Tuesday, December 04, 2012

Irish Data Protection Commissioner still a Facebook friend

The Irish Data Protection Commissioner's Information Officer, Stewart Fennell, has responded to my communique of 12 November.
"Dear Mr. Corrigan

Thank you for your email highlighting a concern over items of personal data which you believe were not provided by Facebook Ireland (FB-I) in response to your access request.

The issue of FB-I responding to access requests for personal data was a key focus of the audit carried out by this Office, a report of  which was published in December 2011 (available on our website www.dataprotection.ie ).  In that Report it was indicated that " the key requirement in response to an access request is to ensure that a user has access to their personal data.  Therefore, either the data must be available on the requester’s profile page, their activity log, which is a feature of the new user Timeline, or via the download tool.  From a transparency perspective, it is desirable that most, and ideally all, of a user’s data should be available without having to make a formal request.  FB-I therefore will be implementing a number of enhancements to the activity log to provide users with access to and control over information about them.”  Given the complexity of the engineering task to extract and make available or supply the personal data available to users, the report outlined a detailed schedule specifying when different data sets would be provided.  That process is now complete.  The one exception up to end of October was in relation to metadata associated with uploaded photos to the site.

Facebook has produced detailed help on how to access personal data on the site together with a detailed description of the data that is available either from a user's Activity Log or via the download tool https://www.facebook.com/help/326826564067688.  We have worked extensively with FB-I on this help page.

Based on our audit and follow-up work with FB-I, it is our position that there is no personal data that can be supplied by FB-I that is not now available to users.

We hope that the above comprehensively addresses the matters which you have
raised.   However, if  there are specific items of personal data that you
have not received and believe are retained by Facebook-Ireland,  we would appreciate it if you could give us details so that  we can consider the matter for  further investigation.

Yours Sincerely,

Stewart Fennell
Information Officer
Office of the Data Protection Commissioner Canal House Station Road Portarlington Co. Laois

Ph: 057 868 4800
Fax: 057 868 4757
E: info@dataprotection.ie
www.dataprotection.ie"
He again asks me to give him details of "specific items of personal data" that I "have not received and believe are retained by Facebook-Ireland".

I haven't got the time to provide a considered response today but my first question again is how can I provide him with specific information on data that is not made available by Facebook?

If Facebook is holding “information constituting any personal data of which that individual is the data subject” that  it does not disclose - and it has admitted in its auto-response to my original complaint that this is the case - how do I find out what that data is, so I can tell the Irish Data Protection Commissioner specifically what the company is withholding?

Mr Fennell seems to be suggesting that his office is sympathetic to Facebook and the only way they will order complete disclosure is if someone somehow (legally, I presume) can determine what data Facebook are withholding, either deliberately or because of the technical complexities involved. So the DP Commissioner will consider further investigation, only if I can find out what is being hidden and let them know. This is real chicken and egg stuff. Why would I need the DPC to engage in "further investigation" let alone then consider actually ordering disclosure, if I had already found the data?

Maybe I should consult my favorite data expert...?

Update: It looks like the Europe v Facebook group are planning to tackle the Irish Data Protection Commissioner on this issue through the courts.

No comments: