This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Transparency on Trial: How LinkedIn and X Misused User Data to Train AI – And Why the EDPB Says We Were Right
The use of personal data in training generative AI models has raised profound ethical and legal questions, particularly around transparency and user consent. Following our complaints, the DPC initiated investigations into LinkedIn and X (formerly twitter), ultimately suspending their practices.
The use of personal data in training generative AI models has raised profound ethical and legal questions, particularly around transparency and user consent. In June and August, we filed two formal complaints with the Data Protection Commission (DPC) of Ireland against LinkedIn and X (formerly Twitter), challenging their data practices related to the training of their generative AI (GenAI) systems. These cases highlighted significant issues with how companies use user data for AI development without clear disclosure.
- Notably, X, without adequate notification, implemented automatic data sharing policies to harvest posts for training its GenAI systems. This covert approach bypassed user awareness, exploiting the content people shared on the platform.
- LinkedIn buried disclosures about data usage for AI training deep within its privacy policy. Users would need to navigate several layers of documentation to discover that their photos, personal information, posts, invitations, comments, and even private messages were utilized to train LinkedIn’s GenAI tools.
These practices violated fundamental principles of data protection, including transparency, fairness, and purpose limitation, as enshrined in the GDPR.
Following our complaints, the DPC initiated investigations into both companies, ultimately suspending their practices. The DPC also sought guidance from the European Data Protection Board (EDPB), which issued an opinion that validated our concerns. Released today, the EDPB opinion underscores several key points that directly address the lack of transparency and user awareness.
The EDPB emphasized that transparency is not merely a formality but a critical component of lawful data processing. Companies must provide clear, accessible, and meaningful information about how personal data is collected and used, particularly in complex contexts like AI training. The opinion stressed that users must not be forced to dig through multiple layers of privacy policies to uncover hidden practices. Instead, they should be informed proactively and in straightforward terms.
The opinion also underlined the necessity of informing users not just about the collection of their data but also about the specific purposes for which it is being processed, including its use in AI training. Both LinkedIn and X failed in this regard, as their data practices were not transparently communicated to users, and in the case of X, entirely absent from user notifications.
A key takeaway from the opinion is the emphasis on aligning data practices with users’ reasonable expectations. Users of social media platforms like LinkedIn and X would not reasonably expect their private messages, invitations, or posts to be repurposed for AI training without any specific, clear and unambiguous information. This discrepancy between practice and expectation exacerbates the breach of trust and undermines the principles of fairness and transparency.
The opinion makes it clear that opaque or hidden data processing practices, like those employed by LinkedIn and X, are inherently unfair and non-compliant with GDPR. Companies must adopt proactive measures to ensure users are well-informed.
Our complaints against LinkedIn and X were not just about isolated cases of data misuse: they represent broader concerns about corporate accountability in the age of AI. The EDPB’s opinion validates our position and marks a step forward in ensuring that innovation in AI respects the fundamental rights of individuals.
The clear emphasis in the opinion on transparency and the duty to inform users is a reminder that companies cannot operate in secrecy when handling personal data. Information must be provided in a manner that is both accessible and actionable, ensuring that users are fully aware of how their data is being used and why.
Now, we expect the DPC to take the next step and impose fines on both companies for their actions. Furthermore, consumers who were affected during the period their data was used without transparency should be entitled to redress. This accountability is vital to restoring trust and ensuring that user rights are upheld.
Share:
