Max Schrems wasn't sure what he would get when he asked Facebook to send him a record of his personal data from three years of using the site.
What the 24-year-old Austrian law student didn't expect, though, was 1,222 pages of data on a CD. It included chats he had deleted more than a year ago, "pokes" dating back to 2008, invitations to which he had never responded, let alone attended, and hundreds of other details.
Time for an "aha" moment.
In response, Schrems has launched an online campaign aimed at forcing the social media behemoth that has 800 million users to abide by European data privacy laws _ something the Palo Alto, California-based company insists it already does.
Yet since Schrems launched his "Europe vs. Facebook" website in August, Facebook has increasingly been making overtures not only to Schrems, but to other Europeans concerned about data privacy, including Germany's data security watchdogs.
"Have we done enough in the past to deal with you? No," Facebook's director of European public policy, Richard Allan, testified Tuesday before a German parliamentary committee on new media. "Will we do more now? Yes."
The lawmakers were holding a hearing on privacy rights.
Europeans _ Germans in particular _ have long been more concerned about data privacy than their U.S. peers. Still, the European campaign comes amid increased agitation in the U.S. over what many view as invasive Internet marketing practices that allow consumers to be observed, analyzed and harvested for profit, with no regard for their right to privacy.
Last month, several U.S. privacy interest groups asked the U.S. Federal Trade Commission in Washington to look into recent changes made by Facebook that give the company greater ability to disclose users' personal information to businesses than it used to have.
The German lawmakers brought up a raft of complaints Tuesday, from allegations that Facebook's "Like" button allows the company to track nonmembers Internet activity, to concerns over the company's use of facial recognition software on personal photos.
One of Schrems' main complaints with Facebook, he says, is that company retains information far longer than allowed under European law, which it most cases is limited to a few months.
"I wondered, what are they doing with my data?" Schrems said, sitting with his laptop in a Viennese coffee house. "I thought through everything that one can do with that amount of information, all the marketing that is possible."
Under European law, consumers have the right to request a record of the personal information held by a company. The law further stipulates that to retain data beyond the limit of several months, a company must have a reason to do so.
That issue has been the basis for several of the 22 formal complaints that Schrems and his group have lodged with the Irish Data Protection Commissioner _ responsible for Facebook's Ireland-based European subsidiary, which serves all users outside of the U.S. and Canada.
Schrems also disputes that the Facebook has given him all of the information it holds about him, arguing that he has only received information from 23 out of a possible 57 data categories.
Facebook insists it has given Schrems and others in his group all of the information that is legally required. Still, Facebook insists it is allowed to hold back data that includes "a range of other things that are not personal information, including Facebook's proprietary fraud protection measures, and 'any other analytical procedure that Facebook runs,'" a Facebook spokesman said.
"This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided," said the spokesman, who did not give a name in keeping with company policy.
Ciara O'Sullivan, a spokeswoman for the Irish commissioner, said a formal investigation has been launched into Schrems' complaints. In addition, a routine audit of Facebook's Irish operation will be conducted sooner than planned, to give authorities a complete picture in weighing the requests.
"We look at the law, and whether something is in breach of that law or not, whether we need to bring an organization into compliance or not," O'Sullivan said in a telephone interview.
Allan repeatedly stressed that Facebook's view is that the way its service operates is completely compatible with European data protection law.
If an organization is found not to be in compliance, they receive a warning and are asked to mend their ways. If they fail to do so, they could face a fine of around euro100,000 ($140,000) _ a drop in the bucket for a company valued by Goldman Sachs at $50 billion.
Schrems, who has spent hours poring over his data and the European laws, points out that although the laws on data privacy are tough, there is little incentive for companies to follow them.
"I am not interested in money. What interests me is that the company follows the law," Schrems said. He argued that the only way that can happen is if Facebook users take matters into their own hands.
"It only takes a click to do something about it," he said.