Facebook and Data Protection

So what other information does Facebook have about me, other than the profile picture and my account name used to generate this Facebook badge?  Maybe I should ask? Would Facebook tell me if I did?

I was recently asked if it would be possible to make a subject access request to Facebook under the Data Protection Act 1998 (DPA 1998).  In simple terms, ignoring some important exemptions, section 7 of the DPA 1998 gives anyone the right to ask someone who they believe has personal information about them to disclose that personal information and to state why they have it.  The Information Commissioner publishes guidance to the public on how to do this.  However, my immediate thought was that Facebook was an American entity, outside of the jurisdiction of the UK, with no UK presence.

Out of curiosity, I then had a look at Facebook’s Statement of Rights and Responsibilities – in effect their terms and conditions.  I was particularly taken by section 17.2 in the Definitions clause:

By “us,” “we” and “our” we mean Facebook, Inc., or if you are outside of the United States, Facebook Ireland Limited.

Facebook also states in its Privacy Policy:

Defined Terms. “Us,” “we,” “our,” “Platform” and “Facebook” mean the same as they do in the Statement of Rights and Responsibilities.

This suggests that for those of us not in the United States, Facebook is a service provided by, and under the privacy policy of, an Irish company.  Checking up on the Irish Companies Registration Office website shows that there is indeed a Facebook Ireland Limited (Company Number 462932) registered in Ireland, with registered office at Hanover Reach, 5-7 Hanover Quay, Dublin 2.

Why is this interesting?  There are a number of reasons, but let’s stick to the subject access question.

The DPA 1998 is the UK implementation of the Data Protection Directive 95/46/EC.  Every member state of the European Union should have implemented this Directive into local laws.  This can easily be checked on a European Commission Justice and Home Affairs webpage dedicated to showing the status of implementation.  The webpage also gives links to member states’ data protection laws, so it can easily be discovered that in Ireland, section 4 of their Data Protection Act 1988 (as amended) gives the same access rights as section 7 of the UK DPA 1998.

So the surprising conclusion must be that any Facebook user not based in the United States can write to Facebook Ireland Limited (address above) and request a copy of all personal information that Facebook holds about them.  Facebook can, under Irish regulations, make a charge to supply the information, but to a maximum of €6.35.

Facebook may argue that it is a service provided by Facebook, Inc and that its terms and conditions (or Statement of Rights and Responsibilities) are subject to the laws of the State of California, but this is not how it would be viewed in the EU.  In the plain terms of the Statement of Rights and Responsibilities, Facebook means Facebook Ireland Limited.  Facebook Ireland Limited, as an entity in the EU, cannot by a choice of law in consumer terms and conditions deny a consumer a right the consumer would otherwise have.  It is immaterial that the personal information collected by Facebook Ireland Limited may be stored and processed by Facebook, Inc in the United States.  In the terms of the Data Protection Directive, Facebook Ireland Limited is the controller and Facebook, Inc the processor of users’ personal information.  There are arguably other consequences of Facebook being provided by Facebook Ireland Limited, as Irish law may have implemented certain other EU consumer protection legislation so as to make unilateral changes to the provision of services under consumer contracts (such as the recent changes in privacy settings) unlawful.

Facebook Ireland Limited, in addition to reading up on the Irish Data Protection Act 1988 as amended (in particular, section 16 and regulations made under it), may therefore also wish to consider the Irish laws implementing, amongst others, the Electronic Commerce Directive 2000/31/EC, Unfair Terms in Consumer Contracts Directive 93/13/EEC and Rome Regulation (Rome I) 593/2008/EC (in particular, Article 6).

A fine way to equality of arms

£500,000 Banknote Forgery

So, after an inordinate and unexplained delay from Royal Assent of the Criminal Justice and Immigration Act 2008 (8 May 2008) until earlier this month, the Ministry of Justice has finally published a consultation document on the maximum monetary penalty it considers should apply to the new powers at ss. 55A to 55E of the Data Protection Act 1998, once these sections are brought into effect: £500,000.

What perhaps will be more interesting is how the Information Commissioner will use his new powers to levy monetary penalties.  Draft guidelines have been published.

Could the judicious use of these powers engineer effective data subject access to personal data? We will write this up as an article, hopefully for the journal Privacy and Data Protection, but we think there may be enough in the draft guidelines concerning deliberate contraventions (of the sixth data protection principle) and the question of whether compensation has been paid to the data subject (including reimbursement of reasonable legal fees where the individual has sought to enforce their rights under s.7(9)?), to suggest a method.

Perhaps we can then, at last, get rid of the effect of the pernicious dicta in Durant -v- Financial Services Authority [2003] EWCA Civ 1746 that renders it extremely difficult for data subjects to assert their subject access rights when they are also in legal proceedings with the data controller, against the view of the Information Commissioner.  Perhaps then we can also ensure that there is equality of arms between well-financed data controllers and data subjects, who currently cannot readily enforce their s.7 rights without incurring massive and disproportionate costs.