Despite Audit, Facebook Holds Back Personal Data
Facebook has reduced the amount of personal data it releases to users as required by European Union law despite an ongoing audit by Ireland's Data Protection Commissioner.
The agency is auditing Facebook to see if it complies with the country's Data Protection Acts of 1988 and 2003, which transpose the E.U.'s Data Protection Directive, known as 95/46/EC. The laws allow people to request to see their personal data held by a company.
Twenty-two complaints have been filed with the Irish agency by Europe v. Facebook, a group run by Max Schrems, a law student at the University of Vienna. The group contends Facebook is withholding personal data that it should disclose to users on request, in violation of the law.
Since those complaints were filed, the Irish agency has received 150 additional complaints about Facebook's response to data requests and 10 complaints over the company's approach to data protection, wrote Lisa McGann, a senior investigations officer, in an e-mail to IDG News Service on Tuesday.
Facebook may not be confident that it will escape the Irish audit without criticism.
Schrems said he has exchanged e-mails with Richard Allan, Facebook's director of European public policy. Allan has indicated that Facebook is looking into modifying its systems into providing a more in-depth batch of information if the agency finds fault in the company's current strategy, Schrems claimed. Facebook did not comment on Schrems' claim.
Schrems said in recent weeks Facebook is disclosing even less personal information than when he and others began asking the company to view the information it held on them months ago.
Facebook defended its actions, saying on Tuesday it is "fully compliant with E.U. data protection laws."
When just a few people were making requests to Facebook for their data, the company would send a CD with 57 categories of data, Schrems said in an interview on Tuesday. He said there are at least 19 more data categories, and maybe as many as 24 more that are unknown.
Due to the volume of requests since Europe v. Facebook began its campaign, Facebook is no longer sending CDs to people. Facebook said in a statement that the CD mailout "contains a level of detail that is less useful for the average user -- it is a much rawer collection of data."
Facebook has also in recent weeks changed its information pages for how people can obtain data it stores.
Users are now directed to a page where they can download their personal "archive," which according to Facebook is a copy of "all of the personal information you've shared on Facebook."
That tool was already available, Schrems said. Facebook has repurposed it, saying it can be used to see personal data in compliance with E.U. law, he said.
But all of the data that Facebook provides in the archive can be viewed by an account owner on their Facebook page, such as profile photos, messages, a list of friends and wall posts.
Rather than the 57 categories of data Schrems said early data requesters received, the tool downloads just 22 categories. Facebook said the tool is intended to be useful to help people download their information "rather than an exhaustive, pixel-by-pixel dataset that is of less practical use."
Schrems argues it falls far short of the disclosure he feels is required by European as well as Irish law, which allows people to obtain the raw data. Europe v. Facebook wants to see all data categories disclosed, such as information on how a person interacts with advertisements, location-based data and use the "Like" button, among many others.
Earlier this month, Facebook also created a new e-mail address -- firstname.lastname@example.org-- for people to request their data. But when an e-mail is sent to that address, Facebook sends an autoreply with instructions for how to use the archive download tool.
It then bluntly adds: "We will not enter into further correspondence about your specific data through this email address."
The latest move by Facebook is just "a way of getting rid of people," Schrems said. To be more transparent would simply "freak people out," he said.
Facebook is also required to disclose "decision logic," such as how the system generates friend suggestions, under Article 12(a)(3) of the E.U. Data Protection Directive, Schrems said.
Companies are not required to disclose some types of that information in order to protect their intellectual property, but Schrems argues that Facebook overuses that protection.
For companies such as Facebook, "there's not a big incentive to stick to the law in the first place," Schrems said. Data protection authorities in Europe tend to have small staffs in comparison with the companies they're tasked with regulating, and fines -- which are rarely mandated -- are affordable, he said.
Send news tips and comments to email@example.com