16

I asked this question to Facebook:

I would like to know how I can permanently delete private messages from both sides of the conversation. For example, conversations I had in the past with other Facebook users that I don't want them to be able to see/read anymore.

If this is currently possible, or will be possible in the future, how can I apply this action also to messages I have already deleted from my side in the past?

And they replied:

Messenger works like texting (SMS) and other mobile messaging apps to let you reach people instantly on their phones. When you send a message on Messenger a copy will be saved to your device. Only you and the people you’re in a conversation with can see your messages.

Deleting a message permanently removes it from your inbox and your copy is removed from our servers. Keep in mind that deleting a message or conversation from your inbox won't delete it from another person's inbox. As with messages sent via text message or by email, it isn't possible to delete sent or received messages from another person's inbox.

Since I don't agree with this answer, I replied:

While I understand what you mean regarding Messenger working like texting (SMS), there is a difference in that SMS messages do not stay saved on the servers permanently.

Even with WhatsApp, as far as I know, messages are deleted from the servers once they reach the recipient's device. This seems more like texting (SMS).

So, regarding Messenger, I would like to have a way to delete messages from Facebook's servers (including those I deleted so far), on both my side and the recipient's side, even if a copy stays on recipients' devices.

With a final reply from Facebook:

As previously mentioned, deleting a message permanently removes it from your inbox and your copy is removed from our servers. However, deleting a message or conversation from your inbox won't delete it from another person's inbox. As with messages sent via text message or by email, it isn't possible to delete sent or received messages from another person's inbox even if you delete your account.

Is this GDPR compliant?

I'm sure they are aware that private messages can have a lot of PII data, such as photos, addresses, private information that can easily identify an individual, etc. (or even my name, if they keep it attached to the message threads).

If I decide to delete my account, apparently all the private messages I sent to others will never be deleted from Facebook servers, unless the recipients have deleted them from their side.

I don't see this as being compliant with Art. 17 GDPR - Right to erasure.
Am I correct?

Nuno

3 Answers

14

Art. 17 GDPR Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Assuming private messages contain personal data, if at least one of the following points (a..f) applies, it would have to be deleted.

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

The original main purpose was probably Article 6(1)(b) (performance of a contract). If you delete your account, that would no longer apply. However, for the receiver of the private message, Article 6(1)(f) (legitimate interests pursued by a third party) would apply. The receiver might still want to read that message. So there is still a purpose to process this data. So point (a) does not apply.

(Note that a Facebook private message can be considered a hosted version of SMS messages. A receiver does not expect SMS messages to be automatically deleted after they have reached the recipient's device. A receiver expects full control of the storage of SMS messages. I think a receiver expects the same for messages on Facebook.)

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

Data processing was not based on consent, so point (b) does not apply.

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

Article 21(1) allows you to object to processing based on Article 6(1)(f), unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. While I think processing is based on Article 6(1)(f), I also think there are legitimate grounds to refuse your objection. As explained before, the receiver might still want to read that message. The receiver was previously able to read your message, so one can assume he/she already has knowledge of the personal data in the message. As it is a private message, no one else will be able to read that message. (At least Facebook will not allow it.) So if the message is not deleted, the privacy implications for you are low. That's why I think the interests of the receiver will prevail. However, in the end, a judge will be the only person who can make such a consideration. So you would have to go to court to get a final decision about this.

Article 21(2) is for direct marketing, which does not apply to this situation. So I think point (c) also does not apply.

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

These points do not apply.

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

This data processing was not based on consent, so even if you are a child below the age of 16 years, point (f) does not apply.

Article 17(2) and Article 17(3) won't help you either. So in my opinion Facebook is right in this case.

wimh
2

I think the answer is provided here, in the introduction of the GDPR law:

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

So I think it depends on what Facebook does with the data on their servers, technically. If, when you ask them to delete the personal data, they actually delete it from all their servers, then it's OK. If the data only remains on the recipient's device and Facebook isn't able to access it anymore, then it's OK. The reason is that it would be data only owned by the recipients, and so it would be part of a "personal activity" unrelated to any professional or commercial activity. You would have to ask the recipient to delete the message you sent them, but the recipient won't have to comply with the GDPR if they are simply a natural person (not a company, etc.).

However, if the data somehow remains on Facebook's servers, anywhere, if you deny your consent and ask them explicitly to delete the data, then they must delete it to comply with the GDPR.

reed
1

I know this is an old question but I saw it and thought to just answer it. Facebook says that the message is deleted from the servers (only if both parties remove a message). And then I was thinking, why? As part of GDPR the part where it states:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

As I saw in a previous answer, "the other recipient may want to read the message". However, if both parties deleted it, then surely point A should apply. It is possible for messages to be on backup servers for a bit of time, but soon they would get removed too. Not only that, you can also remove your consent of the message, but I think that won't be necessary. Anyway, if Facebook still stores messages, then it'll be unlawful because of the GDPR legislation. To add to this, if they still kept the messages, then that would mean that Facebook provided false information, which is an offence in itself. If you ask me, it seems like a big gamble to store Facebook messages and they'll be putting themselves at unnecessary risk just to store useless bits of data.

If the recipient still has the messages then the messages will stay on Facebook servers. As Facebook says "There are two copies of a message" then that means the recipient will keep the messages (if he/she doesn't remove it). Text messages have to follow GDPR so there is no exception to Facebook Messenger.

FD_bfa