Austrian law student found that data, most of which he had deleted, had been stored and segregated under 57 categories, including chats and rejected ‘friend’ requests
Facebook could be fined €100,000 by the Irish data protection commissioner after an Austrian law student filed a complaint that the social networking company stored 1,2000 pages of data, most of which he had deleted years ago.
Max Schrems, 24, has filed 22 complaints against the social network for holding data that users have deleted.
Schrems had asked Facebook for a copy of his data in June. The CD he received from Facebook contained 1,2000 pages of data including messages and information Schrems says he had deleted from his profile.
The social networking company had segregated Schrems's data into 57 categories. There was a log-on list, which had details of his login times and the IP addresses he had logged in from. The data also contained his "likes", rejected "friend" requests, his "defriend" actions, and a log of all Facebook chats he had ever had, the Guardian reported.
"I discovered Facebook had kept highly personal messages I had written and then deleted, which, were they to become public, could be highly damaging to my reputation," said Schrems.
Schrems claimed that Facebook also stored emails, which included some email addresses he had never uploaded to the site. Facebook also stored a list of photos Schrems had detagged of himself, the names of everyone he had ever "poked", which events he had attended, and even the ones he hadn’t replied to.
"I’m not saying there was anything criminal or forbidden there, but let’s just say that, as someone wanting to work in law, there was stuff which could make it pretty impossible for me to get a job." By holding on to data its users assumed was deleted, Facebook was acting like "the KGB or the CIA", said Schrems.
"Information is power, and information about people is power over people. It’s frightening that all this data is being held by Facebook."
After receiving the CD, Schrems filed 22 separate complaints with the Irish data protection commissioner, which is expected to conduct a privacy audit of Facebook. If found guilty of data protection breaches, Facebook could be asked to pay a maximum penalty of €100,000.
Facebook has said that the data stored by the company is not personal data. The company said that any user can download their "personal archive".
A spokesman for Facebook told the Guardian, "Facebook provided Mr Schrems with all of the information required in response to his request.
"It included requests for information on a range of other things that are not personal information, including Facebook’s proprietary fraud protection measures, and ‘any other analytical procedure that Facebook runs’.
"This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided."
Schrems has also raised concerns about the social networking site’s security.
He asked, "Of course, they are not misusing it [data] at the moment, but the biggest concern is what happens when there is a privacy breach, either from hackers or from someone inside the firm?"
Schrems has also set up a website to raise awareness of Facebook’s data archives.
The website says that "’removed’ content is not really deleted by facebook and it is often unclear what facebook exactly does with our data. Users have to deal with vague and contradictory privacy policies and cannot fully estimate the consequences of using facebook.
"A company that constantly asks its customers to be as transparent as possible should be equally transparent when it comes to the use of its customers' personal data. Transparency is not only a question of fairness but it is also a principle of European data protection law. It is time that the biggest social network worldwide sticks to these legal principles."
The website also provides information about how users can check what data Facebook has stored about them.
It says, "You can take a first step for more transparency on facebook by requesting a full copy of all your personal data (further information see 'request your data!')."
Last month, Facebook had to face embarrassment after Australian hacker and blogger Nik Cubrilovic revealed on his blog how Facebook stored cookies on users' computers after they had logged out of the social networking service.
Cubrilovic said that frustration over the lack of response led him to post details on his blog, adding that Facebook knows much more than users are aware of.
After refuting charges for a long time, Facebook said last month that it had "fixed" cookies that could have tracked the websites users visited even after logging out of the social networking site.