Project:Adtech

From Wikibase Personal data
Jump to navigation Jump to search

Interesting queries

GDPR Article 15 (Q845)-related questions

Tag management

Bidding process

Top-down, bottom-up, maximizing utility

The goal of SARs could be to maximize utility in understanding the ecosystem.

Hence the goal of litigation should be around expanding the reach of SARs, in order to "flatten" the ecosystem.

This has two advantages: better competition, more transparency.

In particular, for every role, there is a possibility of picking a small player with this role, a huge one, or one with dual roles. Each of those situations will lead to different outcomes for the SAR, all valuable.

Scaling effects

Indirect SARs sound complicated and unhelpful. I am not sure: you get a lot of allies in putting pressure on the service providers, who sometimes masquerade as GDPR data processor (Q841). The costs and effects have a completely different scaling factor, and also an impact on the choice of jurisdiction.

GDPR Article 20 (Q846)-related questions

  • All boils down to: what is provided by the data subject?
  • Why do this? Because then we can transfer more easily to researchers to understand better the ecosystem.

GDPR Article 26 (Q842)-related questions

GDPR Article 26 (Q842) gives the right to information about the "essence of the contract" in joint-controller situations. What does this cover?

Adtech experiments

Facebook's Replacement IDs

Consents

Consents are interesting data points, that should be within the scope of Access and (it seems) Portability.

Privacy Shield

Tremendous tool for choosing jurisdiction, at no cost.

Involves Europeans, but also Americans, whose data goes abroad. Drives a wedge between Facebook Ireland and Facebook Inc, etc.

What next?

Links to competition

Privacy is a dead-end for enforcement. It will always boil down to consent and design, and always be abused in unaccountable ways, in order to get the first users. And then it will expand progressively to everyone (cf. Facebook's experiments to get my consent in order to use facial recognition).

On the other hand, tracing data flows -- which is possible thanks to data protection law -- helps define exactly the assets that are being shared. It's not just about raw (personal) data, it's also about the consents associated to this data, as well as its identifiability. Once all this is taken into account, we will have a better understanding of the personal data market, and will be better able to assess dominance of some players over that market. This might open the door to a more reasoned antitrust action.


Observations on right of access

GDPR Art. 15 (Right of Access)
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
   * the purposes of the processing;
   * the categories of personal data concerned;
   * the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
   * where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   * the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
   * the right to lodge a complaint with a supervisory authority;
   * where the personal data are not collected from the data subject, any available information as to their source;
   * the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 
3. The controller shall provide a copy of the personal data undergoing processing. 2For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. 3Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.


Schema.org suggestion

Someone should suggest to schema.org to add GDPR related terms (like "data controller", "access request email endpoint", etc).

Observation on OpenWPM

OpenWPM has split up into a testbed for mass crawling, and a web extension which is separate (currently used in a second project, for mass reporting to Mozilla).

Relevant items

Interesting queries