Making Facebook-driven elections more transparent at the individual level: an update
Over the past 15 months, I have tried exercising my data protection rights with Facebook, in order to obtain personal data held by Facebook that would help me better understand the impact micro-targeting might have on political discourse around me. Lawmakers worldwide are starting to push for more individual transparency as well, after initial requests for more transparency top-down (aggregate statistics). I provide here an update and a timeline on my personal efforts, which have remained unsuccessful so far. I hope this will encourage a reflection on failures of enforcement of data protection laws, and their consequences.
Around December 2016, I started asking Facebook pointed questions on how their ad targeting worked, and to get copies of the underlying personal data that they still held. It is my contention that for some combinations of jurisdictions for advertiser and user, Facebook has to disclose this information.
My goal is to establish that individual Facebook users have a right to obtain this data, so tools can be built (by me or anyone else) to help each individual user better understand the political filter bubbles that are engineered around them. One could for instance imagine two users (husband and wife) comparing which political parties are targeting them, and how.
These disclosures would take a different form than what has been politely asked so far from Facebook by politicians in Europe and the United States.
I can see the following advantages to the mode of disclosure I would recommend:
- the legal basis (data protection law) for such disclosures already exists;
- the legal basis for restricting the disclosure also exists (this would enable us to ground more in law the nonsensical excuse by Facebook that disclosing which bots have posted would be an invasion of their privacy);
- (in theory), the scope of the data released is subject to the law, not to PR decisions;
- the data obtained is more relevant to the individual than high-level statistics;
- the data obtained is more actionable to the individual user;
- the impetus for analyzing targeting data would be driven through wisdom-of-the-crowd, rather than by Zuckerberg (read: nil) or politicians (read: slow).
After one initial success (unfortunately not picked up yet by tool-makers), I started asking around February 2017 multiple additional questions to Facebook. These concerned for instance:
- Access to Facebook Lookalike Audiences data (and the legal basis for such profiling in the political context);
- Full list of advertisers who have ever had my contact information, and more granular access to such data;
- Access to Facebook Custom Audiences data;
- Access to Facebook Pixel data.
I have written a summary of what might actually be asked from Facebook, and how, here (this list is of course limited by my own imagination, get in touch if you have further ideas).
In each circumstance, I did manage to engage Facebook into a long discussion of their legal obligations regarding disclosure, but eventually all my requests were dismissed.
Privacy Shield
Privacy Shield is a legal instrument covering personal data transfers between Europe and the United States. I filed Privacy Shield appeals for all those refusals between February and April 2017.
On April 21st 2017, all my appeals were suddenly dismissed by TRUSTe.
TRUSTe is supposed to be an independent arbitrator for the Privacy Shield arrangement. The language they used in their dismissals (“TRUSTe and Facebook have conducted additional review”) indicates that TRUSTe consulted separately with Facebook to assess their own authority to assist with each request. On the other hand, I was never asked by TRUSTe why I might think TRUSTe would have that authority, and TRUSTe pretty clearly shut the door before I even had the chance.
I still think they have that authority, for instance in cases where non-North American advertisers would have uploaded the contact information of a user, but was never offered a chance to express that opinion. Interestingly, I contend this authority extends regardless of the origin of the user themselves. In other words, this US-based instrument would also be open to Americans, if Russians have indeed uploaded their data to Facebook Ireland in order to target them on Facebook Inc’s platform.
Irish Data Protection Commissioner
Another recourse mechanism is the Irish Data Protection Commissioner, since Facebook’s headquarters for Europe are there (also applicable to Switzerland, where I live).
Since I did not agree with Facebook’s decisions on my requests, in parallel I requested that the Irish Data Protection Commissioner look at two specific examples: Facebook Pixel data and Facebook Custom Audiences data. These appeals were initiated quickly, in January 2017, but the Irish DPC refused to look at the substance of the matter until Facebook’s refusals really were definite. In other words, the Irish DPC read Facebook’s obligation as only requiring them to respond to my queries and stall the matter for as long as they could. Facebook did this very successfully for months, until the Summer 2017. Then:
- On September 18th 2017, I was able to raise the matter again with the Irish DPC.
- On October 18th 2017, not having received any response from the Irish DPC (not even an acknowledgment), I asked again.
- On October 19th 2017, I was told that “the Irish DPC Office of the Data Protection Commissioner has queried Facebook’s use of this [exemption] and are currently awaiting a response from Facebook”, and that “This office will be in touch with [me] as soon as Facebook respond”.
- On December 14th 2017, not having received a response, I asked the Irish DPC again.
- On December 18th 2017, I was told that the “Office of the Data Protection Commissioner is currently assessing Facebook’s responce [sic]”. I immediately asked if I could at least see that response, and how long that assessment would take.
- Not having received a response, I asked for an update on January 2nd 2018.
- On January 4th 2018, I was told the Irish DPC was still ascertaining the full set of facts, and that I would not obtain a copy of Facebook’s response, per Irish DPC’s policy. I was also told that “the matter has the DPC’s full attention and [it] will provide [me] with an update once the relevant facts have been established and assessed”.
- On February 9th 2018, still without any update, I asked the Irish DPC again for an update, pointing to recent developments heightening ever more the urgency of a response.
Note that my initial request involved a structured presentation to the Irish DPC of all the relevant exchanges with Facebook. All these exchanges took place within two email threads. It should therefore not take months for one of the biggest companies on Earth to ascertain facts related to my request itself. My understanding is that the data flow themselves have generated these delays, either in just mapping them or clarifying their legal bases. Note that I have never been able to offer my own vision of either of these (with the Privacy Shield arbitrator or with the Irish DPC), despite the wealth of information available publicly on the topic, mostly through Max Schrems’ actions.
Summary
Even though I have managed to engage the Irish DPC (somewhat reluctantly) on this matter, my complaint is now moving forward at a pace dictated by both the Irish DPC and Facebook itself. Short of any money to inject into a civil procedure, the entire body of data protection law has thus been useless to me (and others) so far, despite my dedication to bring this matter forward.
Paul-Olivier Dehaye is co-founder of PersonalData.IO, a startup helping individuals regain control of their personal data, through innovative products built around the GDPR. PersonalData.IO also offers compliance solutions, business innovation and consulting services to companies, as well as expert advice to educators, regulators and journalists.
