Facebook, as mentioned in detail in the news, was exposed for keeping shadow profiles on users and non-users.

Through an incident (which should have been classified as a bug as it had been available for months) it was revealed that Facebook is keeping so-called shadow profiles of its users as well as data subjects who do not use their services.

A shadow profile is information about a certain data subject which the data subject in question did not give to the data processor. This profile is created without consent of the data subject and possibly without his knowledge. This means the data processor gathered this information through or by combining other sources, either through other data subjects or from other sources such as other web sites, chat sessions, search history, phone conversations…

European Data Protection law forbids this kind of ‘data brokerage’, gathering, combining and reprocessing data from different sources to build a file with personal data for these reasons:

• Data processors can only process your data with your explicit consent.
• Data processors can only process such personal data which is relevant to their services to you.

Your personal data has become a commodity which they use for their own profit and without a relationship with you, the data subject. Quite a number of companies, small and large, have made it their business to gather everybody’s personal data and sell it on to the highest bidder. Recent times have made it very easy for such companies to gather all information in an automated way and from the comfort of their own office. They are also not bothered by the fact that they are serving stale information which is no longer or never was correct, but can have very deep implications on your personal life.

European Data Protection Law has several safeguards:

• If a data subject suspects a data processor has such a shadow profile, the law provides a means to officially request a complete list of data kept by the data processor concerning the data subject.
• If a data subject objects to the data processor’s use of the data subject’s data, the data subject can submit a request to cease processing such data.
• The new EU Data Protection proposal mentions the right to be forgotten, but lobbying by major data processors is probably going to water this down.

The lessons for our clients are clear:

• Be transparent, only gather personal data from your data subjects through informed and explicit consent.
• Do not process other information than that given by the data subject and only if it is relevant to the purpose of your relationship with the data subject.
• Keep it alive, keep data up to date and do not keep data of data subjects beyond the duration of the relationship with your data subject.
• Protect the personal data entrusted to you.