The average American, one study tells us, touches their phone 2,600 times per day. By the end of a given year, that's nearly a million touches, rising to two million if you're a power user.
Each one of those taps, swipes and pulls is a potential proxy for our most intimate behaviors. Our phones are not only tools that help us organize our day but also sophisticated monitoring devices that we voluntarily feed with interactions we think are private. The questions we ask Google, for instance, can be more honest than the ones we ask our loved ones -- a "digital truth serum," as ex-Googler and author Seth Stephens-Davidowitz writes in Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are.
Hoover up these data points and combine them with all of our other devices -- smart TVs, fitness trackers, cookies that stalk us across the web -- and there exists an ambient, ongoing accumulation of our habits to the tune of about 2.5 quintillion (that's a million trillion) bytes of data per day.
Sometimes that data gets spliced, scattered and consolidated across a web of collaborators, researchers and advertisers. Acxiom, for instance, claims 1,500 data points for each of the 500 million people in its database, including most US adults. Just in the past few months, Facebook was reported to have asked hospitals, including Stanford University School of Medicine, to share and integrate patients' medical data with its own (the research project has since been put on hold). In April, gay dating app Grindr was revealed to have shared customers' HIV status with two app-optimization companies. And who suspected completing an online personality test would pave the way for President Donald Trump's targeted political advertising?
In short, the close relationships we have with our devices are not monogamous. But what's a privacy-valuing citizen who still wants or needs to partake in our fabulously networked 21st-century society to do?
There likely could not be a more timely moment for the public to care about the General Data Protection Regulation (GDPR), the European Union's superlatively complex, contested, sweeping data-privacy law that came into force on May 25th.
Its key rights include access to personal data, explanations of the algorithms that shape citizens' lives, portability (or moving your data from one company to another) and deletion. Years in the making, it affects any global organization's business in the European Union, leading companies worldwide to spend millions of dollars bringing their privacy standards into compliance, in some cases standardizing their practices outside the EU too.
So we decided to test the system. A team of nine Engadget reporters in London, Paris, New York and San Francisco filed more than 150 subject access requests -- in other words, requests for personal data -- to more than 30 popular tech companies, ranging from social networks to dating apps to streaming services. We reached out before May 25th -- when previous laws for data access existed in the EU -- as well as after, to see how procedures might have changed.
The EU has had a data-protection directive since 1995, yet studies have repeatedly shown that its rights weren't well-enforced. The GDPR has been law since 2016, yet it only grew teeth this May, with companies now open to fines of up to 4 percent of global annual revenue.
Indeed, the history of data privacy is really a tale of violation without meaningful justice. For example, hacked credit agency Equifax is still in business, and its customers can't even cut ties with it if they wish to. In the UK, Facebook was fined £500,000 ($640,000) for its role in the Cambridge Analytica scandal, the maximum sum under laws at the time of the incident -- but also equal to the amount of cash the company makes every 5.5 minutes.
If the same thing happened today, Facebook could be hit with fines potentially in the billions of dollars. Already, about 1,000 US-based news websites including the Los Angeles Times and Chicago Tribune are inaccessible in the EU, and in a recent Deloitte survey only about a third of organizations could say they were fully compliant.
The hope is that the GDPR will be a gold standard for how to feasibly check the power of big tech companies whose market value dwarfs the GDP of some of the countries trying to hold them accountable.
We contacted companies by email or through their websites when they specified a method in their privacy policies, or we sent a letter when they didn't. (Instagram, for instance, only added an email address for data requests on May 25th and didn't reply to our mailed request.) Our letter was a modified version of the template on the UK Information Commissioner's Office's website, quoting directly from the relevant laws. We asked for information on what data was held on us, where it came from, who it's been sent to and how we've been profiled, among other questions.
Our requests were made from personal email and home addresses, in an effort to be treated as much like regular consumers as possible. In most cases, we sent follow-up questions identifying ourselves as reporters.
"Data requests are a window into the soul of an organization," said Hadi Asghari, an assistant professor at Delft University of Technology in the Netherlands, whose research has shown how little EU access laws have been adhered to in recent years. And we made unexpected discoveries: the distorted, fun house mirror profile that Acxiom held on one reporter; a kink app with lax security practices; a dating service that sent us a stranger's data. But we also saw the wildly divergent extents to which companies are adjusting to the GDPR. Personal information is the commodity that fuels the big data economy, and like all commodities, there's a fight for its control.
How big tech manages your personal information