It depends on how you define what data must stay on the device. You see this all the time with data processing.
Individual actions and usernames are recorded. Let’s call that personal data. That has to stay on the device.
But what if I also ran a “collect usage metrics” process that ran once a week and summarized your actions, removed your username and replaced it with a random GUID, and otherwise painted a profile of how you used my software over the last seven days?
Is that summary-level data still considered protected? Can I send that back to my servers without telling you, or if I add a settings toggle for “share usage data to help improve our products”, is that OK?
At what point does data become generic enough to not be personal?