Data protection
September 30, 2011Spurred by the actions of an Austrian law student, within the last week, Facebook's international headquarters in Dublin, Ireland has been inundated with "access requests" for user data and will face a new privacy audit from the Irish Data Protection Commissioner's office next month.
"There has been a substantial increase in access requests [to Facebook] since earlier this week," said Gary Davis, the Irish deputy data protection commissioner, in an interview with Deutsche Welle. "[It is] approaching thousands."
Under the law, Facebook has 40 days to respond to such requests, but due to this overwhelming volume, the company has been sending out automated messages to new requests.
Individuals can also file a formal complaint with the Irish Data Protection Commissioner's office if they feel that Facebook is in breach of European privacy and data protection law.
Such complaints could explode globally, given that the Irish Commissioner's office is effectively the data protection controller for all Facebook interactions outside of the United States and Canada, since the company declared its international headquarters to be in Dublin in 2009.
When asked if users living outside of the United States, Canada or even Europe could file complaints with his office, Davis added: "that would appear to be a reasonable interpretation."
"We have not had to consider it from a legal perspective," he said. "The hypothesis would not appear unreasonable."
Facebook declined to comment beyond previously-published corporate statements.
"Facebook's European headquarters in Ireland manages the company's compliance with EU data protection law," the company said in a statement e-mailed to Deutsche Welle. "We are in regular dialogue with the Irish Data Protection Commissioner and we look forward to demonstrating our commitment to the appropriate handling of user data as part of this routine audit."
This new revelation comes just one day after the Electronic Privacy Information Center and other groups in the United States sent a letter to the Federal Trade Commission, calling on it to investigate potential privacy breaches by Facebook. Earlier this month, German Consumer Protection Minister Ilse Aigner also met with a Facebook representative in Washington, DC over privacy concerns.
'Right to access'
These new calls for Facebook users to find out what information the company has were inspired by Max Schrems, an law student at the University of Vienna who determined that given that Facebook's international headquarters are in Ireland, European Union data protection law applies.
While a visiting student last year at Santa Clara University in California, Schrems attended lectures on the topic of European data protection and said that his professors in the United States had provided a new perspective than the one that he was used to in Europe.
Schrems postulated that under the "right to access" - a part of European law that allows any individual to request data that a company holds about him or her - Facebook must send him whatever information they have on him.
"I wrote a paper on it and analyzed what are the wrongdoings by Facebook were," he told Deutsche Welle. "That turned it into complaints that we filed. Accessing your own data was a way to have proof for the complaints."
On July 11, 2011, Schrems wrote to Facebook requesting all information the company had on him following the deletion of his account the previous year.
He later received a package sent from Facebook in California, which included a 496 megabyte PDF file, including over 800 pages of personal data detailing Facebook events he had responded to, places he had checked-in, IP addresses where he last used the site, and other private details.
As a result of his efforts, he founded a campaign called "Europe versus Facebook," where has also posted a redacted version of this file and provided instructions in German and English so that other people can follow suit.
"The redacted file reveals nothing surprising at all," said Smari McCarthy, and Icelandic digital activist told Deutsche Welle by e-mail. "Facebook has a database. They store data in it. The more data they store, the more valuable their company."
In an interview with Deutsche Welle, Scherms described Europe versus Facebook as an "informal group" of 10 Austrian students.
Facebook overwhelmed with requests
The Irish Data Protection Commissioner's office said earlier this month that it would be opening a new audit of the California social networking giant in October.
"We will be commencing in third week of October," Davis said. "It will be made public by the end of the year. The intention to do an audit was a pre-standing one. In light of these [new] complaints, we've given it a higher priority."
The Commissioner's office will spend four to five days at Facebook's Dublin headquarters to examine the company's servers and conduct interviews with Facebook officials there.
Given the high volume of requests, Facebook has said it cannot meet the normal 40 day requirement.
"We know that [Facebook] has been spammed with access requests - that was not our intention," Schrems said. "We just wanted to tell people how to access their data."
The company has been sending out automated e-mails to alert users of this delay.
"We are presently refining our request response processes and approach to align the present high volume of access requests with the resources available to process these requests," the e-mail from the Facebook User Operations - Data Access Request Team states.
"We appreciate your patience and will respond as soon as possible. Please be aware as well that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed."
Davis added, as Europe versus Facebook website states, 22 complaints have already been filed with the Irish Data Protection Commissioner's office, in addition to another one filed previously by the Norwegian Consumer Council.
"This is a somewhat absurd situation where we have to contact the Irish Data Protection Commissioner for a clarification as to what Facebook can and cannot do in Norway," wrote Thomas Nortvedt, the head of the Digital Services Section at the Council, in an August 2011 statement posted on his organization's website.
Digital rights activists globally have long called for a greater awareness of privacy and data protection rights and laws.
"More consciousness about privacy is good," wrote McCarthy in the same e-mail. "The level of general public ignorance about privacy is startling, and it'd be nice to see people taking a more pro-active stance towards managing their personal data."
Author: Cyrus Farivar
Editor: Matt Hermann