Facebook ordered to reveal who requested deletion of deceased’s profile – Sabados v Facebook Ireland
Where a social media company has completed a request from an unknown person to delete a deceased’s profile and refused to tell the deceased’s partner, can a Norwich Pharmacal order be used to disclose the identity?
In Sabados v Facebook Ireland  EWHC 2369 the claimant was a British citizen originally from Bosnia. The claimant had had a serious relationship with a childhood friend for six years before his sudden death. The relationship had been predominantly long distance as the deceased lived in Sarajevo. They communicated every day, often using Facebook Messenger.
Six months after his death, Facebook received an unknown request to delete his profile. The material was irreversibly erased. Facebook refused to reveal who had made the request, but did confirm their process had been followed. Facebook responded to a Section 7 Data Protection Act 1998 (DPA) request, by stating that the data from the profile was no longer available. In response the claimant served a claim on Facebook at their Republic of Ireland address. A law firm responded informing the claimant that they acted for Facebook, but that it was not authorised to accept service or enter into correspondence. No acknowledgement of service was filed.
The claimant submitted the following points:
- there was clear evidence that a person unknown posed as a family member in order to get Facebook to delete the profile;
- this act resulted in the permanent deletion of posts and messages stored on it;
- some of this data was the claimant’s own personal data under the meaning of the DPA, giving rise to a breach;
- the deletion of the claimant’s partner’s Facebook profile interfered with her mourning process, which was an intrusion into her private life and a misuse of her private information;
- the course of conduct completed by the person unknown amounted to harassment;
- if the person unknown had gained access to the messages between her and her partner, then this would amount to a breach of confidence;
- without the court making the Norwich Pharmacal order the claimant would not have sufficient information to be able to identify the defendant; and
- the English court had jurisdiction under the Brussels Recast Regulation to make the order.
The application was granted on the basis that there was a good arguable case a person unknown posed as a family member to get the Facebook account deleted. These actions could have given rise to misuse of private information and breach of confidence. Without the Norwich Pharmacal order the claimant would have had insufficient information to identify the person unknown in order to bring a claim. Facebook had both hosted and deleted the information at the request of the person unknown. The court decided that Facebook was more than a mere witness, as it was mixed up in the alleged wrongdoing.
The court agreed it did have jurisdiction under the Brussels Recast Regulation. The alleged torts were committed or the damage incurred in England. The court cited Vidal-Hall v Google Inc  EWCA Civ 311 in support of this conclusion.
Why is this important?
Although the case was heard under the DPA, it serves as an important reminder that extreme care must be taken when handling requests for deletion of personal data to ensure the requestor has appropriate authority. In the era of GDPR when fines are greatly increased, corporations must be even more alert to the consequences of unauthorised erasure of data.
Any practical tips?
It is important to ensure that rigorous processes are in place for deletion requests of a deceased’s data, and that they meet GDPR requirements.