I was recently asked if it would be possible to make a subject access request to Facebook under the Data Protection Act 1998 (DPA 1998). In simple terms, ignoring some important exemptions, section 7 of the DPA 1998 gives anyone the right to ask someone whom they believe has personal information about them, to disclose that personal information and to state why they have it. The Information Commissioner publishes guidance to the public on how to do this. However, my immediate thought was that Facebook was an American entity, outside of the jurisdiction of the UK, with no UK presence.
Out of curiosity, I then had a look at Facebook’s Statement of Rights and Responsibilities – in effect their terms and conditions. I was particularly taken by section 17.2 in the Definitions clause:
By “us,” “we” and “our” we mean Facebook, Inc., or if you are outside of the United States, Facebook Ireland Limited.
Defined Terms. “Us,” “we,” “our,” “Platform” and “Facebook” mean the same as they do in the Statement of Rights and Responsibilities.
Why is this interesting? There are a number of reasons, but let’s stick to the subject access question.
The DPA 1998 is the UK implementation of the Data Protection Directive 95/46/EC. Every member state of the European Union should have implemented this Directive into local laws. This can easily be checked on a European Commission Justice and Home Affairs webpage dedicated to showing the status of implementation. The webpage also give links to member states’ data protection laws, so that it can easily be discovered that in Ireland, section 4 of their Data Protection Act 1988 (as amended) gives the same access rights as the UK section 7 DPA 1998.
So the surprising conclusion must be that any Facebook user not based in the United States can write to Facebook Ireland Limited (address above) and request a copy of all personal information that Facebook holds about them. Facebook can, under Irish regulations, make a charge to supply the information, but to a maximum of €6.35.
Facebook may argue that it is a service provided by Facebook, Inc and that its terms and conditions (or Statement of Rights and Responsibilities) are subject to the laws of the State of California, but this is not how this would be viewed in the EU. In the plain terms of the Statement of Rights and Responsibilities, Facebook means Facebook Ireland Limited. Facebook Ireland Limited, as an entity in the EU, cannot by a choice of law in consumer terms and conditions deny a consumer a right the consumer would otherwise have. It is immaterial that the personal information collected by Facebook Ireland Limited may be stored and processed by Facebook, Inc in the United States. In the terms of the Data Protection Directive, Facebook Ireland Limited is the controller and Facebook, Inc the processor of users’ personal information. There are arguably other consequences of Facebook being provided by Facebook Ireland Limited, as Irish laws may have implemented certain other EU consumer protection legislation to make unilateral changes in the provision of services, such as with the recent changes in privacy settings, in consumer contracts unlawful.
Facebook Ireland Limited, in addition to reading up on the Irish Data Protection Act 1988 as amended (in particular, section 16 and regulations made under it), may therefore also wish to consider the Irish laws implementing, amongst others, the Electronic Commerce Directive 2000/31/EC, Unfair Terms in Consumer Contracts Directive 93/13/EEC and Rome Regulation (Rome I) 593/2008/EC (in particular, Article 6).