In the EU the law just did crack down on this with the new EU Data Protection Directive[1]. The DPD covers not only EU based companies, but also any company that provides services for EU citizens in the EU (so, Facebook, LinkedIn etc. are covered by this..but also e.g. your little weather app).
The new DPD is strict compared to previous regulation, but there are two parts of the directive that a particularly interesting:
- The Data Portability concept: A company covered by the DPD is required to deliver to the user all data the company has on the user, in a standardised format. That means Facebook now has to hand out all your data (information, pics, likes, posts,...) for you to use freely - also in other services. I think this in effect means you own your data. I'm excited to see the effect of this one.
- The right to be forgotten: A company is required to delete all data they have on a user, if the user requests. Actually, if the user invokes this right, the company is not allowed make public, <b>store or process</b> any data related to the user.
From what I hear in discussions between american colleagues, american companies have no clue whats about to hit them. I know there is a mild panic here in Denmark, and the DPD is the most talked about subject in IT at the moment - and we've always been rather anal with the privacy stuff (e.g. cookie-law).
Edit: Oh, I forgot the fun part; this gets a lot of attention due to the sizes of the fines companies get for not adhering to the directive. Fines are up to EUR 20.000.000 or 4% of the company's global annual revenue, whichever is higher. Facebook made USD27.638.000.000 in 2016, so thats a fine of USD1.105.520.000 for not playing nice.
(I posted this in reply to another post, but seems relevant here too)
> The Data Portability concept: A company covered by the DPD is required to deliver to the user all data the company has on the user, in a standardised format. That means Facebook now has to hand out all your data (information, pics, likes, posts,...) for you to use freely - also in other services. I think this in effect means you own your data. I'm excited to see the effect of this one.
The problem here is that those companies use fingerprinting to collect data. This means that in theory they are not 100% sure who is the person they are collecting data from, but in practice they could be 99.99% sure. Still, this makes it impossible to hand out all this data, because there is still a 0.01% chance that the data does not belong to the person who requested it.
Not disagreeing, but I would certainly like some references if you could provide us any. In fact, it would be genuinely troubling if you cannot find any good sources. Here is why: this notion of fingerprinting seems to be an invention of the legal wing, to be brought out as a CYA when these requests were inevitably going to be demanded.
Time for some math:
Since it is only a 0.01% chance, it means you need 10000 discrete pieces of information collected on a single individual before there is a chance of error. If a company indeed has that many pieces of information on you, you first of all need to know that for a fact.
There is a chance the company will counter that this is aggregated probability, as in, with an uneven distribution of errors. If it is indeed aggregated probability, the companies which advertise on these platforms need to demand their money back because for all you known, none of the folks they are targeting are actually correct fits for their ads. Fingerprinting puts the burden of proof on the shoulders of the company that they are indeed allowing advertisers to target the audience they want. How can they be so sure if the errors are unevenly distributed?
In any case, everyone should demand the information anyway, and let us start using this fingerprinting theory as an excellent opportunity to get deeper into the practices of these companies.
The new DPD is strict compared to previous regulation, but there are two parts of the directive that a particularly interesting:
- The Data Portability concept: A company covered by the DPD is required to deliver to the user all data the company has on the user, in a standardised format. That means Facebook now has to hand out all your data (information, pics, likes, posts,...) for you to use freely - also in other services. I think this in effect means you own your data. I'm excited to see the effect of this one.
- The right to be forgotten: A company is required to delete all data they have on a user, if the user requests. Actually, if the user invokes this right, the company is not allowed make public, <b>store or process</b> any data related to the user.
From what I hear in discussions between american colleagues, american companies have no clue whats about to hit them. I know there is a mild panic here in Denmark, and the DPD is the most talked about subject in IT at the moment - and we've always been rather anal with the privacy stuff (e.g. cookie-law).
Edit: Oh, I forgot the fun part; this gets a lot of attention due to the sizes of the fines companies get for not adhering to the directive. Fines are up to EUR 20.000.000 or 4% of the company's global annual revenue, whichever is higher. Facebook made USD27.638.000.000 in 2016, so thats a fine of USD1.105.520.000 for not playing nice.
(I posted this in reply to another post, but seems relevant here too)