Ireland’s Facebook audit gives it privacy green light, but with conditions

21 Dec 2011

Ireland’s Data Protection Commissioner has concluded his massive audit of Facebook – the biggest investigation in the agency’s history – and has cleared it of most charges. However, Facebook has agreed to a wide range of ‘best practice’ improvements.

Arising from the audit, Facebook has agreed to ‘best practice’ improvements to be implemented over the next six months, with a formal review happening in July 2012.

The Data Protection Commission began investigating Facebook in October. Austrian lobby group Europe Versus Facebook had 22 complaints lodged with the Data Protection Commission, ranging from allegations that ‘Pokes’ are being kept after the user removes them, the alleged existence of shadow profiles that gather information and are used to create profiles of non-users, to excessive processing of data.

The DPC examined Facebook’s advertising practices related to the extent it uses personal data and concluded that “the targeting of advertisements based on interests disclosed by users in the ‘profile’ information they provide on FB is legitimate.”

DPC recommendations

While the DPC scrutinised all the various services that were part of the complaint filed against Facebook and found them to be adequate, it did point out that the introduction of Tag Suggest, a popular tool to make the tagging of large numbers of images quick and easy, could have been done in a more transparent fashion.  

Despite these concerns, the DPC did not find that the launch of Tag Suggest breached Irish data protection law, and confirmed the function used to delete the user’s facial profile is invoked when the user disables “tag suggestions.”  

“The DPC recommended we take a ‘best practice’ approach in this area and display additional notifications to users in Europe, to help them learn more about the feature,” Facebook said.

“Both the Irish DPC and Facebook agree that this approach will increase transparency to people using the product while enabling Facebook to continue to meet their obligations under relevant data protection law.”

In terms of third-party applications, the DPC acknowledged Facebook has controls in place to protect user information being made available to developers on Facebook Platform. The DPC “verified that it was not possible for an application to access personal data over and above that to which an individual gives their consent or enabled by the relevant settings.”

The Friend Finder feature, as well as the inclusion of people a non-user may know in email invitations sent by users, has been previously examined closely by other data protection and privacy authorities and Facebook has already implemented several improvements.  

“We provide clear notice about how the email address will be used and notify all non-users who get the email how they can opt-out or unsubscribe. The DPC confirmed our practice was compliant, as well as verified that the email addresses of non-users who have opted out from further contact are not available for any further use,” Facebook said.

In terms of Security Protection, the DPC commended Facebook on its focus on the protection and security of user data. It acknowledged that Facebook makes “innovative use of cookies to identify unusual or suspicious activity” on an account.

DPC recognised that Facebook’s real name policy is a valid and justified reason for refusing to allow pseudonyms on its service.  

The DPC conducted a thorough analysis of Facebook’s use of social plug-ins and determined that no information collected is associated with users or non-users or is used in any way to build a profile of the user or non-user.  

“While certain data which could be used to build what we have seen termed as a ‘shadow profile’ of a non-user was received by Facebook, no actual use of this nature was made of such data and neither is there any profile formed of non-users which could be attributed to a person on becoming a user.”

The DPC also stated that Facebook is now taking active steps to delete any such information very quickly after it is received.

Facebook agreed with the DPC on a process for offering more comprehensive access through the Download Your Info tool, Timeline and Activity Log (part of the new Timeline feature). The report also found that Facebook already offers people effective controls to delete their personal data and proposes several enhancements.

A challenging audit

Irish Data Protection Commissioner Billy Hawkes said, “This was a challenging engagement both for my office and for Facebook Ireland. The audit has found a positive approach and commitment on the part of Facebook Ireland (FB-I) to respecting the privacy rights of its users. Arising from the audit, FB-I has agreed to a wide range of ‘best practice’ improvements to be implemented over the next six months, with a formal review of progress to take place in July of next year.”

Deputy Commissioner Gary Davis, who led the conduct of the audit, said, “This audit was the most comprehensive and detailed ever undertaken by our office. We set ourselves a very ambitious target for completion and publication as both this office and Facebook felt it was important that the outcome be published and opened to public comment and scrutiny.”

He added, “It is important to recognise that Facebook Ireland, as recently as September 2010, was designated responsibility for all users outside of the USA and Canada. It perhaps should not come as a surprise, therefore, that there should be room for improvement in how Facebook Ireland handles the personal information of users.”

The DPC credited several elements of Facebook’s data protection practices and offered various recommendations for improvements.

“Facebook is constantly evolving and adapting in response to user needs and technical developments. Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances. Indeed, the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site’s success.

“Therefore, this report is not the conclusion of our engagement with Facebook Ireland. It is rather the first significant step on a road that can place it at the forefront of the technology sector in meeting users’ legitimate privacy expectations as to how their personal data is handled and empowering them to make informed choices when sharing that information on the site,” Davis said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years