used in Europe. Keeping up to date could be a full-time job in itself, but the point is to keep your eye on what really matters. In this case: the broader public debate remains: How do we handle that US services may be ordered to shut down services that European users want and rely on, and how do we deal with soverginty.

It is also clear that surveillance and data collection are increasing in many places. AI is one driver of this. Vast amounts of data exists, and there is strong pressure to use it: to train AI, to ensure that employees do what they are supposed to do, and to make money from reselling — hopefully anonymised — data.

A short newsletter is not the place for wide-ranging reflections on all of this. But I will repeat something I wrote at the end of this edition: I am convinced that the basic principles behind privacy law will become more and more important if many of the freedoms our society is built on are to endure. That is a big statement, so I will leave it there.

And with that, summer is nearly here. I wish you a slow summer — even if I am sure some fast-moving work emergencies may still find their way to you.

Trump v. Slaughter: What the us Supreme Court's ruling means for EU-US data transfers

Those who have been following this newsletter will recall that we covered the Trump v. Slaughter case earlier this year, before the decision came down. The question then was whether President Trump had the authority to remove FTC Commissioner Rebecca Slaughter from her position, bypassing the statutory requirement that commissioners could only be removed for inefficiency, neglect of duty or malfeasance in office. The answer, handed down on 30 June 2026 in a 6-3 decision, is that he did. The consequences for EU-US data transfers are significant, and the full picture is still unfolding.

What the Court decided

For 90 years, the legal position in the US rested on a 1935 precedent: Humphrey's Executor. The decision held that independent agencies like the FTC could be insulated from direct Presidential control, with their commissioners protected from removal except for cause. The Supreme Court has now thrown that precedent out. In a majority decision, the Court held that because the FTC exercises executive power, the President must be able to remove its commissioners at will. The FTC's independence from the White House is, as a matter of US constitutional law, gone.

Why this matters for the Data Privacy Framework

The EU-US Data Privacy Framework rests explicitly on the independence of the FTC as an enforcement authority, a body the European Commission's adequacy decision references as a core safeguard no fewer than 259 times. With the Supreme Court ruling that the FTC cannot be shielded from Presidential control, that structural independence no longer exists in any meaningful sense.

The DPF also relies on the Data Protection Review Court, a redress mechanism for Europeans seeking remedy against US government surveillance. That body was created not by statute but by executive order, specifically Biden's Executive Order 14086. Notably, Trump has already questioned the validity of Biden's executive orders, arguing that documents signed under Biden's so-called "autopen" are invalid. And even setting that dispute aside, an executive order offers little constitutional protection of its own, and under the logic of the Slaughter decision, it is challenging to see how the Court's independence could be defended either.

EU treaty law, by contrast, requires that oversight of personal data processing be carried out by an independent authority. That requirement sits at the constitutional level of the EU legal order and cannot be changed without the unanimous agreement of all Member States. The two legal frameworks are now, on their face, difficult to make compatible.

What happens next

It is important to be clear about what the ruling does and does not immediately change. The European Commission's adequacy decision remains formally in force until it is either repealed by the Commission itself or annulled by the CJEU. There is no automatic, immediate effect on data transfers. Companies currently relying on the DPF can, for the time being, may continue to do so.

That said, the pressure on the framework has increased considerably. NOYB, the European privacy advocacy organisation founded by Max Schrems, has written formally to the European Commission calling for an orderly withdrawal of the adequacy decision. Should the Commission fail to act, NOYB has indicated it will file a legal challenge before the CJEU, which would set the court on a path toward a third annulment in a Schrems III decision. Such proceedings typically take two to three years to reach a final decision.

The picture is not straightforwardly simpler for companies relying on Standard Contractual Clauses or Binding Corporate Rules rather than the DPF directly. Transfer impact assessments carried out under those mechanisms have typically relied on the independence of legal bodies whose independence is now equally in question under the Slaughter logic. Those assessments may need to be revisited.

Reflections

It is premature to say that EU-US data transfers are now unlawful. But it would be equally premature to say that nothing has changed. What the Slaughter decision does is remove one of the foundational legal assumptions on which the DPF was built, and it does so at the level of US constitutional law, not through a policy change that could be reversed by a future administration. The European Commission faces a difficult choice between acting proactively and waiting for the CJEU to force its hand, as has happened twice before. Whether the outcome is a "Schrems III", remains to be seen, but the direction of travel is not one that strengthens confidence in the framework's long-term durability.

For organisations with significant US data flows, this is a moment to review the legal basis on which those transfers rest, ensure that transfer impact assessments are up to date, and monitor developments closely.

You can read more about the matter here, and find the U.S. Supreme Court decision here.

New York's One Fair Price Act

For any organisation that uses personal data to adjust pricing, New York's One Fair Price Act is worth a careful read. The bill, passed on 5 June 2026 and now awaiting Governor Hochul's signature, would prohibit using personal data to set individualised prices for consumers. If signed, New York becomes the third US state to take this step, after Maryland and Connecticut, and the one with the strongest version so far.

From disclosure to prohibition

Last year, New York required businesses to display a notice whenever personalised algorithmic pricing was in use. The One Fair Price Act drops that disclosure requirement and replaces it with an outright ban. The compliance question is no longer "have you told customers?" but "are you doing it at all?"

The core line

Dynamic pricing as such is not banned — prices can still move based on inventory, demand or market conditions. What is prohibited is using a specific consumer's personal data to determine what that consumer is willing to pay, and charging accordingly. Loyalty programmes and standard discounts are preserved, but the line between a permitted loyalty mechanic and a prohibited personalised price is exactly where enforcement will land.

The economic case, and why regulators are pushing back

Personalised pricing is, in economic terms, a form of price discrimination. The textbook argument is not trivial: prices that respond to supply and demand allocate scarce capacity efficiently, and differentiated prices can allow sellers to serve price-sensitive consumers who would otherwise be priced out at a single uniform price. The reason regulators are nonetheless moving against the data-driven version is that this case relies on assumptions that increasingly fail to hold. A functioning market presupposes that buyers and sellers operate with broadly comparable information; modern data infrastructure pushes that balance to the opposite extreme, so that the price a consumer sees reflects what the seller has inferred about them rather than the underlying supply and demand. The result is a transfer of value from consumers to producers that falls hardest on the less price-aware or more vulnerable — and empirical work increasingly suggests it erodes trust in market exchange itself.

Reflections

In Norway, there was a survey showing that 90% of consumers were against personal pricing based on their digital footprint. See here. It appears that there is little personal pricing although there are many cases of dynamic pricing based on e.g. how many available airline seats and fluctuating demand. The survey also showed that ther was less personal pricing than expected. So it is fair to assume that few companies in Europe have the kind of personal pricing that one has seen in the US, so in many ways I believe this is a sign that the US is adopting practices that are common in EU. There is a limit to how intrusive profiling of customers may and should be. And that is good news.

Smart glasses and the consent problem nobody has solved yet

What if the person sitting across from you on the subway is filming you right now — and you would never know? That is not a hypothetical. It is the core privacy problem that smart glasses present, and European regulators are finally starting to treat it as one.

The trigger this time was a report in Swedish media that subcontractors for Meta in Kenya had been reviewing footage captured by the company's smart glasses to help train AI models. The recordings were not of street scenes or traffic. They included bathroom visits, banking details, and people having sex. The EDPB has since ordered a dedicated report on the "social acceptability" of smart glasses, due this summer. France's CNIL issued a stark warning in May, describing the risk of surveillance that is "almost invisible and omnipresent." Sweden's data protection authority has called for a broader societal discussion. The Norwegian Consumer Council has put it plainly: there is simply no meaningful way for people to consent to being filmed by someone wearing these glasses.

Meta's defence is that the glasses include an LED light that activates during recording, and that tamper detection prevents users from covering it. If that is enough to calm regulators, remains to be seen.

The broader picture is worth watching. Samsung, Google and Apple are all entering the market. Over 7 million pairs of Meta's glasses were sold globally last year, with European distribution still ramping up. A US class action is gathering steam and actively looking for European users to join. Someone has already built a private app — downloaded 120,000 times — just to alert people when smart glasses are nearby.

You can read more about the matter here.

An unsubscribe link that led all the way to the US — and back to SCHREMS II

It started with a routine marketing email. A subscriber to an Austrian magazine clicked the unsubscribe link, noticed it led to a US-owned marketing platform, and asked a straightforward question: on what basis was his data transferred to the United States? The answer was Standard Contractual Clauses, supplemented by additional technical and organisational measures such as encryption, terms of use, storage management systems. The Austrian Federal Administrative Court has now ruled that the measures taken were not enough.

The events in this case date from March 2022 — well before the EU-US Data Privacy Framework was adopted in July 2023. The DPF did not exist at the time of the processing, so it was simply not available as a transfer mechanism. The court therefore assessed the transfer entirely under the Schrems II and SCC framework, without the DPF in the picture.

The court followed the logic of Schrems II closely. SCCs can, in principle, constitute an appropriate safeguard. Additional measures can raise the level of protection. But no combination of contractual arrangements and technical measures can address the core problem: US surveillance law allows American authorities to access personal data held by US companies, and EU data subjects have no effective judicial redress. That gap is structural. Encryption in transit did not close it. A well-drafted data processing agreement did not close it. The transfer violated Article 44 GDPR.

Organisations that have since migrated to the DPF for their US transfers are in a formally different position. But it is worth being clear-eyed about what that means: the DPF addresses the judicial redress gap that Schrems II identified, and it holds for as long as it survives its own inevitable legal challenge. As we cover in this edition, that challenge may already be here. The US Supreme Court's ruling in Trump v. Slaughter has removed the constitutional foundation on which the Federal Trade Commission’s independence rested, and with it, one of the core pillars on which the DPF was built. As mentioned above, NOYB, founded by Max Schrems and the NGO behind both landmark CJEU rulings that struck down the previous EU-US data transfer frameworks — was quick to send a formal letter to the European Commission asking it to take the appropriate steps to repeal the EU-US data deal in an orderly way.

For readers of this newsletter, I hardly need to underline the consequences of this, should the DPF fall and all must rely on SCCs again. Another matter making this case worth paying attention to, is how unremarkable the facts are. The data transferred was a name and an email address. The processing activity was sending a subscription email. The third-party provider was a standard mass email marketing tool — the kind used by countless organisations across Europe without a second thought. If this configuration fails the Schrems II test, so does a significant portion of what still passes for compliant practice today among those who have not yet moved to the DPF, or whose processors have not.

You can read more about the matter here.

"This call may be recorded" — not good enough, says Austrian court

How many times have you called a company and heard the familiar automated message: "This call may be recorded for quality assurance purposes"? It is one of the most routine data processing practices in existence. An Austrian court has just examined that practice closely — and found it wanting on every legal basis the controller put forward.

The case involved a public broadcaster that recorded incoming calls to its service line and informed callers via an automated message that recordings could also be broadcast. A caller complained to the Austrian DPA. The broadcaster defended the recordings on three grounds: a legal obligation under national quality-assurance legislation, a task in the public interest, and legitimate interest. The Austrian Federal Administrative Court, in a decision from April 2026, rejected all three — and then rejected consent for good measure.

The thread running through each rejection was the same: necessity. National law required the broadcaster to operate a quality-assurance system, but it did not specifically require call recording. Audience surveys, studies and consultations could achieve the same purpose. The same logic dismantled the public interest and legitimate interest arguments — less intrusive alternatives existed, and the data minimisation principle under Article 5(1)(c) applied with full force. On consent, the court was equally firm: the fact that the data subject called back after hearing the recording notice did not constitute valid consent. Consent requires an active indication of agreement, and continuing to dial is not that.

What I find striking here is the gap between how widespread this practice is and how little legal scrutiny it typically receives. The quality-assurance purpose is legitimate — the court accepted that — but legitimacy of purpose is not the same as lawfulness of processing. If the purpose can be achieved through less intrusive means, recording every call does not meet the necessity test, regardless of which legal basis you reach for. Please check your routines when recording customer calls.

You can read more about the matter here.

The Anthropic episode and sovereignty as a risk management question

A handful of developments in May and June 2026 have moved the conversation about European technological sovereignty out of the strategy-paper category and into territory that privacy and compliance teams now need to engage with directly. For our readers, this is, at its core, a risk management question — and one that has become considerably more concrete over the past few weeks.

The Anthropic episode

On 12 June 2026, the US government issued an export control directive ordering Anthropic to suspend access to its most advanced AI models for foreign nationals. Distinguishing users by nationality is technically unfeasible, so Anthropic disabled Claude Fable 5 and Mythos 5 globally — for everyone, including European customers. The European Commission responded that "contingency measures should not be discriminatory against partners" and that the episode illustrates the case for strengthening European technological sovereignty. Other Claude versions remain available, so the immediate operational impact is limited. The risk-relevant point is structural: a US authority can switch off a specific capability for European users with little notice, and the customer's contract with the provider does not change that.

The wider context

The Anthropic episode is not an isolated event. Over the past months, sovereignty considerations have surfaced across a range of European regulatory and policy initiatives — in cloud procurement frameworks, in competition law actions targeting major non-EU providers, in national decisions about which communication tools public bodies are permitted to use, and in renewed scrutiny of the long-standing tension between US extraterritorial legislation and the GDPR. The specific instruments differ, but the underlying concern is the same: the extent to which critical digital functions used in Europe sit under the legal and operational control of jurisdictions outside the EU, and what that means when those jurisdictions choose to exercise that control.

The risk management lens

For our readers, the right frame here is the same one applied to any other operational risk. Which providers in your stack sit under non-EU jurisdiction, and what could that jurisdiction compel them to do? If access is cut tomorrow, do your contracts give you a real exit, or only one on paper? And are your AI and cloud dependencies treated as a sovereignty question in vendor due diligence, or still only as a GDPR transfer question?

These questions are not new, but they have changed character. Until recently, the answer was often that the risks were theoretical, the probabilities low, and the operational consequences manageable. The Anthropic episode is a useful data point because it adjusts the probability assessment. A scenario that compliance teams could reasonably treat as remote a year ago looks meaningfully less remote today.

Sovereignty in this context is not about isolation or about banning US technology. It is about identifying where dependency creates risk and ensuring that the organisation retains the ability to choose, switch or constrain when it needs to.

You can read more about the matter here, here, here, here, and here.

Elkjøp fined nok 20 million — what Norway's DPA took issue with

Norway's data protection authority, Datatilsynet, has issued a NOK 20 million fine against Elkjøp Nordic following an investigation that has been running since 2022. The case concerns the retailer's customer club, a loyalty programme used by a significant share of Norwegian consumers, and raises questions that are relevant well beyond Elkjøp itself.

The consent question

Elkjøp's customer club was structured so that customers who wanted access to discounts and exclusive offers joined a single package that also included newsletters, SMS marketing, profiling, personalisation and behavioural analysis. Datatilsynet took the view that this bundling rendered the consent invalid. In the authority's assessment, consent was not sufficiently specific, since sending general marketing communications, profiling for personalised advertising and analysing purchasing behaviour are distinct purposes that should have been presented separately. The authority also considered that consent was not freely given, since customers had no option to join for the benefits alone without accepting the broader package. Finally, Datatilsynet found that the information provided to customers before sign-up focused primarily on discounts and benefits, and did not clearly explain what profiling and behavioural analysis involved in practice.

How customer data was subsequently used

Datatilsynet also examined two further processing activities. The first concerned customer matching, where Elkjøp used contact details collected through the customer club to match customers with identifiers held by advertising platforms. In the authority's view, customers who had signed up for a loyalty club to receive discounts could not reasonably have been expected to anticipate that their data would be used in this way, and Elkjøp had not carried out the compatibility assessment required under Article 6(4) GDPR before repurposing the data. The second concerned offline conversion tracking, where transaction data from in-store purchases was shared with advertising platforms to measure the effect of digital advertising. Here, Datatilsynet did not rule out that a valid legal basis could in principle exist, but considered that Elkjøp's legitimate interest assessment had not addressed the relevant factors with sufficient depth.

Mitigating factors and the broader lesson

The fine reflects that the issues concerned core GDPR principles and affected a large number of people. At the same time, Datatilsynet expressly acknowledged that Elkjøp cooperated throughout the investigation, demonstrated increased privacy awareness, and had implemented improvements following the inspection. The authority also took the length of the proceedings into account as a mitigating factor.

The broader relevance of the case extends to any organisation operating a loyalty programme or customer club. Datatilsynet's reasoning makes clear that consent needs to be granular enough to cover distinct purposes separately, that the information provided to customers must reflect what the processing actually involves, and that repurposing data for advertising-related activities requires careful assessment before it begins rather than after.

You can read more about the matter here.

A parcel locker, a missing processing agreement, and a €205,000 fine

Spain's DPA has fined delivery company SEUR €205,000 for failing to put a proper data processing agreement in place with Citibox, the operator of the parcel lockers it used as an alternative delivery point for its customers. The legal issue is straightforward, but the case is a useful illustration of a mistake that is more common than it should be.

When an employee of the delivery company deposited a parcel in a Citibox locker instead of delivering it to the recipient's home address, the recipient's phone number was shared with Citibox so that she could be notified and collect it. The recipient had no prior relationship with Citibox and had not consented to her data being shared with them. SEUR and Citibox did have a contract in place. That contract, however, classified both companies as independent controllers. The DPA found that characterisation to be wrong. Citibox was simply providing a service to SEUR as part of SEUR's own delivery operation, with no independent purpose of its own. That makes Citibox a processor, not a separate controller, and without a compliant Article 28 processing agreement, SEUR was in breach.

The practical lesson is one worth keeping in mind when onboarding third-party service providers: how the parties describe their relationship in a contract does not determine how the GDPR classifies it. What matters is what the organisations actually do with the data. If a vendor is processing personal data solely to carry out a service on behalf of another organisation, it is a processor. In such cases, of course, a processing agreement is required regardless of what the contract says.

You can read more about the matter here.

Small fine with clear message: Emirates fined for health data handling

Italy's data protection authority has fined Emirates €180,000 for its handling of health data collected from passengers with reduced mobility. The case carries a reminder that is worth keeping front of mind: data that is no longer needed must be deleted, and "seven years" is not an automatically acceptable answer for sensitive health information.

The case began with a complaint from a passenger who was asked to fill in a medical form despite not falling within the categories for whom such documentation is required. Interestingly, the Garante did not find fault with the processing of health data as such. Collecting medical information to ensure safe transport and appropriate assistance was considered lawful. The violations lay elsewhere: Emirates had failed to provide sufficiently clear privacy information to passengers, and had retained health data from medical forms for seven years, which the authority considered excessive and disproportionate.

The retention point is the one most worth pausing on. Seven years may be a figure that organisations reach for by default, borrowed from tax or accounting retention rules. But those rules do not translate to health data collected in an entirely different context. The question is always whether the retention period reflects what is genuinely necessary for the purpose for which the data was collected, and for a medical form submitted before a flight, the answer is unlikely to be seven years.

You can read more about the matter here.

€18 million for repurposing traveller data — what went wrong at Amadeus

Amadeus is one of the world's largest Global Distribution System (GDS) providers. Its travel technology platforms enable airlines, travel agencies and other travel providers to search, book and manage travel services, resulting in the processing of personal data relating to millions of travellers worldwide.

In 2023, an anonymous complaint triggered an investigation by Spain's DPA into a pilot project in which Amadeus had taken booking data and repurposed it, without telling travellers, to build profiles for hyper-personalised marketing, shared with hotels and other travel companies. The result is an €18 million fine, the largest the AEPD has ever issued, and a case that carries some important lessons for any organisation thinking about doing something similar.

What actually went wrong

Two violations sit at the heart of the decision. First, Amadeus failed to inform travellers that their data was being used for a new and entirely different purpose. Amadeus is a B2B operator. It never deals directly with travellers, receiving their data through airlines and travel agencies instead. When it decided to repurpose that data for its own commercial pilot, it had no direct channel through which to communicate with the individuals affected. Rather than solving that problem, Amadeus pointed to vague language in its privacy policy about analytics and product improvement. The AEPD rejected that as wholly inadequate for a specific, large-scale profiling activity that travellers could not reasonably have anticipated.

Second, Amadeus had no valid legal basis for the processing. It attempted to rely on legitimate interest, but the balancing test it conducted, to the extent it conducted one at all, did not hold up. The processing was outside the reasonable expectations of travellers, there was no direct relationship between the parties, and the commercial interest of Amadeus in running a profiling pilot did not outweigh the fundamental rights of millions of individuals who had no idea it was happening. Amadeus had also retained PNR data beyond the statutory retention periods set out in EU law on computerised reservation systems, using both active and inactive booking data from 2019.

The lessons for data reuse projects

The Amadeus case is a useful reference point for any organisation considering repurposing data it originally collected for a different purpose, whether for AI development, product insights, or commercial pilots.

A few points stand out. Reusing data as a controller obligation applies even to service providers: the fact that Amadeus acquired the data while acting as a processor for its clients did not change the analysis once it started using that data for its own purposes. It became a controller and was held to controller standards. Equally, running something as a "pilot" does not exempt it from compliance obligations. Where a pilot involves real personal data at scale, the full GDPR compliance process applies before it starts, not after it is already running.

On transparency, the decision underlines that vague privacy policy language is not sufficient notice of a specific new processing activity. This applies particularly where there is no direct relationship with data subjects and no realistic mechanism through which they could become aware of what is happening to their data. And where further processing for a new purpose is contemplated, a compatibility assessment under Article 6(4) is not optional.

Amadeus has paid €14.4 million, a 20% reduction for voluntary payment, but without admission of liability, and has indicated it intends to appeal. The case is worth following.

You can read more about the matter here and find the original decision here.

EDPB presents a common data breach notification form for the whole of Europe

Organisations that have had to notify a data breach across multiple EU jurisdictions will know that each DPA has its own form, its own structure, its own preferred level of detail. The same incident, reported to three different authorities, may require three different formats. The EDPB has now adopted a draft common template to change that, and the public consultation is open until 5 August 2026.

What the template covers

Having reviewed the template itself, it is thorough. A few things stand out. The template requires not just a description of what happened, but a structured assessment of the nature of the breach, whether it is a confidentiality, integrity or availability breach, how the incident was discovered, what measures were in place at the time, and the organisation's own assessment of risk severity. It also asks specifically about whether the AI model or systems involved have changed, and whether protective measures could realistically be subverted. This is not a tick-box exercise.

Why this matters in practice

For organisations operating across borders, the practical benefit is significant. Under the current patchwork system, a breach affecting data subjects in multiple EU countries requires separate notifications to each relevant DPA, each in a different format. A harmonised template does not remove the multi-authority notification obligation, but it means the underlying document can be prepared once and submitted consistently.

There is also a longer-term dimension worth watching. The draft Digital Omnibus Regulation currently being negotiated at EU level separately proposes that a common template, once finalised, becomes mandatory across all EU DPAs. If that proposal is adopted, using the template will no longer be a convenience but a legal requirement.

The consultation closes on 5 August. For organisations with a view on how the template could be improved, or privacy teams who encounter its limitations in practice, this is a genuine opportunity to feed into the process before it is finalised.

You can read more and access the consultation here.

Employee tracking: Microsoft teams now knows when you are in the office — and Meta tracks keystrokes of own employees

Microsoft is rolling out a new feature in Teams that automatically updates users' work location when their device connects to the organisation's Wi-Fi network. It became generally available in June 2026, and there is a reasonable chance IT or HR teams are already considering enabling it. The legal side needs to weigh in before that happens.

While quite privacy intrusive from a European perspective, the privacy architecture has some essential safeguards. The feature is disabled by default, administrators must actively enable it, and individual employees can opt in or out at any time. That is a sensible starting point, but it is not the end of the story.

Enabling this feature almost certainly triggers a DPIA obligation. Systematically tracking employees' physical presence, even passively and within a corporate network, is the kind of processing that demands an impact assessment reflecting the organisation's specific purposes and risk profile. A documented legal basis will of course be required, and employees need to be genuinely informed, not merely pointed to a privacy policy.

Reflections

What makes this feature worth paying attention to beyond the immediate compliance checklist is what it represents more broadly. Functionality that would once have required a dedicated tracking system is now embedded in a platform most organisations already use for calls, documents and project management. The technical barrier to monitoring employee presence has effectively disappeared. Whether that is a problem depends entirely on how organisations choose to use it, and whether their legal and privacy teams are involved before the feature goes live rather than after.

You can read more about the matter here.

At the same time, Meta has put a controversial internal AI project on hold after employees raised concerns about privacy. The program collected detailed information from employees’ work activity such as keystrokes, mouse movements, and parts of what appeared on their screens. The objective was to help train AI systems using real-world work behavior. Around 1,600 employees signed a petition objecting to the level of monitoring and questioning their consent.

Reports say that information collected through the program — including internal conversations, transcripts, and performance-related data — became more broadly accessible inside the company than intended. Meta said it had no evidence that the information was misused but paused the initiative while it investigates what happened.

The broader point of the story is that AI companies of course want access to real human behavior to improve models, even though it creates tension with privacy and workplace trust. I have no answer to this, but I do believe that the principal ideas behind privacy legislation is increasingly important.

Do you have any questions?