Austrian law student, Max Schrems, has embarked on a crusade against Facebook aimed at exposing what he considers to be Facebook’s misuse of users’ personal information. Schrems has lodged 22 Reclamacións (I understand these to be a form of complaint) against Facebook with the Irish Data Protection Commissioner (Facebook’s legal presence outside the US is in Ireland) regarding Facebook practices ranging from its Data Use Policy contents and the effectiveness of consent to the Data Use Policy to Facebook’s apparent practice of collecting personal information about or relating to people who are not yet Facebook users.
These complaints raise a number of concerns about the extent to which Facebook has complied with Europe’s Data Protection Directives which establish a legal framework to protect European users’ personal information and privacy rights. The Irish Data Commission is either about to or is in the process of conducting an audit of Facebook’s privacy practices and we should learn whether Schrems’ complaints are valid in due course but what this crusade does highlight is users’ responsibilities when sharing information and content on Facebook.
Facebook’s Data Use Policy is fairly extensive. At one point Schrems mentions that if the Data Use Policy were reproduced with a more readable font it would be close to 20 pages. I reformatted the Data Use Policy with 1.5pt line spacing and size 11 font and it worked out to about 17 A4 pages. It is readable and extensive. The primary reason for the policy’s length and Facebook’s efforts to explain the policy and privacy settings in different ways is that using Facebook has seriously implications for your privacy. The sharing controls have improved drastically over the last few years culminating in a recent update which exposes publicity controls in every post.
One of the issues Schrems raised concerns about was how much information he found in his downloadable archive of his Facebook profile. Schrems’ archive apparently ran to about 1 222 pages of data. I picked up concerns about how much information is contained in the archive (and, therefore, how much personal information Facebook receives and stores) and how much information he felt was not included.
Social media users are slowly coming to the realization that these free services we flock to in the tens and hundreds of millions have a lot of information about us and which we supply to them. Facebook is a great example because of its sheer size. The upcoming Timeline feature will heighten that awareness as it exposes users’ profile information and interaction going about as far back as they have been members, possibly even further back if users populate their profiles with historical biographical data. The point we are heading to is that privacy as secrecy is largely a myth on the social Web. If you are active on the social Web, emphasis shifts to the extent to which you have meaningful control over your personal information and this is where Facebook has historically been pretty bad. That said, Facebook’s privacy controls and its Data Use Policy have improved dramatically in the last 4 to 5 years. Facebook’s anticipated deal with the FTC should firmly place control over users’ profile information more in their hands than they have experienced in the past and that is a win for users.
Facebook is clearly improving its policy language and practices by being more transparent about what personal information it collects from users and what it does with that personal information as well as giving users more meaningful control over what they can do with their personal information and content in the Facebook ecosystem. Users must remember that how well their privacy is protected largely comes down to the choices they make. Failing to familiarize themselves with privacy policies and make proper use of privacy settings made available to them is no longer an option for users concerned about their privacy. If services like Facebook require more than users are comfortable sharing then they should refrain from using those services.
Facebook may have violated Europe’s privacy laws as Schrems contends. We will have to wait for the results of the Commissioner’s audit to make that determination. We may also discover that Schrems’ much publicized campaign amounts to little more than tilting at windmills. Facebook insists that it complies with these laws and will make whatever adjustments are required should the Irish Data Protection Commissioner find it to be acting unlawfully. Hopefully this crusade will remind users just how much they share on services like Facebook and take a little more responsibility for that.