In January 2019, I closed my Facebook account because it was no longer of any professional use to me. As a European resident, the GDPR directive gives me the right to request the data Facebook has about me, and ask for its deletion. Unsurprisingly living up to its reputation, Facebook refuses to comply with my GDPR Subject Access Requests in an appropriate manner. This page is tracking my communication with Facebook and their responses, with the aim of attracting attention to their unlawful practices and fixing the process for everyone. It provides interesting insights into the curious “legal” maneuvers by Facebook, and would at times even be funny—if only it wasn’t so sad.

On this page, you will find links to the full text to all emails sent by Facebook and by myself. There is quite some sarcasm and cynicism in my replies, which hopefully makes the dull legal stuff a tiny bit entertaining.

If you’re a Facebook user, you might like to know that Facebook considers you too stupid to understand your own data. If you’re a lawyer, you’re probably going to cringe at their very peculiar bending of European law.

Facebook’s strategy is dissuasion. They will purposely overload you with a lot of technical, legal, or other nonsense, with the aim of making you give up. They bet on you giving up. They will send you wrong, confusing, and conflicting information, and will reply as late as they think they can get away with, even outside of legal boundaries.

Understand that the whole thread below comes from a company that has had a GDPR department for years, so their lack of appropriate action should be attributed to malicious intent rather than incompetence. Note how even some of their canned responses contain typos and grammatical errors, as if they somehow were not prepared.

Current status: awaiting reply (2019/11/16)

Facebook has not replied after three months, even though they are legally required to answer within one month.

I reminded them of their obligations.

Background: I want my data

In yet another attempt to further spread confusion, Facebook’s famous philanthropist and hypocrite Mark is calling for more regulation on the Internet. The irony of course is that Facebook does not even respect existing legislation—GDPR in my case. So Mark calling for more legislation is like a 3-year old asking for more Brussels sprouts: if you know you’re not gonna eat them, it’s only show. Whereas he surely would like shedding some responsibilities (I would like him to do that, too), we should consider his strategy to be one of smoke and mirrors. People remember Facebook asking for more regulation; they tend to forget the ton of legislation Facebook conveniently ignores.

For me, it’s simple: I want my data back. Every single piece of data Facebook has about me, I want it. I want to understand what they know about me and how they (potentially) use it. And when I have it, I will ask them to delete all of it. No hard feelings: I had some alright times on Facebook, but time has come to move on, and just like when moving places, I’m taking all of my stuff with me. After all, it is my legal right.

I am not a lawyer—I am a computer scientist specializing in Web data. So I can perfectly imagine and understand the kind of data Facebook has on me. I am also involved in an initiative to separate data from apps, so Facebook seemed like a very good test case.

History: my actions and Facebook’s answers

2019/01/14 – I try to get data out myself

Facebook has a Download Your Information tool, which is part of their aforementioned smoke and mirrors strategy to give people the feeling that they can always obtain their data (and to fake goodwill toward the EU to make it seem they respect GDPR).

Unfortunately, that tool only gives me all of the data I put on there myself. So nothing I didn’t already have. After all, why would I leave my only copy of a photo on Facebook? So no, this tool does not allow me to exercise my GDPR rights.

2019/01/14 – I send a Subject Access Request via form and email

I send an official sounding email to datarequests@support.facebook.com using a template I found online, which presumable contains the right legalese. Even though they do not need a copy of my passport, I did not want to give them any grounds for refusing my request after 1 month (which is their deadline).

Some minutes prior, I submitted the same request through the GDPR form on their website, which they are hiding deeply in their support section. This form is not accessible by everyone, and in particular does not seem to work from within the US.

2019/01/14 – Facebook sends an automated reply

Facebook automatically replies to my form submission (but not to my e-mail). They ask me to ensure I have provided sufficient detail, which my request indeed contains.

I am slightly surprised by their sloppiness when it comes to language and spelling.

2019/01/15 – Facebook pretends they will do their best

In an unintentional attempt at a self-fulfilling prophecy, Javier from Privacy Operations refers to my GDPR request as a problem [I am] experiencing with Facebook.

2019/01/15 – I tell Facebook to try harder

I tell Javier I don’t appreciate his stalling of my request and request to be put in touch with his supervisor.

2019/02/14 – I warn Facebook about the deadline expiration

It’s Valentine’s Day and I’m officially in a complicated relationship with Facebook. They did not answer within the legal term of 1 month, so I reminded them of their obligations.

2019/02/15 – Facebook lists all data they have (but don’t send)

A late Valentine’s Day present arrives from Sam. True to their tested smoke and mirrors strategy, Facebook sends me a list of all data they have about me, and then happily proceed with not giving me any of it. The audacity.

It took them over a month to send me a bad copy and paste of the information on their own website. The email instructs me to Go to the top right of Facebook and click, which is what you get if your image does not have an alt attribute.

2019/02/15 – I tell them to send me that data then

I call out Sam on their lack of action, and use their own list to tell them exactly what data I want. That seems clear and simple enough.

2019/02/15 – I contact DPO Stephen Deadman and others

Disappointed about the lack of appropriate action, I decide it’s time to directly contact Stephen Deadman, Facebook’s fresh Data Protection Officer (DPO). I also send it to some other prominent Facebookers, just to ensure it arrives well.

How did I obtain their email addresses? Turns out that the European Commission sometimes incorrectly censors documents in response to information access requests.

2019/04/01 – Facebook considers people too stupid

In their most fascinating move yet, Facebook comes up with a lot of ridiculous legal nonsense. They are obviously trying to overload me by giving the impression that they know what they are doing. Did they react on April Fools’ Day for plausible deniability?

On the one hand, they list a ridiculous amount of legal cases that have nothing to do with my request. I did not ask for raw data, but they reckon that misrepresenting my request will make me doubt myself. They even go as far as redefining GDPR.

On the other hand, they make a very interesting “legal” “argument”. GDPR contains provisions to ensure that companies return data in an accessible format, to avoid that they would overload people with meaningless data dumps. However, one of the creative legal geniuses at Facebook came up with this gem:

• Facebook says that GDPR requires their response to use clear language.
• This means that their response should be understandable by the average person.
• But they consider their data is too complex for that average person.
• Hence, they feel they are not obliged to give any data.

In other words: you are too stupid to understand your own data, and this includes things like your location and which device you have used when. You know, simple things you wouldn’t understand. Or how they turn their obligation to simplify what they need to send into an excuse for not sending anything at all.

Interestingly, they also acknowledge that multiple people from their senior leadership have received my forwards. That wasn’t very smart of them. You would almost think these people don’t know what they’re doing.

2019/04/01 – I’m not impressed by legalese

I send Alex a flaming reply in which I call his supreme leader a hypocrite for begging for more regulation, while at the same time instructing his interns to blatantly violate existing legislation like GDPR. I’m acting a bit snubby. I’m calling him out on all of his pseudolegal nonsense and demand my data—again.

Of course DPO Stephen Deadman and his friends are in CC, now that I know they are receiving my mails. I would send them a Facebook message, but I closed my account.

2019/05/02 – Facebook is satisfied

Facebook is satisfied. They are repeating themselves and act annoyed that I am still asking them concrete questions, even though they made it abundantly clear that they will not fulfill their legal obligations. Why am I bothering them? They are Facebook, they are above any law.

2019/05/04 – I am not satisfied

In my unsatisfied reply, I remind Alex that the future is private. To avoid him coming up with loads of excuses, I make him a very concrete request: give me my Network and Connections data, which clearly can be understood by the average person.

I am passionately curious how they will try to get out of this one.
I’m sure they’re creative, but Alex might need his manager here.

2019/06/04 – Facebook has issues and needs time

As if by magic, exactly one month later, Facebook replied they are delaying their answer by another two months as legally allowed by GDPR. This after an intentional delay of no less than 141 days already, mind you.

They pretend the delay is due to the complexity of the investigation, which again seems part of their strategy to make themselves appear disorganized so they can claim incompetence rather than malice. However, we should remain factual: I have asked them for very simple data points, which are technologically easy to retrieve. Their complexities are thus supposedly legal, but it is very hard to believe that a company the size of Facebook hasn’t already made up their mind about exactly what they’ll reply. They are thus buying time, and unfortunately, GDPR enables them in this, even unreasonably so.

2019/06/04 – I ask for more

I wish there were something better I could do in the meantime, but I simply told Alex I know his real reasons for stalling.

I guess we have to wait now, again. While smaller companies respect GDPR much more strictly, the larger companies for which GDPR was intended in the first place gladly continue doing as they please.

And just when he thought he’d gotten rid of me for now, I also requested more data, since, after splitting my initial requests into smaller parts, they were apparently giving it additional consideration (or at least pretending to). Let’s see.

2019/08/05 – Facebook sends a PDF

Facebook replied with a PDF attachment that had been stripped of all metadata. Turns out they care about privacy after all—their own, that is.

Elsa explains in excruciating detail how all the data one possibly might want to have is already available using their tools. It’s basically a long list of excuses.

2019/08/14 – I want more

I tell Elsa that she has conveniently ignored several of my requests and ask her to reconsider.

Let’s wait another month.

2019/11/16 – Three full months later

Facebook did not get back to me on time, even though they are legally required to do so. I gently reminded them.

I case they abandoned the specific case, I also started a new Subject Access Request asking for the same information.

How will this end?

This will only end with me getting my data, obviously.
And thereby giving you a clearer path to get yours.

Stay tuned for updates.