Hacker News

Now suppose your product is personalized search. You need every piece of data about someone, for as long as possible, so that you can do ML on it and personalize their search results. You could even argue that targeted advertising is part of the product in the same way that vendors pay grocers for shelf space and yet the cereal they were paid to put in front of you is a product you might actually choose (especially given that the contrary would imply they're wasting their money paying for placement).

And never mind search, personalized anything based on ML.

Which of those things does that violate? You can specify the thing ahead of time, anything that isn't statistically independent from the outcome is relevant but the only way to know that is to have the data to analyze it and that relation could change at any time, there is no natural time limit on how long the data remains useful for that purpose, etc.

My claim is not that that would necessarily be the outcome in an EU court. They're apparently quite against the idea in general -- prohibiting that sort of bulk data collection seems to be what everybody puts out as the justification of the rules. What I'm asking is, by what reasoning does that ostensibly undesired behavior actually violate those rules?

Meanwhile on the other hand, are we sure we actually want it gone? If ML-driven personalized medicine ultimately gets good enough to extend your life by a decade or make it so that you don't spend the second half of it bedridden, it would be worth quite a lot of cost to have that benefit.

It seems to me we're going about this whole thing wrong. The problem is not the data, it's the centralization. Having your own data is valuable, but it should be yours, on your device, not Facebook's. And then you knock out a major category of mass data breach because all the data doesn't actually exist in any one place.

Then if you want to share it with your doctor, you should be able to do that. But if your boss wants it, or the government without a warrant, it's still yours -- nobody gets to demand it, and Facebook can't provide it to Cambridge Analytica without your consent, because they don't have it. You do. And the "personalized news feeds" most people don't actually want isn't enough to convince you to give it to them.

But that's a completely different thing. It's more of a technical solution -- a different architecture that protects privacy intrinsically, rather than a set of rules that corporations can try to weasel out of with lawyers and lobbyists and jurisdiction shopping and trade wars.



"By what reasoning does that ostensibly undesired behavior actually violate those rules?"

Under GDPR, it violates the principle of consent (the described scenario wouldn't meet the other ways that would allow you to use that data) - you're free to provide personalized search by collecting every piece of data about someone, for as long as possible, so that you can do ML on it and personalize their search results, as long as they freely give informed opt-in consent. Bulk collecting the data on everyone doesn't do that.

If you convince someone that they really want to allow you to collect all kinds of data (and they know what you're going to be collecting) because it'll allow them to receive better personalized service and they intentionally choose that this is what they desire, then that's okay. If not, then it's not okay.

If they're choosing not to give you that permission while knowing what it involves - well, that's their choice to make.

If they don't want to think or care about your offer and ignore it and don't opt in, then they obviously don't value the potential benefit enough to pay the price, so you can't collect and use their data. Tough luck.


An important additional component of the GDPR is that an individual can revoke their consent, and require all previously collected personal information be deleted.

https://www.gdpreu.org/the-regulation/key-concepts/consent/

https://www.gdpreu.org/the-regulation/list-of-data-rights/ri...



