A tech policy researcher used GDPR to request information about all of his choices from Netflix.
When you gaze into Black Mirror’s Bandersnatch, it also gazes into you. It’s no secret that Netflix tracks what its users watch and how long they watch it, but Bandersnatch gave Netflix a unique opportunity to let the streaming giant learn what its users wanted in real time. Some people even speculated that Bandersnatch was largely a data-harvesting operation.
Michael Veale, a technology policy researcher at University College London, wanted to know what data Netflix was collecting from Bandersnatch. “People had been speculating a lot on Twitter about Netflix’s motivations,” Veale told me in an email. “I thought it would be a fun test to show people how you can use data protection law to ask real questions you have.”
The law Veale used is Europe’s General Data Protection Regulation (GDPR). The GDPR granted EU citizens a right to access—anyone can request a wealth of information from a company collecting data. Users can formally request a company such as Netflix tell them the reason its collecting data, the categories they’re sorting data into, third parties it’s sharing the data with, and other information.
Veale used this right of access to ask Netflix questions about Bandersnatch and revealed the answers in a Twitter thread. He found that Netflix is tracking the decisions its users make (which makes sense considering how the film works), and that it is keeping those decisions long after a user has finished the film. It is also stores aggregated forms of the users choice to “help [Netflix] determine how to improve this model of storytelling in the context of a show or movie,” the company said in its email response to him. The .csv and PDF files displayed Veale’s journey through Bandersnatch, every choice displayed in a long line for him to see.