Update: I followed up with both organizations. See Facebook: The law reasonably states you can't have all your data and Europe versus Facebook: The law protects program logic, not data.
An Austrian group called Europe versus Facebook has so far made 22 complaints regarding the social network's practices. In the process, the organization has stumbled upon an important tidbit: Facebook says it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property.
On its website, Europe versus Facebook shows how to request a copy of your personal data on the social network. It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.
The organization managed to accidentally get Reddit involved, whose users recently overwhelmed Facebook with data requests by following a slightly altered version of the instructions. The company was forced to e-mail all users requesting data to say it was experiencing a significant delay in processing the requests and will be unlikely to respond within 40 days of the initial request.
Before Reddit found out about Facebook's request tool, Max Schrems of Europe versus Facebook managed to receive a reply to his request. It was in the form of a CD-ROM storing over 1,222 pages. As he looked through the ridiculously long document however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Here's Facebook response:
Dear Mr. Schrems:
We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).
To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).
Please note that certain categories of personal data are exempted from subject access requests. Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.
Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.
Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.
Thanks for contacting Facebook, Facebook User Operations Data Access Request Team
When Reddit users started getting e-mails from Facebook about a delay for their data requests, Schrems got one as well. He also got the response above, but I only picked up on it now, after TechDirt linked to the a PDF of both e-mails.
It's worth noting that also last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.
His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. For reference again, here are all the complaints:
The Irish Data Protection Commissioner will have a tough time going through all of these complaints. Still, I would argue it will be even more difficult for Facebook to show that sending you certain parts of your personal data "would adversely affect trade secrets or intellectual property."
I have contacted Facebook for more information about this issue and will update this article if I hear back.