
This is deeply troubling. As a scientist who uses* Dropbox I gave no informed consent. I know they claim personally identifiable information was removed but still I gave no consent for this.

*not for long, perhaps



I can't speak to how informed you were when you gave the consent, but if you are using the service, you provided it.

"Law & Order and the Public Interest. We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or appropriate government request; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or our users; (d) protect Dropbox’s rights, property, safety, or interest; or (e) perform a task carried out in the public interest."

I would assume that this research fell under the "task carried out in the public interest" clause.


If THAT is their defense — we all agreed to it even if we didn't understand it at the time — well then good luck to them


Isn't public interest a criterion for getting IRB approval? Having read all the recent AoIR threads on ethics, this doesn't seem outside of the accepted norms.


Accepted by who? Obviously not the person you are responding to. Ethics is a relative field, not one full of absolutes.


Why else would Condi Rice be on the board /puts on tinfoil hat


That doesn't stand up under the GDPR any more as far as I know.


GDPR explicitly exempts anonymized data:

"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes." [1]

[1] https://gdpr-info.eu/recitals/no-26/


I imagine the work was carried out by a processor, which could be perfectly legal if the contract between the two entities had adequate data protection clauses. This is just a guess though, I'm sure it's much more complex than that.


If they asked consent specifically for these types of studies, then it's legal.

As in: a form asking the user if their information can be used in this way and giving them the possibility of opting out. Adding one more clause to the privacy policy doesn't count.


Opting out is not OK under the GDPR. Only opt-in is allowed, or at least that's my reading.

GDPR section 32

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=15323486...

Am I misunderstanding?


You are correct, however this is for when consent is relied upon as the legal basis for processing.

My guess is that they are using provision of service as the legal basis for processing, whilst relying upon the "public interest" clause in the ToS to justify the sub-processing by the third party.


That doesn't work, you need to have a legal basis for all processing. It's hard to argue that operating the service requires this sort of research, so you need another basis.

There's some public interest exceptions, but from my knowledge it's not established that stuff like this would work under it.


Yes, you are correct. I think it would be extremely difficult to justify that this kind of processing was necessary for the provision of service.

It seems to me that an organisation the size of Dropbox would have a fairly watertight justification. However, if the legal basis for processing is neither consent nor provision of service, then they must have done a pretty good job of obfuscating all PII (as the article says, "...we and Dropbox employees could view no personally identifiable information."). If this is the case then this sharing of information may not even be in scope of GDPR.

I'm not sure if the public interest exceptions would be a safe route to go down. The EU has made it clear that, like 'Legitimate Interest', the get-out-of-jail-free justification is going to be highly scrutinised.

EDIT: I have just seen that the article has been edited to say that the anonymisation and aggregation was carried out by Dropbox before being transferred to the third party, which kind of kills the discussion.


They could be relying on the "public interest" part of their TOS, in which case they'd possibly argue that this processing was necessary as part of the provision of service, and therefore wouldn't require any further consent from the user.

For the record: I'm not suggesting that what they did was ok, just trying to think about it from a GDPR perspective. Anonymising account information is great and all, but how can you be sure you've obfuscated all PII from information saved to file storage, unless you audit all that information - which in and of itself seems ropey from a data protection point of view.


Why do you believe that the work under discussion was performed in the interest of the public?

It seems hardly necessary to share data with HBR so that Dropbox can offer file-sharing services...

Based on my reading here: https://ico.org.uk/for-organisations/guide-to-the-general-da... this does not apply.


So it looks as though the article has been edited to say the anonymisation and aggregation was carried out before being transferred to a third party, which craps on our discussion a bit.

However, to answer your question anyway - I don't believe you could justify the work as being in the public interest. I think it would be an extremely tenuous link and I think you'd be a fool to try and rely on something as flimsy as public interest if you're not a government body, or processing data on behalf of one.

I suppose I was taking a stab at understanding what their thinking was to see if anyone else could provide me with something which I had not considered.



I continue to be stunned that people still somehow think that these services have any modicum of consideration for their users.

If you don't want your information accessed--run your own servers, people. That's your only option.


I wonder how they got approval from the Northwestern Institutional Review Board. Not having explicit consent from research subjects might indicate that they qualified for some form of exempt status. Did they sell them that Dropbox collects that data as part of their normal operation, therefore consent is not required? Did they say that Dropbox's anonymization was enough to guarantee subjects' anonymity? Did they say that Dropbox's user agreement already enrolls users into research projects?


As a Dropbox paying customer and never having heard of the Northwestern Institutional Review Board it's not them that pisses me off. I haven't reconsidered my usage of Dropbox for a very long time, since I made the decision to stay with them after their no-password fiasco. Today is the first day in a long time.


Looks easy enough to ask: https://irb.northwestern.edu/participants/questions-and-conc... Participant questions go to eyates@northwestern.edu and non-participant questions go to irb@northwestern.edu.


This may come across as argumentative, but it's still a valid question - What's the harm to you?


Imagine you have a folder in your Dropbox with 237 subfolders, and each of those subfolders has a certain number of files in it. The largest folder has 1,132 files, for example, the second largest has 916, the third-largest has 771, etc.

Then imagine you have a second folder with 117 subfolders with another pattern like above.

Now imagine that the first folder structure matches a torrent of embarrassing pornography and the second appears to be a superset of a project published to GitHub under your name (i.e. with some directories being gitignored).
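The comment above is really a description of a structural fingerprint: once names and contents are stripped, the multiset of per-subfolder file counts can still be unique to one account and can be matched against a structure that is already public. As an added example (not code from the thread, from Dropbox or from the study), the block below shows the check a data-protection reviewer would want to run before releasing such "anonymized" metadata: group records by their structural signature, flag any record whose anonymity set has size 1, and show how such a record links to a known public directory layout. All user records and the public project's counts are constructed sample values.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: each record is only the per-subfolder file
# counts of one top-level folder, i.e. the structural metadata that
# survives after file names and contents have been removed.
USERS: Dict[str, List[int]] = {
    "user-a": [1132, 916, 771, 12, 3],  # constructed, mirrors the comment's numbers
    "user-b": [40, 40, 40, 40],          # constructed
    "user-c": [40, 40, 40, 40],          # constructed, same shape as user-b
    "user-d": [5, 5, 2],                 # constructed
}

# Constructed: per-directory file counts of a hypothetical public repo.
# A local checkout may carry extra (gitignored) directories, so the
# public structure is expected to be a sub-multiset of the user's.
PUBLIC_PROJECT: List[int] = [1132, 916, 771]


def signature(counts: Iterable[int]) -> Tuple[int, ...]:
    """Order-independent fingerprint: the sorted multiset of file counts."""
    return tuple(sorted(counts, reverse=True))


def anonymity_sets(users: Dict[str, List[int]]) -> Dict[Tuple[int, ...], List[str]]:
    """Group records by signature; the group size is each record's k."""
    groups: Dict[Tuple[int, ...], List[str]] = {}
    for uid, counts in users.items():
        groups.setdefault(signature(counts), []).append(uid)
    return groups


def singled_out(users: Dict[str, List[int]]) -> List[str]:
    """Records whose signature is unique in the population (k == 1)."""
    return sorted(
        uid
        for members in anonymity_sets(users).values()
        if len(members) == 1
        for uid in members
    )


def meets_k_anonymity(users: Dict[str, List[int]], k: int) -> bool:
    """True only if every signature is shared by at least k records."""
    return all(len(members) >= k for members in anonymity_sets(users).values())


def contains_structure(user_counts: Iterable[int], public_counts: Iterable[int]) -> bool:
    """True if every count in the public layout is covered by the user's layout.

    Counter subtraction drops non-positive entries, so an empty remainder
    means the public counts form a sub-multiset of the user's counts.
    """
    return not (Counter(public_counts) - Counter(user_counts))


def link_to_public(users: Dict[str, List[int]], public_counts: List[int]) -> List[str]:
    """Records whose structure could be the local superset of the public layout."""
    return sorted(uid for uid, counts in users.items() if contains_structure(counts, public_counts))


if __name__ == "__main__":
    print("unique signatures (re-identifiable):", singled_out(USERS))
    print("k=2 satisfied:", meets_k_anonymity(USERS, 2))
    print("linkable to public project:", link_to_public(USERS, PUBLIC_PROJECT))
```

In this constructed population, two of the four records are alone in their anonymity set, so the release would fail even a k=2 check, and the record with the comment's 1,132/916/771 pattern is the only one consistent with the public layout. The practical mitigation is the same one this check motivates: suppress or coarsen (bucket) per-folder counts until no signature is unique, rather than relying on the removal of names alone.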


Not the OP but I'll answer for myself.

I've stored non-anonymized data on Dropbox as part of my own research. IRB gave me permission to keep that data and my consent form explained it to participants. We were all working under the assumption this type of sharing by Dropbox was impossible. My school's IRB does not allow the use of Google Drive for non-anonymized data storage based on just this type of concern.


The point of consent is that it isn't your (or Dropbox's) opinion on what constitutes harm that matters. It is the person who gives consent.


Maybe the parent was performing a research project on Dropbox collaboration techniques and got scooped?

But seriously, as an example, I know people that share sensitive personal information with their accountants at tax time using Dropbox. Would suck for any of that to be made available to any third parties.


Given it was from universities, then prior disclosure of IP for patent applications could be a "harm". Even the directory names and structures could be key information in some applications.


The harm is that 1) data which seems anonymized can be de-anonymized due to carelessness or advances in analytical techniques, and 2) it’s mine. I have laptops in my house for example that I’ve not used in years and will never use again. That doesn’t give you the right to steal them even if there’s no explicit “harm” to me.



