r/dataprivacy

▲ 3.9k r/dataprivacy+4 crossposts

Data Center Infrastructure Expansion Enables Real-Time Behavioral Profiling While Local Meetings Limit Examination of Privacy and Autonomy Impacts

Data centers deliver the computing scale needed for continuous aggregation of location, behavioral, and biometric data into usable profiles for surveillance and predictive analytics.

These approval meetings allow public questions on privacy and environmental costs, yet interruptions during input sessions restrict examination of integration with broader monitoring networks.

Facilities advance under routine rules that rarely compel full disclosure of data partners or algorithmic applications, maintaining opacity around internal decision flows.

The resulting systems establish ongoing surveillance with few direct routes for people to inspect records or limit how information reaches operators and agencies, leaving individuals dependent on patent specialists and advocacy groups for accountability.

Sources

14-year-old girl removed by police from public Lowell data center meeting

https://www.masslive.com/news/2026/07/14-year-old-girl-removed-by-police-from-public-lowell-data-center-meeting.html

Documents the public meeting process for data center projects in Lowell where community input faced interruptions.

Lowell Police remove 14-year-old from data center public forum

https://www.lowellsun.com/2026/06/30/lowell-police-remove-14-year-old-from-data-center-public-forum/

Covers the June 2026 forum at Butler Middle School and documentation by 350 Mass of Greater Lowell.

7 Ways Data Centers Affect US Communities

https://www.wri.org/insights/us-data-center-growth-impacts

Analyzes governance gaps, NDAs, and limited public input in data center permitting that affect transparency on surveillance uses.

US government ramps up mass surveillance with help of AI tech, data brokers and your apps and devices

https://theconversation.com/us-government-ramps-up-mass-surveillance-with-help-of-ai-tech-data-brokers-and-your-apps-and-devices-277440

Details how data centers support bulk data collection and profiling with risks to privacy from commercial and government sources.

Government AI Is Coming for Your Data

https://epic.org/government-ai-is-coming-for-your-data/

Examines AI analysis of commercial data through data centers and the lack of effective mechanisms for individuals to challenge surveillance practices.

u/CollapsingTheWave — 1 day ago
▲ 1.5k r/dataprivacy+3 crossposts

Your car has been grading your driving and selling the report card

For a long time, careful drivers had a deal they could count on. Keep a clean record, skip the claims, and your insurance stayed reasonable. Your driving was judged on results. Did you crash? Did you get tickets? Did you cost the company money? If the answer was no, you were rewarded.

​

That deal got rewritten, and most people never got the memo. A lot of newer cars now keep a running log of how you drive (every hard brake, every fast start, every late-night trip). In case after case that log has been handed to insurance companies before the driver ever filed a claim. The scorecard grew a second page, and this one grades how you behave behind the wheel, moment to moment, then sells the result.

​

About 90% of new cars on the road collect information on how the person behind the wheel drives, according to Telemetry, an automotive advisory firm. Not all of it reaches insurers, and some drivers signed up on purpose for programs that promise a discount. But a good share of this happened to people who had no idea it was happening at all.

​

Full article https://www.freshfromcache.com/your-car-grades-your-driving/

freshfromcache.com
u/FreshFromCache — 2 days ago
▲ 30 r/dataprivacy+3 crossposts

'No hope of protecting it': inside the data oversight crisis facing the public service

One in three public-sector data professionals do not trust the data held within their own departments, a recent survey showed.

The survey of 133 public-sector data professionals between February and April 2026 suggested tools for tracking data assets, and more than half said departments did not document the reasons for collecting data.

---

As the person who ran this research (and an ex-public servant), do you agree with our findings? Do you think trust in data is higher, lower or were we about right?

archive.is
u/sam-at-aristotle_mdr — 3 days ago
▲ 23 r/dataprivacy+3 crossposts

'No hope of protecting it': inside the data oversight crisis facing the public service

One in three public-sector data professionals do not trust the data held within their own departments, a recent survey showed.

The survey of 111 public-sector data professionals between February and April 2026 suggested tools for tracking data assets, and more than half said departments did not document the reasons for collecting data.

Canberra-based Aristotle Metadata and public-sector platform Public Spectrum carried out the survey at the AusGov Data Summit, the annual collaborative forum for public sector data and technology leaders, held in April 2026.

The findings come amid several significant data management incidents in 2026, including an incident where 13 federal agencies engaged a transcription provider that shared sensitive court transcripts with unvetted offshore personnel in India.

Fewer than one-third of data professionals surveyed were familiar with their organisation's data governance policies and about half said they could not easily locate the data required for their duties.

The research also found 37 per cent of respondents didn't know their organisation was failing to give the true value of its data and 67 per cent said they could not easily find documentation describing what their organisation's data meant.

Aristotle Metadata owner Sam Spencer said the results showed a gap between high-level digital strategies and daily data management operations. He said without clear visibility into what data agencies held, it was difficult to ensure its protection.

"I stand by the fact that if somebody doesn't know what data they've got, they have no hope of protecting it. It's your social security data. It's not an abstract technical issue but 'how we know things get done', from public servants being paid correctly to patients receiving timely medical care," he said.

The federal government now relies on the Australian Government Data Catalogue, a centralised registry that contained more than 36,000 records drawn from various public databases for data governance.

An analysis of the registry by Aristotle Metadata showed that of those 36,000 entries, 99 per cent were duplicates from older platforms.

The data also showed that 505 unique assets had not been updated by nearly a dozen large agencies in more than two years.

To manage these records, the Office of the National Data Commissioner used a framework called ONDC26, which listed 26 metadata attributes.

Ten fields were designated as mandatory and 16 as optional, including fields describing the purpose of collection, who could use the data, who it was shared with and when it should be disposed of.

Although agencies were required by the Australian PSPF to use the fields, the Aristotle Metadata analysis showed agencies fell short on the 36 optional attributes – such as the underlying purpose of collection and data licensing rules – with even the largest four agencies, on-site across large agencies such as the education department and the Australian Taxation Office (ATO), showing four per cent completion rates for the optional fields.

A Finance department spokesperson said metadata in the Australian Government Data Catalogue had been published based on requirements for making data discoverable and accessible outside the agency that held the data.

"Mandatory fields are those which are most important for users requesting data, including security classification," the spokesperson said.

For Mr Spencer, treating these 36 optional fields as secondary overlooked their role in day-to-day security.

Classifying attributes like the purpose of data collection or licensing guidelines as optional left agencies without the baseline visibility needed to track how sensitive material was being handled, leaving it exposed to misuse and error, Mr Spencer said.

"There are seven areas about children in schools, not one of those records was written down who's allowed to use it, whether or not it's sensitive and when it's deleted," he said.

Mr Spencer said the ATO listed a single data asset in the catalogue. "Does that sound right to you?" he said.

A government spokesperson from Public Service Minister Katy Gallagher's office said that established data governance frameworks were in place and that accountable authorities were responsible for implementing them within their respective agencies.

The spokesperson said a biennial Data Maturity Assessment evaluated organisational capabilities and helped agencies identify capability priorities.

The inaugural 2024 assessment established an average public service data maturity rating of "developing", with a score of 2.02 out of five, identifying data quality, reference and metadata as the lowest-scoring focus areas.

Mr Spencer said advocating for improved data governance came with personal difficulties.

He had compiled the research and repeatedly taken it to the Office of the National Data Commissioner, ministers and chief data officers, but received little engagement in return.

"I have no budget, no mandate and now I have no friends, because I'm making people very annoyed about this, because I'm making a lot of noise," he said.

Mr Spencer said there was a tendency to invest in large international software products rather than the known work of foundational governance.

"We'll get squeezed over the smallest amount of money for infrastructure, but all of a sudden there's a blank chequebook for international big tech firms," he said. "It's like they're just going to fix anything with a flashy name."

canberratimes.com.au
u/sam-at-aristotle_mdr — 5 days ago
▲ 4 r/dataprivacy+1 crossposts

Built a privacy-first mental health screening tool , 12 clinically validated scales, 4 languages, zero backend

Been working on this for a bit — a self-screening site that runs entirely client-side. No database, no analytics, no tracking scripts. Answers live in memory and vanish when you close the tab.

A few things I focused on:

12 instruments, all real, validated clinical scales (PHQ-9, GAD-7, AUDIT, PCL-5, OCI-R, SPIN, EPDS, PSS-10, Rosenberg, AIS-8, PGSI, ASRS) — not made-up questions. Each result page cites the source instrument.

4 languages (EN/AR/FR/ES) — translations are functional for screening, not clinically re-validated, and I say that explicitly on results so nobody mistakes it for something it's not.

Strict CSP, no third-party scripts, connect-src: none — there's genuinely nowhere for data to go.

Built-in crisis interstitial: if someone answers a self-harm item, they get routed to help resources before results.

It's not a diagnostic tool and I'm upfront about that everywhere in the UI — just a low-friction first step for people who might not otherwise check in with themselves.

Would love feedback, especially on the translations (not a native speaker in all 4) or anything that feels off UX-wise.

[ https://lexio.ink/\]

reddit.com
u/Royal_Aioli9424 — 5 days ago
▲ 3 r/dataprivacy+2 crossposts

Academic Survey: How concerned are you about data privacy, AI, and how companies handle your personal information? (India, 3 minutes)

Hi everyone!

I'm a Grade 12 student conducting an independent legal research project on India's evolving data protection framework and corporate handling of personal data in the age of AI.

As part of my field research, I'm collecting public opinions on topics such as:

• Data privacy
• AI and deepfakes
• Corporate responsibility
• Trust in companies handling personal data
• Awareness of India's Digital Personal Data Protection Act

The survey is completely anonymous, takes around 3 minutes, and no personal identifying information is collected.

If you're willing to help, I'd really appreciate your participation!

Survey link:
https://docs.google.com/forms/d/e/1FAIpQLSeJQ-HGYJZA10zKfcutV4Bus4lI-veyITkKCLEqPuJL9061wg/viewform?usp=header

Thank you so much for your time! Every response genuinely helps my research.

u/sakuraa0707 — 5 days ago
▲ 1 r/dataprivacy+1 crossposts

Help regarding personal information

I think someone might publish personal information about me. I don’t know what to do. I tried reporting them and nothing happened. Can someone help me? I also don’t wanna go too much into details here.

reddit.com
u/higatooru — 8 days ago

Tech company known for privacy updated the terms of service to sell users data to 3rd parties

How legal is for tech companies to update the terms of service with a retroactive clause that completely changes the initial use of data? A company provided an update on its terms of service, but initially terms of service allowed the collected data for internal use only. With the new update they can now sell the data to 3rd parties and it includes the data they already have collected under the old terms of terms of service. While I will cancel the service, how is this allowed?

reddit.com
u/Itchy_Daikon7161 — 9 days ago
▲ 23 r/dataprivacy+1 crossposts

PSA: the Login.gov "front door" for your federal benefits is sharing your ID data with private firms

Was reading through the March 2026 privacy assessment for Login.gov (the thing millions of us are forced to use for VA, Social Security, student aid, IRS, etc) and some of it genuinely surprised me.

The identity info you hand over doesn't just go to the agency. It gets shared with two commercial data companies, LexisNexis and Socure. And Google is collecting behavioral stuff during sign-in via reCAPTCHA, including keystrokes and mouse movements, literally while you're uploading your ID and typing your SSN.

The LexisNexis part is what got me. They had a breach earlier this year that hit records on federal judges and DOJ staff

https://www.gsa.gov/system/files/Login_PIA_%28March_2026%29.pdf 
https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data 

u/privacyovermatter — 12 days ago

Poisoning Publicly Available Personal Data

I have just discovered that lots of my personal information is available free online on websites like "fastpeoplesearch". I'm well aware that trying to get any of it off of the internet is impossible as it's already out there. What I'm looking to do is to make the information that is available so inaccurate that it's useless. Right now my current address and name are spot on, however there are a couple discrepancies when it comes to age and some other factors. Point being, I'd like to somehow increase these discrepancies so that for example, multiple junk phone numbers, multiple ages, and irrelevant addresses show up when I'm searched up. I'd like to extend this to my name as well, and potentially link myself to random people as relatives so that information becomes inaccurate and useless as well.

Aka I want to poison the well and make searches like these useless.

Obviously these websites have no way of uploading any information onto them, so should I just sign up for things with mixed info? For example, getting a cheap phone line with my real name, but fake age, and correct address? Then maybe getting another phone like with another number, slightly misspelled name, and completely different address?

Could I somehow upload a record of me living at an address that I never lived at?

Any help towards this goal would be greatly appreciated, and I don't mind spending a little money on things like phone plans if it successfully poisons my publicly available data. That, and if anyone can think of any other methods to achieve this goal, that would be appreciated too.

Any help would be appreciated, and I'm only posting in this sub because I have no idea where else to go with this question.

reddit.com
u/Opening_Permit6929 — 13 days ago
▲ 4 r/dataprivacy+3 crossposts

You probably have more data processors than you think

A quick confession. I usually stay away from technical implementation detail, because when it comes to actual engineering I am about as useful as a chocolate soldering iron. This post is different. Sub-processors and data flows are one of the very few areas where I genuinely know what I am talking about. So for once, consider me briefly competent.

At some point in the last year, someone on your team added an SDK. Then another one. A webhook. An error monitoring agent. An AI API where you pipe user input and get a response back. Each of those felt like a tool decision. Each of them is also a data governance decision. The two things rarely happened in the same conversation.

Under GDPR, every third party handling your users' personal data on your behalf is a data processor. You are legally responsible for them. If something goes wrong, regulators will ask you to account for the full chain, not just your own code. Most teams cannot do that, not because they are careless, but because the integrations accumulated faster than the documentation did.

Start with your network traffic, not a spreadsheet. Pull every outbound destination your application connects to. Then walk the codebase: every SDK, every API key, every webhook endpoint, every external call with a payload that could be linked back to a person.

Common places builders miss: error monitoring tools (stack traces contain more PII than you think), AI model APIs (their DPA terms have evolved: the version you accepted at signup may not reflect current terms), staging environments (often connected to the same third-party tools as production, sometimes with production data), and libraries with embedded analytics that phone home by default. "We did not know the library was doing that" is not a sentence that lands well in front of a regulator.

For each integration, three questions. Does it receive personal data? Do you have a signed DPA with this vendor? Where is the data processed? And if outside the EU, is there a valid transfer mechanism documented)?

Two things worth actually reading in any DPA before you accept it: whether the vendor can use your data to train their models, and what happens to your data when you stop paying. Both are frequently worse than the marketing copy implies. A vendor that refuses to sign a DPA entirely is a red flag, not a negotiating position.

Triage what you find, fix the highest-risk gaps first, and write it down. GDPR requires a Record of Processing Activities and what you just built is the foundation. Add a processor review to your integration checklist so you are never doing this retrospectively under deadline pressure.

Regulators are not auditing most startups. The real reason to do this is simpler: a breach involving data you did not know was being processed by a vendor you had not mapped is a different category of problem than one you can fully account for. One is an incident. The other is evidence that your data governance does not exist.

Do the audit. A few days of uncomfortable discovery, and then you know what you actually have.

Full step-by-step breakdown here: https://kolsetu.com/blog/your-processor-list-is-longer-than-you-think

Fancy to read more? Take a look at our blogs: https://kolsetu.com/blog

reddit.com
u/EdikTheFurry — 11 days ago