Once the export is done and I see something I don't want to exist anymore, where do I request that data be permanently removed (GDPR style)? Asking as I honestly don't know.
> If you do not normally deal with data protection requests, please forward this email to your Data Protection Officer, or relevant member of staff. Please note that you have 30 days to comply with this request.
Options are GDPR which applies to European Union residents and CCPA which applies to Californians. Is there anything for people within the US who are residents of the other 49 states?
Exactly. Unfortunately GDPR failed to realize that most data companies hold about us is inferred. Data takeouts usually provide you with all data you willingly provided (uploads, reviews, likes, playlists, etc). But most interesting information is missing. How often did I watch each video? When did I open each e-mail? There's so much data that companies collect about your behaviour that is never given back to us.
It's entirely possible to collect information to identify a unique human without it being considered PII - combine it all together and maybe add a sprinkle here and there (perhaps public domain info, buying "anonymized" info) and boom, you know who it is.
Yet, if you're audited, it's just a series of IDs and numbers, nothing identifying there...Right?
If you ask Spotify for your data dump, you'll notice in a lot of the .JSON files the information is encrypted such that you can't understand it (it's just numbers). It's impossible to say whether it's actually stored like this or if they encrypt it before they provide the archive to you.
Metadata is almost impossible to legislate against, and as far as I can see, is entirely legal to collect and use as you see fit.
How many people in the world are on hackernews, named "lopis", use Firefox 65, have an IP address in $country, use this screen resolution etc etc
You are identifiable by combining multiple factors, even if every individual factor is not enough to be identifiable.
If I understand it correctly, the EU 'personal data' (PD) concept is much wider than the US 'Personally Identifiable Information' (PII) concept. You are touching one of the differences here.
For GDPR purposes, data is PII if it can be used in combination with any other data to identify an individual. Doesn’t matter if the individual data points are not themselves identifying.
One thing I’ve been curious about is whether AI and algorithms that can potentially take a huge amount of anonymous data and “identify” a user (but not explicitly) only identify in the sense that the output of the AI was only possible by correlating individuals granularly enough. I’m almost certain the answer is yes. I’m not clear on whether GDPR addresses that issue or not.
> For GDPR purposes, data is PII if it can be used in combination with any other data to identify an individual.
By that definition, all data is PII. There is no information available on this planet that has not been influenced by people.
I'm not trying to be obtuse. I worry about this problem a lot. Obviously we need to keep companies from doing stupid stuff like storing the first digit of a Social Security number (can't identify someone by that!) and then the second digit (also not uniquely identifying!), etc.
On the other hand, what if I have web log files that only store URL, timestamp, and status code? Is that OK? If I get hits for two specific pages within a couple of minutes of each other, and there's only one person on the planet who would know about both those pages, I know they were visiting my site at that time.
People influence the world around them and it feels like privacy laws are trying to prevent companies from understanding that influence. At the same time every other incentive is pushing those companies to understand more.
> By that definition, all data is PII. There is no information available on this planet that has not been influenced by people.
I think that is a step too far. For example, it seems quite clear that a dataset of daily average temperatures from the top of Everest is not personally identifying information.
Black hair = PII, address = PII, drives black BMW = PII, any of this information together with other information could be used to identify an individual and that is exactly the issue. It is like saying that one brick is a house just because multiple bricks can make a house. If you gather enough data you can potentially point to specific individual. Just like unique PC fingerprinting - gather enough data points so that the fingerprint is unique.
AFAIK according to the GDPR, knowing each individual fact is fine. Only the combination is PD.
Hence, installing a camera that counts black-haired people, another that counts people entering some location, a third counting people having a BMW is perfectly fine. Merging the 3 recorded tapes to identify a person is not. Giving the 3 tapes to someone else is only OK if you guarantee somehow they won't do the merge.
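As an added example (not from any commenter in the thread), here is how a data holder can measure the risk the thread describes, that individually harmless attributes single people out once merged, before releasing or combining datasets: a k-anonymity check over a constructed sample of visitor records. The column names and values are invented.

```python
from collections import Counter

# Constructed sample (invented values): each single attribute is shared by
# several visitors, but the combination of attributes singles most of them out.
COLUMNS = ["hair", "car", "browser"]
RECORDS = [
    dict(zip(COLUMNS, row)) for row in [
        ("black", "BMW", "Firefox"), ("black", "BMW", "Chrome"),
        ("black", "Audi", "Firefox"), ("black", "Audi", "Chrome"),
        ("brown", "BMW", "Firefox"), ("brown", "BMW", "Chrome"),
        ("brown", "Audi", "Firefox"), ("brown", "Audi", "Chrome"),
        ("black", "BMW", "Firefox"), ("brown", "Audi", "Chrome"),
    ]
]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """The k in k-anonymity: size of the smallest group of records that are
    indistinguishable on `columns`. k == 1 means someone is singled out."""
    return min(group_sizes(records, columns).values())


def unique_fraction(records, columns):
    """Share of records whose combination of `columns` is unique in the set."""
    sizes = group_sizes(records, columns)
    singled_out = sum(1 for r in records if sizes[tuple(r[c] for c in columns)] == 1)
    return singled_out / len(records)


def risk_report(records, columns):
    """k for every single column, then for all columns merged together."""
    report = {(c,): k_anonymity(records, [c]) for c in columns}
    report[tuple(columns)] = k_anonymity(records, columns)
    return report


if __name__ == "__main__":
    for cols, k in risk_report(RECORDS, COLUMNS).items():
        print(f"{'+'.join(cols):24s} k = {k}")
    print(f"singled out by full combination: {unique_fraction(RECORDS, COLUMNS):.0%}")
```

On this sample every single column has k = 5, hair plus car has k = 2, and the full combination drops to k = 1 with 60% of visitors singled out, which is the release decision the check is meant to inform.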
Privacy laws are mainly aimed at allowing those whose data is being used to be aware of this, understand what is used for which purpose, and to elect to control this should they object.
My GDPR requests have usually included inferred data. I'm not sure if it was Facebook or Tinder's that showed a giant list of categories they thought I fitted in, which was btw hilariously wrong (I'm a 30 y/o single male and I was categorised as a single mom, for example).
GDPR does cover inferred data. Source doesn't matter. Only whether this is data about a specific identifiable person and whether it's covered by the list of protected types of data.
Right answer: You can go to [1] and [2] and [3] and ask them to delete your information. It's important to retain a copy in writing that they have removed your information. If a copy is ever found online (in a data breach or otherwise) you would be able to enact legal rights as a result of their GDPR breach. I would encourage people who upload data to leave "fingerprints" in their accounts, such as certain photos, emails, and other data that you have ONLY created on this service (for example, email your own gmail account a unique email, if it's ever leaked, you know where it came from).
It's the same way Spotify's GDPR tool does NOT give you all the information they store, yet if you ask via their DPO (usually privacy@) you get a lot more data; a rather sneaky way of hiding their true data collection.
ALWAYS use email or a physical letter, ALWAYS get a reply by the organization when enacting your GDPR rights, your lawyer/legal authority will be very thankful ;)
AND NEVER EVER USE AUTOMATED TOOLS! The chances are, there is data that isn't included within them. For example, go ahead right this second and submit a SAR for "technical log information" to Google, this data is NOT included in their official tools and you will be amazed how much they're storing!!