Having the law say your personal data is owned by you and not some company just because it's on their server may turn out to be a landmark in consumer friendly legislation!
You will note that GDPR does not use "ownership" terminology anywhere. The closest it has is Data Controller, but GDPR makes that nowhere near the same as ownership.
GDPR establishes that data subjects are stakeholders in their data. It doesn't mean that they own the data, but it also doesn't mean that they don't own the data. They have rights to the data, which the Controller has to respect, while the Controller also has their own rights.
It's probably possible to model this situation as ownership (property law is complicated), but I think it's easier not to. Data is not owned, it is controlled and processed. Activities related to data are restricted.
It takes two. Perhaps if these companies had taken that tact (mutual ownership), then there'd have been no need for a law to specifically allow users to get the data created with their own effort.
You can make a subject access request for CCTV footage.
Why not? Data is everywhere these days. You won't be able just quit e.g. social media in the future to avoid being tracked. One of your friends will tag you, your face will be indexed, your name will be correlated to your phone number, your phone number to your ip address and now they know everything you read anyway. If that isn't the future you want you can either come up with all sorts of rules for when and where you can and can't take pictures and collect data, which all the companies will try to avoid anyways. Or you can say that people own their own data and only reasonable usage is granted automatically.
Presumably reasonable usage of a security camera would be to, you know, ensure security. Maybe you can opt in to some consumer behavior survey. But they shouldn't just be able to sell the data to a data mining company for face recognition, location tracking and consumer intelligence.
Likewise, if you didn't exist, then the interaction data wouldn't exist either. I agree that the ownership is more complex in this case and is hard to attribute solely to one party. One party provides a system where interactions can take place, another party provides the interactions. Who owns the interactions? Clearly both parties are required for them to exist.
I recently visited the main station in Cologne, Germany. They literally had notices posted next to the time tables about CCTV being conducted and about your GDPR rights concerning CCTV footage taken from you.
While this wasn't a straight "you own the footage", they did acknowledge you have certain rights regarding the footage.
Taking your thought one more step, what happens to the data the store creates thru a facial recognition system tied to the footage? Is that covered? I don’t know, but there are thousands of further permutations on his thought. Another reason I hate the GDPR (great intent, horrible execution).
Don't use logic though. Logic is cold and hateful. ;)
A better analogy is this: if i install a video camera in my home and pay a service to store and process that data (think nest cam), but that i'm paying monthly for, then that data should be mine. Stuff going on in my living room (aka my music listening habits) should be mine and i should have access to my habits and restrict others from using it if i want to.
Update: more importantly, without having access to data stored by any service, i can't make an informed decision as to whether the service is storing dubious information about myself that it shouldn't. Services can no longer hide the data they store about people.
Nothing is as simple as a quip can make it sound.
I'm obviously not a lawyer or anything but I think that this would be more compeling if Spotify was open source. "You don't want to share this? Well just remove the code then."
Here not only can't I do that but I've been a paying customer of Spotify for years and I had no idea that they even collected 90% of that stuff. In these conditions how can it be argued that I gave them ownership of data I didn't even know existed?
Would you be willing to unpack this statement a bit, please? I'm not quite sure I understand.
You have rights to your personal data, you do not need to own it to have those.
Can they still sell it if it's owned by you?
They are collecting and storing it, for sure. What limitations do they have from there?
Also, how would the government patrol this without having access to all companies databases, servers, and policies?
As in many other cases you assume the companies are not doing illegal stuff and you act when someone reports them. A developer that is asked to do something illegal like hiding something from the exported data can report it .
For instance, if you simply observe the actions people take when they talk to you, that's obviously your observation. If you were to, say, journal it, it's still yours. It's a weird thing to do, but it's yours.
If you used the journal to optimize yourself, perhaps to make conversation with you more enjoyable, again, that's weird, but perhaps also merely a paper version of what already goes on inside your head.
What if talking to you were really enjoyable, so that while people could technically avoid it, they usually didn't want to?
At what magnitude does the volume of people you're observing reach a scale where the people you're observing start to believe your observations are theirs?
It's an indirect way to address the level of resources you have at your disposal, which is itself only important for the scale at which you can capture the data.
In general, for the things people are OK with citizens doing but not OK with corporations doing, they mean an individual could not do it at a scale that bothers them. I'm specifically curious about what that scale is.
Certainly for me, there exists a hypothetical scale at which an individual gathering and recording detailed observations of other people becomes a little unsettling. Perhaps not criminal, but it falls into a "wish it didn't happen" bucket.
"They even store the brand of headphone I use. How do you even get that data, digging deep in CoreBluetooth?"
Just imagine: you can track which kind of phone a user that likes to listen to Heavy Metal, for example, likes to use, or which phone is more popular at the moment. Based on this you can develop phones that is more likely to sell or use specific marketing campaigns depending of the kind of music a person listen.
https://www.dropbox.com/s/fx5yyrru1uvx6no/sarletter.txt?dl=0
Source (@mikarv on Twitter):
https://twitter.com/mikarv/status/1012386696934182912?ref_sr...
The British regulator considers the rules to apply to all people, not just European citizens, so I think the Swedish would have the same opinion.
In general, Europe has rights that apply to everyone, regardless of citizenship. This makes a difference when it comes to searches at the border, drone strikes, refugees and so on under the European Convention on Human Rights.
This should become a selling point for EU businesses.
Anyone remember the huge privacy-related outrage when Windows XP came out, because it forced users to do challenge-response activation? How times have changed...
I imagine some info was sent if you played those shoutcast(?) video streams listed in the media library, lots of cartoon channels from what I remember.
They only Bluetooth in the context of acquiring location data..
I understand that Spotify needs data to power Discover Weekly, but I'm not sure I'm comfortable with this amount of data.
It's interesting to think where this goes in the future. Can I demand my purchase history from physical McDonalds restaurants at some point? Why limit it to internet-related interactions? (Or maybe this is already included in GDPR and I'm just not aware?)
You've been able to for about 20 years, in some form with the previous laws.
(More commonly, you could demand the paper records your employer has about you.)
It's back to ocp and mods/classical music/occasional purchased for me I guess... (except on my phone of course which is a lost cause)
Also, CSV can’t easily handle nested objects. If the data model is even slightly more complex than a plain table, it doesn’t make much sense. I’d also argue that even if the source data is stored in an RDMS without exotic data types, a JSON with a nested object representation is probably going to be more friendly even to non-developers than multiple files with opaque foreign keys linking back and forth.
