
It hardly even matters if the company is put up for sale.

Assume a kitten-loving company that will rather die than let your data be abused. They take VC funding, hit a bad turn, take more VC funding. Now the board is controlled by VCs. You're now trusting the VCs with your data and not the company itself.

Assume a second kitten-loving company that will rather die than let your data be abused, and is run by only two co-founders. You give them all your data. The two co-founders end up in a plane crash. Their company is transferred to... who knows really? Your data is now sold off in liquidation to.. who knows really?



> Assume a second kitten-loving company that will rather die than let your data be abused, and is run by only two co-founders. You give them all your data. The two co-founders end up in a plane crash. Their company is transferred to... who knows really? Your data is now sold off in liquidation to.. who knows really?

At least in theory, that's possible to avoid. If you accepted the data only under a specific set of terms, and ensured either that the original terms under which data was obtained are those that apply, or that specific privacy and usage terms were required to survive into any successor agreement, then in doing so you'd bind any future owner of the company by the same terms. You can't sell (or liquidate) something you don't have the rights to yourself.


Assume the only surviving beneficiary of the company is a Chinese nationalist. All of the company and servers are transferred over to him. He quickly moves all the data over to mainland China and uses it for.. who knows?

Even if you had laws, I'm not sure they would help in this case.

Besides, even if you have perfectly written self-binding contracts, there's nothing stopping the next owner from being a scumbag and finding clever or illegal ways around the deal. E.g., he could 'find' a million dollars on the pavement in the surprising position where he happened to 'lose' a hard drive with all the data. Exaggeration obviously, but if the data is in someone's possession there are a lot of things that can be done with it without overtly breaching any agreement. E.g., he could start a new company himself that 'leverages' the data to provide all previous customers with 'incredible deals and benefits'.


You're now assuming the new owners are willing to commit illegal acts, or at the very least breach a contract. (And the newly started company would be breaching the contract as well, if it was written to exclude that.) That's at least a significantly higher bar than "the highest bidder can do whatever they want with the data", which is the current state of things.

But yes, even better protection would be never collecting data you don't need in the first place.


> But yes, even better protection would be never collecting data you don't need in the first place.

"Germans even have a word for it: Datensparsamkeit, the principle of only collecting the bare minimum of data necessary." (http://qz.com/390988/germans-are-paranoid-that-the-us-is-spy...)

Since the concept was established in 1983 by the constitutional court, there's probably a body of knowledge around that, just in the 'wrong' language and hence less known in the Anglo-Saxon culture.


Britain has similar laws, of a similar age. We don't have a word for it, but I think there's an attitude that companies shouldn't be given more data than needed, and a suspicion when they ask.

"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed." [2]

Which the guidance[1] explains as "So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”."

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...

[2] http://www.legislation.gov.uk/ukpga/1998/29/schedule/1/part/...


And how much data is Google allowed to store about us?

And why isn't the user allowed to specify the amount of bits that Google store about us?

There are 7 billion people on this planet. If I allow Google to store at most 32 bits about me, then at least that data cannot uniquely identify me (roughly speaking).


The EU Data Protection Directive also pushes for that: "Member States shall provide that personal data must be (...) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes [and must be] adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed".

http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:319...


It's a pretty anti-science stance. Data is very rarely 'unnecessary'. The scientific method requires that you investigate and control as many variables as possible, because often things that you don't realize have far-reaching effects. Throwing that data away early is bad for your business, bad for your customers, and bad for society.

No, I don't think companies should be aggregating all data without regard for consequences of breach, but nor do I believe that cutting data is the answer. Consumers, nay, people, need to learn that 'their' data is not so special snowflake, and that aggregate data is a fantastic tool for making their lives better.


Actually, the scientific method involves coming up with a hypothesis first and then collecting data for it. What you are suggesting is called data fishing and is a major flaw in many so-called "scientific" studies...

https://en.wikipedia.org/wiki/Scientific_method

https://en.wikipedia.org/wiki/Data_dredging

https://xkcd.com/882/


> You can't sell (or liquidate) something you don't have the rights to yourself.

Sure you can. Who's going to stop you? The Data Privacy Police aren't going to come and break up the bankruptcy auction.


It'll stop anyone unwilling to commit a breach of contract, which is a higher bar than "highest bidder can do whatever they like". Right now, most terms of service can be unilaterally changed by the company, which means the new owner can arbitrarily change them and then use the data however they like, without any contractual obligations binding them.


Right, and that's not going to be changing in a hurry. Stop giving people data that you don't want others to have.

If anybody who understands this issue says anything other than "Stop giving people data that you don't want others to have" then I have to question their judgement. If you do decide that something is incredibly valuable then hand over the data; but make sure you consider the data 'sold'.


This is why we need data protection laws. No matter how trustworthy a company is, you can never really trust them.


The most important point here is that the company that originally collected the data isn't that relevant. If other laws don't support privacy protection, you must assume your data may end up just about anywhere & everywhere.


We do have laws that support privacy protection around here, and I still assume it may end up just about anywhere. Data is just too easy to copy around. What these laws give me is the power to tell those companies to delete it, and to get our National Commission for Data Protection to fine them if I ever get evidence that they didn't.

But I would never assume the data is actually protected.



