Did Facebook use my location data to recommend friends?
I just sent the following letter to Facebook’s Chief Privacy Officer, Erin Egan, as she is the contact person for the Swiss Safe Harbor program. This is a transatlantic arrangement between Switzerland and the United States meant to ensure a consistent level of data protection as data leaves Switzerland to go to the U.S.
Dear Ms. Egan,
I live in Switzerland and am writing to you at eusafeharbor@support.facebook.com under the purview of the Swiss Safe Harbor program.
As I write this, Kashmir Hill (from Fusion) is releasing a string of stories about Facebook’s use of location data to recommend friends. In her first story, Hill quoted extensively a Facebook spokesperson on the matter, and she outlined some of the associated risks.
In a second story, following public outcry, Facebook tried to backpedal on that original statement. Indeed, Hill included the following quote in that second piece: “We ran a small test to use city-level location to better rank existing [“People You May Know”] candidates and not all were aware that the test had ended,” said a Facebook spokesperson by email. “The test ran for four weeks at the end of 2015.” “It involved a small percentage of Facebook users and stopped last year.”
In a separate public statement, Facebook had stated “[Facebook] show[s] you people based on mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors.” Hill also asked if she could have a list of those “other factors”, but she had not received it yet.
I believe it is my right under the (Swiss) Safe Harbor commitments of Facebook to ask for access to my personal data relating to this “small test”. I simply want to know whether I was in that “small percentage”. I also ask to receive an exhaustive list of these “other factors”, which I believe are part of the notice obligations in the Safe Harbor commitments. Last but not least, under the access clause, I also ask for any information relating to the suggestion of my profile to other Facebook users (delivered, of course, in a way that would be respectful of the privacy of others). Facebook has 30 days to comply with these three requests, and a delay in one should not affect the delivery of the others.
I will also add that I have been disappointed by several aspects of Facebook’s handling of its privacy obligations in the wake of the Schrems-CJEU decision. Firstly, EU Safe Harbor compliance is still promised in Facebook’s Data Policy, despite Facebook’s failing to renew its annual registration with the Department of Commerce (I have reported this grave failure to the FTC and the Irish DPC). Secondly, I have received an insufficient response to a separate but similar request for access to my personal data, which forces me to pursue that older matter through TrustE arbitration court. I am looking forward to Facebook’s response to the court’s questions, but hope I won’t have to go to the same great lengths in this additional case to get a serious response.
Sincerely,
Paul-Olivier Dehaye (Facebook handle: paulolivier.dehaye)