Facebook USA recently founded a subsidiary in Dublin, Ireland. It is speculated that this is mainly to avoid American taxes (see Article on Bloomberg). According to Facebook’s terms, all users outside of the US and Canada have a contract with this subsidiary in Ireland (see Terms section 18.1).
This provision applies to about 70% of worldwide users of Facebook. This means that Facebook is not only saving US taxes, but is also subject to European privacy and consumer law, which is generally tougher than US laws. Every EU member state has its own privacy legislation (e.g. the ‘Data Protection Act’ in Ireland), but all of these laws are based on the European Directive 95/46/EC.

Unbelievable masses of Data.

Every citizen in the EU has the right to get a full copy of all personal data a company is holding about them (“access request”).
Three students from Vienna, Austria have done so recently and got a CD with a PDF of 780, 1,142 and 1,222 pages. In all data sets you could find sensitive information such as political and religious beliefs, or sexual orientation of the user.
You can find the redacted files, a detailed explanation of all data sent and a guide on how to request personal data on www.europe-v-facebook.org.

Removed Data still held.

Facebook makes users believe that they can delete information if they want to.
Even in its privacy policy Facebook claims, e.g., “If another user tags you in a photo or video or at a place, you can remove the tag”. But according to the data sets that were sent by Facebook, the following information is never deleted but only “invisible”:
1. tags in pictures,
2. “unfriended” friends,
3. all messages (incl. chats),
4. pokes,
5. any changes of names, and
6. deleted e-mail addresses.

Even some deleted wall posts could be found in the data sets.
It is unclear if there are more undeleted pieces of information because Facebook did not grant access to all personal data held. Some examples of removed data that is still held can be found here.

But they agreed to the Terms.

During the sign-up process there is a little grey text on the “security check” page, which claims that the user is agreeing to Facebook’s terms and privacy policy. The policy is about 12 printed pages (longer than the US constitution, see article by the NYT) and links to countless other documents.
The policies are unclear, vague and contradictory. It is very likely that these terms are not legally binding in most European countries.

Sharing with “Friends” only?

Facebook makes users believe that they are sharing their information only with “friends”. In fact Facebook’s standard settings have become more and more liberal (see this graphic) and most information is shared with “everyone”.
Even the setting “friends of friends” is rather limitless; an average Facebook user has 130 friends, which means an average user can have up to 16,900 “friends of friends”. In reality all data is always shared with Facebook, and some data is even shared with applications that friends are using. All data can also be accessed by law enforcement agencies. This is especially true for US agencies, since all data is stored on US territory.

22 Complaints against Facebook.

We have now filed 22 complaints against Facebook Ireland with the Irish Data Protection Commission (DPC). The DPC will investigate the complaints and decide if they are justified. A list of all 22 complaints can be found here; we are planning to file a couple more complaints soon. Most of the complaints center around two issues: user control and transparency.
We believe there is a lack of both on facebook.com.

Irish DPC undertakes audits.

The Irish DPC announced shortly after receiving the complaints that it will use all legal powers against Facebook if necessary (Link). Later it announced in the “Irish Independent” that it will audit Facebook Ireland’s headquarters in Dublin, including going into the premises of Facebook Ireland for about 4 to 5 days (news article).
The first audit took place on the 25th of October 2011 and lasted a couple of days, and a second audit was conducted at the beginning of December 2011.
The results will be published by the end of December.
If the Irish DPC finds only some of the 22 complaints justified, it may mean that Facebook has to undertake serious changes in its practices. The DPC can issue enforcement notices in which Facebook will be asked to undertake certain changes. Noncompliance may be punished with fines of up to €100,000.

David and Goliath.

europe-v-facebook.org is run by a small group of Facebook users.
The starting point was a paper Max Schrems (Law Student, University of Vienna) was writing during his semester abroad at Santa Clara University, California.
The group is not aiming for any financial gain or other personal interest.

Further Questions.

europe-v-facebook.org: media@europe-v-facebook.org, http://www.europe-v-facebook.org (We answer within 1 hour)
Facebook: press@fb.com
Irish Data Protection Commission: Tel.: +353 57 868 4800, http://www.dataprotection.ie