Ireland’s Data Protection Commissioner has today announced the results of its investigation into Facebook’s data protection policies, and among other findings has announced that it is satisfied that Facebook is not building ‘Shadow Profiles’ of data about people who are not logged in to Facebook. Facebook has agreed to a number of changes related to privacy, however.
In October, Ireland’s Office of the Data Protection Commissioner said that it was to audit Facebook’s International HQ in Dublin in relation to complaints over the social network keeping copies of supposedly ‘deleted’ data. Additionally, the Europe vs Facebook campaign, claimed that Facebook was building up detailed profiles of non-members.
Austrian citizen Max Schrems drew attention to this practice keeping deleted data after requesting a copy of all the information Facebook held about him – something Facebook is legally obliged to comply with in the European Union. You can see how much data was revealed in this video.
On a conference call, currently underway, the Irish authority says that it is satisfied that there are no ‘shadow profiles’. It also said that its audit of Facebook’s data protection compliance was planned before Europe vs Facebook made its allegations.
In a blog post today, Facebook says that “We are pleased that following three months of rigorous examination, the DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.”
The report broadly finds Facebook to comply with Irish law, however there are a number of recommendations related to how it handles the following features: Tag Suggest; Advertising; Third Party Apps, and Friend Finder. Tag Suggest, the controversial face recognition service for auto-tagging photos, was found to comply with Irish law, even if it could have been launched in a more transparent way.
As a result of the investigation, Facebook has agreed to the following changes:
- To offer additional notifications to European users about Facebook’s photo Tag Suggest feature so that they can decide whether or not to use this feature to help people tag them in photos.
- To change a number of its policies related to retention and deletion of data including how data is logged when people access websites with social plugins to minimise the amount of information collected about people who are not logged in to Facebook.
- To work with the DPC to improve the information that people using Facebook are given about how to control their information both on Facebook and when using applications.
The full list of recommendations from the Irish authority are:
- a mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to Third Party Apps
- transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site
- the deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently
- increased transparency and controls for the use of personal data for advertising purposes
- an additional form of notification for users in relation to facial recognition/”tag suggest” that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective
- an enhanced ability for users to control tagging and posting on other user profiles
- an enhanced ability for users to control whether their addition to Groups by friends
- the Compliance management/Governance function in Dublin which will be further improved and enhanced to ensure that the introduction of new products or new uses of user data take full account of Irish data protection law.
Facebook has agreed to complete all its changes by July 2012. It plans to make many of these changes on a worldwide basis, except where they apply to legislation specific to Ireland.
The full report published today is supposed to be available here, however, if is currently not loading properly for us.
In November, it was ruled in the United States that Facebook would face 20 years of privacy audits from the Federal Trade Commission due to what CEO Mark Zuckerberg admitted were “mistakes” in its handling of privacy issues.