Facebook could face a fine of up to €100,000 ($139,000) after an Australian law student discovered that the social networking site held 1,200 pages of personal data about him, much of which he had previously deleted.

Max Schrems, 24, requested a copy of his data after attending a lecture hosted by Facebook's chief executive, Mark Zuckerberg whilst he was on an exchange program at Santa Clara University in California. He eventually received a CD from the social networking giant, and was shocked to find information through his three years of having an account despite having deleted a majority of the information.

Among the 1,200 pages of data were rejected friend requests, information regarding incidences where he had removed friends from his list and his entire conversation history. Also included were images that he had removed tags of himself from, every event he had attended and every event he never responded to, poked and email addresses of people he'd corresponded with.

"I discovered Facebook had kept highly personal messages I had written and then deleted, which, were they to become public, could be highly damaging to my reputation," said Schrems in an interview yesterday. He further commented that by keeping hold of the data Facebook was behaving much like the CIA or KGB. "Information is power, and information about people is power over people. It's frightening that all this data is being held by Facebook."

Having reviewed the data, Schrems has lodged 22 separate complaints with the Irish data protection minister, which is due to start its first audit of Facebook next week. A spokesperson for the commissioner has confirmed its officers will be investigating the alleged breaches raised by Schrems as part of the audit. If they are found guilty of breaching data protection laws, they could face a fine of up to €100,000.

A spokesperson for Facebook said in a statement, "Facebook provided Mr Schrems with all of the information required in response to his request. He further commented that they were happy to answer any questions asked of by the Irish data protection authorities.