A few weeks back, Techdirt posted a story about a European campaign group called "Europe vs. Facebook", which is trying to find out exactly what information Facebook holds about its users. It is doing this using European data protection laws, thanks to the fact that Facebook' s international headquarters are in Ireland.
The group's founder, Max Schrems, received a reply to his request for the data Facebook held about him in the form of a CD-ROM storing over 800 pages. But looking through them, Schrems noticed that important information was missing, and so contacted Facebook again, asking for the extra details. But Facebook refused:
To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).
Please note that certain categories of personal data are exempted from subject access requests. Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of disproportionate effort.
It seems hard to believe that a sophisticated, leading-edge company like Facebook can't pullout all the information about one user – the basic node of the social network - without "disproportionate effort", but that's not the real issue here. Alongside all that terrible effort, Facebook cited another reason for refusing to give Schrems the missing details:
Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.
Claiming that certain aspects of your personal data is "a trade secret or intellectual property of Facebook Ireland Limited or its licensors" seems pretty extraordinary. Schrems is not letting things rest there, though, and has contacted the Irish Data Protection Commissioner to pursue the matter further. Meanwhile, Facebook has released a statement on the matter:
We are cooperating fully with the Irish Data Protection Commissioner who will come to a view on Mr Schrems’ complaint in due course.
I can hardly wait for that view - and for Facebook's response if it requires the release of some "proprietary" data.
by glyn moody
from the you-thought-it-was-your-life dept
Wed, Oct 12th