Facebook draws scrutiny over data collection

Social networking giant faces audit and possible fine by Irish data protection commissioner, after user complained it stored detailed data even though he deleted the information from his profile.
Written by Jamie Yap, Contributor

Facebook could face a fine of up to 100,000 euros (US$137,716) if it is found to have kept data that users deleted, after a user registered 22 complaints against the social networking giant for keeping "1,200 pages of personal data about him".

British daily the Guardian reported Friday that Austrian law student, Max Schrems, has filed 22 separate complaints with the Irish data protection commissioner, after he discovered that Facebook held his personal data, most of which he said he deleted from his profile in the three years since joining the site. European users of Facebook are administered by Facebook's Irish subsidiary.

The commissioner is set to carry out its first audit of Facebook next week, the newspaper said. A spokeswoman for the commissioner also confirmed that officers will investigate alleged breaches raised by Schrems as part of the audit. If Facebook or its employees are found to have violated data protection laws, it could be fined a maximum penalty of 100,000 euros, the Guardian reported.

According to the report, Schrems had asked Facebook for a copy of his data in June, after attending a lecture by a Facebook executive while on an exchange program at Santa Clara University in California. He then received a CD containing 1,200 pages of personal information and messages he assumed had been deleted. Among the data: rejected friend requests, friend removals, a log of all his Facebook chats, photos that he untagged, names of people he "poked", and events he attended or didn't reply to.

"I discovered Facebook had kept highly personal messages I had written and then deleted, which, were they to become public, could be highly damaging to my reputation," Schrems told the Guardian.

The 24-year-old added that Facebook, by holding onto data its users assumed have been deleted, was acting like spy agencies such as the KGB or CIA. "Of course, they are not misusing it at the moment, but the biggest concern is what happens when there is a privacy breach, either from hackers or from someone inside the firm?"

A Facebook spokesperson explained in a statement to the Guardian that it provided Schrems with all of the information required in response to his request.

"It included requests for information on a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and any other analytical procedure that Facebook runs.

"This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided," the representative said.

This is not the first time Facebook has been scrutinized for alleged data protection violations in Europe.

In August, German privacy watchdog, Independent Center for Privacy Protection (Unabhängige Landeszentrum für Datenschutz, or ULD) in Schleswig-Holstein, asked local agencies to close their Facebook Pages and remove the "Like" button from their sites, saying that the social network tracks and profiles its users in a way that breaches German and European Union laws. Security experts, lawyers and privacy advocates subsequently told ZDNet Asia that while fears of user profiling are legitimate, it is not cause for paranoia.

Editorial standards