Irish Data Protection Commissioner to begin Facebook audit

Billy Hawkes, Ireland's Data Protection Commissioner, has announced he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.

His office has decided to investigate the company after an Austrian group called Europe versus Facebook made 22 complaints regarding the social network's practices. The group even managed to accidentally get Reddit involved, whose users recently overwhelmed Facebook with data requests. Here are all the complaints:

1. Pokes are kept even after the user "removes" them.
2. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
3. Tags are used without the specific consent of the user. Users have to "untag" themselves (opt-out). Note: Facebook has announced changes for this.
4. Facebook is gathering personal data e.g. via its iPhone-App or the "friend finder". This data is used by Facebook without the consent of the data subjects.
5. Postings that have been deleted showed up in the set of data that was received from Facebook.
6. Users cannot see the settings under which content is distributed that they post on other’s pages.
7. Messages (incl. Chat-Messages) are stored by Facebook even after the user "deleted" them. This means that all direct communication on Facebook can never be deleted.
8. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. Facebook tried improving it earlier this year.
9. The new face recognition feature is an disproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.
10. Access Requests have not been answered fully. Many categories of information are missing.
11. Tags that were "removed" by the user, are only deactivated but saved by Facebook.
12. In its terms, Facebook says that it does not guarantee any level of data security.
13. Applications of "friends" can access data of the user. There is no guarantee that these applications are following European privacy standards.
14. All removed friends are stored by Facebook. This was reconfirmed recently.
15. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal "excessive processing".
16. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.
17. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.
18. Facebook has certain obligations as a provider of a "cloud service" (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).
19. The privacy settings only regulate who can see the link to a picture. The picture itself is "public" on the internet. This makes it easy to circumvent the settings.
20. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).
21. Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.
22. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.

"What we are doing is seen as the currently biggest legal action against Facebook in the German speaking area," Max Schrems of Europe versus Facebook told me. "There have been a couple of attempts to go after Facebook the new thing is that this now happening within Europe and that this authority has the power to fine them with up to €100.000 for every breach of the European law (they can also fine multiple times if Facebook would not comply)..."

The Data Protection Commissioner says it is likely to be the most detailed, challenging, and intensive audit ever undertaken by his office, according to RTÉ News. Hawkes said he will publish his findings by the end of the year.

Facebook has 800 million active users, but its headquarters in Palo Alto is not responsible for the majority of them. The company's international headquarters handles all users outside the US and Canada (many of the Facebook engineers I spoke to at f8 last week were from Dublin). In other words, the social networking giant's operations outside the US and Canada are subject to Irish and European data protection laws.

Any decisions made against Facebook in Ireland could also have huge implications for the rest of Europe. An audit in Ireland could result in other countries investigating Facebook, although we've seen this story before, especially in Germany (see links below). Even the European Union started looking into the social networking giant's facial recognition technology earlier this year.

Some may think Facebook could end up being forced to move its operations away from Ireland, but that's very unlikely. Palo Alto chose Dublin for the tax incentives: approximately 2 percent tax in Dublin instead of 35 percent tax in the US, according to Schrems. Those are numbers that Facebook is willing to fight for.

I have contacted Facebook for more information about this issue and will update this article if I hear back.

See also:

• US congressmen ask FTC to investigate Facebook cookies
• German minister tells colleagues to avoid Facebook
• Facebook agrees to sign voluntary privacy code in Germany
• German website creates two-click Like button, Facebook not amused
• Germany: Facebook Like button violates privacy laws
• Germany: Facebook facial recognition feature violates privacy laws