Law student requested his personal data from Facebook, got a 1,000-page PDF.

The world’s largest legal battle against Facebook began with a class assignment. Student Max Schrems still hasn’t turned in his university paper on the topic, due well over a year ago, but he has already accomplished something bigger: forcing Facebook to alter its approach to user privacy. Now, Schrems wants cash—hundreds of thousands of euros—to launch the next phase of his campaign, a multi-year legal battle that might significantly redefine how Facebook controls the personal data on over one billion people worldwide.

What began as an academic assignment in spring 2011 quickly morphed into an advocacy organization called "Europe vs. Facebook." Over the last year, Schrems has encouraged tens of thousands of Facebook users worldwide to request copies of whatever data Facebook holds on each of them, as he has done. Under European Union law, Facebook is required to comply with these requests within 40 days, since its international (e.g., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

As a way to compel Facebook Ireland to comply with existing EU law, Schrems filed 22 formal complaints with the Irish Office of the Data Protection Commissioner (ODPC) on August 18, 2011. Those complaints included charges that Facebook Ireland violated EU law by keeping records of "pokes" even after a user has deleted them, collecting data on non-Facebook users as a way to create "shadow profiles," performing automatic tagging, gathering personal data via "Friend Find," retaining records of deleted posts, retaining copies of deleted chat messages, retaining copies of deleted friends, and many others.

In the meantime, Irish authorities have begun asking for changes, and Facebook has altered some of its policies. Just this month, Ars reported that Facebook changed the way it presents privacy information to new users, largely at the suggestion of the ODPC. Back in September, Facebook said it would disable facial recognition for European users, also under pressure from Irish authorities.

Right of access

This battle began nearly 18 months ago in California. Schrems, a spiky-haired, feisty Austrian from the University of Vienna, was spending the semester as a visiting law student at Santa Clara University (SCU) in the heart of Silicon Valley. As part of a privacy seminar taught by Dorothy Glancy, one of America’s top privacy scholars, Schrems learned that one of the major principles of European privacy law was called the "right of access."

It’s a simple idea: anyone interacting with an EU company or government agency can, for any reason, request all the data that entity has about oneself, and the company or government agency must comply. (American law has no equivalent principle, largely leaving privacy and data protection issues to be sorted out in contract law between individuals and corporations.) The idea is summed up in Section V, Article 12 of the 1995 EU directive "On the protection of individuals with regard to the processing of personal data and on the free movement of such data."
http://arstechnica.com/tech-policy/2012/11/how-one-law-student-is-making-facebook-get-serious-about-privacy/

Facebook attempts to settle privacy lawsuit.

San Francisco - A U.S. judge said he would consider whether to preliminarily approve Facebook's second attempt to settle allegations the social networking company violated privacy rights.

Earlier this year, U.S. District Judge Richard Seeborg rejected a proposed class action settlement over Facebook's 'Sponsored Stories' advertising feature. But at a hearing on Thursday in San Francisco federal court, Seeborg was much less critical of a revised proposal and promised a ruling "very shortly."

Five Facebook Inc members filed a lawsuit seeking class-action status against the social networking site, saying its Sponsored Stories feature violated California law by publicizing users' "likes" of certain advertisers without paying them or giving them a way to opt out. The case involved over 100 million potential class members.

As part of a proposed settlement reached earlier this year, Facebook agreed to allow members more control over how their personal information is used. Facebook also agreed to pay $10 million for legal fees and $10 million to charity, according to court documents.

However, Seeborg rejected the proposed deal in August, questioning why it did not award any money to members.

In a revised proposal, Facebook and plaintiff lawyers said users now could claim a cash payment of up to $10 each to be paid from a $20 million total settlement fund. Any money remaining would then go to charity.
 http://www.chicagotribune.com/business/sns-rt-us-facebook-lawsuitbre8ae1xw-20121115,0,6656046.story