Dear Facebook, about these elections…

Paul-Olivier Dehaye
PersonalData.IO
Sep 8, 2017

I copy-paste below an email I just addressed to Facebook. You can prepare your own, through this convenient tool, then send it directly to them.

To: datarequests@support.facebook.com

Dear Facebook,

For the past two years, I have been trying to contribute to the public debate around Facebook’s influence in elections. For instance, I have been credited for research on two influential articles: The Data That Turned the World Upside Down (Das Magazin, Zurich, then translated worldwide) and Robert Mercer: The big data billionaire waging war on mainstream media (The Guardian/The Observer), and also helped with an article in The Intercept.

As part of this wider effort, I have tried for a long time to use my data protection rights to get access to more information about the ad targeting that takes place on your platform. These requests have so far been met with one limited, but encouraging, success.

I now wish to consolidate many of my previous unsuccessful requests into one. I am hoping that increased self-awareness by Facebook on the impacts the digital phenotypes they collect have on the wider information ecosystem will lead you to change your stance, particularly when balancing my right to data protection against your rights and freedoms, and those of others.

I will now:

  • explain the overall goal of my request;
  • list all the data I (still) wish to get access to;
  • explain my view on relevant laws and jurisdictions;
  • offer my views on the applicability of exemptions envisioned in law.

Overall goal

The overall goal of my request is to ensure that, through access to my personal data, I would manage to render more intelligible to me how the democratic process materialises on Facebook. I would value this better understanding of election dynamics in order to empower myself to make better political decisions.

I consider this goal to be of higher interest for both myself and the general public than Facebook’s natural interest in its shareholders, and therefore find it a necessity to gain access to this data myself in order to gain the necessary level of transparency to match my goals.

My plan, once I have gained access to my data, is to use the methodology outlined here to leverage this data more broadly.

Data I wish to get access to

Simply said, I wish to gain access to all the personal data held by Facebook that could potentially help me realise my objective of making more intelligible to me how the democratic process materialises on Facebook, independently from Facebook’s decisions on what transparency should be in that space.

While not restricting the scope in any way from the above, this request would in particular include:

  1. Any point of my personal data held by Facebook linked to ads shown to me since January 1st 2014: when was it shown (and similar information), how much time I spent looking at it (and similar information), who advertised (and similar information), how did the targeting take place (and similar information), why was it shown to me compared to other ads (and similar information), why was it shown to me compared to other content (and similar information), which Facebook products and tools were used to send and target this ad (and similar information), etc.
  2. Any point of my personal data held by Facebook that was ever used by Facebook since January 1st 2014 to target ads to me (and similar information). This would include for instance Lookalike Audience data.
  3. Any point of my personal data held by Facebook that might indicate, since January 1st 2014, the presence of some of my personal data (in the broadest sense) with advertisers on the platform (and similar information). This would include, for instance, tracking information held by Facebook that was never actually used for targeting purposes (Pixel data, Custom Audiences data, Lookalike Audience data, etc).
  4. Any point of my personal data, such as a click or a view, held by Facebook that was (potentially) reshared at any point since January 1st 2014 with an advertiser (and similar information). This would concern all advertisers, but particularly in this order: those not self-identified as political, yet detected by Facebook to post political ads, those self-identified as political, those not detected by Facebook as posting political ads.
  5. Any point of my personal data held by Facebook relating to experiments conducted by Facebook since January 1st 2014 (on the model of my previous successful request to you concerning the Emotion Manipulation Experiment).
  6. Any point of my personal data held about my viewing on Facebook of recorded or Live videos since January 1st 2014, particularly about political topics or posted by accounts identified by Facebook as political.

Throughout the above, I use the word “held” to mean “held on any database controlled by Facebook and making an appearance in the 2012 Audit subcontracted by the Irish Data Protection Commissioner, or, possibly, other databases, either missed by the audit at the time, or maintained by Facebook as a further iteration of those 2012 databases or to develop new services”. This would include so-called User Databases, Hive, Haystack and Titan. I expect newer databases to have been developed by Facebook for its newer services, such as Facebook Live.

Page 97/186 of the Facebook 2012 audit contracted by the Irish Data Protection Commissioner.

While this definition is extremely inclusive, it is meant to reflect the wide access Facebook would have on my personal data if it wanted to influence (or to enable others to influence) me (or my perception of others) within an election context.

In addition, for each of these requests about “any point of my personal data”, I make a second request for information about the “logic involved in the processing” of said data (or similarly refer to the “logic of the processing” if applicable in the relevant jurisdiction). For additional information about this right, please refer to here.

Note that the right to information about the “logic of the processing” is distinct from the right to access, and generally envisions its own, distinct, set of exemptions (depending on applicable jurisdiction). Therefore, for each applicable jurisdiction, if you were to claim exemptions to either right, I wish you to make clear separately which exemption you claim to the right of access and to the right to information about the logic of the processing.

I understand that you might need additional information in order to find my data back in your systems. My Facebook shortname is paulolivier.dehaye. Beyond that, should you need any data to answer my request (cookie values, Pixel outputs, user agent, etc), please tell me which. I have tried to log such information by instrumenting my web browsers and should be sufficiently proficient technically to be able to provide this information to you.

In addition to the previous requests, and in line with the problem of identifying my personal data within your systems over time, I ask that you provide me with access to any pseudonymous identifier created and maintained by Facebook about me, my account, my face, my behaviours, my devices or similar. I make particular reference to the RIDs (“Replacement IDs”, mentioned in the Facebook 2012 Audit) that have been created at this stage by Facebook but have not yet been delinked through deletion of “assocs” (“associations”, see 1.9.2.1 in the Facebook Audit).

Finally, I ask, under the right of access in current applicable data protection laws, for any information held by Facebook about which data points Facebook would consider to currently fall within the scope of Data Portability under the GDPR, i.e. data collected now or earlier that would be accessible under portability come May 2018. The goal of that part of the request is to anticipate and accelerate the process described here.

Relevant laws and jurisdictions

The requests I am making here are purely legal. I do not rely on any moral or ethical ground to back them up.

I understand Facebook considers the consolidated Irish Data Protection Act 1988 to be applicable, and that it would be the same for any non-North American user (due to the Terms of Service being signed with the Irish subsidiary for all those users). I also understand that some countries, even European countries, contest this view.

I can see why the Irish Data Protection Act could conceivably be applicable to some of the data, for instance some of the data that was collected as I was traveling within the EU. However, in your considerations of relevant laws, jurisdictions and agreements, I ask that you consider the following facts:

  1. some data protection regulation mechanisms protecting users should be additive: California law and Irish law could give me access to distinct overlapping sets of data for instance.
  2. I have opened my Facebook account while a resident of California, in 2005 I think.
  3. I am currently a resident of Switzerland (not in the EU), traveling regularly around Europe.
  4. Some of the personal data I seek to access was first transferred to Facebook by users (e.g. advertisers) who were transferring my personal data to Facebook under a different regulatory system than the Irish Data Protection Act (for instance because they are located outside of the EU). A Canadian company might for instance transfer my personal data directly to Facebook HQ, based on the EU-Canadian adequacy agreement and the EU’s recognition of Facebook’s Safe Harbor or Privacy Shield self-registration.
  5. The winding down of the Safe Harbor agreement and the enabling of its Privacy Shield substitute followed dual timelines for Switzerland and the European Union.

For the purpose of making this problem finite for Facebook, I ask that you consider only the following legal instruments:

  • Irish Data Protection Act;
  • Swiss Data Protection Act;
  • Belgian Data Protection Act (my nationality);
  • Finnish, Estonian, French, German and UK data protection laws (location of frequent travels);
  • separately, the Swiss and EU versions of the Safe Harbor and Privacy Shield arrangements (bear in mind the legal basis of transfers done by others to Facebook Ireland and Facebook HQ);
  • any applicable federal data protection law in the US, and state laws in California and New York (location of frequent travels and Facebook headquarters).

Note that, except for the last bullet point, all instruments (including the Privacy Shield and Safe Harbor arrangements!) have a fairly homogeneous definition of personal data as (paraphrasing:) data relating to an identified or identifiable individual.

Please bear in mind that for each refusal or reduction of scope, I need a clear outline for each regulatory environment and each data point of the legal reasoning for the refusal (with again a separate outline for the right to information about the “logic of the processing”). I need this in order to expedite the recourse process in each applicable jurisdiction (even those that Facebook does not consider applicable). I also need separate timelines for each circumstance, in order to assess failure or success. I certainly understand this is a significant legal undertaking for Facebook — if it was to refuse access — but do not take Facebook to be too-big-to-comply-with-data-protection-laws.

Possible exemptions and counter arguments

Over time, for previous requests, Facebook has claimed several exemptions to my right of Access and my right of information on the “logic of the processing”. For the sake of expediency, I address each now.

  • “Download My Archive” tool: I have used the tool, but in general this information is not available there at the time of writing. The limited information that is available (such as “advertisers with your contact information”) is very narrowly scoped in time. I infer this is an implicit acknowledgment of Facebook’s responsibility to provide access to such data, but consider the scoping inappropriate.
  • “Please refer to our Privacy Policy”: I have carefully read your Privacy Policy, but it is not meant to answer Access requests (it might provide some very high-level information about the “Logic of the Processing”, but not at the level of granularity sought here).
  • “This is not PII”: The “Personally Identifiable Information” concept has no legal basis in any European country, or even in potentially relevant transatlantic data flow arrangements such as Safe Harbor or Privacy Shield.
  • “technically infeasible”: Twice the Irish Data Protection Commissioner audit of 2012 refers to a particular task as being “technically infeasible”, and Facebook has previously used this argument to dismiss many of my requests. However, this argument is a strawman: indeed, the audit report builds an artificial problem (“give access to all users to all their Facebook log data since the end of times”), only to claim this is “technically infeasible”. Facebook used that excuse in the past for a request concerning the Facebook Emotional Manipulation Experiment, only to later reverse its opinion on what was “technically infeasible” when I scoped my request over just one week (the week of that experiment). Similarly, if reduction of scope from three years to a shorter time period would help with this set of requests, please let me know quickly (and for which request).
  • “disproportionate effort”, “carefully engineered systems”: I agree that all my requests would represent significant work to answer at a technical level. However, this only reflects previous failures by Facebook to properly engineer its systems to properly address access requests. For instance, some of the data Facebook provides through its download tool only cover the past eight weeks. Why was this limited to eight? Especially once one understands the technical architecture behind, Facebook retains effective use of all the data but, it seems, artificially restricts its ability to easily answer access requests for a longer time range. In a way, the systems have been carefully engineered to make it hard to answer access requests. In addition, Facebook has itself touted the significant resources invested in understanding its own impact on elections. These resources would be, in my view, better distributed in ensuring Facebook respects the law in providing access to individuals to their personal data, and trusting that civil society would find resources to investigate and report on Facebook’s impact. This would be especially important given the likelihood that Facebook would not dedicate the same resources for the U.S. election as for the, say, Belgian elections, or the likelihood that Facebook misunderstands local dynamics of particular elections such as, say, the upcoming European elections to Parliament.
  • “trade secret” or “intellectual property”: I fully acknowledge some restrictions do exist on the right of Access and the right to information about the “logic of the processing”. However, these restrictions are 1/ specific for each context, 2/ specific for each regulatory environment, 3/ not absolute, but always to be carefully balanced against rights and freedoms of others, 4/ different between the right of Access and the right to information about the “logic of the processing”. I ask that, should Facebook use that argument, it specifically outlines the interests of which “others” it has considered (or not), and how it has balanced competing interests.
  • “privacy of others”, “confidential information of [our] advertisers”: In all the jurisdictions that I know of, the right of access indeed envisions restrictions based on the privacy of others, but it takes slightly different forms. As a consequence, I would expect any reliance on this argument to be made explicit for each relevant regulatory environment. In addition, this argument might sometimes rely on understanding “others” to mean legal persons (“corporations are people who have a right to privacy”). If that is the case, I would ask once again that Facebook outlines the legal reasoning for this understanding, for each considered regulatory environment.

Wow, that was long… Thank you for reading this far!!! Remember, if you want to send your own, it’s easy through this convenient tool.

Paul-Olivier Dehaye is co-founder of PersonalData.IO, a startup helping individuals regain control of their personal data, through innovative products built around the GDPR. PersonalData.IO also offers compliance solutions, business innovation and consulting services to companies, as well as expert advice to educators, regulators and journalists.
