Student receives 1,222-page data haul after requesting records but he has only received information from 23 of a possible 57 data categories.
Facebook's privacy practices: dislike?
VIENNA // Max Schrems was not sure what he would get when he asked Facebook to send him a record of his personal data from three years of using the site.
What the Austrian law student did not expect, though, was 1,222 pages of data on a CD. It included chats he had deleted more than a year ago, "pokes" dating back to 2008, invitations to which he had never responded, let alone attended, and hundreds of other details.
In response, Mr Schrems, 24, has launched an online campaign aimed at forcing the social media behemoth that has 800 million users to abide by European data privacy laws - something the Palo Alto, California-based company insists it already does.
Yet since Mr Schrems launched his Europe vs. Facebook website in August, Facebook has increasingly been making overtures not only to Mr Schrems, but to other Europeans concerned about privacy, including Germany's data security watchdogs.
"Have we done enough in the past to deal with you? No," Facebook's director of European public policy, Richard Allan, testified on Tuesday before a German parliamentary committee on new media. "Will we do more now? Yes."
The German parliamentarians brought up a raft of complaints, from allegations that Facebook's "Like" button allows the company to track the internet activity of non-members, to concerns over the company's use of facial recognition software on personal photos.
One of Mr Schrems's main complaints with Facebook, he says, is that the company retains information far longer than allowed under European law, which in most cases is limited to a few months.
"I wondered, what are they doing with my data?" Mr Schrems said, sitting with his laptop in a Viennese coffee house. "I thought through everything that one can do with that amount of information, all the marketing that is possible."
Under European law, consumers have the right to request a record of the personal information held by a company. The law further stipulates that to retain data beyond the limit of several months, a company must have a reason to do so.
That issue has been the basis for several of the 22 formal complaints that Mr Schrems and his group have lodged with the Irish Data Protection Commissioner - responsible for Facebook's Ireland-based European subsidiary.
Mr Schrems also disputes that Facebook has given him all of the information it holds about him, arguing that he has only received information from 23 out of a possible 57 data categories.
Facebook insists it has given Mr Schrems all of the information that is legally required. Still, Facebook maintains it is allowed to hold back data that includes "a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and 'any other analytical procedure that Facebook runs'," a spokesman said.
Ciara O'Sullivan, a spokeswoman for the Irish commissioner, said a routine audit of Facebook's Irish operation would be conducted sooner than planned.
If an organisation is found not to be in compliance, they receive a warning. If they fail to mend their ways, they face a fine of €100,000 (Dh511,400) - a drop in the bucket for a company valued by Goldman Sachs at Dh183 billion.