
My Data Request: Request your data from over 100 companies - mikece
https://mydatarequest.com/
======
dangold
It concerns me that the site providing information about privacy policies,
data subject rights, and privacy laws has a privacy policy that doesn’t even
comply with the law. The policy states that they collect “non-identifiable
information... which is collected passively using various technologies.” But
that’s an incorrect statement of law. Information collected passively
generally includes IP addresses, which falls within the definition of
personally identifiable information under the GDPR and certain US privacy
laws. Also missing a lot of other stuff...

~~~
usr1106
> Information collected passively generally includes IP addresses, which falls
> within the definition of personally identifiable information under the GDPR
> and certain US privacy laws.

Your argument is at least formally wrong, the GDPR does not contain any such
concept as personally identifiable information. It covers personal data.

An IP address can be personal data under some circumstances.

IANAL, but I would be more than surprised if the interpretation of personally
identifiable information and personal data ends up to be identical in legal
practice. I'd assume that even lawyers are not sure yet, because there isn't
any practice yet.

~~~
dangold
I used a broad term to encompass laws of various jurisdictions, but my
statement is correct. Personal data is any information relating to an
identified or identifiable natural person. Thus, personal data by its
definition includes PII. But not all personal data is PII. Personal data also
includes other data such as pseudonymized data (such as hashed IDs). In any
event, the company needs to revisit its privacy policy.

------
toxicFork
I was initially expecting to enter my email for it to make requests, but it
instead gives info on how I can request for information from sites
individually. A bit more effort but makes me feel a bit safer as a result.

I see that there's a way to suggest it to "request for me" as well, so that
covers all bases!

------
a_imho
While it is great, there are many instances where you can't make a data
request without making an account first including facebook and google services
(Alphabet is not on the list btw) which quickly brings up the question,
especially if you are European, how to report GDPR violations[1]?

[1][https://news.ycombinator.com/item?id=17318773](https://news.ycombinator.com/item?id=17318773)

~~~
Gasp0de
I have actually written to facebook (without having an account) and requested
my personal data, worked fine. I believe the adress I used was
support@facebook.com. They replied that they do not have any data on me. They
requested a copy of my ID though, if I remember correctly.

~~~
paulie_a
I have no doubt they straight up lied to you.

~~~
simsla
Don't see how the gain from that would be worth the risk.

~~~
hedora
They certainly did lie.

When I created a new (my only) facebook account a few years back, it was clear
they already knew that about 90% of my friends knew me.

They probably interpreted “what information do you have” as “give me a copy of
my account”. If they still do this, someone in a GPDR country (but without a
FB account) should go through this exercise, then report the violation.

------
ocdtrekkie
I love the idea here, but I submitted some feedback before: Specifically, I
think they should provide a clear notation of which have automated export
tools and which do not, and a news feed for when the methods of data access
become available. The site would be much more useful if I could quickly use it
to locate export tools.

------
BillinghamJ
Hmm, shame it doesn't automatically submit the request to all 100 companies on
my behalf...

~~~
curiousgal
That usually requires having access to the account in question. Are you
willing to grant that?

------
davisr
I really like the idea, but a part of your program should check the links for
contact forms to ensure they remain up-to-date. The one for IKEA didn't work
for me.

------
jaxn
As a company, what format should we supply user data if requested?

~~~
toxicFork
See:

[1] "So Your Startup Received the Nightmare GDPR Letter " which contains

[2] "Is there amy regulation about how the data has to be formatted? Say I
send a json string like "this is LITERALLY the data we use", but the avergae
Joe is left irritated and annoyed, am I in trouble?"

\---

From the ICO: (the UK regulator)

How should we provide the data to individuals?

If an individual makes a request electronically, you should provide the
information in a commonly used electronic format, unless the individual
requests otherwise.

The GDPR includes a best practice recommendation that, where possible,
organisations should be able to provide remote access to a secure self-service
system which would provide the individual with direct access to his or her
information (Recital 63). This will not be appropriate for all organisations,
but there are some sectors where this may work well.

However, providing remote access should not adversely affect the rights and
freedoms of others – including trade secrets or intellectual property.

Ref: [https://ico.org.uk/for-organisations/guide-to-the-general-
da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-
protection-regulation-gdpr/individual-rights/right-of-access/)

\---

[1]
[https://news.ycombinator.com/item?id=17177817](https://news.ycombinator.com/item?id=17177817)

[2]
[https://news.ycombinator.com/item?id=17178125](https://news.ycombinator.com/item?id=17178125)

------
ericintheloft2
Great service, thank you!

------
azinman2
Seems down...

