Yesterday I pointed to a story on ZDNet about how Facebook withheld some information in response to a subject access request on the grounds that the requested information was a trade secret or its intellectual property.
Over on Forbes, Kashmir Hill supports Facebook’s argument and characterizes some responses to their position as an unreasonable freak-out.
I disagree with Kash on this. Informing a user that Facebook maintains a biometric faceprint of them and providing a copy of it is not the same as revealing the technology it uses to generate that faceprint. Similarly, showing the user what information it maintains on them for “Likes” is not the same as revealing how they compiled or generated that information or record(s).
One of the main purposes of an access request is to identify errors in records, correct them, or request deletion where deletion is an option.
Suppose Facebook tells a user, “Yes, we have a biometric faceprint of you,” but doesn’t provide them with the record of what it looks like. Could that faceprint — Facebook’s “property” but still your personal data — be purchased by or acquired by others? Could you be harmed in some way or suffer injury due to an inaccurate record that you did not know to correct or delete? Suppose Facebook’s Likes record(s) on you are wildly inaccurate and show you as liking neo-Nazis and hate groups? Could you be harmed by such inaccurate information about you?
Facebook can and should be able to protect their trade secrets and IP. But the product of those secrets and IP – to the extent they are personally identifiable information or records about a living individual – cannot be withheld from the consumer if they are to comply with the intent of data protection and access rights laws. At least, not as I understand the access rights.
Of course, what I think and what Kash thinks are both pretty much irrelevant. The issue is what the Data Protection Commissioner thinks and how he interprets the law, so I’ll be watching this complaint as it goes forward.