Adding free API access to data portability to give users ownership of their personal data
The big tech companies (Facebook, Google, Microsoft, etc.) have found a new way to undermine GDPR and users’ rights to own and control their personal data.
In the past, all tech players offered free and powerful APIs that allowed users to access their data in real time. These APIs, combined with a robust authentication layer (OAuth), made it possible for startups like BitsaboutMe to build convenient consumer products based on user consent to extract and use personal data, i.e. to allow data portability and make users true owners of their data.
Then the Cambridge Analytica scandal hit: the Facebook Graph API, which was way too generous, was abused to exploit not only the consenting user’s personal data but even that of other people (friends). A review of the scopes of such APIs and their privacy policies was overdue, but large tech players have now discovered a new way to use it to undermine data portability: drastically reducing the scopes of API access as a defensive move to protect their data monopolies.
Facebook, LinkedIn, Amazon and now Google are all doing the same. They continue to offer powerful APIs to advertising clients, who can data mine and target the user base at will to send more powerful advertising, but on the other hand they have greatly reduced the data the individual user can get through the API (for LinkedIn, now only name and email). They still comply with GDPR data portability (Art. 7) by allowing users to extract huge data dumps to their local hard drives in manual processes of various shapes and forms, but these are of limited use for a typical user. They have also built in artificial delays that produce such a file in some cases only after days or even weeks, but always within their legal 30-day limit. All of this is compliant with today’s GDPR but results in a poor user experience.
At the beginning of the year, Google joined in by enforcing new rules for limited use of their Gmail APIs. Those rules greatly limit the ability to transfer Gmail data: “All other transfers or sales of the user data are prohibited”. But they go a step further by stating “Note that the Limited Use restrictions apply even if you seek permission from your users”. Highly paid lawyers have clearly thought about this, but it seems like a gross violation of the data ownership concept if Google can prohibit me from sharing or selling my data through an app of my choice.
Basically, Google prohibits app developers from doing all the things that Google itself is routinely doing with Gmail data (sharing, advertising, market research). To make things even worse, Google now requires a yearly security review of $15’000-$75’000 to use the Gmail API, hence taking all small players out of the market. The effect is that only large players and Google itself will offer additional services for your Gmail account in the future. Welcome back to the world of siloed data.
The regulator needs to quickly sharpen GDPR data portability: in the same way the EU imposed PSD2 on its banks to provide backend services, making them easy prey for fintech startups and GAFAs alike, there needs to be a requirement added to GDPR for large data controllers to offer free and unrestricted API access to users’ personal data. A machine-readable file after 30 days is just not good enough for data portability in this day and age.