This past December, Ireland's Data Protection Commissioner (DPC) completed his three-month privacy audit of Facebook's activities. Facebook promised to make a slew of changes, and agreed to a more formal follow-up review in July 2012. Some changes, however, were supposed to be completed by March 31, 2012. We're in April now, meaning Facebook missed the deadline.
The Irish authority told the group Europe versus Facebook in a phone call yesterday that it hopes to find a solution with Facebook by the end of April. There won't be any consequences or penalties for breaching the deadline.
Here is what Facebook agreed to complete by the end of Q1 2012:
Facebook must work towards: simpler explanations of its privacy policies, easier accessibility and prominence of these policies during registration, and subsequently an enhanced ability for users to make their own informed choices based on the available information. Facebook agreed to work with the Office to achieve the objectives of simpler explanations of its Data Use Policy, identify a mechanism to provide users with a basis to exercise meaningful choice over how their personal data is used, easier accessibility and prominence of these policies during and subsequent to registration, including making use of test groups of users and non-users as appropriate.
There are limits to the extent to which user-generated personal data can be used for targeted advertising. Facebook agreed to clarify its data use policy to ensure full transparency.
Facebook agreed to move the option to exercise control over social ads to the privacy settings from account settings to improve their accessibility. Facebook also agreed to improve user knowledge of the ability to block or control ads that they do not wish to see again.
The information provided to users in relation to what happens to deleted or removed content, such as friend requests received, pokes, removed groups and tags, and deleted posts and messages should be improved. Facebook agreed to comply with this recommendation in an updated Data Use Policy.
Users should be provided with a means to exercise more control over their addition to Groups. Facebook agreed that it will no longer be possible for a user to be recorded as being a member of a group without that user's consent. A user who receives an invitation to join a group will not be recorded as being a member until s/he visits the group and will be given an easy method of leaving the group.
There is not currently sufficient information in the Data Use Policy to educate users that login activity from different browsers across different machines and devices is recorded. Facebook has agreed to provide additional information in a revised Data Use Policy.
Users should be made aware that where they choose to synch their contact information from a mobile device, those contact details are transmitted in plain text and are therefore not secure during transmission. This is not an issue within Facebook's control but users should nevertheless be made aware when choosing this option. Facebook said it is not more risky to send data in plain text via the synchronization process than doing so by sending email using internet email providers, which do not provide disclosures on security risks. Facebook agreed to have further dialogue in order to work towards reviewing alternatives for reducing risk and addressing them through education or changes in the product.
Disabling synchronisation does not appear to delete any of the synchronised data. This requires an additional step via the "remove data" button within the app. Facebook said it should be obvious to users that their synchronized data is still there after they disable synching but the company agreed to add text to that effect within the app.
Businesses could upload up to 5,000 contact email addresses for Page contact purposes, creating a possibility of the sending of unsolicited email invites by those businesses in contravention of the ePrivacy law. Facebook in response immediately geoblocked the major EU domains so that messages from Pages cannot be sent to the vast majority of EU users or non-users. Facebook agreed to further improve the information and warnings made available to businesses using this facility.
It is not fully apparent to those using Facebook Credits that Facebook is acting as a data controller and that information generated in the context of their use of Facebook Credits is linked to their account. Facebook agreed to add information to this effect in the Data Use Policy.
"It seems like the authority does not care if Facebook is breaching the law and the deadline in the authority's report," Max Schrems of Europe versus Facebook said in a statement. "Every normal citizen gets a fine, but Facebook apparently doesn't."
Facebook has 845 million active users, but its headquarters in the U.S. is not responsible for the majority of them. Facebook's international headquarters is in Dublin, meaning all users outside of the U.S. and Canada are subject to Irish and European data protection laws. Facebook chose Dublin for the tax incentives: businesses are charged approximately 2 percent tax in Dublin compared to 35 percent tax in the U.S., Schrems told me.
I have contacted Facebook about how the company missed the deadline and will update you if I hear back.
Update at 12:45 PM PST: "Facebook Ireland is investing a huge amount of effort to ensure we are making progress against all of the commitments we made during the audit," a Facebook spokesperson said in a statement. "We have a constant dialogue with officials working for the Irish Data Protection Commissioner, who are responsible for overseeing the work we are undertaking, to reassure them of our progress. We recently reported to them that we have implemented some of their recommendations ahead of schedule and that we expect to meet all the Q1 aspirations over the coming weeks."