Ruben Verborgh

Email: Contact the Data Protection Officer (DPO) #[case-number]

From: Facebook <case++[case-code]@support.facebook.com>
To: ruben@verborgh.org
Date: 1 April 2019 at 16:43:17 GMT+2
Subject: Contact the Data Protection Officer (DPO) #[case-number]

Hi Ruben,

We refer to your access request under Article 15 of the General Data Protection Regulation 2016/679 (the “GDPR”) received on 14 January 2019, to which Facebook’s Privacy Operations team responded on 15 February 2019.

Our response contained instructions on how you can access and download your personal data on Facebook and set out the information required by Article 15(1)(a)-(h). Subsequently, you forwarded this response to a number of individuals at Facebook, including our senior leadership, and responded directly to our Privacy Operations team.

From your various communications we understand you are concerned that Facebook has failed to fulfill your subject access request by not providing you with all your data.

We are satisfied that our response on 15 February 2019 complies with our obligations under Article 15 of the GDPR. However, to address your concern we have provided an overview of the relevant provisions of the GDPR, together with relevant guidance and case law which has informed Facebook’s approach to access requests.

By way of background, the right of access granted by Article 15 of the GDPR is best understood as a mechanism by which data subjects can ascertain the lawfulness of the processing of their personal data. Recital 63 of the GDPR states that: A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

Facebook ensures that the purpose of the access right is met by providing its users with easy access to their data in a form which they can understand and from which they can assess the lawfulness of the processing of their data. For example, we provide our users with a variety of tools – such as Access Your Information (AYI), Download Your Information (DYI), Activity Log and Ads Preferences – that give users access to, and control over, their personal data.

Article 12(1) GDPR requires that the information provided to an individual in response to an access request is in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. At its most basic, this means that the information Facebook provides in response to a request should be capable of being understood by the average person. Highly technical data in its original form is likely to be meaningless to the average Facebook user and providing such data would be inconsistent with Facebook’s GDPR obligations. Indeed the Court of Justice of the European Union (the “CJEU”), and the Irish High Court, have accepted that personal data does not need to be provided “in its original material form” to data subjects.

In joined cases C-141/12 and C-372/12 YS & Ors, the CJEU held that the right of access is satisfied once data is provided in an intelligible form, meaning a form which allows the data subject to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that that person may, where relevant, exercise the rights conferred on him [1]. The Court has also found that, provided the data is provided in a form which allows an individual to exercise their rights, a data subject has no right to access the underlying raw files which may contain their personal data: in so far as the objective pursued by the right of access may be fully satisfied by another form of communication, the data subject cannot derive from either Article 12(a) of Directive 95/46 or Article 8(2) of the Charter the right to obtain a copy of the document or the original file in which those data appear. [2]

This principle was recently applied by the Irish High Court in Nowak v. DPC [3], where the Irish High Court concluded that the obligation on a data controller to provide a data subject with personal data… does not extend to an obligation to provide the data in its original material form or, in the case of a document, to provide the original of that document.

We have undertaken a thorough review of the best way of providing our users with meaningful access to their data. Via our AYI and DYI tools, Facebook has fulfilled its obligation to provide you (and other users) with easy access to data in an intelligible and meaningful form. Such data is available online, and it can be easily and quickly downloaded in HTML or JSON form.

Facebook’s approach accords with Recital 63 which states that: [w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.

The market leading tools provided by Facebook facilitate users in confirming that their data is accurate and being processed lawfully, so as to enable them to exercise their rights if appropriate. All users are given easy access to the up-levelled and meaningful information, like their inferred interests. For example, Facebook users can learn what advertising interests we believe they have – and modify that information – through their Ads Preference tool.

Finally, we would note that the right of access is not absolute. It is subject to various exceptions in both the GDPR and national law. For example, Article 15(4) makes clear the right to obtain a copy of the personal data undergoing processing “shall not adversely affect the rights and freedoms of others”. Article 12(5) states that a controller may refuse to act on an access request which is “manifestly unfounded or excessive, in particular because of their repetitive nature”.

More generally, proportionality is a general principle of EU law[4] that must inform the scope of a controller’s response to a data subject request. This means data subject rights such as the right of access need to be applied in a proportionate fashion. In cases where the right to data protection runs up against other fundamental rights, the CJEU has held that it is necessary to strike a fair balance between the various competing interests. [5] In other words, the right of access is not absolute and does not require the imposition of an excessive burden on the data controller.[6] When engaging in this balancing exercise, the court will seek to strike fair balance between on the one hand, the interest of the data subject in protecting his privacy, in particular through his right to have the data communicated to him in an intelligible form, so that he is able, if necessary, to exercise his rights to rectification, erasure and blocking of the data (in the event that the processing of the data does not comply with the directive) and his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to communicate such data represents for the controller. [7]

A balanced and reasonable approach must be adopted with respect to assessing the data that is to be produced in response to a subject access request, having regard, in particular, to whether or not the data is readily accessible, and the costs incurred by the controller in retrieving certain information. The burden on Facebook cannot go beyond what is necessary to achieve the objective. Given the potentially excessive burden of retrieving all data and the nominal value of technical data (which is meaningless to the average person) to users, we are of the view that providing users with production data, as made easily accessible through our various tools, is the best way to provide the information Facebook processes about users in an intelligible and user friendly form.

For the reasons set out above we are satisfied that our response on 15 February 2019 fulfils Facebook’s obligations in respect of your subject access request.

We trust this is informative. However, should you have any further questions or specific concerns please feel free to reach out to us. Alternatively as mentioned previously, you also have a right to lodge a complaint with the Irish Data Protection Commission, which is Facebook’s lead supervisory authority (please see http://www.dataprotection.ie (https://protect-eu.mimecast.com/s/b7KKC31Z6UmlLXWIE0Zdg)) or your local supervisory authority.

Kind regards,

Alex
Privacy Operations
Facebook

[1] C-141/12 and C-372/12 YS & Ors, paragraph 57
[2] paragraph 58
[3] [2018] IEHC 118
[4] See Joined Cases C-27/00 and C-122/00 R (Omega Air Ltd) v Secretary of State for the Environment Transport and the Regions [2002] ECR I-2569 at [62]
[5] C-70/10 Scarlet Extended v. SABAM [2011] ECR I-11959.
[6] C-553/07 Rijkeboer [2009] ECR I-3889, paragraph 59.
[7] C‑486/12 X. at 28.