Facebook: The law reasonably states you can't have all your data
Update: Max Schrems argues Facebook is wrong. Europe versus Facebook: the law protects program logic, not data.
After making 22 complaints regarding Facebook's various practices, the Austrian group Europe versus Facebook stumbled upon an important tidbit: Facebook says it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property. I followed up with Facebook and learned the company insists the law places "reasonable limits" on the data that has to be provided.
On its website, Europe versus Facebook shows how to request a copy of your personal data on the social network (see how Reddit overwhelmed Facebook with data requests). It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.
Max Schrems of Europe versus Facebook managed to receive a reply to his request. It was in the form of a CD-ROM storing 1,222 pages. As he looked through the ridiculously long document however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Facebook explained that the law includes "an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property."
When I followed up with the social networking giant, I learned that Facebook believes it gave everything to Schrems that it had to by law. The company argues that it is doing everything it legally can to respond to Schrems requests.
"Facebook has sent over 1,000 pages of data to Mr Schrems in response to his subject access request and we believe that this meets the requirements of EU data protection law," a Facebook spokesperson said in a statement. "It is therefore nonsense to say that we are not willing to provide him with his personal data. Mr Schrems was not happy with all of this data that we provided to him and has asked for a range of additional data items. We replied to him to explain fully the relevant provisions in Irish data protection law that place some reasonable limits on the data that has to be provided. We are cooperating fully with the Irish Data Protection Commissioner who will come to a view on Mr Schrems' complaint in due course."
Last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.
His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. It will take quite a while for the Irish Data Protection Commissioner to go through all of the complaints, but it appears that Facebook remains confident he will not find any problems.
See also: