24-year-old Facebook user Max Schrems of Vienna, Austria recently sent a formal request to the social network and asked for a copy of every piece of personal information the site has collected on him since he created an account a year ago. According to ThreatPost, EU Directive 95/46/EC (PDF) grants each person the right to access data relating to him/her in order to verify the accuracy of that data and the lawfulness of how long it's being used. What he eventually received was a CD packing a 1,222 page collection in a single PDF file.
To Schrems' surprise, much of the data he discovered to be retained in Facebook's records were previously believed to be deleted. These records included the times when Schrems logged in and out of Facebook, the times and content of every message sent and received, and an "accounting of every person and thing he’s ever liked, posted, poked, friended or recorded." Facebook kept records of friend requests, photos, employment and relationship statuses, and former or alternative names and email addresses.
However Schrems notes that the PDF file he received from Facebook is based on himself and his 234 friends. He also said the experience with Facebook's obvious data collection practice has inspired him to launch a legal project he calls Europe vs. Facebook. Schrems is looking to increase Facebook transparency, make opt-in data access the default (instead of opt-out) and to encourage data-minimization on the network.
"Facebook offers no sufficient way of deleting old junk data," he writes. "Every inconsiderate comment, every invitation to an event (e.g. a demonstration) and every 'like' is recorded for an indefinite amount of time. But Facebook does more than that: even removed tags, friends or messages are kept in Facebook’s systems. Even if you delete your whole account, Facebook will keep some of this personal data."
As of this writing, Facebook has not issued a response to Schrems' claims.