In my previous two posts I explored the extent to which it is legal for Facebook to accept Alice’s uploading of Bob’s personal data without Bob’s consent. I concluded that with a far-fetched interpretation of the GDPR, it could be legal in many cases. But Alice can also upload Bob’s picture and make it public. In that case, if Bob asks Facebook “tell me what data you have about me”, I don’t see any way around the fact that they should include the picture in the response—but, of course, they won’t.
The entire GDPR has been written with structured data in mind—the kind of data that results when you fill in a form that has distinct fields for “Surname”, “Given name”, etc. But Facebook is also full of unstructured data, such as Alice sending a private message to Bob telling him “today I met Charlie and I saw that his eyes are brown”. The private message remains in Facebook’s systems, so now Facebook is in possession of (unstructured) personal data for Charlie. The GDPR doesn’t distinguish between structured and unstructured data, and therefore its provisions seem to cover unstructured data as well, but it doesn’t really provide a solution as to how the unstructured data must be handled.
But in the end, Facebook does not need to be legal. First of all, they can play all kinds of tricks to avoid replying when you ask them questions the GDPR requires them to answer. And they can also pay a few fines as part of doing business.
I’m writing this series on GDPR and privacy laws because, when we bring a scientific model to the web, we inevitably face the question of how we will comply with privacy laws. So, first, I wanted to clear up that these laws are a joke.