The comment says "there's no way." I can think of at least one which involves a user manually downloading the data and then manually uploading it to another service.
The problem is that if I export my social graph and share it with another company, it includes information about who my friends are -- at the very least, it shows that they are my friends. That violates their privacy. Maybe they did not want their relationship with me to be known outside the social network where they established it.
I'm trying to understand: are you violating a friend's privacy now if you tell a random third party that you are friends with them?
Example, you are chatting at a party with someone and they ask you if you know Bob since he works at your company. You say yes and you say you are good friends with him. You violated Bob's privacy here?
There is a difference between someone mentioning, with intention (that they happen to know X and implying they could offer to make that introduction), and an automated system just bulk sharing a whole address book.
If the question were framed more like:
"Do you consent to sharing your entire address book, so that we can better market to you and your friends and offer targeted ads based on that data to our real customers?"
If your friend isn't a user of the company to which the data is exported, then maybe that friend's data could be served from FB's servers, or your own, and only decrypted client side. This of course cuts them off from being able to monetize swaths of user data which isn't unilaterally owned by one user, but it would be privacy respecting to your friend, wouldn't it? Open protocols with medical-data-like regulation, right?
What's to prevent the other company from simply saving the user data which is decrypted by their client? You think Cambridge Analytica didn't store offline backups of all the data they gathered from the Facebook graph APIs?
When I wrote that, I was thinking of a DNS-over-HTTPS-like system and browsers being the client. You're right. A company could pipe the data back to their servers even if it was only decrypted on the user's device and it was illegal.
> To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.