24 Oct 2011

How private is your Facebook data?

As Facebook faces an audit over its storage of information, Channel 4 News talks to the 24-year-old Austrian student who has gone head to head with the social networking giant.

A Facebook user views a computer monitor (Getty)

As part of his research into privacy law this summer, 24-year-old Austrian law student Max Schrems asked Facebook to turn over all the data the social networking site had collected on him for the past three years, as is his right under European data protection legislation.

In response, Facebook sent him a CD containing more than 1,200 pages of wall posts, messages, removed friends, and “pokes” – activity that Mr Schrems thought had been deleted.

“I think it’s quite frightening just how much data is stored by Facebook,” Mr Schrems told Channel 4 News.

“They think it’s legal and they talk about ‘industry standards’. That may be the case in America, but this is Europe, and they’re just not getting it,” he continued.

I think it’s quite frightening just how much data is stored by Facebook. Max Schrems

Investigation opens

Along with a group of fellow law students, he established the “Europe versus Facebook” group and filed 22 complaints with the office of the Irish Data Protection Commissioner (DPC) – which has jurisdiction over Facebook’s EMEA headquarters in Dublin.

“I find it all quite amusing that it’s caused these huge waves around the world really,” he said.

As a result of the complaints, the DPC told Channel 4 News that they will be commencing a “comprehensive” audit of Facebook Ireland before the end of the month.

It also revealed it had received “approximately 10 other complaints” in relation to Facebook’s approach to data protection.

“We have also received a large number of other complaints regarding Facebook’s responses to access requests which arise from a campaign for access which Europe v Facebook led.”

A Facebook spokesperson told Channel 4 News: “We are cooperating fully with the Irish Data Protection Commissioner as part of this routine audit.”

If found guilty of violating Irish law, Facebook could be fined about 100,000 euros.

Read more: The full list of 22 complaints made to the DPC 

Have your messages really been deleted?

Of the 22 complaints Max Schrems and his group have filed, he says the inability to delete messages – including “chat messages” – on the social networking site is perhaps the most worrying issue.

“Facebook doesn’t allow messages to be deleted,” Mr Schrems said.

“They still keep it in their system. I mean, this can be very personal correspondence, from psychological problems of friends, to relationship information – all of this is kept forever.”

A Facebook spokesman responded to the allegation by saying: “We enable people to delete messages they receive from their inbox and messages they send from their sent folder.

“However, people can’t delete a message they send from the recipient’s inbox or a message you receive from the sender’s sent folder. This is the way every message service ever invented works. We think it’s also consistent with people’s expectations. We look forward to making these and other clarifications to the Irish DPC.”

She added that once an account has been deleted from Facebook, “it typically takes about one month to delete the account, but some information may remain in back-up copies and logs for up to 90 days.”

Mr Schrems claims he has no information on ex-user data as Facebook is not answering access requests for ex-users.

Emphasis on regulation

Gus Hosein, executive director of the Privacy International campaign group, expressed his concern at the complaints but emphasised the need for the Irish regulator properly to understand a complicated area of data protection legislation.

The price we pay for using many free social media services is our personal information. Martin Bryant, Next Web

He told Channel 4 News: “The Irish commission may surprise us by showing that they are adept at understanding Facebook, the way people use Facebook, and what these breaches mean.

Mr Hosein added that the regulator would have to be “very strong and innovative” to understand the more complicated complaints, such as personal information when it is on other people’s pages, or messages that have been deleted.

Martin Bryant, European editor of the Next Web magazine, gave Channel 4 News a more philosophical conclusion: “There’s an observation about free online services in general, that ‘If you’re not paying for the product, you are the product.’

“The price we pay for using many free social media services is our personal information.”