GDPR and indeed any data protection laws may well be completely irrelevant in the context of Microsoft's services. Even if relevant, consent is unlikely to be relevant as a processing basis under GDPR in the context of usage of MS services. Performance of contract or legitimate interests are much more likely to be relevant...
I need to inform my customers what I do with their personal data. That includes which companies I share that data with.
Having an Excel with customer data is providing that data to Microsoft. So I need, as the one responsible for the data, to know how they will use it. Any use case that isn't obvious has to be clearly stated in the data privacy agreement. Including moving data outside the EU into other countries like America (where the US government can request that data without even informing us) or using their data to train AI.
Come on. If we need to inform that we used ChatGPT (just in case they provide PI), why would we not need to inform about Microsoft?
Key word is "may" be completely irrelevant! Of course, if you're providing an Excel of customer data, it will be relevant if the user is in the EU. But still, consent won't be relevant in that context.
User content may include personal data but may also not...so in some senses, better to include totality of use cases in a non-data protection related document.
To an extent, think about vested interests here. Mozilla has little to gain by showcasing how clear a rival's new service agreement is!
The AI services section seems pretty clear in terms of limiting the use cases of user content:
"iv. Use of Your Content. As part of providing the AI services, Microsoft will process and store your inputs to the service as well as output from the service, for purposes of monitoring for and preventing abusive or harmful uses or outputs of the service."
Admittedly, I haven't read other parts to understand the full picture though.
If I understand the below correctly then it seems they can use your data for whatever purpose they want. Also training AI even though it does not explicitly say so.
"2b. To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services."
First, Mozilla doesn't do this every week. And Mozilla has a history of keeping in mind the general population's interests for privacy and security. On the other hand, we have a corporation with a history of cheating, lying, stealing, scamming people, from fighting standards, abusing positions of power, overwriting choices going against their shareholders' interests. So yeah, vested interests, but also we need to keep in mind the history of both entities.
Also Mozilla didn't say "Oh we have the MS new ToS and we keep them private", they're there, get a lawyer and see if they're obvious to understand?
That's the only mention of AI using content. So it can be read in a few ways:
1. They will sometimes use the data for training their RLHF stuff, to "prevent harmful use" of the services.
2. The clause is exhaustive and therefore they won't use it for training, as otherwise that'd be mentioned, and are just going to log stuff for the usual monitoring purposes.
This is a storm in a teacup. I don't even know why I should care. If MS crawl some web pages I've written and AI gets slightly smarter by reading them, or if I have a chat with the AI and some engineers use it to make the AI work better, great. It's very hard to imagine concrete, real harm from them being able to do this, though I can understand why companies might worry about it spitting out their source code verbatim in some cases.
> I don't even know why I should care. If MS crawl some web pages I've written and AI gets slightly smarter by reading them
Crawling public web pages is a separate issue⁰ – by putting something online you aren't explicitly agreeing to any of MS's policies, at least in the eyes of the law. This is the same for anyone crawling public content not just MS.
This privacy policy covers all the content you might use MS apps and services for, i.e. where you are¹ automatically agreeing to MS's policies: OneDrive, potentially any local-only documents in Office, code in VS and other tools, perhaps anything stored on your PC running Windows.
> I don't even know why I should care.
If you don't use any MS products or services, and no products/services you do use are backed by MS's services, then you don't need to care personally. Or indeed if you do but consider everything you output or otherwise work on to be public domain. Otherwise, maybe it is something you should form an opinion on?
----
[0] time to switch my robots.txt files to “User-agent: *
Disallow: /” – though it is very likely already too late for any existing content
[1] except where limited by law that you can afford to argue with MS's legal team over
I do use MS services. I still don't understand why I should care unless the AI starts simply repeating my private data in response to questions.
Now you could argue, what if I have documents with secret ideas or valuable IP that I don't want the AI to helpfully explain to others? That's definitely a valid concern! But for consumer uses, if it learns to draw better hands by looking at my holiday photos or whatever, then I don't see the problem.
> unless the AI starts simply repeating my private data in response to questions
That is a concern some have, particularly around CoPilot and the fact it has been trained with much copy-left covered code in public repositories.
They assure us that it is not possible for blocks of code to be regurgitated that would break things like *GPL, but they have yet to explain why, if that assurance is 100% definitely true, they have not included any of their private code in the training set. Surely they consider that their code is of good quality and would be valuable to include in the model.
> if it learns to draw better hands by looking at my holiday photos or whatever, then I don't see the problem
And if it gives an advertising firm working for a product you'd rather not be associated with an image of a family that look _very_ like yours? Again, the same assurance is given as per CoPilot, but again not everyone is assured by the assurance.
And of course it could happen anyway by chance even if your family is not in the training set. I don't not bother to lock my doors because someone with a good lock-pick could get in anyway.
And they are not doing it because of a great communal benefit (well, their individual coders may be, but the company certainly isn't), they are doing it for commercial benefit. I'd prefer they didn't with my data, or if they do I'd like my slice however small thankyouverymuch.*
> If you don't use any MS products or services, and no products/services you do use are backed by MS's services, then you don't need to care personally.
I beg to differ, wouldn't they be more inclined to care in case their data was being used in a product they do not interact with, rather than the one they do use - and in some way benefit from it?
That is a huge grey area of indirect use/agreement. If they don't interact with those services then someone else has given MS the data, so from MS's PoV someone else has agreed to the policy and from the user's PoV someone else has perhaps given their data to MS without permission. So yes, a concern, but not necessarily one relating to this policy except any clauses it has about removing data and its use when they are informed they shouldn't have it.
That paragraph says some things that they can do. It in no way says they won't use your content for AI training and any number of other things.
Mozilla's point is that the whole document is sufficiently vague that they could use it to defend pretty much whatever use of your content that they conceive of now or in the near future.
To make it look, on cursory reading, like the policy is something you are comfortable to agree to. Legal theatre.
Also because those specific uses are mentioned in existing law and/or have been otherwise successfully defended. It gives their lawyers as many explicit tools as possible, before they need to argue around the implicit ones enabled by their policies & agreements being deliberately more vague elsewhere.
The point is that if they don't say that they won't, then they pretty much can if they choose to.
But a unique identifier doesn't necessarily identify a living person, particularly in isolation. It's just that it's frequently associated with a load of additional information that could eventually be used to identify someone (think advertising cookies when associated with a load of browsing data). So you can't escape from scope by saying you're using a unique ID rather than a name.
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).
Suppose the government wants to know what a particular user was reading on your site. They can calculate the hashed ID for that user and then serve a warrant requesting the data for that ID.
Love the contrast between the title and the text. This isn't even about GDPR, it's about a completely different piece of legislation, the E-Privacy Directive. This is completely agnostic on personal data and so the post is largely flawed.
Even if you're not dealing with any personal data, if you're placing a cookie (or doing anything analogous, device fingerprinting etc.) you are in scope of the Directive and need consent, irrespective of GDPR.
The new E-Privacy Regulation is looking to implement an exception to consent for analytics but that would have providers like Google Analytics out of scope. Anyway, it's stuck in the mud at present...
I wouldn't trust any article that purports to be about GDPR that uses the term 'PII', a term which itself isn't anywhere to be seen in the regulation!
In reality an IP address is generally not PII, but it may be personal data - the case is Breyer which was decided on pre-GDPR law but still relevant. If you could use reasonable means to identify someone from the IP address then it will be personal data. I don't really agree with the outcome of the case because it implied it was easy to contact an ISP to get them to disclose details of the subscriber information associated with the IP address. In the UK at least it would require cause, and a court order.
No, they're implying that there's been a failure by pro-leavers to acknowledge that many of these roles have in the recent past been performed by immigrants from Europe.
Now with the UK's departure, employers may struggle to fill vacancies (and indeed it appears they have been - see link below), so the poster was sarcastically suggesting that they can't wait to see pro-leavers performing these tasks because it seems like in many cases UK nationals aren't willing to perform these types of roles.
The nature of the role is irrelevant and the poster wasn't suggesting that pro-leavers should be subject to degradation!
All we know is that UK nationals aren’t willing to do those jobs at the wages being offered. If employers raise wages to something liveable and decent then it’s reasonable to assume employment in those areas will increase.
And this is precisely why the "output per hour" is likely to go up post-Brexit for such jobs, although admittedly there are also plenty of high earners leaving the UK (though they'll eventually be replaced by qualified immigrants or locals).
Well I think he was hostile and resentful and that’s not cool. I also sincerely and in good faith can’t wait to see less people exploited for cheap labor and more of my fellow Britons employed with a decent wage for once.
Hostile no, but I can see the market still needing unskilled labour of course, and I genuinely hope for your sake that it doesn't just cause the prices to increase dramatically.
I'm not from nor living in the UK but I sure hope things work out.
My post was a dig at the idea that all the UK needs to allow into the country is highly skilled people. I don't buy that argument... But let's see.
You’re right, a relatively large influx of foreign workers of any skill level is harmful to all people, but especially the local people if it causes a reduction in wages.
If the cost of goods increases, it won’t likely be severe since it serves the entire population while only a small percentage of the population produce the goods. Also changing prices affects demand independently from cost of production.
The concept of processing necessary for the performance of a contract is interpreted extremely narrowly by data protection law. Rightly so, because otherwise it would give entities far too much latitude to stuff as many different processing activities as possible within that ground, even though certain processing activities aren't at all necessary to provide the service.
With Grindr, they only need to process data to provide the service by making it available to you and to other users. What they definitely don't need to do in order to provide the core service is to share your data with third parties who can then use it for their own purposes.
Any argument that the processing is necessary because it's an ad-funded service would not be acceptable under data protection law.
On that basis, performance of a contract would not be a relevant ground. You're also looking at e-Privacy Directive considerations in the EU where either a cookie or similar is essential to provide the service, or you need consent. Similar for location data, you will generally need consent.
So you not only have GDPR issues but also e-Privacy Directive issues where your processing grounds are actually incredibly limited anyway.
That was my point. People sign contracts where they consent to sharing. The advertising industry is not breaking the law because they don't use the data that is necessary for the performance but they use the data that is voluntarily shared.
And as mentioned above, the sharing aspect of those contracts is more or less void if the personal information sharing was implied to be required to use the service, and/or was not opt-in such that the option without opting in was not the prominent default.