You had me up until the legalese email, after which the correct response is to sue. You lost me with the belligerent reply ranting about what Mark said in the Washington Post. It seems, at that point, that you're more interested in grandstanding than making a defensible case.
Grandstanding is not my goal; it's a means of attracting attention to a matter that people have been desensitized to. A secondary goal is to cause internal escalation. In the end, I really just want my data, as a way to create a path for myself and others.
Is data posted on FB by other people, which just happens to be (partly) about you, "your" data?
Unfortunately, that tool only gives me all of the data I put on there myself. So nothing I didn’t already have.
I believe that is all you are entitled to, under the data portability portion of GDPR: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller
For information about you, uploaded by someone else, I thought your rights are not so clear: Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data
Article 15 - "Right of access by the data subject" - is what defines one's right to a copy of personal data, and has no restriction on the personal data one is entitled to access.
Other than that, my guess is he hopes that this story will get picked up by the press sooner or later, and thus tries to make the paper trail as attractive and instantly easy to use in newspapers as possible. With a side goal of also making it as attractive, fun to read, and generally entertaining as possible, to any other people casually coming by his site. Which I see as a very noble and valuable goal, esp. when talking about legal stuff, which is super hard to talk and write about in an entertaining and approachable way.
A handful of people are just an annoyance and can be easily stalled. But to stall many more without running into legal trouble seems more difficult to me, and requires Facebook to actually invest some resources into it.
I understand the author's need to vent his spleen, but he should create a second, more black-and-white version that comes off as more credible and is less easily dismissed.
You coolly negotiate with business partners; you get pissed off at being screwed with by conmen.
> And let’s not pretend that it’s a big cost to you: getting the listed data about a single person is about the simplest query you can write. (Did I mention I’m a data scientist?)
And that particular trait emerges quite a bit throughout the correspondence. Where the author labels things as reasonable, I open the link only to find anything but.
Since the author is happy to put words into Facebook's mouth, I may venture as well that the author was _looking_ to pick a fight.
Facebook responds with an overload of legal nonsense to discourage people from replying. I overload them with a lot of non-legal nonsense. In the end I just want my data—it's my legal right.
"How will this end?"
This will only end with me getting my data, obviously.
And thereby giving you a clearer path to get yours.
See also his non-profit org dedicated to data protection in the EU: https://noyb.eu/
Exposing the level of detail in the data accumulated.
This starts at "opened the messenger app at this location on this date&time" and goes to "visited this Facebook-unrelated website on these times". Having to provide all of this data exposes the detailed profile they're getting on people.
If you decide to browse the web without uBlock Origin or if you decide to use Android, you know what you're being exposed to.
Time to step out of the bubble of tech-savvy people and talk to everyday users. It's unrealistic to assume everybody understands technical consequences, and it's unreasonable to require everybody to do so. That's why there is regulation. This applies to all fields, including medicine, food, and IT.
2. No, it doesn't matter if you use Android (what does using Android have to do with Facebook?) or not, Facebook can and will collect info on you through other means: analytics, logins, sharing etc.
3. You have very little to no idea of how pervasive tracking is especially in the case of large social platforms that everyone integrates with.
This is just clearly and verifiably false for the vast majority of users who browse the internet.
Then maybe exposing some of the third party quizzes, VPNs, and privacy apps that have poured more into the data vats. Possibly exposing the third party sources they've bought data from - connecting other data you didn't knowingly provide.
Who knows what else. Maybe they're afraid that once the full picture comes out they simply won't have users.
I say this in jest but at the same time I'm concerned this might be true.
Remember how you could cross post between twitter and FB ages ago? That went away for a reason!
Facebook takes the GDPR very seriously. I know this, because I know some of the people who worked on compliance. Facebook has lawyers who have studied the law. Facebook has worked with the EU to ensure compliance. Facebook publishes online the steps necessary to access your data, the list of uses of that data, and even a form for special requests. You may ask, then, how I reconcile that statement with the website posted here?
Well, take a moment to actually read the linked website. The writer made a request for their data, and was disappointed when Facebook complied, and gave them access to all of the data that they had on him.
The writer then asks for this specifically: access to their own data, how it's processed, and some minutiae around the processing. The user already has access to their own data, and the additional information requested is already publicly available.
The writer uses email and a special request form in order to make this request, and becomes irate when the special request takes longer than he would like.
Facebook then politely sends the writer an explanation of all of this, at which point the writer starts harassing the customer service agents who are helping him. He then researches ways that he can personally harass members of Facebook's team. He sends an email not just demanding his data, but requesting the raw data from Facebook's servers.
Facebook's response is still quite polite and factual. They have already delivered all of his data to him, as well as all of the descriptions requested. They point out the timeline of events. They then explain that despite his request, the GDPR does not cover raw server dumps, a fact which has been proven in court.
Finally, the writer creates a defamatory website and posts it to Hacker News.
So no, sir, this event does not make me question my morals.
From their Help page on the data downloaded in the "Your Information", the only locations included are "The last location associated with an update."
How can you possibly claim they "gave them access to all of the data that they had on him"? FB itself denies this claim.
How do you figure "the user already has access to their own data" when the author never received their explicitly requested location/device/wireless history (which FB definitely has)?
Does the GDPR only apply to publicly available data? I was under the impression the company was obligated to give the user everything, public and private.
I guess drinking too much of the KoolAid does this to... maybe that's why all the big co's have so many KoolAid drinking sessions. :)
What's the case?
> Article 12(1) GDPR requires that the information provided to an individual in response to an access request is in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. At its most basic, this means that the information Facebook provides in response to a request should be capable of being understood by the average person. Highly technical data in its original form is likely to be meaningless to the average Facebook user and providing such data would be inconsistent with Facebook’s GDPR obligations.
is reflective of the scorn with which Facebook treats their users.
> Not valid, since gdpr applies to eu citizens everywhere, regardless of where they live.
This isn’t correct. GDPR applies to people IN the European Union, not their citizenship [0]
[0] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Since Facebook was using their Ireland branch as the main company for all users outside the US and Canada, that means everyone outside those countries can make GDPR requests to them. Unfortunately, not for long: https://www.reuters.com/article/us-facebook-privacy-eu-exclu...
That said, the post may as well be trolling and seeding doubt on purpose.
The author needs to contact his country's DPA and they will be the ones to drop the hammer on Facebook.
Facebook might not listen to an end user, but European governmental authorities have the power to force them to.
It's the only logical next step in my opinion.
Facebook in EU is registered in Ireland.
Ireland is making a mockery of GDPR, slow walking investigations while paying lip service to GDPR.
Ireland is a leech. They've figured out that they can attract global companies through very lenient tax auditing and (now) GDPR enforcement. A little tax is better than none. As such they are undermining the rest of EU when it comes to actions against companies like Facebook, Google, Microsoft.
"EU countries have set up national bodies responsible for protecting personal data in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU." Source: https://ec.europa.eu/info/law/law-topic/data-protection/data... https://edpb.europa.eu/about-edpb/board/members_en
You may lodge a complaint with the designated data protection agency in Germany, but when they establish that the complaint is against Facebook residing in Ireland, they will refer the complaint to Ireland. Ireland clearly sees slow walking complaints as a competitive advantage.
Eh, a leech that took the brunt of the real estate crunch for the EU? A leech would have let the German banks fold instead of paying bond holders.
> Ireland is making a mockery of GDPR, slow walking investigations while paying lip service to GDPR.
Slow walking is pushing it - the agreement to allow home countries to be the enforcement authority put a massive burden on a really small country and its civil service. Ireland's population is 4.7 (about 1/2 that of London on its own). Our DPC offices are overwhelmed by the number of requests, and hiring people to deal with the uptick is taking time. We also have a lot of the majorly complex GDPR cases, as we have FB, GOOG, MSFT, etc, along with a ... interesting ... relationship with the Catholic Church, which has ... views ... on what the GDPR means for them.
I don't disagree with you, but it seems to be largely a problem of Ireland's own making.
As this is the process though, I'm still going to say that this is the logical next step.
Likely the only way to get any movement on this is with public outcry, and if this issue gets enough attention, it would be good to show not only the flaws in Facebook's system, but also any flaws in GDPR enforcement.