Lack of transparency with Facebook and other social media sites will be forced to come to an end as a result of GDPR

The Economist reports today (7 April 2018) that there’s been a bit of wake up call for Facebook and all other social media giants as a result of the furore over the mis-use of personal data. Mark Zuckerberg is openly admitting that Facebook data of up to 87 million people – 37 million more than previously reported – may have been improperly shared with Cambridge Analytica.

As a result of a data breach on a scale not seen since Yahoo!, Americans are looking enviously at Europe where data protection, privacy and security laws protecting the individual are now the global ‘gold standard’ as a result of the GDPR that’s fully enforceable from 25 May – just 34 working days from today.

Rights over personal data are enshrined in the EU’s Charter of Fundamental Rights and EU citizens now have a beefed-up set of data protection rights that will force Data Controllers and data Processors to be transparent and accountable in a way they’ve never had to do before.

However, The Economist also makes the point that the exercise of those rights will need to become much easier than at present.

Take the case of Paul-Olivier Dehaye. In December 2016, Dehaye, a Belgian mathematician, e-mailed Facebook asking for a copy of the data it had gathered about him through an advertising tool called Pixel. Yet it took 106 days for Facebook to do so. Facebook acknowledged the existence of Dehaye’s Pixel data, but declined to provide them, stating that doing so would involve “disproportionate effort”.

A good example of customer service and treating users fairly? Or symptomatic of how big Facebook has grown and its significant resources that it can squat away requests that it finds irritating in its naked pursuit of making vast sums of money out of yours and my personal data?

Apparently, the personal data was buried too deep inside Facebook’s data-analytics warehouse, known as Hive. The Irish Data Protection Commissioner is still carrying out its investigations.  Antonio García Martínez, a former Facebook product manager, explained to The Economist that sending Dehaye his Pixel data would be technically difficult. And Facebook’s global corporate structure makes it even harder. Employees of Facebook Ireland, says Martínez, have “no power or leverage to tell an engineer at Menlo Park” to do anything, including retrieving the users’ personal data.

Other Europeans run into similar quagmires with American tech companies.

Millie Graham Wood, a solicitor with Privacy International, a charity, has tried for six months to find out what data Google has collected from her Nest smart thermostat. Google (very helpfully) sent her only links to privacy policies, blog posts and irrelevant log data, each time after a long delay.

“It’s been a real nightmare,” says Wood. “If you’re not a lawyer, you’re going to give up.”  Perhaps the art of obfuscation is part of Google’s induction programme for new joiners? The matter is now in the hands of the ICO.

Tech companies prefer to meet their privacy obligations through web portals that let customers and users download some, but not necessarily all, of their personal data. So called Privacy Enhancing Technologies (PET) are in fact actively encouraged by the European Commission are referred to in the Recitals to the GDPR. It’s also something we cover on the GDPR Programme at Henley Business School.

But limited disclosure of personal data that;s being processed may not satisfy everyone. And this could lead to further anxiety, not less, particularly if the PET includes data that users have uploaded themselves but not the way the system categorizes this personal data.

The GDPR makes changes to Subject Access Requests (SAR) by providing a significant ‘shopping list’ of information that must be delivered to the Data Subject (Art.15, GDPR) within 30 days and must be free of charge.

This may open the floodgates to a millions of users and customers seeking to exercise their rights post-25 May and could lead to legal challenges where partial disclosure is offered and this is tested in the courts. Under Art.80, GDPR, Data Subjects can also mandate a not-for-profit body, organisation or association that has been properly constituted to lodge complaints on their behalf.

Taken together, all of these changes will result in a greater degree of transparency, accountability and control for 500m European Union citizens.










Leave a reply