Facebook faces a fine from a German privacy regulator for failing to obtain the consent of the people whose contact details it stores.
At issue are the site's invitation and address-book synchronisation functions, through which it uploads and stores contact information from the email and mobile phone address books of its users.
The problem, according to the Hamburg Commissioner for Data Protection and Freedom of Information, is that some of that personal information relates to people who are not Facebook users, and who have not given their permission for the site to store their personal information, nor use it for marketing purposes.
When someone creates a Facebook account, they are invited to upload their email address books to the site so that it can send email invitations to their contacts to join Facebook, or identify those of their contacts that are already Facebook users to suggest that they become Facebook friends.
If the Facebook user chooses not to send an email invitation to a contact who is not yet a Facebook user, that contact's email address is stored anyway, associated with that of the user who uploaded it.
Facebook regularly invites users, through their account page, to "Add people you know as friends."
Users are shown photos of people in networks they have joined (and perhaps since left), and of friends of friends - but Facebook will also show a user other people who have uploaded their email address, perhaps people with whom they have had no contact for years, but who have not cleaned out their address book meanwhile.
Many citizens of the German state of Hamburg have complained in recent months of Facebook passing their contact information to third parties and storing information about their relationships in this way, according to Johannes Caspar, head of the state's data protection service.
Such storage of data by third parties is "inadmissible" because of its implications for data protection, he said.
Facebook confirmed on Thursday that it received a letter from Caspar's office.
"We are currently reviewing the letter and will respond to it within the given time frame," according to a brief statement.
Facebook did not immediately respond to a request for comment.
Facebook is not the only social network to offer such friend-finding functions or to misuse data in this way, merely the largest, Caspar said in a statement issued Wednesday.
"That doesn't mean that social networks should be storing data about people who are not members of those networks," he said.
The Commissioner is also concerned about Facebook's practice of sending out e-mail invitations on behalf of its users, suggesting that this may fall foul of existing laws prohibiting certain kinds of direct mail.
Facebook has until 11 August to make its case to the data protection commissioner if it wishes to avoid a fine.
Hamburg takes a hard line on data protection: It is keeping a close eye on Google's collection of data for its Street View service, which adds panoramic views of streets to the company's mapping service. Germans have a right to oppose any publication of their own image, or that of their house, the regulator says, while Google's view is that it is fine to publish such images, as long as it gives people the option to have them removed later.
Google is in particular trouble with data protection authorities in Hamburg, and in France, Italy and Spain, for recording traffic on unencrypted Wi-Fi networks as the cars taking pictures for the Street View service drove by. Some of the traffic recorded includes email usernames and passwords, as well as personal communications, according to a preliminary report by the French privacy regulator.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at [email protected].