In the modern, digital world, each of us is asked to read and accept hundreds of pages of terms and conditions governing the way we use our products and services. While no one could be expected to read every term (especially for entertainment or other “low risk” services), as a specialist in reading and drafting such documents, a lawyer can offer insight into just how they operate (and what rights the average user gives away when they sign on the dotted line).
In “A Lawyer Reads…”, we’ll take a deeper dive into a few of those little-read contracts, terms, and conditions in an effort to provide just a bit of that insight.
Today we finish our reading of the Facebook Data Policy with discussions on data deletion, what happens when the law comes calling, Europe, and more.
How can you manage or delete information about yourself?
You can manage the content and information you share when you use Facebook through the Activity Log tool. You can also download information associated with your Facebook account through our Download Your Information tool.
The links provided here are interesting. They point to (more) help center pages, but describe tools within the Facebook application itself. The “Activity Log” is described as “a list of your posts and activity, from today back to the very beginning, [and] stories and photos you’ve been tagged in, as well as the connections you’ve made”. In other words, everything you’ve done (or had done to you) directly on Facebook.
Perhaps more interestingly, the “Download Your Information” tool is described by Facebook as one which allows users to download “the personal data from their Facebook account that we hold about them”. Of particular note here, the categories of available information include “Ad Topics”, “Location History”, “Calls and Messages”, and other information that we discussed earlier, but which the average user may not expect is being collected by the company.
(For reference, the tool says that I am likely to be interested in, among other things, the Dexter TV Series, Lyft, and “Track and Field”. It also includes a listing of all advertisers who have uploaded advertisements with my information based on “lists provided to them”. As you might expect, this list is very long and includes many companies with which I have no present relationship (and, indeed, have never previously interacted); i.e., my information was sold or otherwise transferred to them.)
We store data for as long as it is necessary to provide products and services to you and others, including those described above. Information associated with your account will be kept until your account is deleted, unless we no longer need the data to provide products and services.
This should be read as “We will keep your information until you delete your account.” The extra verbiage is nice, but as Facebook can always say that it needs user information to provide the primary Facebook service, it will retain most information until a user “goes away.”
You can delete your account any time. When you delete your account, we delete things you have posted, such as your photos and status updates. If you do not want to delete your account, but want to temporarily stop using Facebook, you may deactivate your account instead. To learn more about deactivating or deleting your account, click here. Keep in mind that information that others have shared about you is not part of your account and will not be deleted when you delete your account.
So, again Facebook washes its hands of what users say about each other. There is nothing they can do about information (accurate or inaccurate) which User X posts about User Y. This is to be expected, but can still be a bit concerning given how closely intertwined “tagging” is with the person being “tagged”.
More interestingly, Facebook states that it will “delete things you have posted” when a user deletes their account, but does not say anything about the other data (such as “relevant ad” analysis, location information, etc.) which it has itself collected or compiled. Intention or oversight? It’s impossible to say from this language.
Further, at the link provided (to yet another Help Center page), it is stated that a user’s information may not be deleted for up to 90 days after the request is made. So there is a period of time, after a user has indicated their desire to dissociate from the company, during which Facebook will continue to hold their information.
How does Facebook respond to legal requests or prevent harm?
We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.
“Good faith belief” is extraneous language here and widens Facebook’s ability to respond to legal inquiries without the direct requirement of law. Were I negotiating this contract on a one-to-one basis I would require the law to actually apply in order to allow disclosure.
This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.
Users are subject to international standards of data release if the inquiry relates to foreign users. Again, this is necessary (roughly) for an international data company, but takes a fairly deferential view as to the requirements of the request. “Consistent with internationally recognized standards” is a particularly weak threshold to meet. Don’t expect Facebook to block EU regulators if they ask to see a user’s data.
We may also access, preserve and share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; or to prevent death or imminent bodily harm. For example, we may provide information to third-party partners about the reliability of your account to prevent fraud and abuse on and off of our Services.
Whenever there are lists, one “fun” thing to do is to try to parse them down to what is really happening. So, at its most extreme, this provision can be read as “We may…access, preserve, and share information…to protect ourselves.” That’s a very broad right. What is the legal definition of “protect”? Can Facebook release user information in the face of downward share price pressure in order to “protect” the company’s value? Can it release user information to regulators in order to “protect” the company’s market share? This is very broad language and obviously too ambiguous to provide users with much comfort.
Information we receive about you, including financial transaction data related to purchases made with Facebook, may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm. We also may retain information from accounts disabled for violations of our terms for at least a year to prevent repeat abuse or other violations of our terms.
Same thing here: “Information…may be accessed, processed and retained for an extended period of time…to prevent harm.” So, that’s a fairly broad right. To prevent any harm? What about to the company’s bottom line? Any other harm? What if disclosing a user’s data could save 10 other users? Is that permitted? Who gets to decide? Facebook?
How do Facebook’s “Global Services” operate?
Facebook may share information internally within our family of companies or with third parties for purposes described in this policy. Information collected within the European Economic Area (“EEA”) may, for example, be transferred to countries outside of the EEA for the purposes as described in this policy. We utilize standard contract clauses approved by the European Commission, adopt other means under European Union law, and obtain your consent to legitimize data transfers from the EEA to the United States and other countries.
You can contact us using the information provided below with questions or concerns. We also may resolve disputes you have with us in connection with our privacy policies and practices through TRUSTe. You can contact TRUSTe through their website.
In other words, Facebook assumes broad authority to do what it needs to do to make its business work, particularly in Europe. This matches the other language contained in the Data Policy, but users should note the broad deference to legal authority (foreign and domestic) that the company evinces in the remainder of the document.
The website they direct to is a third-party service which offers to settle data disputes between program participants and their users. I do not know whether such a service is an effective advocate for users.
How will Facebook notify its users of changes to the Data Policy?
We’ll notify you before we make changes to this policy and give you the opportunity to review and comment on the revised policy before continuing to use our Services. (Additional contact data is then provided.)
Like most online terms, Facebook reserves the right to change their policies and contracts when and as desired. A user’s recourse upon receiving notice of such changes is to stop using the company’s services. Whether or not the company adequately conveys the presence and nature of amendments to its terms of service is always a question in the digital space, and one likely governed (in part) by the terms and conditions document itself.