The standard official Facebook response to this is that you do not own your "shadow profile" since it's a profile made out of data gathered from other people and companies, and thus they cannot let you control it. In other words, "it is not your data".
I doubt that holds in court, but as mentioned in the article, there are people in the EU who for months have tried to get Facebook to provide the shadow profile data on GDPR grounds, and Facebook has yet to allow it.
It seems like Facebook can afford to stall, they've got more knowledge and power than a single EU citizen can have, so I'm sure they know what they're doing.
----
To be honest, I think Facebook is in breach of _multiple_ GDPR articles _simultaneously_ here, which is quite a feat in itself.
They're in breach of:
- Privacy by Design (a.k.a. Privacy by Default)
- Right to Access
- Right to Be Forgotten (which is older than GDPR..?)
- Data Portability
Then again, Facebook is not alone. I'm pretty sure there are very, very few companies on the web that are not in breach of GDPR at least in spirit, if not in letter.
There's zero chance that holds in court. If it were possible to have a negative chance, it would have a negative chance of holding in court.
Data protection does not in any way relate to "ownership" of data.
If the data are personal data then you are forbidden from processing that data unless you have one of seven lawful bases enumerated in the GDPR, and where the data are sensitive then those bases are reduced further.
So this is an interesting scenario that I've seen people bring up before, but I've never been completely clear on the answer. Let's say I'm using an online virtual assistant with auto-replies and stuff like that, and I upload your contact information and phone number so it can help me manage my schedule/emails/etc...
Under GDPR, the company I just gave that information to doesn't have your permission. So, let's say that later on, you go to the company and say, "hey, delete any information about me." For them to comply, they can't keep on syncing your contact information in my address book, right?
I guess, how does GDPR handle a situation where a separate customer is going to Facebook and saying, "hey, let me put in that I'm X's cousin"? Should Facebook block that person from specifying the relationship in the UI? Or would that just fall under "essential for business"?
That doesn't make a difference. GDPR doesn't talk about data ownership; it talks about data on persons. If it's data about me, it's not allowed to hold it if there is otherwise no relationship.