The 24-year-old wasn’t sure what to expect when he requested Facebook provide him with a record of the personal data it holds on him, but he certainly wasn’t ready for the 1,222 pages of information he received.
This included photos, messages and postings on his Facebook page dating back years, some of which he thought he had deleted, the times he had clicked “like” on an item, “pokes” of fellow users, and reams of other information.
“When you delete something from Facebook, all you are doing is hiding it from yourself,” Schrems told AFP in his home city of Vienna.
Shocked, Schrems decided to act. Hitting a dead end in Austria, he took his complaints in August to the Data Protection Commissioner (DPC) in Ireland, where Facebook has its European headquarters.
Believing that Facebook was contravening European Union law, and had more data on him that it is not releasing, Schrems has filed 22 complaints with the DPC, details of which can be found on his website: http://www.europe-v-facebook.org/.
“It’s a shock of civilisations. Americans don’t understand the concept of data protection. For them, the person with the rights is the one with the data. In continental Europe, we don’t see things like that,” Schrems said.
“If a company wants to operate in a country it has to abide by the rules.”
Facebook, he says, has agreed in Germany to stop keeping records of users’ IP addresses — information showing where someone is connected to the Internet — but in other European countries the practice continues.
“This is Facebook strategy. When someone gets really annoyed, they back off one step, but continue advancing in other ways,” Schrems said.
The problem is that most people don’t take the time to read the small print in Facebook’s terms and conditions, he says.
“For the average citizen data protection is too complex and subtle,” he says, believing it is therefore the responsibility of the state to ensure that users’ rights are upheld.
The David-versus-Goliath battle is is by no means the first time that Facebook has come under fire, with privacy campaigners saying the firm is amassing information on users’ interests in order to sell them to advertisers.
It has already been hit by complaints in the United States and other European countries and the Palo Alto, California-based company named a prominent US lawyer to be director of privacy in September.
In Germany, it has come under fire from the government for its popular facial recognition application that allows users to identify other people through online photos.
The DPC said it aims to complete its audit on Facebook, which was planned even before Schrems filed his complaints, by the end of 2011.
If it finds Facebook to have been in the wrong, it can ask the company to mend its ways, and if the firm refuses, a court could then fine it up to 100,000 euros ($136,400).
But DPC spokeswoman Lisa McGann said it was unlikely things would go so far.
“Facebook is cooperating fully with the audit and we would anticipate that it will implement any necessary changes to comply with any requirements identified,” she said in an emailed statement.
Facebook said in a statement it was “fully compliant with EU data protection laws,” adding it was “nonsense to say we are not willing to provide (Schrems) with his personal data.”
A spokesman added, however, that Facebook could not provide additional items because “provisions in Irish data protection law … place some reasonable limits on the data that has to be provided.”
In spite of everything, Schrems remains an avid Facebook user.
“Social networking sites are a great invention. Depriving yourself is not the answer.”