Facebook struggles to track its own data

Do Facebook's own engineers not know where user data goes? That is what an internal document from the social network, obtained by Vice on April 26, suggests. Joking aside, this inability considerably hampers compliance with data protection regulations around the world, and in particular with the GDPR in Europe.

Data circulating freely, too freely

“If we can’t catalog all the data we have – where it is, where it goes, how it’s used – then how can we make commitments about it to the outside world?” This is nothing less than the central issue raised by the document, evidently dated 2021.

Vice copied the text (PDF) before publishing it to protect its sources, but vouches for its authenticity. It is said to come from engineers on the Ad and Business Product team, the team responsible for Facebook’s advertising system.

In it, they are worried. They explain that “the heart of our problem is the lack of closure of our systems”. Because Facebook’s internal systems are so open, the data available to the network, including users’ personal data, circulates freely everywhere.

With this culture of openness, it is impossible to trace where the data goes. This difficulty poses a real compliance problem for Facebook: “therefore, we cannot confidently make policy changes or make external commitments such as ‘we will not use X data for Y purpose’. And yet, this is exactly what regulators expect of us. This increases our risk of errors and misrepresentations”.

In Europe, the GDPR imposes precisely what Facebook engineers consider themselves unable to do. According to Article 5 of the regulation, personal data must be “collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes”. Facebook appears unable to apply these “principles relating to the processing of personal data”.

Changing the situation would require a profound change in the way Facebook operates, a complete culture change. Failing to do so would expose the company to legal action by the European CNIL, or even by individuals or associations.

Facebook says there is no compliance issue

A former employee of the company told Vice that maintaining this situation could be quite cynical on Facebook’s part: “It gives them an excuse to keep so much data private, simply because at their scale, with their business model and infrastructure design, they can plausibly claim that they don’t know what they have”.

Johnny Ryan, privacy campaigner with the Irish Civil Liberties Council, believes that “This document admits what we have long suspected: that there is a free-for-all of data inside Facebook, and that the company has no control whatsoever over the data it holds”.

Asked to respond, Facebook explained in essence that the document had been taken out of context: “Considering that this document does not describe our extensive processes and controls for complying with privacy regulations, it is simply inaccurate to conclude that it demonstrates non-compliance.” If a European CNIL and the courts came to a different conclusion, Meta, the parent company of the social network, would risk a fine of 4% of its global turnover.
