Facebook's facing a possible €100,000 fine from the Irish authorities for holding data that users have deleted.
Using Irish data protection laws - Facebook's international headquarters is in Dublin - Austrian law student Max Schrems asked the company what information it had on him.
And Facebook sent a whole CD-full - including messages and information that Schrems says he'd deleted.
Facebook denies the allegation.
"Specifically on the reports that deleted data has sometimes shown up in the information file people receive, this is mostly likely due to the user removing a post from a specific place on Facebook rather than deleting it, or because we needed to retain information for a limited period for an investigation," a spokesperson told TG Daily.
"We're continuing to work on ways to make this process as seamless as possible."
In addition, says Schrems, Facebook failed to give all the information he'd requested. When he asked why, he was pointed to Section 4 of the Irish Data Protection Acts 1988 and 2003, which says companies don't have to do so if it would involve disproportionate effort.
But Facebook also cited a clause relating to trade secrets and intellectual property: "We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors," it said.
But Schrems tells TG Daily that none of the data he's requested could fall under this heading.
"It is important to note that the Irish law gives the users two access requests - one, the actual data, and two, the logics involved in processing the data," he says.
"Only for the logics there is an exception, if this would reveal TS or other IP rights. The actual data has to be revealed no matter if there are TS or IP rights involved."
Facebook says it comes down to what you regard as personal information.
"What if some coefficient we apply to a user is 9876548.64868848.646848 based on some analysis of his or her profile. Is that number personal information? Is it really useful to the user or just to competitors who know how systems work?" says the spokesperson.
"I'm sure competitors (or spammers) would love to know what all the factors are that we use. In summary, none of this stuff is personal information, and disclosing it presents real risks to users and our service."
The Irish data commissioner will now have to decide; if the decision is taken to prosecute and Facebook found guilty of data protection breaches, the fine could hit €100,000.