[Profile picture of Ruben Verborgh]

Ruben Verborgh

Email: Re: Contact the Data Protection Officer (DPO) #[case-number]

From
Ruben Verborgh <ruben@verborgh.org>
To
Facebook <case++[case-code]@support.facebook.com>
CC
Stephen Deadman <stephendeadman@fb.com> and a couple of others
Date
14 August 2019 at 21:38:46 GMT+2
Subject
Re: Contact the Data Protection Officer (DPO) #[case-number]

Dear Elsa,

Two months to the day.
Or make that three months, since Alex’s previous reply was basically I’m gonna take a two-month holiday. Really squeezing the GDPR lemon there, aren’t you?

BTW, what happened to Alex—did they chicken out?
That is so regrettable.

I’m pleased to see that you take privacy seriously at Facebook. The PDF you sent me did not contain any metadata at all. If only you cared that much about your users.

It’s also regrettable that you consider yourself the judge of how GDPR should be interpreted. I mean, you’ve tried playing judge several times in the past, and that never worked out well, did it?

Facebook does not have a legal obligation to provide Data Warehouse data in its unintelligible form

First of all, Elsa, let’s stop with the straw man arguments already. As I’ve told you before, I never asked for any raw data or data in its original material form.


But let’s get to the good bits in all of the tables you provided. You conveniently forgot quite some things there. Did you really think I wouldnt notice?

Your data policy, which you quoted in your message, states that:

[Your] systems automatically process content and communications you and others provide to analyze context and what’s in them

GDPR also gives me the right to obtain derived data.

Hereby, I am (again) explicitly requesting you to provide me with the results of your processing and analysis of data that I have provided and that others have provided about me. They do not have to be in raw or original material form.


Next, for Things others do and information that they provide about you, you write that:

[I] can submit a specific personal data request for matched contacts, or contact information that maybe associated with your account.

Then you start getting all weird:

We cannot determine whether we hold matched contacts for you as your account is currently deactivated and scheduled for deletion. If you wish for us to look into this further, you would need to reactivate your account.

Elsa, have you read the EU Regulation 2016/679 more commonly known as the General Data Protection Regulation (GDPR) Directive?

I don’t think you have.

Because if you did, I’m sure you would have noticed that there is no paragraph stating that I need to reactivate my Facebook account in order to exercise my legal rights. I mean, I’m sure you would want that, and that your buddy Thomas Myrup Kristensen has been lobbying a lot for such things with the EU, but he sure as hell did not get that exception in. Trust me, I wouldve known.

Please let us know.

Yeah, I want it. All of it.

I hereby explicitly request all of the information that others have provided about me and the data you have derived from that. They do not have to be in raw or original material form.

And you cannot oblige me to reactivate my account for that.


Next, you are making the claim that

[You] do not store this data in a form which can be effectively retrieved

and

part of the personal data [I] asked for may be stored in non-retrievable form in [your] offline data warehouse

and that

[your] data warehouse contains technical log-level data which is stored by date, not profile (more specifically: not on an individual user level)

about the following categories data:

I don’t know how to put this, Elsa, but you are lying. You are lying, I know it, we know it. And I can easily argue it.

You expect us to believe that a company the size of Facebook cannot retrieve such information efficiently?

First of all, your answer says that it may be stored in non-retrievable form. Are you saying that my unique identifiers would not be stored as information that you can readily access on an individual user level? Because that would entirely defeat the purpose of having such identifiers in the first place.

So I am hereby requesting those identifiers, to which you clearly have access. They do not have to be in raw or original material form.

As I have explained before, in 2013, I watched a Facebook employee look up exactly how much money Facebook had made off me during the previous year. So these are the kinds of analyses you can do.

Hence, I am requesting a year-by-year overview of the money my profile has earned you. Clearly, you can access that data easily. And the average person can understand it. They do not have to be in raw or original material form.

While we’re at it, I am requesting that you provide me with all of the above data points that are not in your offline data warehouse. They do not have to be in raw or original material form.


And finally, I request access to all derived profile data you have about me. Inferred interests, preferences, political leanings, whatever. Every single profile characteristic that is connected to my identifier. They do not have to be in raw or original material form.


we consider our practices to be fully compliant with our obligations under Article 15 GDPR

I’m sure you do, but that’s not really up to you to decide, is it?

As has been shown time and time again, you’re not a very good judge.

We trust the above is informative and demonstrates that we have in fact fulfilled your access request

No, you haven’t. See missing pieces above.

We will be closing out this matter.

I’ll tell you when it’s done, thanks.

Best,

Ruben