GDPR does not give you access to this data [on your usage of the card] in Europe because it is not personally identifying information.
Sorry, but that's simply not true: your payment history (assuming an compromised card, as most are) is a history of your personal behavior.
Although each individual data point cannot be used to identify you, the history of them can. There is only one single person in the whole world that would generate this exact series of data points: you. And if you take location into account, that means the length of history needed to uniquely identify you is considerably shorter.
This is why, under the GDPR, browsing history is personally identifying information. Yes, there are shared browsers. But as a very large part of web traffic these days is from mobile phones only ever used by one single person, the existence of shares browsers/devices is no longer relevant.
1) if I own the song, video, book, etc, and I choose not to sell it or make it available, it is my personal property and fuck you.
2) I am legally and ethically allowed to set any price I want. Your stolen sound track to the Harry Potter movies has yet to be determined to cure cancer. If I own the soundtrack and want to charge you a gazillion dollars to listen to it then fuck you. You do not have any rights to my Harry Potter movie sound track. If you dont have a gazillion dollars then you dont get to listen to it. Fuck you. [...] You have no ethical grounds or argument.
Yes we do: it's called the Universal Declaration of Human Rights. Specifically article 27, which states that “everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits.”
Whether you like it or not, you and everyone else are not allowed to abuse copyrights to deny someone the option to "enjoy the arts and to share in scientific advancement and its benefits". So if you ever publish your copyrighted work, you're not allowed to suddenly deny any or all people access to it.
Now please note that this still doesn't excuse copyright infringement. But it does mean that rights holders, once they publish their work, are required to make it available at a price all members of the community can pay.
Wrong. Your premise is flawed. No one consents to advertising online, for the sole reason that advertisers DO NOT ASK FOR CONSENT.
I never said anything about consenting to advertising, for the very simple reason that advertisements can be safe for privacy (even if online they hardly ever are). Hence, consent is never required.
But some advertisers DO ask for consent for personalized advertisements (sites like e.g. slashdot are a good example). This is how you can recognize the good ones. Scumbags like Facebook never asks for consent, but collect personal information anyway.
When Proctor & Gamble comes to you and says "we'll pay $0.01 for you to play this paper towel roll ad, but ONLY three times to each person per week"... well uh. I just don't know how you would do that under the GDPR.
The correct response to Proctor & Gamble is: "we'll do this in every case where it's lawful to do so."
Note that even with an id in a cookie (that persons name in your system), you cannot rule out family members using the same computer, strangers using the same (library) computer, etc. Anecdotal evidence (I work for a fairly large webshop in the Netherlands) suggests that people who don't consent are about as many as the number of people who use the same computer: a few percent.
1) They don't ask for specific consent to do that, which is required under GDPR.
Consent is not necessary, if they can use one of the other 5 grounds for keeping the information. Some of them are related to government applying the law, or the public welfare, which obviously don't apply here. Netflix basically has 4 possible grounds:
1. Consent, which allows everything a customer can understand (!), but can also be revoked at any time
2. Legitimate use, where they have to prove the loss of privacy outweighs any possibly benefit to you, and you can object to this
3. Fulfilling a contract, which allows Netflix to store any necessary information for as long as necessary to fulfill their obligations (this is really quite limited)
4. Obeying the law, such as legal warranties, may force them to store certain information (mostly related to who bought what & when). It's unlikely this could ever apply to this case.
2) They keep the data indefinitely, without any kind of anonymization, for the claimed purpose of improving their storytelling. If they kept it for you benefit that might be different, but they are keeping it to help themselves... Forever, and without asking first.
Would it really be so hard for them to ask up front "can we store this forever and use it, or would you prefer us to delete/anonymize the data after a while, noting that your progress will be lost?"
Now here we have a good argument. It's really not necessary to store your choices after you've seen Bandersnatch: the next time you view it, you should be able to choose a different outcome. In fact, unless Netflix can prove a followup is already planned, there's really no reason to keep the (non-aggregated, personal) data. And hence it's illegal.
Why do people find it acceptable that valuable packages are just left on the doorstep?
Do they have a choice? Enough people like lower prices so much, that for others it's impossible to choose a delivery guarantee.
Luckily I live in the Netherlands, where the sender is responsible for the shipment until the recipient receives it. And the law specifically states that leaving it on your doorstep does NOT count as "delivered". Sadly this does not solve problems like (falsely) claiming nobody was home, but packages are never left outside for any random passerby to take.
I'm probably from a different country, so I don't know how these things work, but can you do that without paying postage, and do these shipping boxes fit in a typical post box?
It's called "Reply Paid", "Business Reply Mail", "Freepost", or even "International Business Reply Service", and exists in several countries. More information is on Wikipedia: Freepost.
In general, being able to return items without paying postage depends on where you live and who you bought the item from, but it certainly does exist. In the Netherlands, where I live, it's part of the competitive advantage of webshops: next day delivery is so ubiquitous that not having that actually means you lose customers, so your return policy becomes m ore important.
Specifically, I still use the following things I learned 15 years ago at university:
B--trees and other database fundamentals
Algorithm design (up to big-O notation)
Basics of programming (sure, experience also taught me this)
Asking the right questions
Make no mistake: the first two are what sets real senior developers apart from the rest. No amount of experience can replace this, as nobody lives that long. Also, asking the right questions is important, and something that many people overlook.
The only thing I did not learn at university is the importance of concise, natural, human language.
you must be young, almost nothing out of university is useful after a year or two in the IT industry. no you don't learn anything but the very basics of system design and architecture as 90% of architecture and design is experience. Anything you learnt in Uni will be supplanted by actually useful education from experience. The only thing you really learn at Uni is structured work, some terminology and a technical starting point for your real education.
At 40, I do indeed consider myself young. But that does not mean one doesn't learn anything at university that isn't obsolete in a few years. In fact, people who think that our industry moves at a fast pace would do good to listen to a talk given by Venkat Subramaniam: Spearheading the future of programming, especially the first 11 minutes or so:
When I hear people say things change really fast, I ask...
30 years working in IT industry, can say with complete honesty the only people grades mattered was for Grad intakes, anyone else I have never seen them even looked at as they just don't matter.
Grades indeed don't matter. what does matter however, is what kind of education you've completed. Was it a "memorize this and you'll pass" kind of education? Vocational training? Academic education?
In my experience, vocational training gets the most out of people given standard tasks, even for high-skilled tasks like programming, as this type of education better teaches the "how" of programming, and fast-forwards a person in their career by a few years (because it takes tat long to learn this on the job).
But you'll need an academic degree to avoid pitfalls when designing new systems. Because then you'll need to answer the "why" in addition to the "how". Without this understanding, your career will be limited. And only some people can learn this on the job, whereas more people can learn this while in school.
1.) You agree by contract to reveal your personal information and use habits to the vendor.
2.) Those vendors are, by way of the same contract, sharing with third parties.
3.) Those third parties are all the people you list and all the people you didn't list, except the people who are categorized as, "you?"
Anyone in Europe, as:
1. the data sale you mentioned is not reasonable for making the car work, it's just to get more money, and
2. even the car manufacturer itself doesn't need (and thus doesn't want) to use you personal information; anonymized driving habits are sufficient
As a consumer, I really love the GDPR. It's just a shame that enforcement is probably understaffed, like the police is as well.
I'd rather pay $50 for an item if that's 3% of my monthly net income, than $25 for an item if that means it's 5% of my monthly net income. I simply don't care for the actual prices of items. I only care for their prices in relation to my net income.
Because I'm not rich, living in a "socialist" country like the Netherlands is actually beneficial for me. Not because prices are lower (they're not), but because prices are lower relative to my net income. Oh, and because healthcare is significantly cheaper here than in the US. My health is more important than more money.
but you guys do not seem to care much about [privacy].
Or they just care about convenience more.
Remember, this is the country that uses a public identifier (SSN) as authorization. Sure, the IRS tells you you must keep it secret, but good luck getting a bank account, work, etc. if you do that.
Given the lack of persistent public outcry that could fix that -- or real change after the many data breaches the last few years, I think it's safe to say that those who do care about privacy either have left the country already or are silenced by other means, such as poverty (no time to protest) or exclusion (because they can't pay the bribes^H^H^H^H^H^Hcampaign contributions).
What innovation is there? What new technology? Just a recombination of existing ones [...].
A recombination of existing technology is precisely something that should be (and is) patentable. Not that it's sufficient, it must still meet all the usual criteria of course.
And although it may be novel and non-obvious that some greedy bastard actually has the guts to record medical information (i.e pulse) for a purpose I personally would never consent, but I wouldn't bet on it. Using this information for store optimizations is also not novel, as that's what store owners did before we had computers too. Except they did it by actually taking an interest in their customers, as opposed to just their wallet.
Sadly this is in the US, where using such a patent might actually be legal.
The duel income family is not a result of two parents having to work to meet needs. Its the result of two parents having to work to meet wants.
Tell that to people in the more populated countries in Europe. In the Netherlands, for example, there's been a housing shortage for decades (at least since WWII) and houses cost as much as the more prosperous people can afford. This naturally drives prices up to the point where you need at least a dual income to pay for a 300 sqft home.
I understand that in Germany or Switzerland, helichopper parents who drive their kids to school after age 9 or so are given a "talking to" by school authorities about kids needing independence. Much better model than the US hover-parent model.
Not just Germany or Switzerland. The Netherlands too, as any other country that has the best interest of children at heart. How can children learn to be responsible if you don't teach them (early)?
If an area's schedule could be rebooted, business and work times should center around mid-day if health is the primary concern.
Actually, business/work and leisure times would center around mid-day if health is the primary concern.
The reason many people (especially nearer the equator) prefer summertime / daylight saving is because it also provides them with daylight in their leisure time. This preference is obviously more prevalent in rich countries, because people don't have to work around the clock to sustain themselves and sitting in your garden in daylight is a lot better than at night.
You obviously don't have kids. Think of it this way: put your most prized possession alone out in public, and wait how long it is for something bad to happen, knowing it doesn't have to be that way. [...]
Why so pessimistic? Sure, there's often news about nasty stuff, and terrorists, pedophiles, bullies, inattentive drivers, etc. do exist. But of all dangers, traffic poses the biggest risk (by far), followed by bullies (which usually only cause emotional pain). The rest is negligible if you look at the numbers unhampered by fear.
If your children are attentive (like I teach my children to be) and self-confident, you as a parent are perfectly capable of teaching them to deal with it. And then even a 6 year old can safely navigate the streets of a residential area (on foot and by bike), and a 10 year old can safely cross the a main street (at the traffic lights, as taught) or take the bus to school 5 miles away. This is basic stuff where I live (The Netherlands, Europe).
[...] doesn't mean there was any timing applied. The overblown Privacy fiasco has been happening in the FULL PUBLIC VIEW. *cough*
Actually, there was timing applied. After the privacy fiasco, anyone with a bit of common sense should have seen this stock plunge coming. During this last quarter.
Grounds for lawsuit = NONE.
Exactly: by waiting a bit, any grounds for a lawsuit that might have existed are gone now.
If you're an existing company with an existing customer base, you have more people intersecting with your "legitimate business interest," allowing you to ignore most of the effects of GDPR when it comes to lead generation (non-customer communications).
This is not correct: generating leads, i.e. future profits, is not a 'legitimate interest' with respect to GDPR compliance. You'll need consent for that.
Customer data is needed to fulfill (existing) contracts. But having data for one purpose does not allow you to use the same data for another purpose: you'll need a separate justification for using customer data for that new purpose. In that sense, the GDPR levels the playing field by giving large established companies the same options as startups to gain new customers. Large companies only have the advantage of their brand being known.
The user still had to sign in and grant access for the API to be useful.
Except that's not the issue here. Some user granting access to his/her own data is perfectly fine (I'm deliberately not going into whether it's smart or not).
The problem here is that data belonging to other people was accessible, even when these people did not grant access.
From the summary:
Facebook allowed the device companies access to the data of users' friends without their explicit consent, even after declaring that it would no longer share such information with outsiders.
Facebook essentially violated its own privacy policy.
The summary sounds as if it was written by someone who had the idea of an API explained to them, didn’t really understand it, and so they tried to explain it in less technical terms by referring to it as a “data sharing agreement”, giving it a very different connotation.
Whether an API or other (private) “data channel” (a term from the original article) was used is irrelevant. The story is about unauthorized use of personal data by third parties.
Google is within its rights to collect whatever it wants from traffic going through its servers.
No, it's not. This is why, for example, the EU has privacy laws and is tightening them (the GDPR will come into effect next May).
Nobody is required to use Google. Therefore it has no monopoly.
Sadly, this is not true. By using (for example) Google Analytics, it's the website owner chat chooses my information to be collected, not I. I have no choice in this. At most, I can try to find websites that don't track me, but these are increasingly rare these days and not a viable choice.
This lack of choice for information subjects is the reason that privacy laws exist: the people choosing for the privacy violations are not the people whose privacy is violated.
We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.
FALSE: Customers pay sales tax, retailers collect sales tax on behalf of the government, but the tax liability is the purchasers, not the sellers (see use tax). The argument becomes whether a government can require a citizen of a different state to operate on it's behalf by requiring them to collect this tax. (answer: they cannot -this is why establishing nexus becomes relevant.)
While you are correct that retailers do not pay sales tax, this does not invalidate my argument: the sales tax must be paid where the transaction takes place. This is where the customer is. Who must pay the tax (in this case the customer) is irrelevant.
Slashdot Mirror
GDPR does not give you access to this data [on your usage of the card] in Europe because it is not personally identifying information.
Sorry, but that's simply not true: your payment history (assuming an compromised card, as most are) is a history of your personal behavior.
Although each individual data point cannot be used to identify you, the history of them can. There is only one single person in the whole world that would generate this exact series of data points: you. And if you take location into account, that means the length of history needed to uniquely identify you is considerably shorter.
This is why, under the GDPR, browsing history is personally identifying information. Yes, there are shared browsers. But as a very large part of web traffic these days is from mobile phones only ever used by one single person, the existence of shares browsers/devices is no longer relevant.
1) if I own the song, video, book, etc, and I choose not to sell it or make it available, it is my personal property and fuck you.
2) I am legally and ethically allowed to set any price I want. Your stolen sound track to the Harry Potter movies has yet to be determined to cure cancer. If I own the soundtrack and want to charge you a gazillion dollars to listen to it then fuck you. You do not have any rights to my Harry Potter movie sound track. If you dont have a gazillion dollars then you dont get to listen to it. Fuck you.
[...]
You have no ethical grounds or argument.
Yes we do: it's called the Universal Declaration of Human Rights. Specifically article 27, which states that “everyone has the right freely to participate in the cultural life of the community, to enjoy the arts and to share in scientific advancement and its benefits.”
Whether you like it or not, you and everyone else are not allowed to abuse copyrights to deny someone the option to "enjoy the arts and to share in scientific advancement and its benefits". So if you ever publish your copyrighted work, you're not allowed to suddenly deny any or all people access to it.
Now please note that this still doesn't excuse copyright infringement. But it does mean that rights holders, once they publish their work, are required to make it available at a price all members of the community can pay.
Wrong. Your premise is flawed. No one consents to advertising online, for the sole reason that advertisers DO NOT ASK FOR CONSENT.
I never said anything about consenting to advertising, for the very simple reason that advertisements can be safe for privacy (even if online they hardly ever are). Hence, consent is never required.
But some advertisers DO ask for consent for personalized advertisements (sites like e.g. slashdot are a good example). This is how you can recognize the good ones. Scumbags like Facebook never asks for consent, but collect personal information anyway.
When Proctor & Gamble comes to you and says "we'll pay $0.01 for you to play this paper towel roll ad, but ONLY three times to each person per week"... well uh. I just don't know how you would do that under the GDPR.
The correct response to Proctor & Gamble is: "we'll do this in every case where it's lawful to do so."
Note that even with an id in a cookie (that persons name in your system), you cannot rule out family members using the same computer, strangers using the same (library) computer, etc.
Anecdotal evidence (I work for a fairly large webshop in the Netherlands) suggests that people who don't consent are about as many as the number of people who use the same computer: a few percent.
It's really not necessary to store your choices after you've seen Bandersnatch:
Nto true. There are like additional endings after "the ending" if you play it more than once.
In which case you haven't reached the (real) end, and my comment does not yet apply...
The issues are:
1) They don't ask for specific consent to do that, which is required under GDPR.
Consent is not necessary, if they can use one of the other 5 grounds for keeping the information. Some of them are related to government applying the law, or the public welfare, which obviously don't apply here. Netflix basically has 4 possible grounds:
2) They keep the data indefinitely, without any kind of anonymization, for the claimed purpose of improving their storytelling. If they kept it for you benefit that might be different, but they are keeping it to help themselves... Forever, and without asking first.
Would it really be so hard for them to ask up front "can we store this forever and use it, or would you prefer us to delete/anonymize the data after a while, noting that your progress will be lost?"
Now here we have a good argument. It's really not necessary to store your choices after you've seen Bandersnatch: the next time you view it, you should be able to choose a different outcome. In fact, unless Netflix can prove a followup is already planned, there's really no reason to keep the (non-aggregated, personal) data. And hence it's illegal.
Why do people find it acceptable that valuable packages are just left on the doorstep?
Do they have a choice? Enough people like lower prices so much, that for others it's impossible to choose a delivery guarantee.
Luckily I live in the Netherlands, where the sender is responsible for the shipment until the recipient receives it. And the law specifically states that leaving it on your doorstep does NOT count as "delivered". Sadly this does not solve problems like (falsely) claiming nobody was home, but packages are never left outside for any random passerby to take.
I'm probably from a different country, so I don't know how these things work, but can you do that without paying postage, and do these shipping boxes fit in a typical post box?
It's called "Reply Paid", "Business Reply Mail", "Freepost", or even "International Business Reply Service", and exists in several countries. More information is on Wikipedia: Freepost.
In general, being able to return items without paying postage depends on where you live and who you bought the item from, but it certainly does exist. In the Netherlands, where I live, it's part of the competitive advantage of webshops: next day delivery is so ubiquitous that not having that actually means you lose customers, so your return policy becomes m ore important.
Specifically, I still use the following things I learned 15 years ago at university:
Make no mistake: the first two are what sets real senior developers apart from the rest. No amount of experience can replace this, as nobody lives that long. Also, asking the right questions is important, and something that many people overlook.
The only thing I did not learn at university is the importance of concise, natural, human language.
you must be young, almost nothing out of university is useful after a year or two in the IT industry. no you don't learn anything but the very basics of system design and architecture as 90% of architecture and design is experience. Anything you learnt in Uni will be supplanted by actually useful education from experience. The only thing you really learn at Uni is structured work, some terminology and a technical starting point for your real education.
At 40, I do indeed consider myself young. But that does not mean one doesn't learn anything at university that isn't obsolete in a few years. In fact, people who think that our industry moves at a fast pace would do good to listen to a talk given by Venkat Subramaniam: Spearheading the future of programming, especially the first 11 minutes or so:
When I hear people say things change really fast, I ask...
what are they smoking?
-- Venkat Subramaniam
...
30 years working in IT industry, can say with complete honesty the only people grades mattered was for Grad intakes, anyone else I have never seen them even looked at as they just don't matter.
Grades indeed don't matter. what does matter however, is what kind of education you've completed. Was it a "memorize this and you'll pass" kind of education? Vocational training? Academic education?
In my experience, vocational training gets the most out of people given standard tasks, even for high-skilled tasks like programming, as this type of education better teaches the "how" of programming, and fast-forwards a person in their career by a few years (because it takes tat long to learn this on the job).
But you'll need an academic degree to avoid pitfalls when designing new systems. Because then you'll need to answer the "why" in addition to the "how". Without this understanding, your career will be limited. And only some people can learn this on the job, whereas more people can learn this while in school.
Who the simple fuck needs a backdoor when:
1.) You agree by contract to reveal your personal information and use habits to the vendor.
2.) Those vendors are, by way of the same contract, sharing with third parties.
3.) Those third parties are all the people you list and all the people you didn't list, except the people who are categorized as, "you?"
Anyone in Europe, as:
1. the data sale you mentioned is not reasonable for making the car work, it's just to get more money, and
2. even the car manufacturer itself doesn't need (and thus doesn't want) to use you personal information; anonymized driving habits are sufficient
As a consumer, I really love the GDPR. It's just a shame that enforcement is probably understaffed, like the police is as well.
I'd rather pay $50 for an item if that's 3% of my monthly net income, than $25 for an item if that means it's 5% of my monthly net income. I simply don't care for the actual prices of items. I only care for their prices in relation to my net income.
Because I'm not rich, living in a "socialist" country like the Netherlands is actually beneficial for me. Not because prices are lower (they're not), but because prices are lower relative to my net income. Oh, and because healthcare is significantly cheaper here than in the US. My health is more important than more money.
but you guys do not seem to care much about [privacy].
Or they just care about convenience more.
Remember, this is the country that uses a public identifier (SSN) as authorization. Sure, the IRS tells you you must keep it secret, but good luck getting a bank account, work, etc. if you do that.
Given the lack of persistent public outcry that could fix that -- or real change after the many data breaches the last few years, I think it's safe to say that those who do care about privacy either have left the country already or are silenced by other means, such as poverty (no time to protest) or exclusion (because they can't pay the bribes^H^H^H^H^H^Hcampaign contributions).
What innovation is there? What new technology? Just a recombination of existing ones [...].
A recombination of existing technology is precisely something that should be (and is) patentable. Not that it's sufficient, it must still meet all the usual criteria of course.
And although it may be novel and non-obvious that some greedy bastard actually has the guts to record medical information (i.e pulse) for a purpose I personally would never consent, but I wouldn't bet on it. Using this information for store optimizations is also not novel, as that's what store owners did before we had computers too. Except they did it by actually taking an interest in their customers, as opposed to just their wallet.
Sadly this is in the US, where using such a patent might actually be legal.
The duel income family is not a result of two parents having to work to meet needs. Its the result of two parents having to work to meet wants.
Tell that to people in the more populated countries in Europe. In the Netherlands, for example, there's been a housing shortage for decades (at least since WWII) and houses cost as much as the more prosperous people can afford. This naturally drives prices up to the point where you need at least a dual income to pay for a 300 sqft home.
I understand that in Germany or Switzerland, helichopper parents who drive their kids to school after age 9 or so are given a "talking to" by school authorities about kids needing independence. Much better model than the US hover-parent model.
Not just Germany or Switzerland. The Netherlands too, as any other country that has the best interest of children at heart. How can children learn to be responsible if you don't teach them (early)?
If an area's schedule could be rebooted, business and work times should center around mid-day if health is the primary concern.
Actually, business/work and leisure times would center around mid-day if health is the primary concern.
The reason many people (especially nearer the equator) prefer summertime / daylight saving is because it also provides them with daylight in their leisure time. This preference is obviously more prevalent in rich countries, because people don't have to work around the clock to sustain themselves and sitting in your garden in daylight is a lot better than at night.
You obviously don't have kids. Think of it this way: put your most prized possession alone out in public, and wait how long it is for something bad to happen, knowing it doesn't have to be that way. [...]
Why so pessimistic? Sure, there's often news about nasty stuff, and terrorists, pedophiles, bullies, inattentive drivers, etc. do exist. But of all dangers, traffic poses the biggest risk (by far), followed by bullies (which usually only cause emotional pain). The rest is negligible if you look at the numbers unhampered by fear.
If your children are attentive (like I teach my children to be) and self-confident, you as a parent are perfectly capable of teaching them to deal with it. And then even a 6 year old can safely navigate the streets of a residential area (on foot and by bike), and a 10 year old can safely cross the a main street (at the traffic lights, as taught) or take the bus to school 5 miles away. This is basic stuff where I live (The Netherlands, Europe).
[...] doesn't mean there was any timing applied. The overblown Privacy fiasco has been happening in the FULL PUBLIC VIEW. *cough*
Actually, there was timing applied. After the privacy fiasco, anyone with a bit of common sense should have seen this stock plunge coming. During this last quarter.
Grounds for lawsuit = NONE.
Exactly: by waiting a bit, any grounds for a lawsuit that might have existed are gone now.
If you respected its predecessor law chance is that you are fully golden.
Although many companies are loath to admin it, this is spot on!
If you're an existing company with an existing customer base, you have more people intersecting with your "legitimate business interest," allowing you to ignore most of the effects of GDPR when it comes to lead generation (non-customer communications).
This is not correct: generating leads, i.e. future profits, is not a 'legitimate interest' with respect to GDPR compliance. You'll need consent for that.
Customer data is needed to fulfill (existing) contracts. But having data for one purpose does not allow you to use the same data for another purpose: you'll need a separate justification for using customer data for that new purpose. In that sense, the GDPR levels the playing field by giving large established companies the same options as startups to gain new customers. Large companies only have the advantage of their brand being known.
The user still had to sign in and grant access for the API to be useful.
Except that's not the issue here. Some user granting access to his/her own data is perfectly fine (I'm deliberately not going into whether it's smart or not).
The problem here is that data belonging to other people was accessible, even when these people did not grant access.
From the summary:
Facebook allowed the device companies access to the data of users' friends without their explicit consent, even after declaring that it would no longer share such information with outsiders.
Facebook essentially violated its own privacy policy.
The summary sounds as if it was written by someone who had the idea of an API explained to them, didn’t really understand it, and so they tried to explain it in less technical terms by referring to it as a “data sharing agreement”, giving it a very different connotation.
Whether an API or other (private) “data channel” (a term from the original article) was used is irrelevant. The story is about unauthorized use of personal data by third parties.
Google is within its rights to collect whatever it wants from traffic going through its servers.
No, it's not. This is why, for example, the EU has privacy laws and is tightening them (the GDPR will come into effect next May).
Nobody is required to use Google. Therefore it has no monopoly.
Sadly, this is not true. By using (for example) Google Analytics, it's the website owner chat chooses my information to be collected, not I. I have no choice in this. At most, I can try to find websites that don't track me, but these are increasingly rare these days and not a viable choice.
This lack of choice for information subjects is the reason that privacy laws exist: the people choosing for the privacy violations are not the people whose privacy is violated.
We see this in the US with sales tax on online sales. While you could argue that the sale takes place in the retailers server, according to the law it takes place in the customers home. This is why retailers (assuming sufficient presence, i.e. nexus) must pay sales tax where thew customer lives. The same applies in the EU by the way, for purposes of consumer protection, VAT, etc. Where the company (and its employees) are located does not matter.
FALSE: Customers pay sales tax, retailers collect sales tax on behalf of the government, but the tax liability is the purchasers, not the sellers (see use tax). The argument becomes whether a government can require a citizen of a different state to operate on it's behalf by requiring them to collect this tax. (answer: they cannot -this is why establishing nexus becomes relevant.)
While you are correct that retailers do not pay sales tax, this does not invalidate my argument: the sales tax must be paid where the transaction takes place. This is where the customer is. Who must pay the tax (in this case the customer) is irrelevant.