by Nextgrid
2109 days ago
Regardless of whether Facebook has my e-mail, services providing them with a hashed version of it for advertising purposes still allow Facebook to tell "this hash is associated with these services" even if they never had the original un-hashed email. They can combine it with all the other information they have (stolen from people's contacts which may have the unhashed e-mail along with my name and potentially phone number) and create a pretty good profile on me even if I never signed up for a Facebook account and agreed to their ToS/privacy policy.
If Facebook is only using something like a hash of an email address in order to target ads at specific Facebook users at the request of one of their advertisers, they are probably only acting as a data processor for a very specific purpose that might be acceptable for both Facebook themselves and the advertiser under the GDPR rules.
If Facebook does anything else at all with that data, their role probably changes from a GDPR perspective. The hash is personal data, since by definition it's being used to identify a specific person. If Facebook is using the data they have associated with that hash -- for example, anything they know about the business that provided it -- to build up more of a profile on their users, they are probably now a data controller, possibly as well as a data processor in connection with the original targeted ad process. Then you get into questions about whether Facebook's users have given their suitably informed consent to Facebook or there is some other lawful basis for whatever processing is happening.
Obviously if businesses were providing actual email addresses to Facebook or if Facebook were using that data to do things like building shadow profiles on non-Facebook users, that would be another level entirely. And AFAIK, the custom audience tools on marketing platforms like Facebook typically do accept direct uploads of literal email addresses, phone numbers or other identifying details for the audience to be targeted, so maybe the discussion about hashing above is all moot anyway.