He may be right on the legal bit (from the brief bit I read on the CPS website - although I'm no lawyer). There could be another avenue however and that is facebooks community standards which I've pulled some bits out of below - that you might be able to use to get the facebook posts removed.https://en-gb.facebook.com/communitystandards/bullying
Bullying and harassment happen in many places and come in many different forms
, from making threats to releasing personally identifiable information
, to sending threatening messages and making unwanted malicious contact. We do not tolerate this kind of behaviour because it prevents people from feeling safe and respected on Facebook.Context and intent matter
, and we allow people to share and reshare posts if it is clear that something was shared in order to condemn or draw attention to bullying and harassment. In certain instances, we require self-reporting because it helps us understand that the person targeted feels bullied or harassed.
Target anyone maliciously by:
- Threaten to release an individual's private phone number, residential address or email address
Sending messages that contain the following attacks when aimed at an individual or group of individuals in the thread
- Calls for death, serious disease or disability, or physical harm
1. Violence and incitement
We aim to prevent potential offline harm that may be related to content on Facebook. While we understand that people commonly express disdain or disagreement by threatening or calling for violence in non-serious ways, we remove language that incites or facilitates serious violence. We remove content, disable accounts and work with law enforcement when we believe that there is a genuine risk of physical harm or direct threats to public safety. We also try to consider the language and context in order to distinguish casual statements from content that constitutes a credible threat to public or personal safety. In determining whether a threat is credible, we may also consider additional information such as a person's public visibility and the risks to their physical safety.
Given that it's your personal data they've posted (both photo and address are considered PII - personally identifiable information - especially when posted together in this situation) you could also go down the GDPR route of right of erasure.
Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e.g. you haven't given them your permission to process your personal data)
Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It looks like the above would come down to legitimate interest however for which the ICO says to apply a test (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/).
I personally can't see that facebook could justify legitmate interests but they may be able to with the large legal team I imagine they have.
The bits to point out in the above link if they claim this would be the third test and in particular the below.
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:Is any of the data particularly sensitive or private?Would people expect you to use their data in this way?
What is the possible impact on the individual?How big an impact might it have on them?
The ICO page also mentions Recital 47 of GDPR which can be found at https://www.privacy-regulation.eu/en/r47.htm
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.