Meta's Ray-Ban smart glasses, pitched as an AI assistant, are facing scrutiny in Sweden over data privacy concerns. The core issue: what data the glasses collect, and how Meta and its subcontractors handle it, especially under GDPR.
The Incident
A joint investigation by Swedish newspapers Svenska Dagbladet and Göteborgs-Posten details significant failures in the data annotation pipeline. The reports center on Sama, a Meta subcontractor in Nairobi, Kenya, tasked with reviewing video and audio clips to train the glasses' AI. Sama workers described viewing highly sensitive material from private settings, including "sex acts and toilet visits" and people in states of undress. While Meta claims to use automated blurring, workers reported these safeguards "do not always work" and failed often enough to expose identifiable material. This raises critical questions about the integrity of Meta's data anonymization process.
The Mechanism
The glasses capture images, video, and audio, which Meta processes for AI training and service improvement. This data is transferred, stored, and processed across Meta's infrastructure, including data centers in Sweden, Denmark, and Ireland. The core technical challenge lies in the limitations of automated redaction algorithms, which can fail to consistently identify and obscure faces, unique environmental details, or other personally identifiable information (PII), creating a significant risk of re-identification. Meta's privacy policy remains ambiguous on specific data retention periods for AI-processed content and lacks a clear, streamlined process for users to execute their right to be forgotten for this specific data category.
The Impact
The privacy risk extends to anyone captured and processed by the glasses, not just the owner. This incident also highlights the complexities of GDPR compliance for international data transfers. As of early 2026, Kenya is in advanced adequacy dialogues with the European Commission, a process that began in May 2024 to assess if its Data Protection Act provides a level of protection essentially equivalent to the GDPR. Should it succeed, Kenya would be the first African nation to receive such a designation. However, the decision is not yet finalized, meaning additional safeguards like Standard Contractual Clauses are still required for data transfers from the EU.
This is not the first time the relationship between Meta and Sama has been scrutinized. Sama has a history as a content moderation contractor for Meta in the region and has faced lawsuits alleging poor working conditions, union busting, and inadequate mental health support for moderators reviewing graphic and traumatic content. This prior history adds weight to questions about the firm's data handling practices and Meta's oversight of its subcontractors.
Meta's Stated Privacy Measures (Counterpoint)
Meta emphasizes user privacy and data security, citing end-to-end encryption for some features, data minimization, and user controls. They also offer privacy policies and settings. However, privacy advocates and tech journalists have questioned the effectiveness of these measures, particularly regarding the practical implications of data annotation processes.
The Response
A Meta spokesperson stated the company takes data protection "very seriously" but did not provide specific answers to detailed questions from the Swedish press. This incident occurs amid broader regulatory pressure on Meta in the EU. The company's "Pay or Okay" model, which requires users to either consent to tracking for personalized ads or pay a monthly fee, has been challenged by privacy advocates and regulators as a potential violation of the GDPR's standard for freely given consent. This larger context informs the intense scrutiny of any new data collection initiative.
In response to the smart glasses investigation, Members of the European Parliament from 17 countries, representing the S&D, Greens, the Left and Renew political groups, have submitted a formal written question to the Commission regarding Meta's GDPR compliance in this matter. GDPR mandates transparency on personal data processing. Meta should immediately clarify the anonymization techniques used, the criteria for selecting data for manual review, the security protocols for protecting data during annotation, and the specific legal basis for processing data in countries without a current adequacy decision.
Sources
- Svenska Dagbladet: Meta's smart glasses and privacy
