17 November 2022
Today's letter to the European Commission highlights new material about Meta’s internal data systems, and how Meta infringes the DMA & GDPR.
A letter sent today by ICCL reveals a regime of data anarchy at Meta with data misuse so profound that it would be impossible for the tech giant to comply with new EU law.
The letter to European Commission Executive Vice President Vestager draws on thousands of pages of documents examined by the human rights organisation from long-running litigation against Meta in Northern California.
The documents describe data anarchy within the company, where people responsible for data systems are unaware of how other people in the company use their system. In some cases even the engineers using a system may not be able to understand what is happening because, according to a Meta engineer, ‘it is not possible for humans to understand’.
When ordered to produce information about what 149 different data systems within Meta do, and what parts of Meta’s business use them, the company was unable to respond. This was despite having conducted a year-long investigation of those systems.
Meta’s data free-for-all makes compliance with the new EU Digital Markets Act impossible for the tech giant. The DMA entered into force this month, and prohibits Big Tech firms from automatically using data from one part of their business to prop up other parts.
The revelations from the Northern California litigation also show that Meta has infringed the cardinal requirements of the GDPR for years. The Irish Data Protection Commission is Europe’s lead GDPR supervisory authority for Meta.
Dr Johnny Ryan, Senior Fellow of ICCL, said:
“These latest revelations show data anarchy inside Meta. It does not know where, how or why data is used internally. Meta can not comply with the new EU Digital Markets Act, and has failed to uphold its GDPR obligations for years. This is a data free-for-all”.
ICCL’s letter also warns the Commission that it should be prepared to impose “structural remedies” under the Digital Markets Act. It may be necessary to break Meta up.
Press contact
Sorley McCaughey sorley.mccaughey@iccl.ie Phone: +353(0)87-0620062

Executive Vice President Margrethe Vestager
European Commission
cc.
Thierry Breton, Commissioner for Internal Market
Didier Reynders, Commissioner for Justice
Olivier Guersent, Director General, DG Competition
Ana Gallego Torres, Director General, DG Justice
Dr Roberto Viola, Director General, DG Connect
17 November 2022
Meta’s internal use of data and the DMA
Dear Executive Vice President Vestager,
- The unsealed documents come from a case against Meta in Northern California, which has run since 2018. We have examined thousands of pages of documentation and depositions of Meta engineers from the case, and present herewith the documents and a summary of the key facts.[1] These materials reveal a data free-for-all inside Meta that makes compliance with the DMA an impossibility, and that infringes the GDPR.
- The case entered discovery in November 2019. After prolonged difficulty obtaining the necessary information from Meta[2] the Court in Northern California appointed a Special Master in July 2021 to oversee Meta’s production of information about several plaintiffs. Meta has continued to frustrate the discovery process. But even so, materials unsealed in the case are revelatory.
- In December 2021 the Special Master ordered Meta to produce the following information about 149 internal data systems:
“(1) a high level description of the most common functions and purposes of the system; and
(2) the business units, divisions, or groups that use the system”[3]
- Meta was unable to respond to the request because (by its own admission) it does not know what its systems or business units or divisions do with people’s data. Its lawyers sent the Special Master a 36-page table that repeated the following excuse 149 times in January 2022:
“Facebook has not previously compiled information responsive to the Special Master's Order—including descriptions of the "most common functions and purposes of the data system" and a comprehensive list of “the business units, divisions, or groups that use the data system”—in the course of its prior efforts to inventory its data systems.”[4]
- Meta’s failure to account for what data its systems and business units use, or why they use it, was despite Meta conducting a yearlong internal review of its data uses.[5] That internal review was unable to produce any detail about what user data sits in any of 149 systems within Meta: it was unable to account for what Facebook’s internal systems do with personal data, why they process it, or what the personal data may be.[6]
- Meta’s lawyers subsequently told the Special Master that a new internal investigation would be required to determine which of its systems process the plaintiffs’ data:[7]
“As an initial matter, individual data systems may have multiple different use cases, all of which may store and use data differently and need to be investigated separately. For each individual use case within each system, Facebook would need to assess whether the use case involves storage of individually-identifiable user data…”
By its own admission Meta has not accounted for what personal data it processes in any “use case” in any of its systems. That Meta previously attempted to itemise its data uses but was unable to do so indicates that it may be impossible for Meta to ever do so.
- In February 2022, the Special Master asked “someone must have a diagram that says this is where this data is stored”.[8] Meta’s expert on the subject replied:
“Effectively the code is its own design document often. …it is rare for there to exist artifacts and diagrams on how those systems are then used and what data actually flows through them”.[9]
- At a further hearing in February 2022, a Meta engineer spoke about 55 systems identified as potentially containing data about the plaintiffs, and described a lack of control or accountability over how they are used:
“Each of these 55 systems will have a team of engineers who are responsible and knowledgeable about it, but even then, those individuals may not know all of the ways in which that system is used by other teams”. [10]
In some cases, as a Meta engineer told the Special Master, in March 2022, even engineers directly involved may not be able to understand what is happening to the data because it is impossible for humans to understand.[11]
- In March 2022, Meta’s head of Privacy Infrastructure testified about two data control systems.[12] However, the examples of data controls given by Meta engineers in depositions[13] and other references to those same systems by Meta’s lawyers[14] relate solely to data processing triggered by user actions rather than Meta’s own uses of data. Meta’s lawyers also stated that even these controls are not universally applicable.
- Yet, in contrast to Meta’s lack of control and separation in how it uses data internally, the company took extensive engineering steps to tightly scope the identifiers it shares about its users with other companies to “make it hard for developers to collect data from multiple applications and merge it together into a single dataset”, according to testimony in June 2022 from Meta’s head of Cross-Meta Support.[15]
- These revelations about Meta’s internal use of data evince two important conclusions.
First, Meta cannot comply with provisions of the DMA that prohibit data combination and reuse. Meta cannot account for how it uses data internally. It therefore also cannot distinguish data uses for separate core platform services, for any other services, or for other sources of data. Thus, it cannot comply with the following DMA provisions:
- DMA Article 5(2)(a), which requires that Meta refrain from using personal data collected through other companies that use Meta services;
- DMA Article 5(2)(b) and (c) and (d), which prohibit Meta from automatically combining and cross-using personal data from different "core platform services" in its business;
- DMA Article 6(2), which prohibits Meta from advantaging itself by using data provided by businesses that use its service;
- DMA Article 6(9), which requires that Meta give users the ability to take their data from its systems in order to use the data elsewhere; and
- DMA Article 6(10), which requires that Meta provide access to business customers to the data it processes on their behalf.
Meta may also be unable to comply with DMA Article 14(1), which requires that it inform the Commission of its collection of data from newly acquired companies. Some of the 149 systems referred to were from acquired companies.[16]
- Second, Meta’s inability to know and account for how it uses data internally not only makes it impossible to comply with the DMA, but also infringes the GDPR. This is directly relevant to the DMA in several respects.
- Article 5(2)(d) of the DMA requires that gatekeepers obtain consent as defined by Article 4(11) and Article 7 of the GDPR. Transparency about how data will be used is a condition of consent under the GDPR: Article 13(1)(c) specifies transparency obligations including disclosure of the “processing purposes” for which the consent is sought, and Recital 42 confirms this applies to consent. Recital 43 states there should be separate consent sought for different processing operations where appropriate. Meta’s inability to account for how it uses data makes transparency and precision impossible.
- Article 8(1) of the DMA requires that gatekeeper implementation of DMA Articles 5, 6, and 7 must also comply with the GDPR. However, Meta’s data free-for-all infringes every principle of EU data protection law set out in Article 5 of the GDPR.
- For example, Meta infringes the principle of purpose limitation in GDPR Article 5(1)(b), which provides that personal data must be collected and processed solely for specified, explicit and legitimate purposes. In October 2022, the CJEU confirmed this principle prohibits “any processing of personal data which takes place after the initial processing” unless it is compatible with the purpose for which the data were collected.[17] Whether further processing is “compatible” depends on whether the person concerned would reasonably anticipate the further processing, and the sensitivity of the data and the harm that could arise from the processing, and other factors.[18] In contrast, there is data anarchy within Meta. It does not even know what each of its processing purposes may be, and there is no reasonable way for a person to anticipate what will be done with their data.
- In addition, the new materials reveal that Meta infringes every other cardinal GDPR principle, too:
- GDPR Article 5(1)(a), which requires that Meta’s processing is lawful, fair, and transparent;
- GDPR Article 5(1)(c), which requires Meta to limit its data collection to the minimum required for the processing purposes;
- GDPR Article 5(1)(d), which requires Meta keep data up to date and accurate;
- GDPR Article 5(1)(e), which requires Meta to delete personal data that are no longer required for the processing purposes;
- GDPR Article 5(1)(f), which requires that Meta can keep the data secure; and
- GDPR Article 5(2), which requires that Meta prove it complies with these principles.
- These infringements of the GDPR are contrary to contestability and fairness in the market. In addition, an inability to comply with the GDPR compounds inability to comply with the DMA. For example, before Meta can obtain consent required in DMA Article 5(2), or facilitate business customers doing so under DMA Article 13(5), it must bring its data processing into compliance with the GDPR.
- As Recital 68 and Article 36(3) of the DMA note, the Commission has the power to monitor gatekeepers’ compliance with these GDPR obligations under the DMA. This is essential, because Meta has continued to infringe the GDPR without correction by the Irish Data Protection Commission, which is its lead data protection supervisory authority.
- We urge the Commission to take urgent action, including the following preparatory steps:
- The Commission should take immediate action now to prevent Meta from obfuscating how it uses data: the Commission should obtain from Meta a complete and granular list of each data processing purpose, and all relevant information about its data processing. Meta is required to maintain a detailed “Record Of Processing Activities” (ROPA) under Article 30 of the GDPR. Though the Commission cannot yet use its power to request explanations about Meta’s data use under DMA Article 21(1) or its powers of inspection under DMA Article 23, it may nonetheless immediately obtain Meta’s ROPA by collaborating with the Irish Data Protection Commission, or by directly requesting it from Meta.
- If Meta’s ROPA is insufficiently complete or granular (as the new materials strongly suggest), or does not exist at all, then the Commission should immediately invite Meta’s lead supervisory authority to very rapidly deliver a draft decision to the European Data Protection Board to decisively end Meta’s non-compliance.
- When DMA obligations finally become applicable, the Commission should rapidly move to adopt an interim measure under DMA Article 24, specifying that Meta must make its data uses separate and accountable to comply with all principles in Article 5 of the GDPR, so that it complies with Article 5 and 6 of the DMA. The Commission should also prepare in advance for an implementing act with the same effect, under DMA Article 13(7).
- It is clear from the revelations that the Commission should anticipate that Meta will meet the test of systematic non-compliance in DMA Article 18(3). In view of the seriousness of the circumstances, the Commission should be fully prepared to use its powers to impose structural remedies in response to systematic non-compliance by Meta under DMA Article 18(1) at the earliest opportunity.
- We are at your disposal to assist in investigating gatekeepers’ data uses, and to discuss this matter further.

Dr Johnny Ryan
FRHistS Senior Fellow
Notes:
[1] See a selection of the most revealing files here:
- [Doc 1] Appellate record for Facebook, inc.’s appeal of Special Master’s amended order re: plaintiffs’ motion to compel production of plaintiff data, 18 January 2022. 3,430 pages.
https://www.iccl.ie/wp-content/uploads/2022/11/2022-Facebookdocument20220119.pdf
- [Doc 2] Amended order regarding production of named plaintiff data, 8 June 2022. 833 pages.
https://www.iccl.ie/wp-content/uploads/2022/11/2022-gov.uscourts.cand_.327471.982.0_1.pdf
- [Doc 3] Plaintiffs' corrected notice of motion, motion, and memorandum in support of sanctions, 15 September 2022. 55 pages.
https://www.iccl.ie/wp-content/uploads/2022/11/1050-1-Unsealed-Support_of_sanctions_motion.pdf
- [Doc 4] Exhibit 105-B Redacted version of document sought to be sealed, 4 November 2022. 1,480 pages.
https://www.iccl.ie/wp-content/uploads/2022/11/Full-Unsealing-Cross-others-1074-8.pdf
[2] Doc 3, p. 4. Timeline of major events in discovery, in Plaintiffs' corrected motion for sanctions, p. 4.
[3] Doc 1, p. 14. Amended Order Re: Plaintiff’s Motion To Compel Production of Plaintiff Data, 17 December 2021, p. 8.
[4] Doc 2, pp 284-321. Gibson Dunn to Special Master Garrie, “Defendant Facebook, Inc.'s Submission in Compliance with the Special Master's Amended Order re Plaintiffs' Motion to Compel Production of Plaintiff Data”, 6 January 2022, pp 1-39.
[5] Doc 2, p. 125. David Pope’s testimony in Special Master’s Hearing, 14 January 2022, p. 7.
[6] Doc 2, p. 178. David Pope’s testimony in Special Master’s Hearing, 14 January 2022, p. 60.
[7] Doc 2, p. 326. Gibson Dunn to Special Master Garrie, 27 January 2022, p. 4.
[8] Doc 2, p. 413. Special Master Garrie in Special Master’s Hearing, 17 February 2022, p. 83.
[9] Doc 2, p. 413. Eugene Zarashaw’s testimony in Special Master’s Hearing, 17 February 2022, pp 83, 87.
[10] Doc 2, p. 379. Steven Elia’s testimony in Special Master’s Hearing, 17 February 2022, p. 48.
[11] Doc 2, p. 575. Mike Clark in Exhibit N: Special Master Hearing, 9 March 2022, p. 23.
[12] Doc 2, p. 674. Mike Clark refers to EntSchema and Node in Special Master Hearing, 9 March 2022, p. 122.
[13] Doc 2, p. 675-6. Mike Clark in Special Master Hearing, 9 March 2022, p. 123-4.
[14] Doc 2, p. 549. Gibson Dunn to Special Master Garrie, 7 March 2022, p. 7.
[15] Doc 4, p. 942, 944-5. Simon Cross in Deposition of Simon Cross, taken on behalf of the plaintiffs, 20 June 2022, p. 794, 796-7.
[16] Doc 2, p. 153-4, 165, 208-209. David Pope’s testimony in Special Master’s Hearing, 14 January 2022, p. 35-6, 47, 89-90.
[17] paragraph 31, Judgment of the Court (First Chamber) of 20 October 2022, case C-77/21.
[18] paragraph 35 of ibid.