Facebook plans to change how it retains data and revamp some privacy controls following the release Wednesday of a critical audit from Ireland’s data protection authority.
Ireland’s Data Protection Commissioner, Billy Hawkes, said if Facebook follows therecommendations, it is unlikely that the social-networking site wouldbe found in violation of Irish data protection laws, which are based onEuropean Union laws.
The agency had more than a dozen recommendations for how Facebook canimprove privacy protections anddata-handling practices.
Facebook has agreed to the recommendations, and a review on thecompany’s progress is scheduled for next July. Facebook said it wouldmake the changes even in instances where it believes existing practicesare in legal compliance.
“Meeting these commitments will require intense work over thenext six months,” Facebook said in a statement published on its blog.
Facebook said some of the changes will be implemented worldwide, whileothers will only be visible to European users or to users in areas withlocal laws that the company is seeking to comply. Facebook Irelandoperations have a contractual obligation only to users outside the U.S.and Canada.
Last month, Facebook agreed to implement a comprehensive privacyprogram after the U.S. Federal Trade Commission found it made deceptive claimsover how it shared people’s personal data.
Can regulators keep up with Facebookchanges?
Whether the extensive Irish audit forces Facebook to implementbetterprivacy practices in the long term will depend on whether the companymakes the changes in “spirit rather than just in the letter,” saidKathryn Wynn, a data protection expert with the law firm Pinsent Masons.
“Regulators will find it difficult to keep up with the innovativenature of Facebook developments, so it is possible that Facebook coulduse technological workarounds in order to overcome changes the ODPC[Office of the Data Protection Commissioner] has called for,” she said.
The Irish audit covers many of the issues raised in more than 180complaints on data retention and disclosure filed with the DPC,although those complaints did not specifically trigger the audit. Theresults of the audit will be communicated to the complainants, Hawkessaid.
Twenty-two of those complaints were filed Europev. Facebook, a group run by Max Schrems, a law student at theUniversity of Vienna. The group contends — among many other complaints– that Facebook does not disclose all of the data it holds on users onrequest, which it and other data controllers are required to do underE.U. law.
As part of the audit, Facebook has agreed to add new user data to the download tool it provides to let users see the data it holds. The download tool, however, at present downloads information from a person’s profile.
Facebook’s new timeline feature combined withother data such as a user’s activity log will “present a morecomprehensive set of access controls” for users to see their data thanother comparable services, said Richard Allan, Facebook’s director ofpolicy for Europe.
Controversy over ‘Like’ button
Facebook has also agreed to changes around the use of its “Like,” button, a widely usedsocial plug-in used to share content from external websites on Facebookprofiles.
Much controversy has surrounded what data the Like button collects andhow it is used. The button collects IP addresses for users who are noteven members of Facebook, reporting the key identifier back to thecompany. It will also do that for people who are Facebook members butare logged out of the service.
As a result of the audit, Facebook said it will now remove the lastoctet of an IP addresses it logs from a social plug-in within 10 days.For all users, whether logged in or logged out or not even a member,Facebook said it will delete its logs collected by a social plug-inafter 90 days.
Ireland’s DPC found that Facebook does not use information collected bythe Like button for targeted advertising.
Facial recognition featurecriticized
The DPC did rebuke Facebook over its facial recognition feature, whichstores biometric information on users’ faces in order to enable anautomatic photo tagging feature.
The DPC said Facebook “should have handled the implementation of thisfeature in a more appropriate manner.” Facebook has agreed to quicklychange how it is presented by the end of the first week in January.Facebook will notify users a total of three times about the feature.
“We think that’s a very reasonable approach by Facebook on that issue,”said Gary Davis, deputy data protection commissioner for Ireland,during a conference call.
The DPC said it confirmed that if a person that does not want to usethe feature — called “tag suggestions” — their facial profile datawill be deleted.
Thecomplete report is available on the DPC website.