Facebook gets privacy warning from Irish watchdog

Facebook must make a number of changes to improve privacy for users outside the US and Canada, according to the Irish data protection commissioner
Written by Tom Espiner, Contributor

Facebook must improve its data-protection practices to be compliant with European data-protection law, according to the Irish data protection commissioner.

[Image: Facebook privacy controls] Facebook must tighten its data-protection practices to comply with EU law, the Irish data protection commissioner has said. Image credit: Facebook

The company has agreed to a list of privacy improvements it must make before July 2012 following a data-protection audit in October at its Dublin offices. These include making privacy policies simpler, giving users more information about how personal data is used, flagging facial recognition to users, and limiting the amount of time it can keep ad-click data to two years. 

"Our approach... is to try to always encourage organisations and companies to achieve best practice," Irish data protection commissioner Billy Hawkes told ZDNet UK on Wednesday. "We only focus at the end of our process on whether there's actually been a breach of our law or not. The results of the audit are part of the process of resolving complaints. If at the end of the process, the people who've complained to us are not happy with the outcome, then I'm obliged under Irish law to make a decision whether or not there has been a breach of Irish law."

Facebook said it would work with the Irish data protection commissioner (DPC) to resolve the privacy issues for all Facebook users outside of the US and Canada.

"This is a very meaningful evaluation of how we can comply with our legal obligations," Facebook's EMEA director of policy, Richard Allan, told ZDNet UK. "We are keen to engage intensively and actively with the commissioner over the six months to work on the programme as set out in the report, with the objective of achieving the amicable resolution of the complaints."

Some of the changes will require Facebook to alter its practices globally, said Allan. For example, Facebook will change its systems to flag a privacy policy when users are installing a Facebook application.

The DPC received a number of privacy complaints about Facebook over the past two years, including from Vienna-based campaign group 'Europe v Facebook' in August, which claimed Facebook had breached European data-protection laws. In October, the DPC conducted an audit of the social-networking company that lasted six days, DPC senior compliance officer John Rogers told ZDNet UK. The investigation began in August.

Privacy changes

To be compliant with European law, Facebook must make a number of changes, the DPC said in a report published on Wednesday.

The company must address issues such as being more transparent with users about how personal data is used for targeted advertising. Facebook currently retains data on who has clicked on ads indefinitely. The social-networking company must cut the length of time it retains ad-click data to two years, said the DPC.

To be legal in Europe, Facebook must get user consent for photo-tag suggestions, the DPC found. Facebook agreed to notify users up to three times to get consent to allow Facebook to suggest names for photo-tags to third parties.

Facebook rolled out its facial-recognition and tag suggestion technology in June, a move that brought the attention of European data-protection authorities, including those in the UK and Germany.

Use of cookies

In its report, the DPC hauled Facebook up on its data-retention practices. One concern was over Facebook's use of browser cookies to track people using social plug-ins such as Facebook 'Like' buttons. Facebook has agreed to delete browser cookies from social plug-in logs.

"Cookies required a very detailed analysis," deputy DPC Gary Davis told ZDNet UK on a conference call on Wednesday. "Facebook, given the nature of its platform, does have a large number of cookies."

Facebook tends to use cookies for security purposes, rather than to sell the information to advertisers, said Davis. Facebook does not appear to use cookie data in conjunction with third parties. "We did not find that the [cookie] data had been queried in any way at a personal, individual level," said Davis.

Deleting data

Some of the complaints against the company made by Europe v Facebook focused on user deletion of data. The DPC said Facebook must put a robust process in place to irrevocably delete user accounts and data within 40 days of a user request.

"Facebook is adopting a very rigorous approach in that area, and also in applying the requirements to delete the backup data," said Davis. "We are satisfied now that accounts, when users seek deletion, are deleted."

Richard Allan said that Facebook was in the process of working towards the complete deletion of user data on request.

"It's been a very comprehensive exercise the data-protection commissioner carried out, in terms of looking at our deletion processes," said Allan. "I think they found we have a commitment to responding to user requests for deletion, and we have technical processes in place to make sure that even across as complex a system as the kind of system we run, we are able to deliver that commitment in practice."
