Friday, 16 December 2011

Article: Max's privacy war brings Facebook to heel

Original Article written by AP for The Age - Thursday 27, October 2011


Austrian student Max Schrems sits with 1222 pages worth of his personal data 
that Facebook provided to him. Photo: AP

Max Schrems wasn't sure what he would get when he asked Facebook to send him a record of his personal data from three years of using the site.

What the 24-year-old Austrian law student didn't expect, though, was 1222 pages of data on a CD. It included chats he had deleted more than a year ago, "pokes" dating back to 2008, invitations to which he had never responded, let alone attended, and hundreds of other details.
Advertisement: Story continues below

Time for an "aha" moment.

In response, Schrems has launched an online campaign aimed at forcing the social media behemoth that has 800 million users to abide by European data privacy laws - something the Palo Alto, California-based company insists it already does.

Yet, since Schrems launched his Europe vs. Facebook website in August, Facebook has increasingly been making overtures not only to Schrems, but to other Europeans concerned about data privacy, including Germany's data security watchdogs.

"Have we done enough in the past to deal with you? No," Facebook's director of European public policy, Richard Allan, testified before a German parliamentary committee on new media. "Will we do more now? Yes."

The lawmakers were holding a hearing on privacy rights.

Europeans - Germans in particular - have long been more concerned about data privacy than their US peers. Still, the European campaign comes amid increased agitation in the US over what many view as invasive internet marketing practices that allow consumers to be observed, analysed and harvested for profit, with no regard for their right to privacy.

Last month, several US privacy interest groups asked the US Federal Trade Commission in Washington to look into recent changes made by Facebook that give the company greater ability to disclose users' personal information to businesses than it used to have.

The German lawmakers brought up a raft of complaints, from allegations that Facebook's "Like" button allows the company to track non-members' internet activity, to concerns over the company's use of facial recognition software on personal photos.

One of Schrems's main complaints with Facebook, he says, is that the company retains information far longer than allowed under European law, which in most cases is limited to a few months.

"I wondered, what are they doing with my data?" Schrems said, sitting with his laptop in a Viennese coffee house. "I thought through everything that one can do with that amount of information; all the marketing that is possible."

Under European law, consumers have the right to request a record of the personal information held by a company. The law further stipulates that to retain data beyond the limit of several months, a company must have a reason to do so.

In Australia it is not clear whether Facebook users can get as much of their data from the company as Schrems received. However, Facebook has several pages on its site explaining how people can pull down their profile data and other posts they've made to the site since being a member.

That issue has been the basis for several of the 22 formal complaints that Schrems and his group have lodged with the Irish Data Protection Commissioner - responsible for Facebook's Ireland-based European subsidiary, which serves all users outside of the US and Canada.

Schrems also disputes that Facebook has given him all of the information it holds about him, arguing that he has only received information from 23 out of a possible 57 data categories.

Facebook insists it has given Schrems and others in his group all of the information that is legally required. Still, Facebook insists it is allowed to hold back data that includes "a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and 'any other analytical procedure that Facebook runs,'" a Facebook spokesman said.

"This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided," said the spokesman, who did not give a name in keeping with company policy.

Ciara O'Sullivan, a spokeswoman for the Irish commissioner, said a formal investigation has been launched into Schrems's complaints. In addition, a routine audit of Facebook's Irish operation will be conducted sooner than planned, to give authorities a complete picture in weighing the requests.

"We look at the law, and whether something is in breach of that law or not, whether we need to bring an organisation into compliance or not," O'Sullivan said in a telephone interview.

Allan repeatedly stressed that Facebook's view is that the way its service operates is completely compatible with European data protection law.

If an organisation is found not to be in compliance, they receive a warning and are asked to mend their ways. If they fail to do so, they could face a fine of about euro 100,000 ($133,500) - a drop in the bucket for a company valued by Goldman Sachs at $US50 billion ($48 billion).

Schrems, who has spent hours poring over his data and the European laws, points out that although the laws on data privacy are tough, there is little incentive for companies to follow them.

"I am not interested in money. What interests me is that the company follows the law," Schrems said. He argued that the only way that can happen is if Facebook users take matters into their own hands.

"It only takes a click to do something about it," he said.


No comments:

Post a Comment