It only takes a moment’s thought to realize Facebook stores a fair amount of personal data about its users. But one man has made a formal complaint after discovering the site had kept more than a thousand pages of information about him, even though he’d “deleted” most of it.
Austrian Max Schrems has complained to the data protection commissioner in the Republic of Ireland: that’s because Facebook’s European operations are based in the country. The commissioner’s office is now investigating 22 separate allegations by Schrems that the data file breached regulations. If the case leads to criminal action, it could mean a maximum fine of €100,000 (around US$139,000.)
Schrems made the discovery after an exchange trip to California where he heard a Facebook executive give a lecture. That sparked him to exercise his rights under European regulations to get a copy of all data stored about him by a company operating on the continent. Facebook mailed him a CD containing the data, which Schrems has now published online, with personal details blanked out.
While Schrems believes the details he was given are not the complete set of data, the amount of information is staggering. It falls into 57 categories and, to put it simply, it’s safest to assume that everything you’ve ever typed, clicked or viewed has been recorded forever, even when you’ve specifically deleted it.
But even with that philosophy in mind, there are still some details you might not expect to be listed:
- e-mail addresses linked to you, even if you’ve never submitted them and instead another users has imported it from their own address book;
- details of every event you’ve been invited to, even if you declined the invitation or simply didn’t respond;
- every friend request you’ve received, even if you rejected it;
- details of every time you logged into Facebook, including the IP address you used;
- details of pictures in which you have been tagged, even if you’ve explicitly untagged it (in this case the information is “deactivated” not deleted);
- lists of every Facebook friend you’ve ever had, even those you’ve “unfriended”; and
- everything posted on your wall, including posts you’ve deleted.
Schrems also notes this is far more detail than is available through Facebook’s own utility for users to download a “personal archive” of their activity through the site, rather than making a legal request. Facebook said it only provided personal data, in line with the law governing such requests, and that it is not obliged to share other information with a user.
It should be noted that Facebook’s own terms of service allow it to use data even after a user deletes their account. Of course, while that’s a contractual agreement between Facebook and the user, it doesn’t necessarily override laws or regulations.