Looking at the brouhaha surrounding Facebook's latest TOS changes, I wondered if they contravened the EU laws on Data Protection. At first blush they probably do in a number of areas. I'm no lawyer, but what Facebook is trying to do and what European Data Protection Law is trying to achieve look like they are far from a meeting of minds. The key instrument is Directive 95/46/EC (the Data Protection Directive), which states (italics are mine where added):
Article 6(1)(e) says that identifiable data should not be kept longer than is necessary:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
Article 10 is pretty clear that the controller must tell the user who is collecting their data, what it is being used for, and that they have the right to access and correct it:
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as:
— the recipients or categories of recipients of the data,
— whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
— the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
Article 14 gives the user the right to object to processing of their data, and to opt out of it being used or passed on for direct marketing:
Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;
(b) to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.
Article 25 makes clear that sending the data to a non-EU country is not a way out: the transfer is only allowed if that country ensures an adequate level of protection:
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
So, although it does not specifically address the Facebook case, the intent of the Directive is clearly to stop Facebook-style data mining, data on-selling and indefinite retention of data - especially where the person the data is about does not wish it.
Well, that's just a little canter through it, but it looks like the Facebook T&C (see below) and the EU law are opposed in a number of key areas.
You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses.
A few other goodies from the preamble (the recitals), referencing the rights of citizens under the Treaty on European Union:
Firstly, all citizens have a right to privacy:
(2) ...data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;
Facebook being in the US does not remove its responsibility to EU citizens:
(20) ... the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;
Transmitting a message does not make the carrier the controller of the personal data in it, let alone its owner (which undercuts Zuckerberg's email analogy):
(47) Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;
Interesting times ahead, methinks......
Update - Looks like a US organisation is preparing to file a complaint with the FTC.