Meta not complying with GDPR

Atemu, 8 months ago

Did you have an Occulus account?

steersman2484, 8 months ago

Damn, yes

Atemu, 8 months ago

That might be it. I received an email on my newer email that I did use for Occulus but not on my old one I had used for Facebook stuff where I deleted my account.

goodhunter, 8 months ago

Facebook leaked my mobile phone, where consequently I get sales calls from the other side of planet. I had deleted my account already 6 years prior. I live in the EU btw. F Meta

Ubermeisters, 8 months ago

Yeah I was really disappointed to see that email. They shouldn’t have any of my information any longer. Unfortunately I’m a citizen of the United States so we don’t have national level protections because our country doesn’t give a fuck about our information security or privacy

WhoRoger, 8 months ago

I’d say try again but specifically 1) talk to someone who is a designated GDPR officer (they have to have the contact listed), 2) specify that you don’t have an account, but are requesting the information anyway

Maybe just talking to a different person will get you different information. Most likely support is done by some center in India that is going by an internal faq and so it always depends who you gonna get.

I mean, them asking you to provide email/info of your account smells of misdirection already (whether deliberate or not), because you don’t have to have an account for them to have your data.

Recently I’ve been thinking of doing something about emails from a gaming store I’ve started receiving a few months ago, to an email I’ve not been using for over a decade and that’s only been registered to some forums. If I decide to look into that, they need to be able to explain where they got the my contact in the first place.

steersman2484, 8 months ago

I did everything you included in your first paragraph.

I could try again but I don’t know if this makes any difference, at least I read a simmilar story on reddit some time ago. If I remember correctly it was about a person who got banned on Instagram and therefore he was not able to get his data deleted.

WhoRoger, 8 months ago

Well they have to, regardless of account status. If they don’t, then as you say they’re in violation and therefore you can report them to your local GDPR bureau, which every EU country has.

You don’t have to sue Meta, the bureau has the authority to enforce compliance and give fines for every day they don’t. Dunno how effective it is against entities like Meta, but they’ve been in hot water in a couple countries already.

Ed: ok I guess it’s important how identifiable the data is. Monoliths like Meta do collect a ton of data which they technically can claim is anonymous… We’ll see how that turns out eventually. But email and name are definitely personal data.

blue_zephyr, 8 months ago (edited 8 months ago)

There’s a really low bar for what is considered personal data. If they collect location data coupled to an “anonymous” ID, it’s still personal data, because it shows you moving to your house and place of work every day. If you can infer a person’s identity from the data, it’s personal data.

So yeah them collecting your personal e-mail address and refusing to delete it is a clear violation of the GDPR.

adespoton, 8 months ago

And in this case, they demonstrated they held email address linked to first name, and linked to account status. Having all that PII and refusing to both hand it over and to purge it is an open/shut violation. And the only way the fines will scale is if enough people report these violations. Meta counts on most people just ignoring them.

Chilly, 8 months ago

It seems plausible to me that their GDPR process probably missed some email communication system where the name and email was stored, like a hubspot or something custom. Most places I’ve seen have a ton of systems with name and email in it, and GDPR processes aren’t maintained well across all of the teams using that data.

Not saying it’s right, just saying it’s possible an account was mostly deleted and the remnants remain in some other tool, and the person you spoke with only knows about their main systems.

steersman2484, 8 months ago

Yes, could be possible, but I think this is not acceptable for a company as big as Meta

Chilly, 8 months ago

Agreed it’s not acceptable. Unfortunately I don’t think GDPR is taken seriously enough. Hopefully at some point the consequences will get better

Asudox, 8 months ago

Well, it’s your chance to sue them.

blue_zephyr, 8 months ago

You don’t have to sue them. Suing a multinational company will bankrupt you. Let the data protection authority handle this.

koper, 8 months ago

The DPC is almost certainly going to ignore complaints like this. You can choose between suing meta or suing the DPC.

Spawn7586, 8 months ago

It’s not the US here, suing is not viable nor easy in the EU. That’s why we created that system in the first place. And it kinda works. It may be slow but they are not gonna ignore complaints at random

koper, 8 months ago

Have you ever seen the statistics? The DPAs are massively underfunded and the Irish DPC in particular is notorious for ignoring complaints, to the point where the EU is considering launching infringement procedures against Ireland for not properly enforcing the GDPR. If you think they will take action on a complaint like this, you will get disappointed.

On the other hand, petitioning the courts to intervene is probably easier than you think. In some member states you don’t even need a lawyer, so all it takes is a bit of time and some court fees. I’m not saying it’s the preferred option, but realistically it is the shortest path to a result.

PlasmaDistortion, 8 months ago

I received the same email and also deleted the account about 9 years ago. They absolutely are keeping account information.

jgkawell, 8 months ago

Just jumping in to say I had the same thing. Deleted account and got that same email.

Crakila, 8 months ago

And water is wet.

Meta has never and will never comply with GDPR in any capacity and the Irish DPO will be more than happy to dish out more fines if stuff like this comes to light.

hddsx, 8 months ago

Water has the ability to make things wet but is not wet in and of itself.

Navarian, 8 months ago

Meta and however many other of the giant tech companies.

Often it’s cheaper for these services to take fines than it is to change up their operation, by an order of magnitude.

Sidenote - Hey, been a minute.

blue_zephyr, 8 months ago

GDPR fines can scale to a company’s yearly revenue. They can absolutely get in more trouble than it’s worth if they keep blatantly shitting on the GDPR. Keep reporting them whenever you see these violations.

MummifiedClient5000, 8 months ago

National data protection authorities contact info

CameronDev, 8 months ago

Are you sure it wasn’t a phishing email? With stolen creds?

steersman2484, 8 months ago

This was the sender email: notification@email.meta.com

And all links point to meta.com, so no phishing

envis10n, 8 months ago

Check the email headers. You can spoof a sender address

520, 8 months ago (edited 8 months ago)

Spoofing a sender while falsifying compliance with SPDIF and DKIM are another matter entirely.

OP, do you know if your email host performs these checks? (The popular webmail services do)

dot20, 8 months ago

S/PDIF (Sony/Philips Digital InterFace) is an audio interface, perhaps you meant to refer to SPF (the Sender Policy Framework)?

520, 8 months ago

Ahh yes, you are correct, I got mixed up!

dot20, 8 months ago

:)

steersman2484, 8 months ago

It is a gmail address

520, 8 months ago

Then you are probably fine unless you're a high value target. Gmail checks these, and any such bypass would not be burned on a common target.

steersman2484, 8 months ago

I know, already done. Looks fine

envis10n, 8 months ago

All good, just wanted to make sure since it wasn’t clear

steersman2484, 8 months ago

Thank you anyways for the hint