That was an excellent response. I'd just like to add that financial institutions themselves have taken up a sort of quasi-enforcement activity whereby they engage in a process known as de-marketing or de-risking. They wind up using the intelligence that's garnered through police transactions within their own institutions and then adjudicate and remove from their client roster individuals who exceed their risk tolerance based on that.
That's another particular way data is being used, but it's quite outside the legal framework that's prescribed.