Russian social media network VKontakte has been having a bad few months. Multiple platform users have been prosecuted for their posts, and the company has been publicly shamed for its lack of transparency regarding how it shares user data with law enforcement authorities.
Now, VKontakte (VK) is facing a new privacy-related challenge: Kristian Shinkevich, a Belarussian activist living in Poland, is demanding that VK give him all the personal data that it has pertaining to him. The company has yet to comply. And in the meantime, it has suspended his access to the account.
Shinkevich first began wondering about VK's data collection practices after he faced legal threats for participating in a demonstration in Belarus. Shortly thereafter, he was expelled from his university, where he says an administrator told him that the school had access to all their students’ VKontakte data, including which posts they had liked. In his case, this would have revealed his involvement with demonstrations.
Between this, and the fact that other Belarussian activists have been arrested for VKontakte posts promoting protests (an indication that authorities in Belarus also monitor activity on the social network), Shinkevich found himself wanting to know more about VK's data collection practices.
So he looked to the European Union’s newly-instituted General Data Protection Regulation (GDPR), a set of policies aimed at standardizing the handling of personal information by companies and organizations. Under the GDPR, any company that processes the personal information of EU subjects must comply with certain rules regarding the protection and transfer of such data.
Another provision stipulates that EU subjects have a right to access the personal information that companies retain about them, and that they have a right to know how this information is used.
Although Shinkevich is a citizen of a non-EU state, Belarus, he is entitled to request this information under the GDPR, as an EU resident (or “subject”, as described in the GDPR) in Poland. Additionally, despite the fact that VKontakte is a Russian company, it must still comply because it is providing services to EU subjects abroad and handling their information.
Noncompliance would give EU authorities the power to levy a fine of either 20 million euros or 4 percent of global gross revenue, whichever is higher.
When Shinkevich filed a request to VKontakte Support to get access to all the data VKontakte had collected about him, he received the requested file. He described what he found on Facebook:
Today I have received the file, and that's freaking serious.
1. the whole name and surname changes history
2. groups and public pages I've managed
3. name of files uploaded, from which IP address, city, links to the deleted files, moreover, even simple voice messages from deleted conversations are there
4. complete list of files I've removed from my page, their exact address, name, date added, direct link – no matter that they all have been removed – voice messages, PDF documents etc.
5. adresses [sic] of pictures from Saved Photos album (protected). Direct links can be opened without being logged in
6. complete history of conversations, including removed, up to 27.06.2018 20:43:51 (the first message is dated 01.09.2016 21:40:30), with all the attachments including removed ones.
7. complete history of phone number ever linked to the account
8. history of password retrieval requests
9. all the comments and posts from my page timeline, including ones removed about 1-2 years ago (the section is titled “Messages posted on the user's wall”)
This file is about 1,5 Mbytes but it has al [sic] the history of my activity on VK since 2016 (when my page was created).
Shinkevich was not surprised by what the file contained — but he was surprised at what it lacked. “I am pretty sure that what they have sent me is not the whole information, and they have much more,” he wrote on Facebook.
Do these and other types of information qualify as “personal data”? It depends on where you ask the question. While Russian Federal Law 152 defines personal information as any information directly or indirectly related to a specific individual, the GDPR has a very specific breakdown of this wide interpretation. But as the terms of the GDPR apply to all companies providing services to EU subjects, VKontakte is required by law to follow these terms when dealing with customers in the EU.
When Shinkevich asked VKontakte for the rest of the information, it evaded his request. The company later blocked his access to his account at the end of July. His page is still online, but he cannot log in to it or reset his password.
When Russian news aggregator TJournal reached out to VKontakte, they said:
We didn’t block the user’s page. Access was restricted after the user changed several key parameters, including first name, last name, gender, and so on. Such activity is considered suspicious and could be proof that the account was sold or given to another person.
Restricting access to the page isn’t in any way related to the user’s GDPR information request.
Shinkevich has since filed a complaint with Poland’s personal data security service and has taken the controversial step of advocating that VKontakte be blocked in Poland. He joins a growing number of voices urging users to stop using VKontakte and delete their pages.
Last year, VKontakte's total revenue was over $200,000,000. If found in violation of GDPR, their fine would be ten percent of that amount. With upwards of two million EU users, the social network could soon pay a hefty price if it doesn't address privacy concerns.