A typical scenario: Your friends and acquaintances have your contact info stored on their mobile phones. Your phone number, an email address or two, maybe a photo and a birth-date so they don't forget to wish you happy birthday. They install Facebook/WhatsApp/Twitter, etc., all of which upload your personal data from the phones to their own servers without your knowledge or consent.
It's more complicated than deciding not to have a Facebook account, though that's a great first step.
Are you seriously proposing to ban uploading pictures that contain other people to third parties' computers without consent? That would go way beyond Facebook. Would I need to track down everyone in a picture before annexing it to a Yahoo e-mail?
I'd think the most pro-privacy reasonable approach would be to stop companies from identifying them beyond "someone who did not consent to being tracked".
How about not maintaining shadow profiles, and not allowing tagging or facial recognition to be applied to third parties on uploaded photos?
Facebook has such incredibly smart engineers that they can file patents to identify you based on the dust of your camera lens [1]. It should be a cinch for them not to track such third parties in any way, shape or form.
The problem was that they gave zero fucks about the privacy implications for third parties, who have nothing to do with, and no business relationship with, Facebook. It seems quite the opposite: that they go to great lengths to maintain shadow profiles and track everybody.
I really hope that the GDPR forces them to clean up their act.
I think he's really proposing regulations that limit how such data can be used once uploaded.
For instance, it could still be legal for Facebook to slurp your friend's address book (and your profile, indirectly), but the regulation could require them to discard and purge that information if they can't immediately match it to an account.
Yes, I'm aware of this (and thankfully have never been stupid enough to entrust my address book to any such service), but what I'm really looking forward to is how Facebook and their ilk will be dealing with shadow profiles in relation to the GDPR.
Since I'm not a member of their service there's no valid reason for them to maintain personally identifiable data about me. Let alone that they never asked for my permission and that I never, ever consented to their gobbling up of my data and that of other non-members.
At least according to my understanding this is a very clear violation of the GDPR, which - if the courts agree - could cost them dearly.
I wonder how Facebook intends to deal with that. If I interpret the directive correctly, they are obliged to delete all such data since storing, maintaining and processing it clearly violates the law.