Facebook is Irish! (let the fun begin)
I am on a little quest. A quest to get Facebook to show me what it knows about me. The thing about ‘Web 2.0’ businesses (how old hat that sounds now) is that their entire business models are focused on understanding you, profiling you, getting as much information about you from many relevant sources:
- - your conscious self, actively filling in your profile
- - your less conscious self, passively interacting with the site, browsing certain pages, ‘Liking’ pages around the Web (or not clicking the Like button and still telling Facebook what pages you’re on)
- - your social network, interacting with you – indeed, your social graph can be highly predictive of who you are.
But what constitutes ‘my information’ for the purposes of a Subject Access Request (SAR) under UK, Irish (indeed, Europe-wide) Data Protection legislation?
A subject access request is an order any person in the EU can send any EU-based business that collects their data. It’s an order along the lines of ‘show me what you got’.
So I sent one. Initially, and with infinitesimally little hope of a reply, through some of the Contact Us webforms on facebook.com – doubtless to join mountains of rubbish in there, despite being clearly marked ‘Legal request: please respond; subject access request under the Data Protection Acts’.
And yet I knew that an earlier brave soul had managed to use a different part of the Data Protection Act to get Facebook to properly delete his account (Facebook prefers you to ‘deactivate’ accounts so you don’t leave an information black hole in the picture they’ve built up of everyone around you.
This told me two things. One, that for some reason Facebook thought it was under DPA jurisdiction. Two, it considers your social graph to be very important data – data about you, but with wider implications than that. So it was worth pushing on.
Thanks to a good spot by eagle-eyed lawyer Andrew Sharpe (@TMT_lawyer on Twitter if you want to follow his developing thoughts on the implications of his find; and here’s me), the secret is out: unless you’re accessing Facebook from the USA, in which case you’re contracting with a business in California, under Californian law, if you’re dialling in from anywhere else you’re dealing with a business in… Ireland!
All hands to the typewriter, I boshed out a pitiful attempt at a serious sounding Subject Access Request Letter (which I will post later)(Edit: HERE) and dispatched it, airmail to be signed for on delivery, with haste.
I suppose technically Facebook’s 40 days for compliance started when I sent them my first SAR (through their website forms). That was 16 days ago. Whether I want to argue that or not probably depends how nasty I’m feeling 24 days from now. Facebook’s been under the privacy kosh recently and maybe they deserve the extra 16 days if we mutually were to consider my posted letter to be the first SAR.
Let’s see what happens now. I would love suggestions in the comments concerning what data I should insist upon receiving, and in what format.
I will also be posting a rough guide to use of European data protection legislation in the coming weeks. In the meantime, wherever you are, you can have a look at the EU pages on the subject.
Related:
- The Facebook Data Protection Act letter
- Here is the letter I sent Facebook to ask for my data (for the background to this story, see this post) TO: Data Controller / Legal Compliance Facebook Ireland Ltd Hanover Reach 5-7 Hanover Quay Dublin 2 IRELAND RE: Subject Access Request (Data Protection Acts) Dear Facebook (Ireland), I wish to make a subject [...]...
- 13% would bank through Facebook
- In a pretty unscientific poll conducted through Facebook’s own polling mechanism, which 500 people responded to (responding is voluntary, so the numbers expressing an interest may not be indicative of true demand across an accurate cross-section of Facebookers), data from the 2008 Online Banking Report, reblogged by the NetBanker team, shows that 13% of respondents [...]...
Related posts brought to you by Yet Another Related Posts Plugin.