In Canada, we have a federal law called the Privacy Act, as well as one called PIPEDA, which, amongst other things, allows you to access the information private sector organizations (companies) have on you. So that you can make this request, every organization must provide Canadians with the contact information for its privacy officer, no matter how small or large the company is.
Facebook has a page it calls Data Policy Questions, which includes a link for requesting your personal data. That page describes how to download your Facebook data, which might be enough for your needs. However, I’m writing this partially in response to the issue around Facebook’s relationship with Cambridge Analytica, and that information is not included in the default personal information archive. Thus, at this stage you will want to click on the link to make a data access request.
This is where it gets tricky, as Facebook doesn’t want you to easily find out to whom they’ve disclosed your personal information. On the Personal Data Requests page, you have to click “This doesn’t answer my question” and you will see three options, with the last one being “Other”. You need to click the “Other” option to see the manual request form. I notice they don’t have a text box to request specific data, but this is where you can finally see the actual email address to make the request: email@example.com
OK, now that we have the email address, what request should you make? You need to make sure that in the email you identify a) your personal contact information, both so they can contact you and so they know which Facebook account is yours, and b) that you’re making this request as per PIPEDA, and under which section.
For part a, I’ll leave that up to you. I included my email, phone number, a request for a written response (I don’t want a phone call unless it’s for clarification of which information I’m requesting), and a link to my Facebook profile. In my case it’s https://facebook.com/hates.privacy, but you can find your URL by clicking on your name or profile at the top of your Facebook profile and copy/pasting the URL in your browser at this point.
For part b, what you are requesting regarding PIPEDA is information about an identifiable individual. Here is mine as an example:
I am making this request today as a Canadian, in regards to PIPEDA, specifically information about myself, as an identifiable individual.
I would like to request a list of all third parties (companies and apps) who have collected my personal information from your platform, including confirmation if Cambridge Analytica was one of them.
Once you have sent this request, Facebook has 30 days to reply to you. If they don’t reply, or don’t reply to your satisfaction, you now have reason to file a complaint with the Privacy Commissioner of Canada.
Once you’ve done that, you can also make a request to Cambridge Analytica to ask them what information they have on you, as an identifiable individual, as well as from where that data was collected.
I am making this request today as a Canadian, in regards to PIPEDA, specifically information about myself, as an identifiable individual you have on me. I would also like a list of organizations whom you collected this information from.
The same rules apply: they have 30 days to respond, and to respond satisfactorily, or you can file a complaint with the Privacy Commissioner.