Ruben Verborgh

Email: Re: Contact the Data Protection Officer (DPO) #[case-number]

From: Ruben Verborgh <ruben@verborgh.org>
To: Facebook <case++[case-code]@support.facebook.com>
CC: Stephen Deadman <stephendeadman@fb.com> and a couple of others
Date: 16 November 2019 at 15:50:38 GMT+1
Subject: Re: Contact the Data Protection Officer (DPO) #[case-number]

Dear Elsa,

Three months. It has been three full months.

And I thought to myself:
Let it go, let it go…
Turn away and slam the door.
I don’t care what they’re going to say…
Let the storm rage on;
the cold never bothered me anyway.

But I couldn’t. I just couldn’t let it go like your namesake did.

Every single day, I have been checking my inbox, hoping that maybe, today would be the day where you finally reply to me. Hoping that you would fulfill Facebook’s legal duty.

Normally, Facebook replies in exactly 30 days. I know Alex did—and I miss Alex.

Now, you might wonder: why 30 days? Why would Alex always reply in exactly 30 days?
It took me some time to figure out, but I heard a rumor that the Facebook legal department has a special Send button in their e-mail application, which is labeled Send 30 days later, and the original button has been hidden such that e-mails are not accidentally sent earlier. Either it’s a rumor or I just made it up.

But still, why exactly 30?

Well, Elsa, there’s this piece of European legislation called GDPR. If that sounds familiar, that’s because I mentioned it in my last mail. Maybe you’re still reading it, and that’s why you haven’t gotten back to me. I understand it’s a lot to read, and you probably were unable to process it all. I mean, Facebook has only had a GDPR department for years before the legislation kicked in, and you only had a handful of lobbyists in Brussels, so there is no way whatsoever that anyone could expect the company to be knowledgeable about this complex legislation that it surely did not try to influence.

So let me spell out the relevant part of Article 12 Paragraph 3 for you. The emphasis is entirely mine:

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.

First of all, your lack of response to me is unlawful. I have made a very clear request last time, and you did not get back to me. That’s a big no-no.

But also interesting is the undue delay. This means that your standard practice there at Facebook of hitting the Send 30 days later button is highly questionable. Remember that one time where you even hit that button barely on time, just to tell me that I would have to wait another 30 days? To then send a reply that cost you at most an hour? It seems to me that your interpretation of European law has been a bit too creative.

I guess Move fast and break things doesn’t apply to the legal department then. I mean, breaking things obviously does. Just not moving fast. Because why move fast if you can break things better by moving slowly, or not at all?


Anyways, let’s get to business. As you might have realized by now, every time you try to stall, I’m asking for more data.

I will start by listing all of the data I have asked for previously, just so you cannot pretend to have forgotten about it. Oops.

I (again) request the results of your processing and analysis of data that I have provided and that others have provided about me. They do not have to be in raw or original material form.

I (again) request all of the information that others have provided about me and the data you have derived from that. They do not have to be in raw or original material form.

I (again) request all my unique identifiers, to which you clearly have access. They do not have to be in raw or original material form.

I (again) request a year-by-year overview of the revenue my profile has earned you. They do not have to be in raw or original material form.

I (again) request all of the data points from the list below that are not in your infamous offline data warehouse. They do not have to be in raw or original material form.

I (again) request all derived profile data you have about me. Inferred interests, preferences, political leanings, whatever. Every single profile characteristic that is connected to my identifier. They do not have to be in raw or original material form.

And now for the new data points.

I additionally request the following data. They do not have to be in raw or original material form.

Please provide me all of the above within one month, according to my legal rights under Article 15 of the General Data Protection Regulation. They do not have to be in raw or original material form.


Now you may wonder: why should we answer this guy?
Wouldn’t it be more convenient if we just ignored him?

It’s not like he’s going to file a complaint with the Irish Data Protection Authority, right? It’s not like he’s going to trigger Article 66 of the GDPR and start an urgency procedure to set a precedent. It’s not like he’s going to contact Axx Wxxxxx from Stephen Deadman’s office at axxwxxxxx@fb.com, or call Axxxxx McNxxxxxxx at Sheryl Sandberg’s office on her mobile number +1-215-xxx-xxxx, or CC her on this message via her email address amcnxxxxxxx@fb.com.

He wouldn’t do any of those things if we don’t answer, would he?

You know what, Elsa…
There’s only one way to find out.

Best,

Ruben

PS I liked Alex better.