The image speaks volumes. Imagine a bottle of black ink being spilled over a lake. In a short time, this ink spreads all over the water. It is irreversible and uncontrollable. And that’s exactly what happens when personal data comes into Facebook’s huge system to be processed for commercial purposes. This is indeed what emerges from an internal document from last year, revealed by Vice.
Over fifteen pages, the author sounds the alarm on a brutal observation. More and more countries are passing more and more restrictive laws on the protection of personal data and the Facebook platform would, at present, be totally incapable of respecting them. In particular, the social network could not comply with article 5 of the GDPR which stipulates that the data must be “storage in a lawful, fair and transparent manner” and “required for specified, explicit and legitimate purposes”. However, at Facebook, data processing is so complex and integrated with each other that no one is able to say where the information obtained goes, how it is transformed and for what purpose. It’s total blur.
“We do not have an adequate level of control and explainability over how our systems use data, and therefore cannot confidently make controlled policy changes or external commitments such as ‘we don’t we will not use X data for Y purposes”. And yet, this is exactly what regulators expect of us, increases our risk of errors and misrepresentations,” can be read in the summary of this document.
This situation is a legacy of the years when personal data did not yet have the importance it has today. Facebook’s systems were designed in a very open and uncontrolled way. Data can flow freely, without any constraint, through the tens of thousands of programming interfaces and database tables that the group uses in its services and applications.
Also see video:
In order to comply with the laws, Facebook will have to add control, filtering and routing rules to all personal data processed by the “Ads” advertising platform. According to the author of the document, this is only possible by modifying in depth the internal architecture of data processing, knowing that certain functionalities cannot be retained in the future. Thus, it is not only recommended to bring order to the many data sources, but also to create a single entry point called ” Organized data sources “, where each data will be filtered according to a set of predefined rules of use, called ” Objective Policy framework (PPF). Once the data is associated with these rules, it could flow safely from one system to another, benefiting from the appropriate and legally compatible treatment.
A titanic project
But given Facebook’s enormity, it’s a Herculean job that’s going to require heavy investment, revealed at 750 man-years of IT development spread between 2021 and 2023. It’s unclear what stage that job is at today. today, or even if it really started. In the short term, to avoid legal conflicts, the document proposes using a simplified advertising system called “Basic Ads”, which quite simply ignores all the personal data disseminated by users: likes, messages posts, friends list, etc. According to the document, the launch of Basic Ads was scheduled for January 2022 in Europe. It would therefore seem that this project has been delayed.
Questioned by Vice, Facebook explains that this document does not present in an exhaustive way the processes and the controls put in place in its systems. It would therefore be wrong to conclude that the social network did not respect the laws in force. “We have, in fact, extensive processes and controls to manage data and comply with data protection regulations”, retorted a spokesperson. However, Facebook employees conceded in an interview with Vice that the company did not have control over every piece of data processed.