Student campaigns against Facebook data collection

Ever wondered what sites like Facebook know about you? Follow the lead of 24-year-old student Max Schrems, who has started a wave of so-called “Facebook data requests” after using a European law to force the company to release 1,200 pages of data it held on him, much of which he claims he had previously deleted from the site.

And Mark Zuckerberg’s social network could reportedly face a fine if auditors uncover any breaches of data protection law in an investigation planned for the next ten days.

“I was given a CD with all of the information about friend requests I had ignored, people I had ‘defriended’, even messages I had deleted. Facebook had kept it all. The scary thing was, with a simple ‘Ctrl+F’ search function on the computer, I could search for terms and key words. I found it was possible to build up a picture of who I am, what I like, who I might vote for,” said Mr Schrems.

He added: “There is a lot of data in there which is personal, which people might want to delete at some point but which Facebook is keeping hold of. And, since it is held in the USA, Europeans do not have the same sort of protection as they might have at home. They are subject to American laws like the Patriot Act, which could mean their data is released without their consent.”

Facebook confirmed that it had seen an increase in the number of requests for personal information since Mr Schrems began his campaign.

An emailed response to a request reads: “Due to the volume of personal data access requests that we have recently received, we are experiencing significant delay in processing such requests. We therefore are unlikely to respond within 40 days of your initial request.

After receiving his data, Mr Schrems filed 22 complaints with the Irish Data Protection Commissioner, which has jurisdiction over Facebook in Europe because the social network’s international headquarters are based in Dublin. A spokesman for the Commissioner confirmed an audit of Facebook’s offices is due to begin “before the end of the month”. But, she said, one had been planned prior to Mr Schrems complaints.

In a statement, the Office of the Data Protection Commissioner said the audit will “assess Facebook’s compliance with the requirements of the Irish Data Protection Acts as they apply to its users outside of the US and Canada”.

If Facebook is found to be retaining data illegally, it is likely to be served with an order demanding that it comply with the law. If that notice is broken, it faces a fine.

Mr Schrems, who has set up a website for his campaign called ‘Europe versus Facebook’, said he was confident of winning on “at least a few of the counts”.

Facebook said it provided Mr Schrems with “all of the information required in response to his request”. A spokesman added that some of the data requests would have required Facebook to give away the “secrets” of how its algorithms work.

She said the requests covered “a range of other things that are not personal information, including Facebook’s proprietary fraud protection measures, and ‘any other analytical procedure that Facebook runs’. This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided”.

The spokeswoman said: "The allegations are false. For example, we enable you to send emails to your friends, inviting them to join Facebook. We keep the invitees' email address and name to let you know when they join the service.

"Also, as part of offering people messaging services, we enable people to delete messages they receive from their inbox and messages they send from their sent folder. However, people can't delete a message they send from the recipient's inbox or a message you receive from the sender's sent folder," the spokeswoman added.