On Ars Technica: How one law student is making Facebook get serious about privacy

According to Facebook’s “About” page, millions of people use the site everyday “to keep up with friends, upload an unlimited number of photos, share links and videos, and learn more about the people they meet”. That’s a lot of data, and Facebook has a detailed data use policy, but not everyone will be comfortable with every element of that policy. As well as the inevitable online contact form, Facebook invites questions or complaints about its data use policy or practices by mail, to its California headquarters for enquiries from the USA or Canada, or – since Dublin became the centre of Facebook’s international operations in 2008 – to its Dublin address for enquiries from everywhere else. So, when an Austrian student raised queries about Facebook’s data policies, the appropriate regulator was the Irish data protection commissioner. His story is the feature story on the front page of Ars Technica right now.

How one law student is making Facebook get serious about privacy

Max Schrems requested his personal data from Facebook, got a 1,000-page PDF.

words by Cyrus Farivar; pic, in thumbnail above left, by Aurich Lawson

The world’s largest legal battle against Facebook began with a class assignment. Student Max Schrems still hasn’t turned in his university paper on the topic, due well over a year ago, but he has already accomplished something bigger: forcing Facebook to alter its approach to user privacy. Now, Schrems wants cash—hundreds of thousands of euros—to launch the next phase of his campaign, a multi-year legal battle that might significantly redefine how Facebook controls the personal data on over one billion people worldwide. …

What began as an academic assignment in spring 2011 quickly morphed into an advocacy organization called “Europe vs. Facebook.” … As a way to compel Facebook Ireland to comply with existing EU law, Schrems filed 22 formal complaints with the Irish Office of the Data Protection Commissioner (ODPC) on August 18, 2011. … Schrems argues that Irish data protection authorities aren’t properly enforcing the law when it comes to Facebook, and he hopes that a judicial review will vindicate his position. If necessary, he plans to take his case all the way to the European Court of Justice in Luxembourg. … Working separately, an Austrian law student and an under-staffed Irish data protection watchdog have helped bring worldwide improvements to Facebook’s privacy policies. …

Read how they did it (with a few quotes from yours truly) in the full story on Ars Technica.

The ODPC Facebook Privacy Review can be downloaded here (also here) (21 December 2011) and here (21 September 2012).

The europe-v-facebook support page is here.

Updates (3 December 2012): (1) A week after this post was published, Facebook proposed changes to its data use policies which have – inevitably – proved controversial. According to the Washington Post (with added links),

New Facebook policy conflicts with European law, concerns privacy advocates

… Regulators alerted Facebook about the problem shortly after the company announced major changes Wednesday in how it will treat users’ personal data, said Gary T. Davis, deputy data protection commissioner in Ireland. …

“Facebook is not really telling users what this means and how this is going to work,” said Jeff Chester, executive director of the Center for Digital Democracy. His group is planning to join the Electronic Privacy Information Center in complaining to the [Federal Trade Commission] (FTC) about the proposed Facebook policy changes. The agency declined to comment on Friday. …

(2) Ray Corrigan’s experience of his complaint to Facebook about his data makes for interesting reading (see: here, here, here, so far).