Facebook promises changes following Irish privacy audit

Ireland's Data Protection Commissioner has completed his three-month privacy audit of Facebook's activities. Facebook's international headquarters is in Dublin, so most users are affected.
Written by Emil Protalinski, Contributor

Facebook today announced that the office of Billy Hawkes, the Irish Data Protection Commissioner (DPC), has completed its privacy audit of the company's practices and policies. The DPC report has concluded Facebook adheres to European data protection principles and complies with Irish law. Nevertheless, Menlo Park has promised to make changes based on recommendations from the DPC.

More specifically, Facebook has committed to either implement, or to consider, improvements recommended by the DPC, including in situations where its practices already comply with legal requirements. Facebook will be reviewing progress with the DPC and has agreed to a more formal follow-up review in July 2012. Facebook is aiming for three key commitments:

  • Offer additional notifications to European users about Facebook's photo Tag Suggest feature so that they can decide whether or not to use this feature to help people tag them in photos.
  • Change a number of its policies related to retention and deletion of data including how data is logged when people access websites with social plugins to minimize the amount of information collected about people who are not logged in to Facebook.
  • Work with the DPC to improve the information that people using Facebook are given about how to control their information both on Facebook and when using Facebook apps.

Facebook has 800 million active users, but its headquarters in the US is not responsible for the majority of them. Facebook's international headquarters is in Dublin, meaning all users outside the US and Canada are subject to Irish and European data protection law, and are thus affected by these findings. Although audit reports are not frequently made public, the DPC and Facebook agreed to release the contents in the interest of transparency.

"We believe this is the best way for users and policymakers around the world to understand how thoroughly the DPC performed its examination and how closely we will be working together in the future," a Facebook spokesperson said in a statement. "The DPC recognized that Facebook's success rests in part from our constant evolution and innovation. We appreciate that the DPC acknowledges that the pace at which we offer new products and features requires continual dialogue with regulators to ensure that adequate protections are in place."

Hawkes announced his plans to conduct a review of Facebook's activities almost three months ago. At the time, he said it would likely be the most detailed, challenging, and intensive audit ever undertaken by his office, and vowed to publish his findings by the end of the year. Now that he's delivered, let's take a look at what his office found.

Given that Facebook was found within the law, it's not surprising the report highlighted a number of the social network's strengths and best practices. Here is what Facebook listed from the report:

  • Security Protection: The DPC commended Facebook on its ongoing focus on the protection and security of user data. It acknowledged that Facebook makes "innovative use of cookies to identify unusual or suspicious activity" on an account.
  • Importance of Real Name Authenticity: The DPC recognized that Facebook's real name policy is a valid and justified reason for refusing to allow pseudonyms on its service. It recognized that this policy has substantial benefits in protecting the people who use Facebook.
  • No Profiling based on "Tracking": The DPC conducted a thorough analysis of Facebook's use of social plugins and determined that no information collected is associated with users or non-users or is used in any way to build a profile of the user or non-user. The DPC confirmed: "…while certain data which could be used to build what we have seen termed as a 'shadow profile' of a non-user was received by Facebook, no actual use of this nature was made of such data" and "neither is there any profile formed of non-users which could be attributed to a person on becoming a user." The DPC also stated that Facebook is now taking active steps to delete any such information very quickly after it is received.
  • User control: The DPC recognized the effectiveness of Facebook's existing efforts to respond to subject access requests made by people using its service. Facebook agreed with the DPC on a process for offering more comprehensive access through the Download Your Info tool, Timeline, and Activity Log. The report also found that Facebook already offers people effective controls to delete their personal data, and it proposes several enhancements.

All that being said, the DPC did criticize Facebook's introduction of Tag Suggest, a popular tool that makes tagging large numbers of images quick and easy, saying it could have been launched in a more transparent fashion. On the other hand, the DPC did not find that the launch of Tag Suggest breached Irish data protection law, and it confirmed that the function that deletes the user's facial profile is invoked when the user disables tag suggestions. Still, the DPC did recommend that Facebook take a "best practice" approach in this area and display additional notifications to users in Europe, to help them learn more about the feature. Both the Irish DPC and Facebook agree that this approach will increase transparency for people using the product while enabling Facebook to continue to meet its obligations under the relevant data protection law.

Furthermore, the DPC made three big conclusions:

  • Advertising: The DPC carefully examined Facebook's advertising practices and policies, specifically the extent to which the company uses users' personal data to target advertising at them, and concluded that "the targeting of advertisements based on interests disclosed by users in the 'profile' information they provide on FB is legitimate."
  • Third Party Apps: Facebook has controls in place to protect user information from being improperly available to developers offering apps on Facebook Platform. The DPC "verified that it was not possible for an application to access personal data over and above that to which an individual gives their consent or enabled by the relevant settings."
  • Friend Finder feature: The Friend Finder feature, as well as the inclusion of people a non-user may know in e-mail invitations sent by users, has been previously examined closely by other data protection and privacy authorities and Facebook has already implemented several improvements. Facebook says it provides clear notice about how the e-mail address will be used and notifies all non-users who get the e-mail how they can opt-out or unsubscribe. The DPC confirmed Facebook's practice was compliant, as well as verified that the e-mail addresses of non-users who have opted-out from further contact are not available for any further use.

"We work on a daily basis with regulators around the world, and we appreciate the investment of time and effort by the DPC and its leadership to improve the experience of Facebook users," a Facebook spokesperson said in a statement. "In particular, we would like to thank Commissioner Billy Hawkes and Deputy Commissioner Gary Davis and their team. As a result of their work, we are better able to give people the ability to connect and share and make the world more open. We have benefited from the open, honest and cooperative relationship and look forward to continue working together."

The DPC's office decided to investigate the social networking giant after an Austrian group called Europe versus Facebook filed 22 complaints about the social network's practices. The group even managed, unintentionally, to get Reddit involved: its users recently overwhelmed Facebook with data requests. Here are all the complaints:

  1. Pokes are kept even after the user "removes" them.
  2. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
  3. Tags are used without the specific consent of the user. Users have to "untag" themselves (opt-out). Note: Facebook has announced changes for this.
  4. Facebook is gathering personal data e.g. via its iPhone-App or the "friend finder". This data is used by Facebook without the consent of the data subjects.
  5. Postings that have been deleted showed up in the set of data that was received from Facebook.
  6. Users cannot see the settings under which content they post on others' pages is distributed.
  7. Messages (incl. Chat-Messages) are stored by Facebook even after the user "deleted" them. This means that all direct communication on Facebook can never be deleted.
  8. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. Facebook tried improving it earlier this year.
  9. The new face recognition feature is a disproportionate violation of the users' right to privacy. Proper information and an unambiguous consent of the users is missing.
  10. Access Requests have not been answered fully. Many categories of information are missing.
  11. Tags that were "removed" by the user are only deactivated but still saved by Facebook.
  12. In its terms, Facebook says that it does not guarantee any level of data security.
  13. Applications of "friends" can access data of the user. There is no guarantee that these applications are following European privacy standards.
  14. All removed friends are stored by Facebook. This was reconfirmed recently.
  15. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal "excessive processing".
  16. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.
  17. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.
  18. Facebook has certain obligations as a provider of a "cloud service" (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).
  19. The privacy settings only regulate who can see the link to a picture. The picture itself is "public" on the internet. This makes it easy to circumvent the settings.
  20. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).
  21. Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person.
  22. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.

When this saga first started, some thought Facebook could end up being forced to move its operations away from Ireland. I said at the time that was very unlikely, since the company chose Dublin for the tax incentives: approximately 2 percent tax in Dublin instead of 35 percent tax in the US, Max Schrems of Europe versus Facebook told me. Those are numbers that Facebook was willing to fight for, and it won.
