Facebook denies 'shadow' profiles of non-users

Facebook has denied allegations that it maintains 'shadow' profiles of internet users who have not yet signed up to the social network - accusations which, if proved true, could fall foul of data protection laws in an audit of its European subsidiary by Ireland's Data Protection Commissioner (DPC) that begins this week.

The company claims that the only information it holds on unregistered individuals is their name and email address so that it can flag up friends if the person eventually signs up to Facebook.

The social network's Communications and Policy Manager Mia Garlick told IT news site The Register: "We keep the invitees' e-mail address and name to let you know when they join the service... This practice is common among almost all services that involve invitations... the assertion that Facebook is doing some sort of nefarious profiling is simply wrong."

Garlick also hit back at accusations made by privacy campaign group Europe vs Facebook that the site is holding on to messages that users have deleted, also in breach of data protection law.

"People can't delete a message they send from the recipient's inbox, or a message you receive from the sender's sent folder. This is the way every message service ever invented works," claimed Garlick

Ireland's Data Protection Commissioner brought forward a routine probe into Facebook's data handling after receiving 22 complaint from lobbyist group Europe vs Facebook, concerning what the group claims are incomplete records of the personal data held on users produced in response to subject access requests under European law. thinq_ showed readers how to submit their own subject access request in an article last month.

Speaking to thinq_ last week, spokesperson for the DPC Ciara O'Sullivan said that while the probe would look in general at Facebook's data protection regime, "we will be bearing those complaints in mind."

"Facebook is co-operating fully with the audit," O'Sullivan added, "but we don't know yet what the outcomes will be."

The DPC has no direct powers to fine Facebook for breaches of data protection law, but failure to respond to a legal notice from the DPC could result in prosecution and a fine of up to €100,000 (£87,000).