[alkonaut]

What I’m saying is that the GDPR is irrelevant unless there is data collected that counts as PII. Collecting non PII isn’t covered by the GDPR.

So yes there are two things: GDPR which is irrelevant here, and storage of non-PII which should be done transparently because it’s polite to be transparent, but not a regulatory requirement.

[marcosdumay]

Well, to be fair, if there is no PII, the telemetry isn't relevant at all and nobody should be concerned by it. (Except for the people that are concerned they will A/B test their software into exhaustion and optimize it into an abomination; but that's not a loud crowd.)

All the complaints are about them collecting PII. Even if they say they don't, the concern is that they could be lying, or change easily, and nobody would know.

[krono]

False, I will rephrase: it is a regulatory requirement under the GDPR to disclose the fact that you are collecting data, to provide a detailed and easily accessible specification of the information contents, a precise definition of how this data is processed and used, and your legal justification(s) for doing so, and to do so for each separate type or kind of collection involving individuals, regardless of whether this includes any PII or not.

The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all, which is obviously not the case here.

Here is a very accessible (although non-official) GDPR resource that I've come across: https://gdpr-info.eu/

Obligatory "I am not a lawyer" disclaimer :)

[alkonaut]

> it is a regulatory requirement to disclose the fact that you are collecting data

Not if the data isn't PII, no. Not in any way shape or form.

> The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all

The whole point of collecting "anonymous usage data" (which is what telemetry usually does) is that it shouldn't be possible to attribute to a physical person, and thus not be PII. As an extreme example, you could take the most typical form of telemetry: a feature usage count. When a feature is used, the telemetry collects a (+1) for that feature. The only long term stored data is the total count N for each feature across the entire user base. Of course there is no PII stored.

> which is obviously not the case here.

Why do you say that it's "obviously" not the case, when there is no indication about what data it is, other than the Dropbox representative saying precisely that there is no PII collected so the GDPR isn't relevant? There may be PII (in which case they are both at fault for not disclosing, and complete asshats for lying in the support forum). But it would be a pretty uninteresting discussion once one assumes that...

Obligatory "I'm not a lawyer either but I've implemented telemetry in software and had those implementations thuroughly analyzed by lawyers a couple of times"

[krono]

Ah gotcha, yes, you're right, except that only holds when you are not collecting any other data from the "subject" at all.

The major differentiating factor here is that that Dropbox does in fact process PII - convenient storage and distribution of their customers digital life is their raison d'être, after all, it's precisely what those people expect of Dropbox and pay them their monthly fee for.

In this case, where telemetry is gathered by the same desktop application that is also a primary component of their legitimate and consented-to data processing activities no less, they would at minimum be required to specify what information goes where, how it is anonymised, and for what purpose they require it.

I'm not assuming ill intent or unsanctioned data mining activities or anything of the sort, but whatever it is that they are collecting and doing is not as clear as it should be.