THE STATE’S data protection watchdog has given social networking site Facebook four weeks to fully comply with its recommendations on improving user privacy, or it will face enforcement action.
The company still has work to do on a “small number” of issues, the Data Protection Commissioner said, and EU regulators would continue to watch the firm closely.
The commissioner said it was satisfied the dominant internet firm had already implemented many of the best practice recommendations regulators made following an audit last year.
Facebook Ireland is responsible for users of the site outside the US and as a result the State’s Data Protection Commissioner is responsible for ensuring the company complies with EU and Irish law.
The commissioner said the company had made satisfactory progress on a number of issues, including giving users access to data they placed on the site, the deletion of such data from Facebook when it was no longer required, and the adequate resourcing of compliance functions in Ireland.
A key change was the appointment of senior executives in Facebook’s Dublin office who could make decisions on data protection.
“We had a particular focus on making sure Facebook Ireland users knew exactly how the personal data they were placing on the site was being used and to give them greater control over who could see their information,” commissioner Billy Hawkes said. “On a small number of issues, we’re not satisfied with the degree of progress. We’ve given Facebook Ireland four weeks to come up with satisfactory solutions.”
Outstanding issues include better education for existing users and avoiding using sensitive data to target online advertising at users.
The company could face fines of up to €100,000 if it fails to meet the deadline.
Facebook’s Richard Allan said the company was confident it would be able to satisfy watchdogs, and was generally pleased with the report’s findings. “It’s a small number in the context of what we’ve implemented,” he said.
Mr Hawkes said in some cases the site had gone further than his office had requested, particularly with the controversial facial recognition feature the site implemented in recent months, which suggested the identity of people in photographs uploaded to the site.
Mr Allan said the feature was for user convenience, and not a commercial element of the site. Facebook has turned it off for European users and agreed to delete data generated by this tag feature by October 15th. If it plans to reintroduce it at a later date, it will discuss the matter with regulators.
The commissioner's report was criticised by lobby group Europe-v-facebook.org, which said privacy laws had been waived for the tech giant. The student group has 22 complaints against Facebook that it says it will get a decision on later in the year.
“At the same time this is just a non-binding report,” spokesman Max Schrems said in a statement. “The decision on our complaints is still to be decided.”
Deputy commissioner Gary Davis, who led the review and the original audit, said there had been “frank discussions” at times between Facebook Ireland and the regulator’s office, and indicated he was satisfied that it had done its job. “To my mind, it’s a sign of strength rather than weakness that we can get the job done without having to resort to the final issuance of an enforcement notice where it has to go before the courts,” he said.
COMPLIANCE WITH EU LAW
What’s been done
* For EU-based users, Facebook has disabled its tag suggestion feature for photographs. It will delete data generated by this by October 15th
* Users can now see what data Facebook holds on them more easily
* Data can be deleted by users from profiles more easily
* Data collected by Facebook is not retained after the purpose for which it is collected has ended
What’s left to do
* Changing use of data considered sensitive under European law to target ads at users
* Better education for existing users