I heard an interview on Radio 4 last week with the Austrian guy taking out a class action against Facebook for unauthorised processing of personal data. Should be an interesting case.
He made a Subject Access Request to Facebook – one of their obligations under DPA. His eventual reply was 1000s of pages long. It included a number of email addresses that were vaguely like his name and used the domain of companies he had worked for. The only explanation was that FB had accessed the phones stripped the data from the phone contacts accounts of people he was (in some cases wasn’t even) friends with, and associated this with his account.
Sinister ? You decide.
