Facebook may be violating GDPR by allowing employees to tag posts

Facebook may be violating the European GDPR privacy regulation by allowing employees of designated companies to look at posts to label them. Facebook does not specifically request permission for this.

Facebook confirms to Reuters that it allows users’ posts on Facebook and Instagram to be labeled by employees of companies it works with. “We make it clear in our data policy that we use information that people give to Facebook to improve the experience and that we may work with service companies to assist in this process,” a spokesperson said.

A specialist lawyer tells the news agency that Facebook may need to make it clearer in its texts that people are looking at the photos that people post, even if they are only shared with contacts. That’s not happening now. Also, there is no way to indicate that people don’t want other people to tag their posts.

Facebook has not confirmed the purpose of the labeling, but according to anonymous employees of an Indian company that does the work for the social network, it involves spotting trends. Each post is given labels about its form and content, such as whether it is a selfie, a landscape photo, or food. In addition, the people who tag the posts can also see privacy-sensitive information, such as usernames in screenshots of chats that people have posted. In India, 260 people have worked on labeling posts, but now there are far fewer.

It is not the first time that employees of partner companies of a large tech company have access to user data. Last month it turned out that people on behalf of Amazon listened in with voice commands to train the algorithm of digital assistant Alexa and had access to more data than necessary. Google and Apple also allow people to listen in on voice commands, but it is better to remove privacy-sensitive data.