Two complaints to Irish Data Protection Commissioner regarding Facebook
I have just filed two complaints with the Irish Data Protection Commissioner regarding Facebook. One is focused on Custom Audience data, the other on Pixel Audience data. In both cases I tried to access a copy of my personal data from Facebook, as the law forces Facebook to give me the possibility. Facebook engaged in long conversations that didn’t resolve my original requests successfully, so I am now escalating the matter to the Irish Data Protection Commissioner, given that Facebook is headquartered there for non-North American users.
Since the two requests are very similar, I have folded them into one here, with curly brackets to indicate the two alternatives.
If you want to read the original exchanges, you can do so here and here.
Dear Irish Data Protection Commissioner,
I would like to reopen a case with you initiated Feb 1st 2017, and on hold (at your request) since late April, concerning a request for access to Facebook Pixel data {Custom Audiences data}.
My request with you dated Feb 1st concerned a Subject Access Request to some of my personal data from Facebook, initiated Dec 15 2016. All the exchanges associated to that request are attached, and visible here:
https://manual.PersonalData.IO/r/57 {or here: https://manual.PersonalData.IO/r/58 }
You had invited me to reopen the case with you if Facebook’s eventual response was not satisfactory. This is the case, given that Facebook’s last response was still a refusal, dated early May.
Facebook essentially refuses my Subject Access Request, based on the claim that providing me with this information would represent “disproportionate effort”.
Several factors should come into this balancing assessment: how much effort this would represent by Facebook, against what interests it is balanced, etc. I trust that the Irish DPC can make Facebook come to its senses in this balancing exercise.
Concerning the effort this would represent from Facebook:
- previously, Facebook has claimed something was “impossible”, that
it would represent “disproportionate effort”, etc, only to revert that
decision when enough interests were in the balance on my side (this
concerned accessing my individual information on whether I was part of
their Facebook Emotion Manipulation Experiment).
Concerning the balancing interests on the other side:
- As you know, Facebook has been accused of contributing to the
propagation of fake news, or to direct manipulation of communities in
an electoral context. Transparent and accountable election processes
are vital to democratic interests.
- In contrast, Mark Zuckerberg with his controlling shares of
Facebook was still in public denial until long after the US election
of the impact his platform could have had on the electoral process
itself.
- Since, Facebook has changed tack, producing a report on
“information operations” on the Facebook platform and a few other
top-down transparency efforts. However, this effort fails in a few
predictable ways, given that it mostly amounts to a public relations
effort by Facebook. For instance, this report barely mentions other
elections than the US ones (Germany, France, UK), or offers little
details in terms of the targeting that might have taken place. Note
that this effort was purely voluntary.
- Facebook has resisted calls by civil society to disclose more
information, for instance refusing to release copies of all political
ads shown on the platform. More damningly, Facebook opposes to those
calls for transparency dubious privacy rights for the advertisers on
the other sides. I do not believe this balancing of rights on both
sides should be Facebook’s prerogative, and instead ask you to help on
this matter, as is your duty in Irish law.
- There are now reports that Facebook has provided similar
information to what I am requesting to some of the inquiries currently
taking place in Washington DC. I do not believe Facebook would provide
a similar amount of data to other countries who would find themselves
in a similar situation.
- There are now reports some of the DC-based investigations are
focusing on the company Cambridge Analytica.
Note that all of the interests expressed above only concern the public
interest, not my own. To help assess one in light of the other, please
additionally consider:
- I have collaborated with journalists since June 2016 on reporting
about the company Cambridge Analytica, leading to several articles
with significant impact (Guardian, DasMagazin/Vice, etc)
- I have tried to attract the attention of the UK ICO in August 2016
to the company Cambridge Analytica, but with little success at the
time. Following the reporting referred to above, the UK ICO finally
opened an investigation in March 2017. It is still not clear that this
investigation covers the US election, and particularly processing of
personal data for political purposes by a company established in the
UK. It is also unclear that the ICO will ask questions on
transatlantic transfers of some of this data.
- I have tried since Dec 2016 to access the data associated to this
request at my own individual level exclusively, through a Subject
Access Request that I would find significant into informing what
happened in the US, UK (Brexit/General Election), French and German
elections. Indeed, I have intentionally behaved on Facebook in ways
that would invite specific forms of targeted advertising.
- I have convinced a few journalists to engage in similar behaviours.
Presumably, if Facebook did react to my request appropriately, they
would do so as well for those journalists, thereby increasing from my
own individual case the general public interest in Facebook disclosing
more information about this.
This summarizes my request for the Irish DPC to reopen a case
concerning Facebook’s non-compliance in light of my SAR dated Dec 15th
2016.
Please do not hesitate to ask if you need additional information.
Sincerely,
Paul-Olivier Dehaye
That’s it, let’s see how it goes!
Paul-Olivier Dehaye is co-founder of PersonalData.IO, a startup helping individuals regain control of their personal data, through innovative products built around the GDPR. PersonalData.IO also offers compliance solutions, business innovation and consulting services to companies, as well as expert advice to educators, regulators and journalists.