Italy’s Data Protection Authority has ordered Facebook to turn over all the data it has on a user, along with data from a fake page that a troll set up in his name and used to extort him.
In addition, the company’s been ordered to hand over details of how the personal data was used, including who it was sent to or who might have obtained knowledge about it.
According to official documents, the user in question had accepted a friend request from an unspecified party.
When the man – kept anonymous in the documents – resisted that party’s extortion attempt, the troll swiped his personal information and photo and set up a phony account in his name.
Then, he or she used the fake account to send pictures and video montages to the man’s contacts. The images were meant to smear his reputation by implicating him in sexual activity, including with a minor.
The man immediately asked Facebook to take down the bogus account and to hand over all the relevant information it had on him, including data and photographs. Facebook then sent him an email explaining how to download his personal data using the standard tool.
But what he downloaded was jibberish, he said: a series of data, unintelligible because it was marked with codes, numbers and symbols. Beyond that, Facebook hadn’t delivered information about his tormentor.
Facebook told him it was taking steps to delete the fake account. But the self-service tool showed him that related conversations, though marked unavailable, hadn’t actually been deleted.
Unsatisfied, seeking information about who set up the account, he took the matter to the Italian data protection authority (DPA).
The DPA agreed with him.
It ordered Facebook to hand over all the data concerning the user: personal information, photographs, and posts, including those entered and shared by the troll. Also, the DPA said that the social network has to hand over information on its “aims, methods and logic of data processing,” as well as on the people communicated with, in an intelligible, non-gobbledygook form.
The case is notable because it’s yet another example of a European data authority telling tech companies they can’t hide inside their “but our headquarters are over here!” jurisdiction argument.
That jurisdiction notion has already failed to hold water in Google’s failed attempts to fight off the EU’s right to be forgotten.
We don’t care if a URL’s got a .fr, a .uk or a .com glued to the end, the French data protection agency told Google in June; if a European makes a legitimate request to be forgotten in search results, make it so on all your search engines in all countries.
The failure of the jurisdiction gambit hit home big-time in October, in the case of the Slovakian-registered company Weltimmo, which was in court over alleged breaches of Hungarian data protection laws.
In that case, a judgment from the EU Court of Justice opened the door for individuals to complain about data protection law breaches to their local data protection authorities, even if they’re complaining about a company headquartered outside their country.
Italy isn’t Facebook’s first loss on the jurisdiction front. It’s repeatedly tried to claim that it only has to answer to data protection authorities in Ireland, where it has its EU headquarters.
Looks like we can now add Italy to that growing list.