In the face of an ocean of users demanding their personal data as required by European Union law, Facebook has sharply constricted the amount of data it's handing over.
Instead of sending CDs, Facebook is now directing users to a page where they can download a personal archive, but that archive is now covering only 22 categories — less than half of the 57 categories received by early requesters in the Europe vs. Facebook campaign, according to a report from ITworld.
The new stinginess comes in the midst of an audit by Ireland's Data Protection Commissioner. The audit is the result of 22 privacy-based complaints (to view the list of complaints, go to Kim Cameron's Identity Weblog) lodged by Europe vs. Facebook.
That campaign is led by Max Schrems, a 24-year-old law student from Vienna who secured 1,200 pages of personal data on a CD months ago by using a European requirement that entities with data about individuals make it available to those individuals if they request it.
The Irish agency is auditing Facebook for compliance with the country's Data Protection Acts of 1988 and 2003, which transpose the E.U.'s Data Protection Directive, known as 95/46/EC.
Europe vs. Facebook contends that Facebook is withholding personal data in violation of these laws, which require companies to disclose data to users on request.
Lisa McGann, a senior investigations officer, on Tuesday told IDG News Service that the agency has received an additional 150 complaints about Facebook’s inadequate response to data requests and 10 complaints over data protection, according to ITworld.
Mr. Schrems told ITworld that he’s exchanged e-mails with Richard Allan, Facebook's director of European public policy, who’s indicated that Facebook is contemplating a system modification that would allow a more in-depth batch of information if the agency finds fault in the company's current strategy.
In the meantime, Facebook is throttling back the data volume it releases. While Facebook is defending its actions, claiming that it is "fully compliant with E.U. data protection laws," the categories of data it’s releasing has nosedived.
Mr. Schrems told ITworld that the CDs Facebook initially sent out when he and others first requested their personal Facebook dossiers contained 57 categories of data. Now, Mr. Schrems said, Facebook is excerpting between 19 and 24 categories of data.
In addition to cutting back on the data it releases, Facebook has turned to a do-it-yourself model. Facebook recently created an email address, firstname.lastname@example.org, for people to request data. An autoreply from that account directs users to an archive download tool.
The autoreply also curtly snips off further conversation, stating that “We will not enter into further correspondence about your specific data through this email address.”
The latest move by Facebook is just "a way of getting rid of people," Mr. Schrems told ITworld, since more transparency would "freak people out," he said.
Facebook, if what Mr. Schrems believes is correct, I’d like to propose that you’re wrong. More transparency would have the opposite effect to freaking us out.
As it is, we’re already freaked out. Hundreds of legal complaints are a visible symptom of freak-out.
What’s going to continue to freak us out is if you keep tightening your sphincter.
The more tight-fisted you are with our personal data, the more you will cause your users to suspect that you plan to do things with it that we would rather you didn't.
If you're on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook, where over 150,000 people regularly share information on threats and discuss the latest security news.Follow @lisavaas