Europe versus Facebook: The law protects program logic, not data

Facebook says it doesn't have to hand over all your personal data because that's how the law works. Europe versus Facebook argues that the law protects program logic, not data.
Written by Emil Protalinski, Contributor

Facebook recently told the Austrian group Europe versus Facebook it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property. I asked for further clarification, and Facebook told me that the law places "some reasonable limits on the data that has to be provided." When I got in touch with Max Schrems of Europe versus Facebook, however, he told me this is simply not true.

On its website, Europe versus Facebook shows how to request a copy of your personal data from the social network (see how Reddit overwhelmed Facebook with data requests). It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.

Schrems received a reply to his request in the form of a CD-ROM with a 1,222-page document. As he looked through it however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Facebook explained that the law includes "an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property."

When I followed up with the social networking giant, Facebook explained it gave everything to Schrems that it had to by law. In fact, the company said it is "nonsense to say that we are not willing to provide him with his personal data."

I talked to Schrems and he countered by saying Facebook is not making a distinction between the personal data it stores and the "logics in programs that process personal data." He explained the law only limits the access to program logic (such as Facebook's friend-matching feature) if there is a trade secret or intellectual property involved in the program logic.

In fact, Schrems says European laws do not limit access to the outcome of such processes (meaning your personal data) because of trade secrets or intellectual property. The only data limits the law outlines are backup-related or data that is too hard to hand over (for example, spread over thousands of files that would have to be put together manually).

I asked Facebook what kind of data it is not handing over to Schrems, but I did not get a response. Schrems was more than happy to give me examples: his Likes, his facial recognition data, and the data generated by the Like button was not in the package he received. He doesn't see how the law allows Facebook to skip this type of personal data.

Last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.

His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. Schrems says Facebook is going to get some bad news soon. "I am in almost daily contact with the DPC and they already announced that Facebook will have to give out much more information," he told me.

I have contacted Facebook to see what the company thinks about Schrems' claims.

Update: "Facebook provided Mr. Schrems and his group with all of the information required in response to their request," a Facebook spokesperson said in a statement. "Their request included requests for information on a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and 'any other analytical procedure that Facebook runs.' This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided."

See also:

Editorial standards