Europe versus Facebook: The law protects program logic, not data

Europe versus Facebook: The law protects program logic, not data

Summary: Facebook says it doesn't have to hand over all your personal data because that's how the law works. Europe versus Facebook argues that the law protects program logic, not data.


Facebook recently told the Austrian group Europe versus Facebook it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property. I asked for further clarification, and Facebook told me that the law places "some reasonable limits on the data that has to be provided." When I got in touch with Max Schrems of Europe versus Facebook, however, he told me this is simply not true.

On its website, Europe versus Facebook shows how to request a copy of your personal data from the social network (see how Reddit overwhelmed Facebook with data requests). It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.

Schrems received a reply to his request in the form of a CD-ROM with a 1,222-page document. As he looked through it however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Facebook explained that the law includes "an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property."

When I followed up with the social networking giant, Facebook explained it gave everything to Schrems that it had to by law. In fact, the company said it is "nonsense to say that we are not willing to provide him with his personal data."

I talked to Schrems and he countered by saying Facebook is not making a distinction between the personal data it stores and the "logics in programs that process personal data." He explained the law only limits the access to program logic (such as Facebook's friend-matching feature) if there is a trade secret or intellectual property involved in the program logic.

In fact, Schrems says European laws do not limit access to the outcome of such processes (meaning your personal data) because of trade secrets or intellectual property. The only data limits the law outlines are backup-related or data that is too hard to hand over (for example, spread over thousands of files that would have to be put together manually).

I asked Facebook what kind of data it is not handing over to Schrems, but I did not get a response. Schrems was more than happy to give me examples: his Likes, his facial recognition data, and the data generated by the Like button was not in the package he received. He doesn't see how the law allows Facebook to skip this type of personal data.

Last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.

His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. Schrems says Facebook is going to get some bad news soon. "I am in almost daily contact with the DPC and they already announced that Facebook will have to give out much more information," he told me.

I have contacted Facebook to see what the company thinks about Schrems' claims.

Update: "Facebook provided Mr. Schrems and his group with all of the information required in response to their request," a Facebook spokesperson said in a statement. "Their request included requests for information on a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and 'any other analytical procedure that Facebook runs.' This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided."

See also:

Topics: Social Enterprise, Data Centers

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Europe versus Facebook: The law protects program logic, not data

    I wonder, are they including all the pages they saw you visit with cookies that are tracked by any page that loads the "like" button? If you have a facebook cookie they know you've seen this page.
  • Trade Secrets???

    I never used ???Friend Finder??? or authorized Facebook to use any data under my page.
    I never shared my address book with FB to look for anyone I know.
    I never gave FB permission to access my Google contacts for any reason.
    1.) My son established a ???business??? page on FB.
    The following day, his FB showed up on my FB page suggesting my son's page for ???friending???
    My son's business email does not contain any information that could identify him as a relative.
    I have my son's email id in my mail address book and on gmail.
    How did FB establish a connection of my FB page with my son's business?
    The only way they could have done it is by ???mining??? my address books, without my permission!
    Looks like one of their ???trade secrets??? is a backdoor to my PC and/or to my gmail account.
    2.) I placed a new photo on my FB page.
    The Following day, this new picture showed up as my picture on other web services I use, Including my gmail account!
    How does that happen? That picture only exists on my PC and on my FB page.
    Yes I can see that revealing all email data they mined would reveal not ???trade secrets??? but their stealing of personal information!
    3.) I set up a phony FB page (non existing person).
    The following day, FB was offering to friend people from my address book on my PC.
    Where did FB get a list of ???suggested friends??? (that matched my personal address book) to a non-existing person????
    • RE: Europe versus Facebook: The law protects program logic, not data

      @slimer2:#1: Have you used Facebook's feature to look for friends by checking your email contacts? If not, I can't say for sure. You might have a lot more specific details in common than you think (places you've lived, etc).
      #2: Facebook shares stuff a bit more then you might want.
      #3: If you haven't cleared your browser cookies, then Facebook will see that you've visited it from the same computer on both accounts. They then assume those accounts might be related (maybe family). They might then suggest the same people as friends to both accounts.
      • Trade Secrets???

        @Natanael_L #1 Never used ???Look for friends??? exactly because I didn't want to give FB more info than needed.
        #2 ??? Shares all you give them + anything they can steal!
        #3 ??? Firefox (private browsing and scripts blocked) for my real FB page and Chrome (incognito window) for phony ID. Don't have a static IP and since private browsing and incognito are supposed to clear all cookies and cache, how is FB getting the data? - That's their TRADE SECRET!
  • Who is protecting non members?

    I signed up for facebook for the very first time a couple months ago. When I signed up I only gave my name, and email address, nothing else. Not where I live, not where I went to school, not where I work, NOTHING. I certainly did NOT give them access to any of my address books. However the first time I signed in, they had a list of "People I might know", and it was Incredibly accurate. Now I have a fairly common name, so they couldn't have generated that list from my name alone, so where did they get that information?

    The only thing I can figure is that the people listed either had my email address, and let Facebook know they had it, or they are "friends" with someone who has my email address.

    The point is that LONG BEFORE I signed up for Facebook, They knew who I was, and who I associate with, and where I'm from, and ... and ... and ...

    My question is who do I sue? Facebook for gathering information on me without my permission? or the people who gave Facebook my email address withoug my permission? or BOTH?