Austrian students report Facebook to Ireland’s Data Protection Commissioner

A move by a group around Vienna-based law student Max Schrems has set in motion a process that has now resulted in a formal privacy investigation by the Irish Data Protection Commissioner (DPC) against Facebook. The group of students explains that, due to the legal structure of Facebook, any user outside of the U.S. and Canada has a formal contract with Facebook Ireland Ltd., which is subject to Irish as well as E.U. privacy law, e.g. the famous Directive 95/46/EC. The fact that Facebook claims to comply with the Safe Harbor framework also subjects it to the principles of the E.U. directive. This law, among other things, grants individuals the right to be informed of all data that is being held about them, as well as the right to rectify or erase the data.

Max Schrems, who studied at a university in the U.S. for a while, has had personal experience with executives and privacy experts of large and small Internet companies, and he states that in Silicon Valley tech culture he has noticed little respect for, or even awareness of, the requirements of E.U. privacy laws.

On the group’s website “Europe versus Facebook”, the full story and history of the initiative are documented. The website also describes a step-by-step process for requesting one’s data from Facebook. After doing research on Facebook’s privacy policy, at least three members of the group have successfully gone through this process and received a CD filled with pictures, posts and much other profile data, including for example dates, tagged people and geo-locations of uploaded images, friend requests, pokes, etc. However, much information was still missing from the data set, such as likes, comments on other people’s walls, data about face recognition, FriendFinder, advertising activities, the use of Facebook plugins on external websites, and more. Max Schrems explains that according to E.U. law, in addition to making all of one’s data available, Facebook would also be required to state 1. where the data is from, 2. what the purpose of collecting the data is, and 3. to whom the data has been made available.

The group’s complaints about concrete violations are numerous and are listed on its website. Besides the handling of personal data, the group also criticizes Facebook’s privacy policy and terms of service in general. Only a few days after the complaints were made, the Irish DPC started an investigation against Facebook. One DPC spokesman states:

“We will have to go and audit Facebook, go into the premises and go through in great detail every aspect of security. It’s a very significant, detailed and intense undertaking that will stretch over four or five days. Then we’ll publish a detailed report and Facebook will respond.”
