Summary:
On 4 September 2011, The Daily Irish Independent reported that the Data Protection Commission (DPC) would conduct a full investigation into Facebook's alleged violations of European data protection law. The basis for this investigation were the 22 complaints by 'europe-v-facebook.org', which was founded by a group of Austrian students. Under European law Facebook Ireland is the "data controller" for the social network, and therefore, is governed by European data protection laws.
Allegations:
- The group 'europe-v-facebook.org' spearheaded by a Viennese law student Max Schrems, accused Facebook of violating EU data protection law. They made access requests at Facebook Ireland and received up to 1,222 pages of data per person in 57 data categories that Facebook was holding about them, including data that was previously removed by the users. The group claimed that Facebook failed to provide some of the requested data, including 'likes', facial recognition data, data about third-party websites that use "social plugins" visited by users, and information about uploaded videos.
- The first 16 complaints targeted different problems, from undeleted old "pokes" all the way to the question if sharing and new functions on Facebook should be opt-in or opt-out. The second wave of six more complaints was targeting more issues including one against the 'Like' button. The most severe complaint was that the social network's privacy policy, and the consent to the privacy policy was void under European laws.
- In its first report, the Irish DPC listed numerous measures Facebook had to comply with in order to improve its compliance with the Irish and European laws. The report was not legally binding, and was criticised by Schrem's group.
Defence:
- In spring 2012, Facebook proposed a new worldwide privacy policy and other changes such as an extended download tool which would allow users to exercise the European right to access all stored information.
- After pressure from the group behind 'our-policy.org', Facebook had to conduct a worldwide vote on its proposed changes. Since the voter participation per cent was less, the vote against the policy was non-binding and the new privacy policy was implemented.