[alextingle]

I'm not sure the DPA needs to come into it. If a nightclub bouncer checks your ID, then he's free to forget all about it once he lets you inside. If all FB do is set an "ID checked" flag (and discard data collected as part of the checking process) then I think they'd be in a similar position - I'm not sure whether you could successfully argue that an "ID checked" flag could count as additional personal data.

(Then again, I'm sure FB hold on to data like thieving magpies, so the idea that they would delete your passport number/image/whatever once they have it is, I agree, laughable.)

[ZoFreX]

I agree 100%, a simple "ID checked" flag would be OK. Where I think the DPA fits into it is that without the DPA, a lot more people would store those details just because. With the DPA in place I'm a lot more comfortable sharing information like that, knowing that either they just store a flag, or if they store more than that I am protected.

[aestetix]

Not necessarily. What happens if someone challenges Facebook on their flags? If you're a bouncer, you can hunt down the person who looks underage and re-check their ID. It's much harder to do that with something like Facebook.