Update: I followed up with both organizations. See "Facebook: The law reasonably states you can't have all your data" and "Europe versus Facebook: The law protects program logic, not data."
An Austrian group called Europe versus Facebook has so far made 22 complaints regarding the social network's practices. In the process, the organization has stumbled upon an important tidbit: Facebook says it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property.
On its website, Europe versus Facebook shows how to request a copy of your personal data on the social network. It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.
The organization accidentally got Reddit involved: its users recently overwhelmed Facebook with data requests by following a slightly altered version of the instructions. The company was forced to e-mail all users requesting data to say it was experiencing a significant delay in processing the requests and would be unlikely to respond within 40 days of the initial request.
Before Reddit found out about Facebook's request tool, Max Schrems of Europe versus Facebook managed to receive a reply to his request. It was in the form of a CD-ROM storing over 1,222 pages. As he looked through the ridiculously long document, however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Here's Facebook's response:
Dear Mr. Schrems:
We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).
To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).
Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of disproportionate effort.
Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.
Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.
Thanks for contacting Facebook,
Facebook User Operations Data Access Request Team
When Reddit users started getting e-mails from Facebook about a delay for their data requests, Schrems got one as well. He also got the response above, but I only picked up on it now, after TechDirt linked to a PDF of both e-mails.
It's also worth noting that last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.
His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. For reference again, here are all the complaints:
- Pokes are kept even after the user "removes" them.
- Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
- Tags are used without the specific consent of the user. Users have to "untag" themselves (opt-out). Note: Facebook has announced changes for this.
- Facebook is gathering personal data e.g. via its iPhone-App or the "friend finder". This data is used by Facebook without the consent of the data subjects.
- Postings that have been deleted showed up in the set of data that was received from Facebook.
- Users cannot see the settings under which content is distributed that they post on other’s pages.
- Messages (incl. Chat-Messages) are stored by Facebook even after the user "deleted" them. This means that all direct communication on Facebook can never be deleted.
- The new face recognition feature is a disproportionate violation of the users' right to privacy. Proper information and an unambiguous consent of the users is missing.
- Access Requests have not been answered fully. Many categories of information are missing.
- Tags that were "removed" by the user are only deactivated but saved by Facebook.
- In its terms, Facebook says that it does not guarantee any level of data security.
- Applications of "friends" can access data of the user. There is no guarantee that these applications are following European privacy standards.
- All removed friends are stored by Facebook. This was reconfirmed recently.
- Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal "excessive processing".
- Facebook is running an opt-out system instead of an opt-in system, which is required by European law.
- The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.
- Facebook has certain obligations as a provider of a "cloud service" (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).
- The privacy settings only regulate who can see the link to a picture. The picture itself is "public" on the internet. This makes it easy to circumvent the settings.
- Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).
- Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person.
- The policies are changed very frequently; users do not get properly informed, and they are not asked to consent to new policies.
The Irish Data Protection Commissioner will have a tough time going through all of these complaints. Still, I would argue it will be even more difficult for Facebook to show that sending you certain parts of your personal data "would adversely affect trade secrets or intellectual property."
I have contacted Facebook for more information about this issue and will update this article if I hear back.