While researching a paper on privacy law this summer, Max Schrems, a 24-year-old law student in Austria, asked Facebook to turn over all the data the social networking site had collected on him. In response, Facebook sent him a detailed dossier of his activity for the past three years: a CD containing more than 1,200 pages of Facebook wall posts, messages, removed friends and "pokes," among other things. Schrems thought he had deleted most of that activity, but Facebook had stored it, he said.
So Schrems and some fellow law students who also requested their data filed 22 complaints with the Irish Data Protection Commissioner over how Facebook stores its users' information. (The complaints were filed in Ireland because Facebook's Dublin office handles issues outside the U.S. and Canada.)
Now, those complaints are part of an investigation by Irish authorities that could have implications for the way Facebook collects and stores information on millions of users. Next week, the Irish Data Protection Commissioner will conduct an audit to determine whether Facebook has violated Ireland's data protection laws. A spokeswoman for the commissioner said the students' complaints will be part of the audit, which is expected to take several days. Its findings will be published by the end of the year.
"Facebook is cooperating fully with the audit and we would anticipate that it will implement any necessary changes to comply with any requirements identified," said Ciara O'Sullivan, the commissioner's spokeswoman, by email.
The investigation is just the latest example of the growing scrutiny of Facebook's privacy practices. Last month, a coalition of privacy, consumer and civil liberties groups asked the U.S. Federal Trade Commission to investigate Facebook for secretly tracking users after they logged off Facebook.
In August, German state official Thilo Weichert said Facebook's "Like" button violated German and European law because it allowed Facebook to track users' interests without their consent and send that information to servers in the United States, according to the Associated Press. On Friday, German media reported that Facebook had offered to exempt users in the German state of Schleswig-Holstein -- where Weichert is data protection commissioner -- from having their "Like" choices sent to Facebook's U.S. servers.
Schrems and his fellow law students at the University of Vienna were able to access their data because of a European law requiring organizations to disclose information about users upon request. Facebook users in the United States do not have that same right. But Schrems admitted being surprised that Facebook sent him the CD.
"I would never have known this data was not deleted if they had not sent it to me," Schrems said in a phone interview. "I'm convinced it was just a mistake."
Schrems has created a website, Europe-v-Facebook.org, where he has posted copies of the group's complaints against Facebook and detailed steps that European Facebook users can take to request their data.
"A company that constantly asks its customers to be as transparent as possible should be equally transparent when it comes to the use of its customers' personal data," the site says. "Transparency is not only a question of fairness, but it is also a principle of European data protection law. It is time that the biggest social network worldwide sticks to these legal principles."
In one complaint, the students allege that Facebook creates "shadow profiles" of non-users by collecting their email addresses when members invite them to join the site.
In an email, Facebook spokesman Andrew Noyes said the site only keeps invitees' email addresses to let members know if and when they join. "The assertion that Facebook is doing some sort of nefarious profiling is simply wrong," he said.
"We look forward to making these and other clarifications to the Irish [Data Protection Commissioner]," added Noyes.
Schrems said the data on the CD were divided into 57 categories. But he said he believes that still more information was not turned over by Facebook, including data about the site's "Like" button and facial recognition software, which automatically tags people in photos.
Cindy Cohn, legal director for the Electronic Frontier Foundation, said her organization has been pushing Facebook to be more clear about its data retention policies, which are "very confusing and difficult" for users to understand. As a result, she said, "people are sharing more information on Facebook than they think they are."
If found guilty of violating Irish law, Facebook could be fined about $140,000, O'Sullivan said. That's a small sum for a company that has been valued at more than $100 billion.
Still, Schrems' efforts have turned him into a celebrity of sorts, generating widespread media coverage in Germany and praise from privacy experts around the world.
On his blog, Kim Cameron, former chief architect of identity at Microsoft, said Schrems has cast a spotlight on Facebook's opaque methods of collecting user information.
"It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max's media talent is able to do with the answers once they become public," Cameron wrote. "The result may well impact the whole industry for a long time to come."