Over The Counter Culture


Facebook is Irish! (let the fun begin)

I am on a little quest. A quest to get Facebook to show me what it knows about me. The thing about ‘Web 2.0’ businesses (how old hat that sounds now) is that their entire business models are focused on understanding you, profiling you, getting as much information about you from many relevant sources:

  • your conscious self, actively filling in your profile
  • your less conscious self, passively interacting with the site, browsing certain pages, ‘Liking’ pages around the Web (or not clicking the Like button and still telling Facebook what pages you’re on)
  • your social network, interacting with you – indeed, your social graph can be highly predictive of who you are.

But what constitutes ‘my information’ for the purposes of a Subject Access Request (SAR) under UK, Irish (indeed, Europe-wide) Data Protection legislation?

A subject access request is an order any person in the EU can send any EU-based business that collects their data. It’s an order along the lines of ‘show me what you got’.

So I sent one. Initially, and with infinitesimally little hope of a reply, through some of the Contact Us webforms on facebook.com – doubtless to join mountains of rubbish in there, despite being clearly marked ‘Legal request: please respond; subject access request under the Data Protection Acts’.

And yet I knew that an earlier brave soul had managed to use a different part of the Data Protection Act to get Facebook to properly delete his account (Facebook prefers you to ‘deactivate’ accounts so you don’t leave an information black hole in the picture they’ve built up of everyone around you).

This told me two things. One, that for some reason Facebook thought it was under DPA jurisdiction. Two, it considers your social graph to be very important data – data about you, but with wider implications than that. So it was worth pushing on.

Thanks to a good spot by eagle-eyed lawyer Andrew Sharpe (@TMT_lawyer on Twitter if you want to follow his developing thoughts on the implications of his find; and here’s me), the secret is out: unless you’re accessing Facebook from the USA, in which case you’re contracting with a business in California, under Californian law, if you’re dialling in from anywhere else you’re dealing with a business in… Ireland!

All hands to the typewriter, I boshed out a pitiful attempt at a serious-sounding Subject Access Request Letter (which I will post later) (Edit: HERE) and dispatched it, airmail to be signed for on delivery, with haste.

I suppose technically Facebook’s 40 days for compliance started when I sent them my first SAR (through their website forms). That was 16 days ago. Whether I want to argue that or not probably depends how nasty I’m feeling 24 days from now. Facebook’s been under the privacy kosh recently and maybe they deserve the extra 16 days if we mutually were to consider my posted letter to be the first SAR.

Let’s see what happens now. I would love suggestions in the comments concerning what data I should insist upon receiving, and in what format.

I will also be posting a rough guide to use of European data protection legislation in the coming weeks. In the meantime, wherever you are, you can have a look at the EU pages on the subject.

This entry was posted on Wednesday, May 26th, 2010 at 7:22 am and is filed under Lifestream, Musings.