Brings up a question about the GDPR: do you have to delete any data on someone, or just data they entered? If they get the facial recognition working so they can recognize people in Instagram photos and whatnot, then they'll be able to have data on you even if you're not a user. It's part of why I never liked people "tagging" me in photos.
There is another big problem with the GDPR for international companies. I mean, how do we know you comply?
I work in the public sector in Denmark, mind you; we have quarterly audits and, despite having had a law that was pretty much GDPR level already, we’ve passed all audits. I don’t think we should have, I won’t go into details on this, but how do you audit 300+ systems, some of which the central IT department doesn’t even know exist because some rogue manager bought them? I have no idea, and I have even less of an idea of how you’d audit the cloud.
GDPR doesn't actually require that you delete data about anyone; it requires that you be able to dereference a user from their data after a defined period of time when you specifically request that your data is deleted.
This can include you having to directly contact the company in a way that isn't clearly visible within the app itself.
GDPR is a red herring. Current laws already require opt-in when collecting biometric data. From 2011:
> The Hamburg data protection authority on Tuesday ruled that Facebook’s facial recognition feature, which attempts to identify people in photos uploaded to the site, violates German privacy laws.
> Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.
> Mr Caspar has given Facebook two weeks to respond. If the company is unable to make changes, Mr Caspar said the Hamburg authority would consider bringing legal action against it.
???? Nobody and nothing has made FB or Google move about this like GDPR. Local laws are made to be broken. If a court in Hamburg tells FB to do something, then they can easily play along.
GDPR enforces fines of 4% of their global revenue so that's the only reason for them to respect it.
Of course penalties for non-compliance have gone up. But collecting biometric data without explicit and informed opt-in is already against the laws of many EU member states, and has been for nearly a decade. Facebook is walking on thin ice.
It seems they ask for permission, so the title saying that users are auto-enrolled may be misleading. But if they do auto-enroll: it is against the privacy laws already, no need to wait for GDPR.
About respecting local laws, I find this a difficult issue. What to do with draconian local laws that forbid ridiculing a president? But if it has to be a yes-no: I'd say, yes, obey local laws when you serve users there. Remove comments from Turkish IPs that slander their president, but keep comments from German IPs that ridicule Turkey's leader.
What's even the point of opting out after that? That's some evil genius machinations.