[karmajunkie]

FTA:

> The new draft of APRA also creates a massive loophole for personal data collected and used on an individual’s device. Tech companies would be able to do almost anything they want with data that stays on a personal device–no data minimization rules, no protections for kids, no advertising limits, no transparency requirements, no civil rights safeguards, and no right to sue for injured consumers. As AI and computing become more powerful, allowing more processing to occur on a device, this loophole will grow. As a result, this draft of APRA is weaker than state laws it is preempting.

That hardly amounts to an uncontroversial and obvious good—I would say regardless of your feelings on the anti discrimination provisions that it should be the uncontroversial to reject this legislation.

[spencerflem]

If it stays on your device, how is it a privacy violation? It sucks that this preemps stronger laws ofc.

[SamuelAdams]

It depends on how you define what data must stay on the device. You see this all the time with data processing.

Individual actions and usernames are recorded. Let’s call that personal data. That has to stay on the device.

But what if I also ran a “collect usage metrics” process that ran once a week and summarized your actions, removed your username and replaced it with a random GUID, and otherwise painted a profile of how you used my software over the last seven days?

Is that summary level data still considered protected? Can I send that back to my servers without telling you, or if I add a settings toggle for “share usage data to help improve our products”, is that ok?

At what point does data become generic enough to not be personal?

[lesuorac]

Also that data when it's anonymous might be done with a K-Means of 1 or 3 which is basically unanonymous.

https://en.wikipedia.org/wiki/K-means_clustering

[karmajunkie]

This guy GDPRs... ^^