Do Facebook's own engineers not know where user data goes? That is what an internal document from the social network, obtained by Vice on April 26, suggests. Joking aside, this inability significantly hampers compliance with data protection regulations around the world, and specifically with the GDPR in Europe.
Data that circulates freely, too freely
“If we can’t catalog all the data we think about – where it is, where it goes, how it’s used – then how can we make commitments about it to the outside world?” This is nothing less than the central issue raised by the document, evidently dated 2021.
Vice copied the text (pdf) before publishing it to protect its sources, but vouches for its authenticity. It reportedly comes from engineers on the Ad and Business Product team, the team responsible for Facebook’s advertising system.
In it, they express their concern. They explain that “the heart of our problem is the lack of closure of our systems”. Because Facebook’s internal systems are so open, the data available to the network, including users’ personal data, circulates freely everywhere.
With this culture of openness, it is impossible to keep track of that data. This difficulty poses a real compliance problem for Facebook: “Therefore, we cannot confidently make policy changes or make external commitments such as ‘we will not use X data for Y purpose’. And yet, this is exactly what regulators expect of us. This increases our risk of errors and misrepresentations”.
In Europe, the GDPR requires precisely what Facebook's engineers consider themselves unable to do. According to Article 5 of the Regulation, personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Facebook appears unable to apply these “principles relating to the processing of personal data”.
Changing the situation would require a profound change in the way Facebook operates, a complete culture change. Failing to do so would expose the company to prosecution by the European CNIL, or even by individuals or associations.
Facebook says there is no compliance issue
A former employee of the company told Vice that maintaining this situation could be quite cynical on Facebook's part: “It gives them an excuse to keep so much data private, simply because at their scale, with their business model and infrastructure design, they can plausibly claim that they don’t know what they have”.
Johnny Ryan, a privacy campaigner with the Irish Council for Civil Liberties, believes that “This document admits what we have long suspected: that there is a free-for-all of data inside Facebook, and that the company has no control whatsoever over the data it holds”.
Asked to react, Facebook explained in essence that the document was taken out of context: “Considering that this document does not describe our and extensive processes for complying with privacy regulations, it is simply inaccurate to conclude that it demonstrates non-compliance.” If a CNIL and the European courts come to different conclusions, Meta, the parent company of the social network, could risk a fine of 4% of its global turnover.