GDPR

GDPR – a self-experiment: What Internet companies know about you

The new European Basic Regulation on Data Protection has now been in force for some time. But have you ever tried to access your private data at large companies such as Amazon or Facebook? We made the self-experiment and requested our data from Google, Amazon, WhatsApp, Facebook, Instagram and Apple.

How can you view your data according to GDPR?

The EU Data Protection Regulation gives you the right to control what happens to your data and what data is stored about you. In principle, data may only be stored for as long as necessary and only data that is absolutely necessary should be collected.

As a consumer, you also have the right to have a copy of the data sent to you. The request can be made informally, by post or electronically. You do not need a template or sample. The company should then reply within one month. And it must be possible, among other things, to have this data deleted. More detailed information can be found, for example, on the following website:

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Many large companies have ready-made forms for the request for data access, which should make it easier for the user. This is how it looks in practice:

  1. Google: Simply go to https://takeout.google.com, enter your data and wait.
  2. Amazon: At Amazon, the path is more complicated. Under “Contact”, select “Other” as the reason and then the topic “Request data protection information”. And wait…
  3. WhatsApp: WhatsApp has an appropriate function directly in the app under “Settings”, “Account”, “Request account info”.
  4. Facebook: If you are logged in, under “Settings”, “General account settings” you will find the option “Download a copy of your Facebook data”.
  5. Instagram: Simply confirm your e-mail address at https://instagram.com/download/request/, then “Request download”. And wait…
  6. Apple: Log on to https://appleid.apple.com, select “Manage data and privacy” and then “Request copies of your data”.

Does that really work?

We dared to try it ourselves and requested the data from all the companies.

At Google we were positively surprised and the data was amazingly available for download within a few hours. Less positively we were surprised by the collecting frenzy of the Internet giant: We received thousands of pages with search terms. Incl. picture searches and searches in the map service. You get a location history and at least we wondered what was listed there. Very frightening are then purchases, which are listed: Hotel bookings, flights, purchases at Amazon and more. One wonders where all these data come from. And another little tip: don’t print out the data. There are really tons of data!

At Amazon, the process is more difficult. First you have to confirm by e-mail that you really want to make the request. Then more e-mails are exchanged and at some point there was an announcement that all data would be available “soon”. Some data can also be viewed online at Amazon directly & at any time, e.g. all stored data from Alexa or information on personalized advertising. For the more exciting things Amazon needed a little longer. In some boards you can read that these data are sent via USB stick. After about four weeks we received this data via download – but all information is only available for download for about 90 days. But the information itself is very impressive: all account information, the complete communication history, all previous orders, all returns, everything that has ever been read or played on registered Kindle devices. Interestingly, all search terms used have only been listed since 2017.

At WhatsApp you can download your personal data package after a few days. The data is surprisingly sparse: profile photo, your own number, the numbers of all contacts and the names of all chat groups you participate in. No chats, nothing.

On Facebook, the data can also be viewed within a few hours. All companies in the Facebook group are really exemplary in this respect. However, the collecting frenzy of Facebook itself is much more comprehensive than with WhatsApp and Instagram: It lists everything that Facebook believes might be of interest to the user. It also lists all uploaded photos, videos, news, and comments. In addition, every login to Facebook, with date, time and IP address. You get the uncomfortable feeling what would happen if someone would capture this data.

Instagram is also fast. After a few hours you get a file with all uploaded photos & videos, all searches, all your own comments and likes. Very exemplary.

Apple will send you an email with a download link after a few days. You get information about all the phones you’ve used so far, the Internet pages you’ve visited, the e-mail addresses you’ve written to, information about calls and various locations. There remains an uncomfortable feeling.

Conclusion: All companies react at least very quickly. At Amazon it took a little longer and we only got access to the data after a few weeks. Some data collected by Apple, Amazon, Facebook & Co. is at least doubtful. Why does Apple need all the email addresses and web page views it receives? How does Google get the shopping? One wonders what the reason is for companies to collect this data…

And a little tip at the end:

Enter only the data you really need on the Internet. And, if possible, switch off automatic data collection, e.g. of whereabouts.