Thursday 20 October 2011

Can we force facebook to give us its "like" database?

Jim Killock of the Open Rights Group pointed me at an interesting response made by facebook to a subject access request submitted under Irish data protection legislation by an Irish student named Max. The request forms part of the Europe versus facebook campaign.

The particular point that interests me concerns facebook's tracking of all pages visited which show a "like" button - a practice that can be really intrusive. Although Max did obtain a considerable quantity of information, facebook did not release to him their list of "like" tracked data.

In their response facebook say:

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Unfortunately for facebook, that isn't quite what the relevant Irish legislation appears to say (health warning: I am not an Irish lawyer). What section 4(12) of the Irish Data Protection Act 1988 says, according to a consolidated version of the statute, is:

(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).

Note the phrase "information as to the logic involved in the taking of a decision". What this is all about is that section 4 gives data subjects several different rights. One right (in section 4(1)(iii)(I)) is to be supplied with a copy of "the information constituting any personal data of which that individual is the data subject" - a simple right to information. Another, and different, right can be found in section 4(1)(iv), which applies to automatic decision making by the data controller. Here the data subject has a right to be informed of the "logic involved in the processing". Obviously that's quite a different right, since it is essentially a right to know about algorithms rather than data.

Quite clearly section 4(12) is a restriction on the right under 4(1)(iv) to know about the logic of automatic decision making and not a restriction on the right of information simpliciter. Nice try facebook, but I can't see that working.

Our own legislation is very slightly different. We also have a right (in section 7(1)(d) of the Data Protection Act 1998) to be informed about the logic involved in automatic decision making, but the restriction on that right is limited to trade secrets. Section 8(5) says:

Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.

So any UK national involved in the Europe v facebook campaign has a much stronger argument.

In any case, at best facebook can claim a database right over the contents of the list of pages visited by Max that they have collected using the "like" button. The database right is a creature of European law (directive 96/9/EC). Recital 48 of the directive states that "the provisions of this Directive are without prejudice to data protection legislation", which seems to me to argue that data protection law ought to trump database right. If you think about it, the contrary would be an impossible situation. Personal data will often be protected by database rights. If you could use database rights to avoid subject access requests they would be of far less use.

1 comment:

Anonymous said...

Max is Austrian. I don't know if he is right in doing so but he apparently submitted his requests in Ireland because Facebook's own terms of use state that users outside of the US and Canada have a contract with their Irish subsidiary.