Max Schrems, an Austrian law student and founder of the Europe versus Facebook group, took the stage in the last session of Unlike Us #2 – Social Media Activism and the Critique of Liberation Technology – and told his audience about his ongoing battle for privacy with the social networking giant Facebook. It all started with him asking Facebook for all the personal data it stored relating to his Facebook account, exercising his right to access as laid down in European data protection law.
After going through the more than 1200 pages long PDF document he got on a CD, Schrems started wondering why Facebook had data about him that by European law it shouldn’t have and what could be done about this.
(Click here for the video of Max Schrems’s presentation)
He found that users from Europe enter a legal contract with Facebook Ireland Ltd., the European branch of the company, when creating an account on the site. Therefore, his group filed 22 complaints in Ireland against Facebook, trying to find out who is actually responsible for what happens on Facebook; who is the controller of data processing. Facebook’s reply to was somewhat dubious, first referring to internal communication problems and then claiming they were ‘the controller for what they control’ and that users have responsibilities too. But in fact, as Schrems said, it seems like Facebook’s approach is to control everything that happens on the page. In this way, the company doesn’t comply with European laws.
Their business model is based on users providing all the content, and in turn the company gets to use and control all that data. The idea is that Facebook functions more or less like a blog, but they analyze all the uploaded content in the background, taking information from and about its users. Facebook justifies these actions by saying that users in fact gave their consent to all of this when signing up to the site.
In his presentation, Schrems shared some of the complaints they filed against the company. Among the data that Facebook stored about him, he could find categories like the user’s last location and IP address. This data was not only collected based on direct interaction with the site, but also based on the data retrieved from pictures that are uploaded to the site from phones. As Schrems explained, the problem is not necessarily that this data gets collected by Facebook but more the fact that users don’t know about it. Besides the lack of transparency, he also mentioned that the PDF document did not contain any data about his ‘likes’. Another alarming concern of his was that when users delete something from their profiles, it never actually got deleted and still stays on Facebook’s servers by being placed in a folder for removed data – even our deleted pokes are kept. When questioned about this, the company tried to defend its practice by claiming that this ‘deleted’ data can help track down cases of cyberbullying, in the case of pokes. The group is also campaigning for making it possible for users to opt-in, rather than opt-out of pre-configured settings.
Written by Orsolya Gulyás