Using a right to be forgotten for Facebook data deletion
Facebook is responsible for the data which is being processed on it's platform. If there is data on Facebook which you believe is in breach of GDPR, you should demand that Facebook deletes it.
J.A., the CEO of a renown online marketing company had become the victim of a defamatory campaign on Facebook. He instructed us to help him remove all the Facebook posts whilst minimising the potential for a PR disaster for his company.
The campaign was started by a former client of the company who became obsessed with what he considered was poor customer services. When his campaign against the company did work, he decided to pick on the company's CEO. He attempted to strip the director of his privacy by posting defamatory and private comments about him. The former client posted his comments, particularly on a Facebook Group which he created, to target J.A. and his company.
As part of his campaign, the former client mentioned J.A.’s name numerous times on the Facebook Group and defamed him by referring to him as a scammer and as a professional fraudster. J.A., despite being a CEO of a successful company, is a private individual who values his right to privacy.
He doesn’t use Facebook or any other social media, not in a public way, at least. J.A. was concerned that the former client would use any request by him or by the company to delete posts as a reason to enhance and escalate his hate campaign.
For this reason, J.A. instructed his PR team to search for an experienced specialist to help them deal with the matter and mitigate any risks of escalation. Having spoken to one of our specialist lawyers, we were instructed to facilitate the removal of the Facebook posts and to secure an outcome which will prevent the poster from continuing his campaign, particularly against J.A.
To help J.A. and his company remove the harassing posts from Facebook, we decided to serve a Right to be forgotten GDPR Notice on the poster himself, rather than on Facebook. The reason for this decision was that we wanted the Facebook user to understand the implications of his actions and to place him under a real threat of legal proceedings in connection with his posts against J.A. We offered the Facebook poster an opportunity to avoid legal proceedings under GDPR and defamation laws by deleting the Facebook Page that he had created, by deleting all the posts referencing J.A. and his company and by giving us an undertaking (giving a legally binding promise) to never write about J.A. or his company again.
Following the service of the GDPR Notice on the Facebook user, the matter was completely resolved to the full satisfaction of J.A.
Sadly, sometimes individuals who feel aggrieved about a company, decide to pick on individuals who work for the company with an attempt to place undue pressure on those decision-makers.
An adverse impact on the company's PR can occur because the CEOs are often left feeling intimidated by those personal attacks because they are afraid that any action they might take.
Furthermore, some CEOs are too shocked with the unexpected level of privacy invasion that they had been exposed to and as a result are unsure how to deal with the situation. For us, the important thing is to provide the CEO and the PR team with balanced advice and to then, confidently, move on with the strategy of their choice.
Finally, when it comes to breach of privacy on Facebook, it is often better to serve a GDPR Notice on the Facebook user rather than on Facebook.
This strategy is more likely to provide a long-term solution to the victim and it makes the Facebook user aware that should anything else be posted in the future, which is untoward, he or she will be the first suspect and could become the subject of legal action for harassment, defamation or privacy law.