How to reclaim your data from Google, Facebook, Microsoft, Apple under GDPR
We reveal how the web's biggest data hoarders have responded to the new regulations and how you can take control of your privacy
Over the past couple of years, you've probably been inundated by emails and notifications asking if you're happy for companies to keep sending you marketing messages. The reason for this sudden obsession with small print is, of course, the General Data Protection Regulation (GDPR), which came into force in May 2018.
The regulation, which has been described as the most important change in data privacy regulation in 20 years, gives individuals greater control over their personal data that's held by third-parties, such as retailers or social networks.
Given how eager many firms have been in abiding to the sweeping privacy changes, we thought we'd look at exactly how web companies responded to the new rules and how you can now view, manage, and even reclaim the personal data that's been collected about you.
Following the arrival of GDPR, Facebook CEO Mark Zuckerberg declared his intention to uphold "the spirit" of the regilation. However, at the time of GDPR's enactment, the data of non-US Facebook users was held in Ireland and therefore automatically covered by the new law. Facebook decided to transfer 1.5 billion users out of the EU and inside the jurisdiction of the US, however, GDPR protections still apply to any residents of the EU, regardless of where their data is held.
Facebook also updated its terms and data policy to comply with GDPR, asking all of its users to "make choices" about whether they want to see ads based on data from Facebook's partners and continue to share 'sensitive' information (as defined by GDPR) in their profiles.
You can also now decide whether or not to turn on facial recognition, which allows Facebook to identify you in photos and videos so friends can instantly tag you. Previously, this feature was forbidden in Europe for privacy reasons, but the new regulation means Facebook can now offer the option to EU users, as long as it's transparent about what data is processed and why.
Reclaim your data:
Facebook already allows you to download all the information the company holds about you, and its Access Your Information tool lets you further review information you've posted or shared, such as likes, comments, videos, your location and your search history. Within your account, you can review and manage things you share your 'Activity log', and delete anything you don't like the look of. You can also delete your entire Facebook account and all the data it contains.
Usefully, all of these options are now available through a single hub, which you can access by clicking the down arrow in the top-right of Facebook and choosing Settings, then Your Facebook Information. This increased transparency seems just as much to do with the Cambridge Analytica scandal as with GDPR, but we're pleased that Facebook is finally addressing at least some long-standing privacy concerns.
Notoriously data-hungry Google made a number of changes to comply with GDPR, including limiting the data-processing of users under the age of 16 and supporting businesses who want to display non-personalised ads online. It also rolled out a password-protected option in Gmail, which limits confidential emails to 'read-and-reply' before they're deleted after a set time.
When it comes to obtaining explicit consent, Google is outsourcing this option to advertisers and publishers, stating in a blog post that "the revised policy will require that publishers take extra steps in obtaining consent from their users".
Reclaim your data:
You can review all the data Google has stored about you on your Dashboard, including your search history, saved locations, synced bookmarks, Android devices and much more. On the same page, you can stop it collecting certain information by turning off Location History, Web & App Activity and YouTube Watch History, and download a copy of your data as a ZIP or TGZ file.
To delete specific data Google has gathered, go to myactivity.google.com/myactivity and choose 'Delete activity by'. Alternatively, you can visit myaccount.google.com/deleteaccount to delete your entire Google account.
To comply with GDPR, Microsoft introduced parental-consent verification for children's accounts. This authentication process requires parents and guardians to grant permission for users aged under 16 to open a Microsoft account, so the child's data can be 'processed' legally under the new EU rules. Verification may involve charging a small non-refundable fee to your credit card or debit card - see here for details.
Microsoft also launched a Compliance Manager tool to help businesses prepare for GDPR, and added a new Data Privacy tab to its Office 365 and Azure suites that lets customers manage and execute requests from data subjects.
In November 2019, the company also carried out a major overhaul of its privacy provisions for commercial cloud contracts after a report from EU regulators last month questioned the company's ability to comply with data laws.
Reclaim your data:
To reclaim the data that Microsoft has amassed on you through tools such as Bing and Cortana, visit your 'Privacy dashboard' at account.microsoft.com/privacy - a site the company launched in 2017, likely in anticipation of GDPR.
As with Google's similar hub, this lets you view and delete information that's been collected about your activities, including your browsing and search histories, locations you've been to (gathered via GPS), voice commands you've used and even details of your interests. Click 'Download your data' at the top of the page to create an archive of this personal info.
The Dashboard also provides details of how to adjust your privacy settings for Microsoft products such as Windows, Skype and Xbox, and lets you switch off online ads that are "tailored to your interests based on your previous activities, searches and site visits".
Reclaim your data:
On Twitter, head to your 'Settings and Privacy' page, and you can review your current settings, such as who can tag you in photos, find you using your email address or phone number, and target you with personalised ads.
You can also review and download the data Twitter holds on you by opening the 'Your Twitter data' section of the 'Settings and Privacy' page. This eye-opening information includes your gender ("based on your profile and activity"), the places you've been, the browsers and devices you use, and what Twitter has inferred your interests to be - you can deselect any that don't "look right". Click the 'Request data' button at the bottom of the page to receive an email attachment containing all this data. Interestingly, you can also request a list of all the advertisers who target you.
If you use Amazon Web Services (AWS), you'll be pleased to know the secure cloud service is GDPR-compliant. This includes personal data encryption, updated data-processing agreements and improved processes for assessing data security. For every day customers who use Amazon's websites, apps and devices, such as the Echo smart speaker, things are less clear.
Incidentally, the only mention of smart speakers in the GDPR documentation is a point that says: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling". This suggests smart speakers such as the Echo and Google Home will need to seek their users' consent (possibly during setup) to process their data without breaching GDPR rules.
Reclaim your data:
Although unrelated to GDPR, you can see some of the data Amazon 'processes' about you by visiting Your Browsing History, including your recently viewed items, recent orders and public profile. To regain a degree of privacy, delete your browsing history, turn the feature off and tick 'Don't use for recommendations' next to items you've purchased.
As we explained in last issue's cover feature, it's possible but not easy to delete your Amazon account by contacting the company directly. However, you can't delete your Amazon order history, because the store treats it as a transaction record, just like your bank or credit card company.
It's currently unclear how this will be affected by GDPR. In the US, Amazon.com lets you download your entire order history, including details of how much you've spent, as a CSV file. You can get similar info in the UK by installing the unofficial Chrome extension Amazon Order History Reporter.
Apple has promoted itself as a privacy-first business for some time now and has been suitably unruffled by GDPR. When setting up a new Apple device, such as an iPhone, iPad, MacBook or Apple TV, you'll now see a new Data & Privacy screen that shows you precisely how Apple processes your information.
According to the tech giant: "When we use data to create better experiences for you, we work hard to do it in a way that doesn't compromise your privacy". In other words, Apple products operate a privacy-by-design policy, which is a core GDPR requirement.
Reclaim your data:
By the time you read this, Apple will have updated its web page for managing your Apple ID, with a new option that lets you download a copy of all your personal information stored by the company.
This includes your contacts, calendar, photos, songs you stream via Apple Music and preferences. The page will also let you correct specific details about you, and temporarily deactivate or completely delete your account. Previously, you could download your data and delete your account by contacting Apple directly.
Preparing for AI-enabled cyber attacks
MIT technology review insightsDownload now
Cloud storage performance analysis
Storage performance and value of the IONOS cloud Compute EngineDownload now
The Forrester Wave: Top security analytics platforms
The 11 providers that matter most and how they stack upDownload now
Harness data to reinvent your organisation
Build a data strategy for the next wave of cloud innovationDownload now