[pluma]

There's a difference. But in practice the difference doesn't matter.

As a user you expect a reasonable level of privacy unless the software explicitly requests your consent for providing certain information or explicitly asks you to provide that information manually. If the software then hands that information off to a third party you expect that only to happen with explicit consent.

The problem in this case is that Google isn't interested in consent. It tries to get as much information as it can without needing to ask for consent and when it does ask for consent it's through coercion by tying that consent request to actions that are not reflective of the scope of the request ("You want to save your home location? Okay but in order to do that we need to be able to track your every move forever").

That's arguably far more malicious than explicitly saying "please let us share this info with company XYZ so we can continue offering this service for free". That most companies selling data to third parties aren't so explicit about it is irrelevant -- this is just about the claim that "selling data" is inherently more malicious than what Google is doing.

That said, no, selling does not mean "surrendering any and every control over it". GDPR and friends specifically address that by stating that the human being the data is about continues to own that data and can withdraw consent at any time (at any depth of sharing).

[mikejb]

There is a difference, and in practice as in theory, it matters a lot. You can delete your data on your Google account - that gets rid of your data. Deleting that data after it was sold to 3rd parties is like trying to delete your drunk party picture from the internet. Sure, you can try to invoke GDPR, but that's going to be hard when the data was sold to some Chinese company that doesn't operate financially in Europe.

[pluma]

You don't seem to comprehend the fact that in the scope of the GDPR they can't sell to "some Chinese company" without your consent.

If you can only explain why selling is worse by creating a scenario where the selling is done without consent or in an equally malicious/shady way, that doesn't demonstrate that selling is inherently worse.

Selling isn't worse. Selling without regard for a user's rights is bad. But Google is already engaging in abusive behavior as far as users' rights are concerned.

Also, I know this is hard to understand if you're not used to real privacy laws, but if a company sells your data and you invoke your rights against the company, it's the company's responsibility to go after whoever they sold the data to, not yours.

[mikejb]

I think this is a critical point of misunderstanding:

> if a company sells your data and you invoke your rights against the company, it's the company's responsibility to go after whoever they sold the data to, not yours.

Can you point me to more details on this? I have my doubts about it.

[pluma]

As a user your contract is with the company you give the data to. That's simply how contracts work. If the contract says they can give that data to someone else, that's fine. If it doesn't, they can't. That shouldn't be surprising.

The GDPR treats personal information as property of the user. Even if access to and processing of that data is permitted by the user, it remains the property of the user. If the company is permitted to also pass that data on, they're still responsible for ensuring the data is handled appropriately.

I'm not sure what you are doubting. The GDPR is (in)famous for this.

This is why GDPR compliance makes it nearly impossible to hand over information to third parties who aren't GDPR compliant and why EU companies are nervous about working with Google and other US companies (because the Privacy Shield is not any more trustworthy than Safe Harbor which died an extremely swift death).

As far as the user concerned there's no difference between you "selling" their data and you handing it over to a third party as a data processor. You can't "sell" it because it's not yours, you can just take money for handing it over -- but that's between you and the third party, the user isn't part of that transaction.

Think of it this way: users can't sell you their data (they literally can't) so the data isn't your property. You can't sell what isn't yours, so the data you hand over to a third party is still owned by the user who gave it to you with the (GDPR-backed) expectation that you're retaining the control necessary to comply with their requests.

FWIW I'm not sure how this works for third-party tracking (e.g. Facebook widgets). Google Analytics avoids this by requiring compliant websites to enable IP anonymization (which supposedly should be sufficient) but liability still resides with the website owner (and the Data Protection Agreement makes this perfectly clear).

As you want sources, here's what a quick Google yields:

https://iapp.org/news/a/threes-a-crowd-third-party-risk-unde...

https://martechtoday.com/gdpr-mean-third-party-data-processo...

https://www.out-law.com/en/articles/2017/november/stricter-c...

And especially this:

http://www.infocore.com/insights/data-privacy-a-marketers-lo...

> Under the GDPR, EU citizens must be given the easy ability to withdraw their consent, often called "the right to be forgotten". If consent is withdrawn, those data subjects have the right to have their personal data erased and no longer used for processing by the data collector, and by any other entity who has ever used or purchased that data.

So in other words: "selling" user data is no different from handing the data to a data processor.

The point of the GDPR is that personal information is something that taints your product's data and therefore something you want to avoid. Selling it to dodgy companies that abuse the heck out of it is exactly what the GDPR is meant to combat.

[mikejb]

Unfortunately none of your links referred to the actual legislation and only provide summaries and interpretations, but Article 17 (Right to erasure), Section 2 states:

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

So there's an obligation to inform. Which makes sense: Assume you (with consent of the user) sell data to some company, you have to forward them the request of said user to be forgotten. But you have no authority over that company. You can report them to any and every authority if they ignore or actively refuse your request, but you as a company have no authority over them. Particularly if they don't operate within the reach of the European authorities, there's little you can do. And that's what I mean with "You surrender control of the data once you sell it".