Facebook – The Irish Data Protection Commissioner’s Audit
September 2012
The Irish Data Protection Commissioner has just published its Report of Re-Audit in relation to the data management practices of Facebook Ireland Limited (“FB-I”). The report was a follow-on from the Report of Audit of FB-I published by the Commissioner in December 2011. Both reports build on the work already carried out by the American, Canadian and German data protection regulators.
Report of Audit
The audit was carried out between October and December 2011 pursuant to the Irish Data Protection Act, 1988 (as amended) (the “Act”). FB-I is the company responsible for most of the Facebook group’s social networking activities with consumers outside of North America. The Commissioner reviewed in some detail the compliance with the Act of various features on Facebook’s website, including facial recognition technology for the “tagging” of individuals, the use of social plug-ins (Facebook’s “Like” button), the “Friend Finder” feature and the third party applications (“apps”) operating on the Facebook platform. The audit focused on two key areas.
Firstly, the extent to which Facebook provides users with appropriate controls over the sharing of content with other users and information on the use of such controls. The “tagging” feature was of concern to the Commissioner. Secondly, it examined the extent to which FB-I uses personal data to target advertising to its users. The Facebook business model is based on a service which is free to users and which is used by Facebook to charge advertisers a fee to deliver advertisements to users targeted on interests disclosed by users including in the “profile” information provided by them. This is the “deal” which the user agrees to when he signs up to Facebook and accepts the Data Use Policy. The critical question was: is the “deal” in compliance with the obligations of fair data collection and processing under the Act?
While the Commissioner acknowledged that the ultimate determination of this question could only be finally decided by the Irish Courts, the decision of the Commissioner was that the “deal” is in principle in compliance with the Act and therefore with the underlying EU data protection legislation. Moreover, targeting advertising on the interests disclosed in the “profile” section was legitimate. In addition, information provided by users via the “Like” button could legally be used by Facebook as part of the deal. However, the Commissioner reviewed many of the Facebook features and data practices in great technical detail and provided in the Report a list of “best practice” recommendations for amendments to these. Compliance with the recommendations was monitored by the Commissioner formally on-site in Facebook’s European HQ in Dublin in May and July 2012.
Report of Re-Audit
In September 2012 the Commissioner published the Report of Re-Audit. The Report found that most of the recommendations had been fully implemented to the satisfaction of the Commissioner. Some of the points which emerged from the review of the Facebook site can be summarised as follows:
Privacy and Data Use Policy
- The Privacy Policy wording had to be made more user-friendly and the Policy itself more accessible.
- The links to the Privacy Policy had been made more user-friendly by being more prominent and better physically aligned on the page in the signing up process.
Advertising
- The restrictions on the extent to which user generated personal data could be used for targeted advertising were reviewed and found acceptable and satisfactorily transparent to users;
- FB-I confirmed it would not use data collected from social plug-ins for the purpose of targeted advertising;
- The option to exercise control over “social ads” was moved to the Privacy settings from the “Accounts” settings which was acceptable;
- FB-I undertook to ensure that targeted advertising using “sensitive personal data” would be prevented.
Retention of Data
- Users should be provided with an ability to delete Friend requests received, pokes, tags, posts and messages and be able to delete, where reasonably possible, on a per-item basis. FB-I was however given an extension in arranging for the deletion of images.
- The procedure relating to data entered by users as part of an incomplete registration was changed to prevent that data being retained;
- Data held in relation to deactivated or inactive accounts must be subject to a clear retention policy. Facebook is to contact account holders who have deactivated their accounts or are inactive. In nearly all cases such data would have to be deleted after 6 months.
- The Data Use Policy was amended to explain clearly that login activity of users from different browsers across different machines and devices is recorded;
- Personal data must generally be deleted when the purpose for which it was collected has been completed. The practice was acceptable other than in the case of “Social Plug-In” impression data, which is subject to further review.
Cookies/Social Plug Ins
- Data collected from social plug-ins is only to be held for a very short period and for a limited purpose.
Third Party Apps
- It must be easier for users to understand that their activation and use of an app will be visible to their friends as a default setting.
Facial Recognition/Tag Suggest
- FB-I had agreed that the “tag suggest”/facial recognition feature had already been amended and that templates for EU users would be deleted by October 2012, pending agreement with the Commissioner on the most appropriate means of collecting user consent.
- An additional notification to users for Tag Suggest would be provided at the top of the page whenever the user logs in.
Deletion of Accounts
- User accounts and data of users generally must be irrevocably deleted within 40 days of the receipt of the request from a user. FB-I needed additional time to comply with this due to technical constraints.
Conclusion
In summary, the Commissioner has deployed significant resources and demonstrated considerable technical expertise in its audit of Facebook Ireland. In all material areas Facebook Ireland is, in the view of the Commissioner, in compliance with Irish data processing law or has undertaken to so comply in the near future. The Report’s recommendations are a reasonably comprehensive and clear guide to best practice in relation to data privacy and data security in the social networking area, based on current technology. The Report should be considered carefully by all in the social networking and the broader data processing sectors.
For more information contact Brendan Ringrose or your usual Whitney Moore contact.