Facebook often makes a point of reminding the press and public that its privacy measures and data protection compliance in Europe are regulated by the Irish Data Protection Commissioner (IDPC). But how thorough is that organization?
You won’t get a clear idea from the IDPC’s annual report, which has just been released. It dedicates a mere 78 words to its discussions with the social network:
Continuing engagement with Facebook Ireland prior to the introduction of new features, alterations to existing features, privacy settings and controls for individuals, advertising functions, and the recent launch of its new “Terms and Conditions” in January 2015.
This included legal and technical examinations of the ‘user facing’ elements of Facebook’s offering, and the organisational and technical processing that goes on behind the scenes. In addition, a substantial on-site review of audit recommendations took place in mid-2014.
What did that “substantial on-site review” entail? The document doesn’t give any further details. I’ve emailed the IDPC and will update this post if it provides any.
Update: The IDPC says “a number of aspects of Facebook services remain under examination by the office.” When I asked for clarification on what that entails, it told me they include “sharing data within the Facebook family of companies, cookies and social plug ins.”
Facebook’s privacy measures and its use of data are hot topics, so it is somewhat unsettling that the regulator best placed to investigate its European activities isn’t more transparent.
Other tech companies highlighted in the report include Apple (which has been consulting with the regulator about its forthcoming ‘Streetview-style’ maps product), Microsoft (which is mentioned once in regard to terms and conditions) and LinkedIn (which received a privacy audit).
Incidentally, when I contacted the IDPC earlier this year, following an update to Facebook’s terms and conditions, it told me its last full audit of the company took place in December 2011, followed by a review in September 2012, and that there were no upcoming plans to repeat the exercise.
➤ Annual Reports [Irish Data Protection Commissioner]