21 April 2020

Exercising my Right to Access: When the Internet Knows where I Eat

Life definitely is becoming more and more digital. You want to make a restaurant reservation, and instead of calling over the phone, you just pull up a restaurant's website, and with a few clicks, you can book a table. In fact, there are a few apps for that, allowing you to essentially use the app as a portal and see what restaurants are available during the time window you desire. I finally registered and made an account for one of these apps one day, and when I did so, I was surprised. It seemed that they had records of me and my restaurant bookings all the way back from 2014. Somehow this didn't add up, and so I exercised my GDPR Right to Access (Aricle 15), demanding from them a copy of all personal data they have which are associated to me.

They responded a week or so later. And sure enough, they have a history of all the bookings I have made that involved their app. I wasn't registered as an account user until earlier this year, but of course you can reserve a table at a restaurant "as a guest", especially if this app is the only reservation method the restaurant uses. You go to the restaurant's website, which clearly points you toward this reservation portal, and you simply provide your name, email address, and telephone number. Without making an account with the reservation app, you can book a table. Voila, the restaurant knows that you are coming, and the app remembers your restaurant choices - and by extension, your eating behaviour - years after the food you have eaten in the restaurant you made a reservation with has long been digested and flushed out of your system.

And of course, even without registering for an account, the reservation app created a user profile for me, by saving my name, email address, and telephone number, which I have been using to reserve tables since 2014.

I must say, I am slightly perturbed by this. I understand that reserving online using an app is immensely convenient. It definitely works well especially in situations when you're in a foreign country, and you don't have a good grasp of the local language. Speaking over the telephone requesting a table would appear to be a challenge, yet it could easily be solved by a few clicks of the mouse through a multilingual app. From the perspective of the restaurant owner, they could focus on cooking, and the logistic administration of arranging table schedules could be done automatically, if they use the reservation app. Not to mention the fact that their visibility would exponentially increase, since they could utilise the marketing efforts of the app, creating opportunities to have more customers.

From a data-sharing perspective, what used to be a simple data-sharing event (X to Y: customer shares personal data directly to a restaurant to ensure the availability of a table) with a short life cycle (shared data is not needed anymore once the table has been occupied) has become a more complicated sharing event (X to Y via Z: customer shares personal data to a central app, who then delivers data to the restaurant) with a life cycle that seems to have long retention schedules (shared data can be stored longitudinally not only by the restaurant, but also by the central app). This opens up for unexpected (at least from the perspective of the data subject, i.e. the customer) uses of one's personal data. Suddenly, someone can create a profile of one's eating habits. If the app allows you to share certain dietary restrictions (so that the restaurant can hear of your limitations), then you can create customer profiles of these people's consumer behaviours. Of course you cannot eliminate the idea that restaurants would be interested in their competitors, and therefore would want to request from the central app eating behaviours of their customers. These use cases are now suddenly possible, something which wasn't possible back in the days when you simply called a restaurant to book a table.

And I am betting that people nowadays who simply find it convenient to reserve a table online using these apps don't even fully realise the ramifications of this slight modification regarding how they share data to restaurants.

In any case, I find this puzzling. I am a fan of technology, and I like convenience. But I also am a fan of transparency. There's a part of this setup that I find opaque, where it is rather unclear how exactly my data is being used. This is definitely something I'd like to know more in the future, and it'll most likely make me pre-occupied for quite a while.

No comments:

Post a comment