He is the nightmare of Facebook managers: Max Schrems, 21 years old, law student in Vienna. Schrems wanted to know whether Facebook had to abide by the European data privacy regulations. Privacy groups had often complained that in Europe there was no leverage against the U.S. company. Schrems studied terms of use, the text of laws and made a momentous discovery.

Presumably for tax reasons, Facebook has an Irish subsidiary, “Facebook Ireland Ltd.,” with a place of business in Dublin. All Facebook users outside of the United States and Canada have an exclusive agreement with Facebook Ireland. For this reason, roughly 70 percent of the worldwide 710 million Facebook users can proceed against Facebook according to European law and have a copy of the data stored about them forwarded to them.

Over 1000 Pages per Person

Max Schrems and three other students in Vienna exercised this right. They were sent CD-ROMs from Facebook with their data and made an astonishing discovery: The sheer volume of collected data exceeded their fears — printed out, the data records covered more than 1,000 pages of size A4 paper per person. At the same time, they determined that Facebook had not handed over everything, for instance, data connected to the “like” function and face recognition.

The students could, however, read for the first time in detail the profiles that Facebook makes about its users. They found 57 categories in which Facebook stores data: everything from birth date to relationship to religious and political beliefs is there.

Schrems and his fellow students even discovered dozens of records that they had deleted. “Removed friends” is the name of the category in which Facebook stores the names of the people whom the user supposedly “deleted.” According to the records, “delete” in this context only means that Facebook stores fully and for an unlimited time what was deleted when and by whom.

So supposedly “deleted” chat transcripts, emails, postings, friend requests and names are found in Facebook’s secret records. For the company, supposedly deleted content endures forever.

“That is illegal,” thinks Schrems. Users are not permitted to be deceived according to data privacy laws. If in the process of deleting one’s account, Facebook’s user interface asks three times whether one really wants to delete everything, everything cannot remain stored in the end.

Schrems has triggered a movement among Facebook users; they are demanding their records on a massive scale. It is becoming even more unpleasant for the company, however: With his acquaintances, law student Schrems has recently filed 22 well-founded complaints against Facebook on the grounds of violation of data privacy laws — naturally with the responsible Irish data privacy authority, and it promptly threatened Facebook with an official audit.

Facebook’s “Intellectual Property”

The “deleted” data in the records “must be preserved a short time for investigations,” says Facebook, and it gives no further explanation. Facebook does not want to send Schrems his missing data. This is the “intellectual property” of Facebook according to the company. “If my stored facial features are supposed to be the intellectual property of Facebook, then we are coming into the realm of total absurdity,” says Schrems, to wide agreement.

The student initiative is to be welcomed and shows “how non-transparent Facebook’s data handling is,” says Federal Commissioner for Data Protection and Freedom of Information Peter Schaar. “All users should take advantage of their right to information and check what Facebook has stored about them.” If Facebook had not moved into the tax haven of Ireland — there would have been no right to such actions.