Irish Boomeran- Austrian Students Forces Facebook to change privacy policies

Facebook USA recently founded a subsidiary in Dublin, Ireland. It is speculated that this is mainly to avoidAmerican Taxes (see Article on Bloomberg). According to Facebook’s terms all users outside of the US andCanada have a contract with this subsidiary in Ireland (see Terms section 18.1).

This provision applies toabout 70% of worldwide users of Facebook.This means that Facebook is not only saving US taxes, but is also subject to European privacy and consumerlaw, which is generally tougher than US laws. Every EU member state has its own privacy legislation (e.g. the‘Data Protection Act’ in Ireland), but all of these laws are based on the European Directive 95/46/EG.Unbelievable masses of Data.Every citizen in the EU has the right to get a full copy of all personal data a company is holding about them(“access request”).

Three students from Vienna, Austria have done so recently and got a CD with a PDF of780, 1,142 and 1,222 pages. In all data sets you could find sensitive information such as political and religiousbeliefs, or sexual orientation of the user.

You can find the blackened files, a detailed explanation about all datasent and a guide on how to request personal data on Data still held.Facebook makes the users belief that they can delete information if they want to.

Even in its privacy policyFacebook is claiming e.g. “If another user tags you in a photo or video or at a place, you can remove the tag“But according to the data sets that were sent by Facebook the following information is never deleted but only„invisible“:

1. tags in pictures,

2. “unfriended” friends,

3. all messages (incl. chats), 3. pokes,

4. any changes ofnames

and 5. deleted e-mail-addresses; even some deleted wall posts could be found in the data sets.

It is unclear if there are more undeleted pieces of information because Facebook did not grant access to allpersonal data held. Some examples of removed data that is still held can be found here.But they agreed to the Terms.

During the sign-up process there is a little grey text on the “security check” page, which claims that the user isagreeing to Facebook’s terms and privacy policy.The policy is about 12 printed pages (longer than the US constitution, see article by the NYT) and links tocountless other documents.

The policies are unclear, vague and contradictory. It is very likely that these termsare not legally binding in most European countries.

Sharing with “Friends“ only?Facebook makes users belief that they are sharing their information only with “friends“. In fact Facebook’sstandard settings have become more and more liberal (see this graphic) and most information is shared with“everyone”.

Even the setting “friends of friends” is rather limitless; an average Facebook user has 130 friends,which means an average can have up to 16.900 “friends of friends”.In reality all data is always shared with Facebook, and some data is even shared with applications that friendsare using. All data can also be accessed by law enforcement agencies. This is especially true for USagencies, since all data is stored on US territory.22 Complaints against Facebook.

Now we filed 22 complaints against Facebook Ireland with the Irish Data Protection Commission (DPC). TheDPC will investigate the complaints and decide if they are justified. A list of all 22 complaints can be foundhere, we are planning to file a couple more complaints soon. Most of the complaints center around two issues:user control and transparency.

We believe there is a lack of both on DPC undertakes audits.The Irish DPC announced shortly after receiving the complaints, that it will use all legal powers againstFacebook if necessary (Link). Later it announced in the “Irish Independent” that it will audit Facebook Ireland’sheadquarter in Dublin, including going into the premises of Facebook Ireland for about 4 to 5 days (newsarticle).

The first audit took place on the 25th of October 2011 and lasted a couple of days and a second auditwas conducted at the beginning of December 2011.

The results will be publishes by the end of December.

If the Irish DPC finds only some of the 22 complaints justified, it may mean that Facebook has to undertakeserious changes in its practices. The DCP can issue enforcement notices in which Facebook will be asked toundertake certain changes. Noncompliance may be punished with fines of up to € 100.000.David and is done by a small group of Facebook users.

The starting point was a paperMax Schrems (Law Student, University of Vienna) was writing during his semester abroad at Santa Clara University, California.

The group is not aiming for any financial gain or other personal interest.


(We answer within 1 hour)Facebook

Irish Data Protection Commission Tel.: +353 57 868 4800

Report of Data Protection Audit of Facebook Ireland Published
The Office of the Data Protection Commissioner, Ireland today 21 December 2011 
published the outcome of its audit of Facebook Ireland(FB-I) which was conducted 
over the last three months including on-site in Facebook Ireland’s Headquarters in 
Dublin.  The Report is a comprehensive assessment of Facebook Ireland’s compliance 
with Irish Data Protection law and by extension EU law in this area.
The Irish Data Protection Commissioner, Billy Hawkes said, “This was a challenging 
engagement both for my Office and for Facebook Ireland. The audit has found a 
positive approach and commitment on the part of FB-I to respecting the privacy rights 
of its users. Arising from the audit, FB-I has agreed to a wide range of  “best practice” 
improvements to be implemented over the next 6 months, with a formal review of 
progress to take place in July of next year.”
Deputy Commissioner, Gary Davis who led the conduct of the Audit stated that “this
Audit was the most comprehensive and detailed ever undertaken by our Office.  We 
set ourselves a very ambitious target for completion and publication as both this 
Office and Facebook, felt it was important that the outcome be published and opened
to public comment and scrutiny.”
He added, “It is important to recognise that Facebook Ireland, as rece

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

More To Explore