2

If Alice posts Bobinators private information like full name and address on a Facebook group, in an attempt to warn others of bad experience with him, is it a GDPR violation?

Does it matter if a group is private or public? Or if it's in a comment or her own wall? Does it matter if Bob really did do the bad thing?

If it's a violation who should Bob ask for the fix before complaining to his local data protection agency? Alice, Facebook, group admins, or someone else entirely?

My research of the topic didn't go well because I'm getting just a huge amount of information about how to remove your private data from Facebook, and how to stop companies from sharing it, it's very hard to get information about private people making public posts.

Affaltar
  • 167
  • 5

1 Answers1

1

Perhaps. But invoking the GDPR might not be that useful here.

The GDPR does not apply to processing of personal data for purely personal or household purposes. Ordinary social media use is covered by this exception. Warning friends about another person is fine.

Publishing personal data to an indeterminate number of recipients is probably not covered by this exception. Such publication would require a legal basis under the GDPR. For example, such publication might be necessary for a “legitimate interest”. But that would require a case-by-case analysis that also weighs this interest against the rights and interests of the affected person. For this balancing test, I'd think that it would be quite important whether Bob did the Bad Thing: if Bob didn't do the Bad Thing, then there can't be a legitimate interest in publishing the personal data to warn others.

If there is a legitimate interest, then only activities that are necessary for that legitimate interest are covered. If publication of a name is sufficient, also publishing the address would be illegal.

When exercising data subject rights such as the right to object to legitimate interests or the right to erasure, the request must be made to the data controller who is responsible for the data processing activities. Here, Alice is clearly a data controller because she decided to disseminate the information. But Facebook or the group admins would likely be joint controllers, and would also be responsible. Note that an objection to further processing can be denied if there are overriding legitimate grounds.

If Bob wants to take down Alice's postings, GDPR data subject rights are probably not the most suitable mechanism. Instead:

  • Depending on which country this is happening in, there are probably laws against defamation. Depending on those laws and on what Alice claimed, the posts might be defamatory, even if the alleged behavior by Bob is true. Bob's lawyer could write Alice a cease and desist letter asking for the allegedly defamatory post to be taken down, or sue if Alice doesn't comply.

  • Since the posts have been made on Facebook, FB's policies apply. In particular, certain content might violate the community standards against bullying or harassment. Posting someone's address is clearly against the Facebook community standards about privacy violations. The FB help center explains how to report things.

amon
  • 24,244
  • 3
  • 46
  • 77