Facebook’s international headquarters in Dublin, Ireland, are being audited by a government data protection agency and Facebook could face a fine of up to 100,000 euros ($138,720) if found to be in violation of the personal data laws of the United Kingdom, according to a report in The Guardian on Thursday.
The Irish office of the Data Protection Commissioner confirmed to the newspaper that it is investigating the world’s largest social network after numerous complaints were filed by a 24-year-old student, who discovered Facebook had been holding onto boatloads of personal information he had deleted from his Facebook account.
Max Schrems, an Austrian law school student, filed 22 separate complaints with the office in August and September as part of his “Europe v. Facebook” project, a grassroots effort designed to educate people about how much data Facebook stores about its users and one that aims to get European governments to crack down on the way the company manages its users’ personal information.
Schrems was motivated to begin this effort after he found out just how much data Facebook had kept of his activities on the website, even data that he thought he had deleted. In June, Schrems attended Santa Clara University in California as part of an exchange program, where he attended a lecture by a Facebok executive. As a result of that lecture, Schrems was motivated to ask Facebook for all of the data it was keeping about him via an online form on the Facebook website.
As Schrems described the incident that precipitated his David vs. Goliath quest in a Q-and-A posted on the Europe v. Facebook website: “I was studying in the US and met with guys from Facebook in law school. Their understanding of European privacy law was very different from what Europeans understood under our law.”
“…All Facebook users outside of the US and Canada have a contract with Facebook Ireland, so Irish and European privacy laws apply. Of course Facebook did not stick to them. So the next step was to file complaints with the Irish Authorities.”
As Schrems explained to German TV station Stern TV recently, Facebook initially tried to tell him that all the information he was seeking was available on a little-known public data request form on the website itself, from his personal account. But he kept at it and was eventually rewarded with a CD sent via snail mail, direct from Facebook world headquarters in Palo Alto, California.
Schrems described what was on the CD as follows: “My data package was a PDF with 1,222 pages. This included a lot of deleted data (e.g. messages, wall posts, friends, pokes, former names, e-mail addresses).”
Finally, on October 19, Schrems and the fellow 10 or so law students he recruited to be part of his Europe v. Facebook organization received unconfirmed reports that the Irish office of the Data Protection Commissioner would be auditing Facebook to determine if its storage of Schrems’ deleted data violated the 1998 Data Protection Act, a U.K. law which states, among other provisions, that “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Data controllers must therefore review the information they hold on a regular basis and delete any information no longer required.” The act was updated in 2003 to introduce new laws in compliance with even more stringent European Union data protection and privacy laws.
Now, Schrems and company are waiting and hoping that the office of the commissioner will enforce the toughest fine, the 100,000 Euro penalty, which is admittedly mere chump change to a company that some analysts think could be worth up to $100 billion.
“We are currently waiting for the findings of the Irish Commission,” Schrems wrote. “We got a lot of media and personal response. We are trying to limit the work that goes into the media and try to focus more on the legal aspects of the case.”
Facebook, for its part, vociferously denies any wrongdoing. As Facebook spokesman Andrew Noyes told TPM in an email Friday:
The allegations are false. For example, we enable you to send emails to your friends, inviting them to join Facebook. We keep the invitees’ email address and name to let you know when they join the service. This practice is common among almost all services that involve invitations from document sharing to event planning—and the assertion that Facebook is doing some sort of nefarious profiling is simply wrong. In addition, Facebook offers more control than other services by enabling people to delete their email address from Facebook or to opt-out of receiving invites.
Also, as part of offering people messaging services, we enable people to delete messages they receive from their inbox and messages they send from their sent folder. However, people can’t delete a message they send from the recipient’s inbox or a message you receive from the sender’s sent folder. This is the way every message service ever invented works. We think it’s also consistent with people’s expectations. We look forward to making these and other clarifications to the Irish DPA.Of course, Facebook wasn’t exactly caught off guard by the complaints. As the social network grown explosively around the world, it has incurred a steadily increasing stream of legal actions from various parties and entered into some of its own. The latest privacy-related lawsuit to hit Facebook came in late September from a user alleging that Facebook’s cookies track users across the Web even when they’ve logged out, violating U.S. law.
Regardless of what happens in his case, Schrems is already eyeing the next target in his privacy and data protection crusade: Google.
As Schrems wrote on his website: “I personally think Google+ is even more threatening than Facebook because they can connect the social media data with data from searches, advertisements, YouTube and all the other Google Services.”
TPM has reached out to Schrems and the Irish Data Protection Commissioner for more information, such as when their audit will be completed, and will update when we receive a response.