by danShumway 2823 days ago
Yep. And I don't know a way to get around shadow profiles.

We should try to find one. I fully support the privacy fixes people are proposing. I think that's really important. But it's pretty obvious that Facebook is winning right now.

However, the only thing that Facebook cares about is getting you to click on an ad. So even if you can't stop Facebook from getting a shadow profile on you, at least you can make that profile worthless by blocking ads literally everywhere that Facebook can think to display them to you, for you and your family/friends.

And you can be public about it to ensure that when Facebook goes to companies and says, "we have all this data for your next campaign", somebody in the sales-pitch meeting raises their hand and says, "yeah, but nobody looks at your ads."

1 comments

The workaround is called GDPR. A shadow account is illegal with that.

The standard official Facebook response to this is that you do not own your "shadow profile" since it's a profile made out of data gathered from other people and companies, and thus they cannot let you control it. In other words "it is not your data".

I doubt that holds in court, but as mentioned in the article, there are people in the EU who for months have tried to get Facebook to provide the shadow profile data on GDPR grounds, and Facebook has yet to allow it.

It seems like Facebook can afford to stall, they've got more knowledge and power than a single EU citizen can have, so I'm sure they know what they're doing.

----

To be honest, I think Facebook is in breach of _multiple_ GDPR articles _simultaneously_ here, which is quite a feat in itself.

They're in breach of:

- Privacy by Design (a.k.a. Privacy by Default)

- Right to Access

- Right to Be Forgotten (which is older than GDPR..?)

- Data Portability

Then again, Facebook is not alone. I'm pretty sure there are very, very few companies on the web that are not in breach of GDPR at least in spirit, if not in letter.

>I doubt that holds in court

There's a zero chance that holds in court. If it were possible to have a negative chance it would have a negative chance of holding in court.

Data protection does not in any way relate to "ownership" of data.

If the data are personal data then you are forbidden from processing that data unless you have one of seven lawful bases enumerated in the GDPR, and where the data are sensitive then those bases are reduced further.

So this is an interesting scenario that I've seen people bring up before, but I've never been completely clear on the answer. Let's say I'm using an online virtual assistant with auto-replies and stuff like that, and I upload your contact information and phone number so it can help me manage my schedule/emails/etc...

Under GDPR, the company I just gave that information to doesn't have your permission. So, let's say that later on, you go to the company and say, "hey, delete any information about me." For them to comply, they can't keep on syncing your contact information in my address book, right?

I guess, how does GDPR handle a situation where a separate customer is going to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should Facebook block that person from specifying the relationship in the UI? Or would that just fall under "essential for business"?

What if they don't keep an account but just a query that can return results like an account?

How would that work?

That doesn't make a difference. GDPR doesn't talk about data ownership; it talks about data on persons. If it's data about me, it's not allowed to hold it if there is no other relationship.