Irish Data Protection Commissioner to investigate Facebook refusing Subject Access Request.
Under the GDPR, EU residents have a fundamental right to demand a copy of the personal data held on them. Organisations are legally required to comply within 30 days and, if requested, to provide a copy of users’ data in a portable format. Failure to comply will result in a financial penalty.
Following a complaint made by a UK academic, the Irish Data Protection Commissioner is to investigate Facebook’s failure to comply.
A similar legal right was in force before the GDPR became law on 25th May 2018. However, Subject Access Requests (SARs) can now be made free of charge. Subsequently, EU residents have been swift to take steps to test the effectiveness of the new law.
The focal point of the issue is that users’ data is collected and stored via Facebook’s Pixel system. Pixel is a widely used tracking tool, running on multiple websites. During the Cambridge Analytica scandal this tracking code was the subject of a great deal of debate.
The complainant, Michael Veale, is an academic working at University College London. Veale submitted a Subject Access Request to Facebook on 25th May requesting that the company hand over the personal information collected from his browsing history and activities whilst on Facebook.
Facebook refuses Subject Access Request … What??
When a giant tech company like Facebook refuses a Subject Access Request from one of its users, you would be forgiven for thinking “this must be a mistake!” Incredibly, Facebook refused to comply with the SAR, claiming that it was “too difficult to locate the information” within its massive data repository.
Veale countered that the firm’s response was “unsatisfactory” (and frankly, illegal in our opinion – Ed) on the basis that his data could be used to signify medical history, sexual orientation or religion. These data are deemed highly personal and sensitive information. Consequently, Mr Veale lodged a formal complaint to the Irish DPC to ascertain whether Facebook had acquired browsing history on him in medical domains, as well as his sexuality.
Both of these concerns have been triggered and exacerbated by the way in which the Facebook platform targets adverts in highly granular ways, and I wish to understand fair processing.
Veale added that he had used the public tools Facebook offers, but that they had proved “insufficient”.
The Irish DPC has now opened a statutory inquiry into the matter, telling Veale that it anticipated the case would be referred to the European Union’s brain trust, the European Data Protection Board, as it involves cross-border processing.
Veale told The Register:
I hope to refute emerging arguments that the data processing operations of big platforms relating to tracking are too big or complex to regulate. By choosing to give user-friendly information (like ad interests) instead of the raw tracking data, it has the effect of disguising some of its creepiest practices. It’s also hard to tell how well ad or tracker blockers work without this kind of data.
What is in Facebook’s Vacuum Bag?
For the benefit of the uninformed, Facebook basically ‘hoovers up’ information about your device, be it a smartphone, tablet or PC, and which websites you visit. It also records which apps you use and any ads you have seen. Facebook achieves this via business tools and plug-ins, such as the ‘Like’ button, on partner sites.
The data captured is stored alongside a unique identifier for each user, irrespective of whether you have an account or not.
Following Zuckerberg’s rather awkward testimony recently, Facebook claimed that this information is used for safety and security purposes. The firm also stated that it was to improve both its own and its partners’ services.
However, in an email response, which was shown to the House of Commons Digital Committee, the company said that it can’t share this data with its users. Facebook explained that the data is stored on a Hive data warehouse, primarily for data analytics and backup purposes. The firm went on to say that data stored in Hive is separated from the databases that power Facebook, and is “primarily organised by hour, in log format.”
Facebook also claimed the information “is not readily accessible” because it is not held on a per-user basis, but is in fact log data, stored in tables split into partitions. Therefore, in order to extract a particular user’s data from Hive, they would need to search each partition for all possible dates in order to locate data relating to a specific user’s ID.
Facebook staff stated:
Facebook simply does not have the infrastructure capacity to store log data in Hive in a form that is indexed by user in the way that it can for production data used for the main Facebook site.
Unfortunately for Facebook, this argument doesn’t cut much ice with privacy campaigners. As Michael Veale pointed out in his complaint to the Irish DPC, this is “very clearly personal data”.
“Web browsing history is staggeringly sensitive…”
Veale further commented that personal data can be used to infer information on sexuality, purchasing habits, health information or political leanings. He added that, even if the data was not stored against a specific user ID, research has revealed that it is entirely possible to identify the web browsing history of individual data subjects using only publicly available data.
Veale went on to say…
Any balancing test, such as legitimate interest must recognise that this data is among the most intrusive data that can be collected on individuals in the 21st century.
Interestingly, Facebook’s refusal came a month after the 30-day deadline imposed on organisations under the GDPR.
The Irish Data Protection Commissioner’s office said it had initiated a formal statutory inquiry into Mr Veale’s complaint. This will involve an examination into whether Facebook properly met its obligations and whether its actions had contravened the GDPR.