Facebook data protection row
Updated on 17 November 2007
The social networking site faces an investigation from UK privacy watchdog after a complaint from a Channel 4 News viewer.
Having decided that he no longer wanted to use the site, Alan Burlison tried to remove his account - but he found that he wasn't able to do it.
Facebook does allow people to 'deactivate' their accounts. This means that most of their information becomes invisible to other viewers, but it remains on Facebook's servers - indefinitely.
This is handy for anyone who changes their mind and wants to rejoin. They can just type their old user name and password in, and they'll pop straight back up on the site - it will be like they never left.
But not everyone will want to grant Facebook the right to keep all their data indefinitely when they aren't using it for any obvious purpose. If they do want to delete it permanently, they need to go round the site and delete everything they've ever done.
That includes every wall post, every picture, and every group membership. For a heavy Facebook user, that could take hours. Even days. And it could violate the UK's Data Protection Act.
Facebook told us that they comply with the Act. They told Channel 4 News that: "We give users the notice that the UK Data Protection Act requires in order to inform them about what information is collected. We also give users granular control over what information they share and who they share it with."
Facebook does allow people to 'deactivate' their accounts
But the site's policy of keeping data after a user has deactivated their account does seem to fly in the face of the acts' provisions.
Vanessa Barnett, an internet lawyer with Berwin Leighton Paisner, told Channel 4 News: "The Data Protection Act is designed to protect individuals like me from having our data used in ways that we don't want. We get to choose how data gets processed, what people can do with it, and if we don't like it, we can say, 'Please stop' "
"Ultimately it's a question for the information commissioner as to whether someone is in breach of the act. And he has to balance two different things. Yes certainly, I as an individual have the right to say, 'please don't have my data,' but he also has to balance the rights of the business not to have to expend lots of money trying to get rid of that data."
So could Facebook argue that it's just impossible for them to provide an easier way to delete data? Or that they don't have the money to implement one? They didn't make that claim to us. In fact, they didn't engage with the question of why they need to retain data at all - they just didn't answer it.
Vanessa Barnett again: "One of the very key things that the information commissioner will look at is the resources of the business. And if that business has lots of money and lots of IT infrastructure, has the capabilities for example to easily write scripts to delete it, that will certainly sway the information commissioner into whether that data should have been deleted."
Given that earlier this month Facebook received a £115m injection of cash from Microsoft, it seems unlikely that they can play the poverty card now, if they ever could.
We asked the Information Commissioner's Office, which oversees the implementation of the Data Protection Act. They promised to investigate our viewer's complaint. And gave us this statement:
"Many people are posting content on social networking sites without thinking about the electronic footprint they leave behind. It is important that individuals consider this when putting information online. However, it is equally important that websites also take some responsibility.
"In particular they should ensure that personal information is not retained for longer than necessary especially when the information relates to a person who no longer uses the site."
It will be interesting to see whether the Information Commissioner will judge that Facebook's data policy meets that last stipulation.