Out-Law / Your Daily Need-To-Know

Facebook audit set to begin amidst claims of unlawful personal data storage

Out-Law News | 24 Oct 2011 | 2:49 pm | 6 min. read

Facebook has denied that it builds 'shadow profiles' of individuals that do not use the social networking site, according to media reports.

The company rejected claims made by privacy campaigners from a group calling itself Europe v Facebook that it stores extensive personal data about "non-users" in order to create "extensive profiles" about them without their consent, according to technology news service CNET.

"We enable you to send e-mails to your friends, inviting them to join Facebook," Andrew Noyes, Facebook's manager of public policy, said, according to the CNET report.

"We keep the invitees' e-mail address and name to let you know when they join the service. This practice is common among almost all services that involve invitations – from document sharing to event planning – and the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," Noyes said.

The Europe v Facebook group claims Facebook's processing and storage of personal data violates EU data protection laws. The group has raised 22 complaints with the Office of the Data Protection Commissioner in Ireland (ODPC) about the alleged practices of the social networking company in handling personal data.

An ODPC spokesperson told Out-Law.com that it will visit Facebook's international headquarters in Dublin as part of an investigation into the social networking company's data protection practices. The watchdog's data protection audit will begin this week, she said.

"Facebook Ireland is mainly collecting e-mail addresses but it also collects names, telephone numbers, addresses or work information about its users and non-users," Europe v Facebook said in a complaint (3-page / 145KB PDF) the group sent to the ODPC.

"This is done by different functions that encourage users to hand personal data of other users and non-users to Facebook Ireland (e.g. 'synchronizing' mobile phones, importing personal data from e-mail providers, importing personal information from instant messaging services, sending invitations to friends or saving search queries when users search for other people on facebook.com)," the complaint said.

"By gathering all this information, Facebook Ireland is creating extensive profiles of non-users and it is also enriching existing user profiles. This is done in the background without notice to the data subject ('shadow profiles'). Facebook Ireland is gathering excessive amounts of information about data subjects without notice or consent by the data subject. In many cases this information might be embarrassing or intimidating for the data subject. This information might also constitute sensitive data such as political opinions, religious or philosophical beliefs, sexual orientation and so forth," it said.

Under the EU's Data Protection Directive personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Extra emphasis is placed on the protection of rights around sensitive personal data. The Directive also provides that personal data may be processed where the data subject has unambiguously given their consent; for sensitive personal data, that consent must be explicit.

The ODPC spokesperson said the watchdog will assess Facebook's compliance with Irish and EU data protection laws.

Staff from the organisation will conduct investigations at Facebook's Dublin office over "a number of days" and off-site investigations into the company's data protection practices would also take place, she said.

"An audit of Facebook was already planned prior to the receipt of the complaints in question but clearly they have raised issues which will be examined in the course of the audit as the Office is required to investigate the complaints it has received," the spokesperson said.

"We are receiving full co-operation from Facebook. It is the intention of the Commissioner that the investigation will be completed by the end of the year," she said.

Private companies in Ireland must agree to data protection audit requests from the ODPC. The UK's equivalent watchdog, the Information Commissioner's Office (ICO), can conduct compulsory data protection audits only of central Government departments, and can audit organisations in other sectors only with their consent.

Max Schrems, a 24-year-old Austrian student who part-founded Europe v Facebook, told Out-Law.com that Facebook withheld "sensitive" information it held about him when it sent him the mass of data he had requested.

Schrems set up Europe v Facebook with some friends after reviewing the information Facebook stored about him. Schrems received 1,222 pages of information about the social networking site's storage of his personal data after he had asked the company to send him the information it held about him. Under EU data protection laws organisations must send 'data subjects' details of the personal data they store about them when the subjects ask for it.

"The most 'sensitive' data was exactly the one that Facebook did not disclose at all (e.g. data collected via the like-buttons or facial recognition data)," Schrems said.

"It is the right of every user to access this data and get an overview of what Facebook holds. Facebook is in fact ignoring this right totally. We think it is especially interesting that a company that asks all its customers to be as transparent as possible is not even trying to be a little transparent itself and is in fact even breaking the law when it comes to transparency," he said.

Schrems said Facebook should give its users a "right to be forgotten".

"According to all literature and previous decisions Facebook falls under the prime examples of an invalid consent," Schrems said.

"Probably the most experimental complaint is the one about excessive usage of data by Facebook. There we suggest a 'right to be forgotten' on Facebook as a solution. This would mean that every user would get the option to have old data deleted after a period that the user chooses," he said.

Facebook said that it already gives users the right to manage the information the company can store about them, according to the CNET report.

"Facebook offers more control than other services by enabling people to delete their e-mail address from Facebook or to opt-out of receiving invites," Andrew Noyes said, according to the report.

"Also, as part of offering people messaging services, we enable people to delete messages they receive from their inbox and messages they send from their sent folder. However, people can't delete a message they send from the recipient's inbox or a message you receive from the sender's sent folder. This is the way every message service ever invented works. We think it's also consistent with people's expectations. We look forward to making these and other clarifications to the Irish DPA," Noyes said, according to the report.

Under Irish data protection laws the ODPC has the power to access any data held by companies based in Ireland that it "considers appropriate in order to ensure compliance" with the laws.

Companies subject to data protection audits are usually informed "several weeks" before the audit commences, according to ODPC guidance on its audit procedures. The guidance said that the ODPC also has a range of sanctions it can impose on firms if its investigations indicate non-compliance with the laws.

"The ODPC may seek corrective measures such as rectification, blocking or deletion of data and may issue recommendations of an advisory nature," its guidance (37-page / 429KB PDF) said.

"Unlike some of its European counterparts, the ODPC does not issue administrative fines. Other sanctions such as public statements and warnings or the publication of the principal findings of an audit in the annual report of the Commissioner may be used by the ODPC. The potential harm to an organisation’s reputation is viewed as a sufficient deterrent in many cases. In rare cases, where it is not possible to reach agreement with an organisation recently audited, the Data Protection Commissioner would consider a use of his legal enforcement powers to bring about a change in policy or practice," the guidance said.

Max Schrems said that Europe v Facebook may make complaints about Facebook's data practices to the European Commission if the ODPC does not enforce the laws "stringently".

"I think it’s good that an audit will be done but in fact it will be rather senseless," Schrems said.

"Facebook knew about the audit months ahead, so they will have prepared themselves and there aren’t any servers or anything like that in Ireland. So it is very unlikely that the DPC will find a whole lot there. I guess they will more or less discuss how things are handled with limited options to really get a proof that whatever Facebook is saying is correct," he said.

"If the Irish authorities are not enforcing the laws stringently we also have the option to bring the whole thing to Brussels and we all know that the European commission is just waiting to get its hands on Facebook. We would be more than happy to give them an opportunity to take action," Schrems said.

"But all this shows that European data protection law is still in the making. We will need another 10 or 20 years until it is a field where companies feel like they have to stick to the law. Probably this case is a first step to show that there are enforcement actions that can be taken. In fact it is rather absurd though that a 24-year-old student with a couple of friends has to take action to get the whole thing going," he said.