Newly unsealed court documents reveal data anarchy at Meta.

We've just sent the European Commission new material revealing Meta’s internal data systems
+how Meta infringes the new EU Digital Markets Act + GDPR
https://www.iccl.ie/news/unsealed-court-documents-reveal-data-anarchy-at-meta/

We examined thousands of pages of unsealed docs and depositions of Meta engineers from a long running case against Meta in Northern California. We found a data free-for-all inside Meta that makes compliance with the new EU Digital Markets Act an impossibility.

The case starts in 2018. After prolonged difficulty obtaining the necessary information from Meta the Court in Northern California appointed a Special Master in July 2021 to oversee Meta’s production of information about several plaintiffs. See
https://twitter.com/jason_kint excellent Twitter timeline.

In December 2021 the Special Master ordered Meta to produce the following information about 149 internal data systems.

But Meta couldn't answer.
Its lawyers sent the Special Master a 36 page table in January 2022 that repeated the following excuse 149 times:
Meta does not know what its systems or business units or divisions do with peoples’ data.
PDF table is here --> https://iccl.ie/wp-content/uploads/2022/11/6-January-2022-table-from-Metas-lawyers-to-Special-Master.pdf

This remarkable admission was after Meta had an internal team conduct a yearlong review of its data uses. That internal review was unable to detail what user data sits in 149 systems within Meta, who uses them, why, or much else.

A pause to say bravo to
Jason Kint for his constant attention to this case over the years. We looked at it in detail only because his analysis put it on our radar.

Meta’s lawyers told the Special Master in a second letter in January 2022 that Meta would need to do investigate again: "For each individual use case within each system, Facebook would need to assess whether the use case involves storage of individually-identifiable user data"

Further revelations feature in our letter to the Commission
https://www.iccl.ie/news/unsealed-court-documents-reveal-data-anarchy-at-meta/

Despite its own internal data free-for-all, Meta took extensive engineering steps to tightly scope user identifiers it shares with other companies to prevent them building data free-for-alls of their own.

Two conclusions

First, Meta cannot comply with DMA provisions that prohibit data combination and reuse. It can't account for how it uses data internally. It therefore also can't distinguish data uses for separate core platform services, or for any other services, or other sources of data, too.

Meta is not prepared to comply with DMA Article 5, Article 6, presumably Article 14 too.

Second, Meta’s inability to know and account for how it uses data internally not only makes it impossible to comply with the DMA, but also infringes the GDPR, too. This is directly relevant to the DMA.

Article 8(1) of the DMA requires that gatekeeper implementation of DMA Articles 5, 6, and 7 must also comply with the GDPR. However, Meta’s data free-for-all infringes every principle of EU data protection law set out in Article 5 of the GDPR.

Before Meta can obtain consent required in DMA Article 5(2), or facilitate business customers doing so under DMA Article 13(5), it must bring its data processing into compliance with the GDPR.

As Recital 68 and Article 36(3) of the DMA note, the Commission has the power to monitor gatekeepers’ compliance with these GDPR obligations under the DMA. This is essential because Meta has continued to infringe the GDPR without correction.

We propose to the Commission several actions that can be immediately taken in advance of the application of the DMA to Meta. (Step one is immediate action to prevent Meta from obfuscating how it uses data.)

When DMA obligations finally become applicable, the Commission should rapidly move to adopt an interim measure under DMA Article 24, specifying that Meta must make its data uses separate and accountable.