GDPR requests expose exploitative contracts for content moderators in Kenya and Nigeria, showing BPOs and their tech clients routinely deny basic labour rights; EU data-protection law can pierce corporate secrecy and strengthen accountability for offshore moderation work.

Main Finding

The authors show that European data-protection law (the GDPR) can be used as an investigatory, enforceable audit tool to obtain employment documents (contracts, NDAs, etc.) from BPOs that employ African content moderators. Using Subject Access Requests under Articles 15 and 20 of the GDPR, workers and their union partners recovered documents that provide legally grounded evidence of systematic structural disadvantages and exploitative working conditions in the AI data-work supply chain (lack of clear task descriptions, restrictive NDAs often not provided to workers, short/rolling contracts, intensive surveillance and performance monitoring, and attendant health risks). The paper contributes both a transferable methodology and empirical documentary evidence about labour practices that are typically concealed behind claims of technological exceptionalism.

Key Points

• Technological exceptionalism: The tech industry’s narrative of exceptionalism helps obscure standard outsourcing dynamics and shields BPO-mediated data labour from scrutiny and legal accountability.
• BPOs as AI supply-chain actors: Many AI firms externalize large volumes of low-wage human labour to BPOs in the Global South; that labour is central to AI model development yet hidden from public view.
• Contractual opacity: Employment contracts often omit clear descriptions of tasks and working conditions; workers were frequently denied copies of NDAs or required to sign restrictive confidentiality terms.
• Surveillance & precarity: Work is tightly monitored (time, accuracy, throughput), with heavy performance thresholds, short-term contracts, and mechanisms (NDAs, visa-dependency) that suppress worker voice and collective action.
• GDPR as a practical audit tool: The GDPR’s extraterritorial scope (processing of data flowing into/out of the EU) enables workers in jurisdictions with weaker protections to exercise data subject rights and compel disclosure of employment-related personal data.
• Two contributions: (1) Methodological/legal — demonstrating GDPR-based audits of AI labour; (2) Empirical — providing document-based evidence from four real cases that reveal contractual and organisational practices in BPOs.
• Participatory approach: Research was co-led with the African Content Moderators Union (ACMU) and PersonalData.IO, centring workers in the audit process.

Data & Methods

• Project and methodology: Part of the Data4Mods project; used the Digipower methodology — a data-rights-driven, participatory audit approach enabling workers to exercise GDPR rights.
• Legal basis: Subject Access Requests under GDPR Article 15 (right of access) and Article 20 (data portability) with statutory one-month response window (possible two-month extension).
• Jurisdictional logic: Relied on GDPR extraterritoriality — applicability when organisations are established in the EU or process personal data flowing to/from the EU — to compel disclosure by BPOs operating in Kenya and Nigeria.
• Cases and evidence: Four cases in which companies provided employment-related documents in response to SARs; the returned documents were analysed to assess contractual terms, NDAs, and evidence of surveillance/working conditions. (The paper reports document-derived legal evidence; exact company identities and full document lists are detailed in the article.)
• Research design: Participatory/co-led with workers and unions to ensure ethical engagement and centre worker perspectives; situates contract analysis alongside interviews and literature on BPO labour organisation, surveillance, and occupational health.
• Limitations/notes: GDPR enforcement heterogeneity and company responses vary; data protection law is not a panacea for all labour-law issues, but provides a pragmatic transparency mechanism where local protections are weak.

Implications for AI Economics

• Externalised labour costs are underestimated: The AI industry’s apparent technological productivity masks substantial, outsourced human labour costs and negative externalities (health, precarity) that are currently off-balance-sheet for many AI firms.
• Reallocation of bargaining power and auditability: Data-rights instruments (like GDPR) reduce informational asymmetries in global AI supply chains. Increased transparency can strengthen workers’ bargaining positions and enable civil-society or regulator-driven interventions, which may raise labour costs for firms that currently rely on opaque outsourcing.
• Compliance and cost effects: If GDPR-style transparency is enforced broadly (or imitated globally), platforms and BPOs may face higher compliance costs, liability risk, and reputational risk. Firms might internalize certain operations, renegotiate supplier contracts, or substitute some human annotation with paid internal teams or automated/synthetic alternatives—each option shifting cost structures.
• Incentives for automation vs. better human conditions: Faced with higher labour/accountability costs, firms may accelerate automation of annotation tasks, increasing capital intensity. Alternatively, firms could raise wages and improve conditions to maintain human labour quality—implying higher recurrent operating costs but potentially better data quality and lower turnover.
• Global labour-arbitrage dynamics: GDPR-driven audits weaken one side of global labour arbitrage by exposing poor working conditions that had been concealed; this could compress wage differentials or change where and how data work is contracted, with macro effects on employment in outsourcing hubs.
• Data quality and model performance: Poor working conditions (stress, high turnover, insufficient breaks) likely degrade annotation quality, implying that internalizing labour-rights costs might deliver gains in data quality and model reliability—but at higher monetary cost.
• Policy leverage for redistribution: Data protection rights can function as indirect labour-policy tools in jurisdictions with weak employment protections, offering a channel to improve standards in AI supply chains without relying solely on domestic labour law reforms.
• Broader market effects: Greater transparency and enforcement could increase the effective price of “cheap” labeled data, slow some low-cost model training projects, and alter competitive dynamics—advantaging firms able to absorb higher upstream labour costs or those investing in improved working conditions and reputational differentiation.

Overall, the paper demonstrates a practical mechanism to reveal and legally substantiate hidden labour inputs in AI production. For AI economists, that implies that previously invisible labour externalities can be quantified and internalized via regulation and market pressure, with downstream effects on model costs, firm strategies, labour markets, and welfare distribution across the AI supply chain.