Facebook and the Office of the Irish Data Protection Commissioner publicly released the results of a detailed three-month audit of the social network’s privacy policies in the European Union region, but what steps did the social network agree to implement?

Facebook’s European headquarters are in Dublin, Ireland, which explains why the authorities over there get to dictate the social network’s entire plan for the continent.

That said, here are the policy changes Facebook promised to make, grouped by the dates set as delivery goals.

Immediately

  1. Facebook is taking steps to limit data collection from social plug-ins, restricting access to such data, and moving to delete such data according to a retention schedule.
  2. Facebook will retain ad-click data for two years, and a review will occur in July 2010 to determine if further reductions in the retention period are necessary.
  3. Within 10 days of receiving data via social plug-ins, Facebook will remove the last octet of the IP address from social plug-in impression logs and delete browser cookies set when users visit Facebook. The social network will also: delete the data it receives and records through social plug-in impressions within 90 days; make all search data anonymous within six months; do the same for all ad-click data within two years; and significantly shorten the retention period for log-in information.
  4. Impression data received from social plug-ins will become anonymous within 10 days for logged-out users and non-users and deleted within 90 days. For logged-in users, those data will be aggregated or become anonymous within 90 days.
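
The schedule in items 3 and 4, sketched as a log-retention pass. This is an added example, not Facebook's code: the record fields, the IPv6 /48 mask, and the sample entries are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

ANONYMIZE_AFTER = timedelta(days=10)            # logged-out users and non-users
DELETE_AFTER = timedelta(days=90)               # logged-out users and non-users
LOGGED_IN_ANONYMIZE_AFTER = timedelta(days=90)  # logged-in users


def truncate_ip(ip):
    """Zero the last octet of an IPv4 address, i.e. keep only the /24.
    Assumption: IPv6 is masked to /48; the article only speaks of octets."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def apply_retention(records, now):
    """Return the impression records that may be kept at `now`, anonymized
    where the schedule requires it. Safe to run repeatedly."""
    kept = []
    for rec in records:
        age = now - rec["ts"]
        if not rec["logged_in"] and age >= DELETE_AFTER:
            continue  # logged-out / non-user data: deleted within 90 days
        limit = LOGGED_IN_ANONYMIZE_AFTER if rec["logged_in"] else ANONYMIZE_AFTER
        if age >= limit:
            # Strip every field that ties the impression to a person or browser.
            rec = dict(rec, ip=truncate_ip(rec["ip"]), cookie_id=None, user_id=None)
        kept.append(rec)
    return kept


def _rec(days_old, ip, cookie_id, user_id):
    return {"ts": NOW - timedelta(days=days_old), "ip": ip, "cookie_id": cookie_id,
            "user_id": user_id, "logged_in": user_id is not None}


# Constructed sample impressions (documentation-range addresses, made-up ids).
NOW = datetime(2012, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    _rec(2, "203.0.113.77", "c-001", None),          # fresh: kept as is
    _rec(12, "198.51.100.23", "c-002", None),        # past 10 days: anonymized
    _rec(95, "192.0.2.10", "c-003", None),           # past 90 days: deleted
    _rec(30, "192.0.2.200", "c-004", 42),            # logged in, under 90 days
    _rec(91, "2001:db8:1234:5678::1", "c-005", 43),  # logged in, past 90 days
]

if __name__ == "__main__":
    for r in apply_retention(SAMPLE, NOW):
        print(r["ts"].date(), r["ip"], r["cookie_id"], r["user_id"])
```

Truncating to a /24 still leaves up to 256 candidate addresses per record, so the cookie and user identifiers have to be dropped in the same pass for the record to stop pointing at one browser.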

January, 2012

  1. Facebook will provide identifiable personal data about users or nonusers upon access requests within 40 days, and it committed to grant users easy and effective access to their personal information. Data will be added to tools including users’ profiles, activity logs, and download tools beginning in January.
  2. Facebook agreed to strengthen its single point-of-contact arrangements with law-enforcement authorities that request user data by mandating that all such requests be approved by a designated officer of a senior rank and recording that approval in the request. It will also require that the section of the standard form for such requests that asks why the requested user data is sought be fully completed, and it will re-examine its privacy policy to ensure consistency. The process will begin in January and be reviewed in July.
  3. Facebook will provide an additional form of notification for its tag suggest feature, appearing atop the page when users log in, which will disappear once users interact with it, or appear a total of three times for users who do not interact with it. More detail will be offered on how the tag suggest feature works, and this information will also be shown if users adjust their settings. The social network will also discuss any plans to extend tag suggestions beyond confirmed friends with the DPC before implementing any such changes.
  4. The authorization token granted to applications can be transferred between apps to allow second apps to access information not granted by users. Facebook will provide more messaging to developers highlighting its policy regarding sharing of authorization tokens, and it will investigate technical solutions to reduce risk of abuse. Notifications to app developers will be completed by the end of January, with an assessment of the issue and a solution by the end of the first quarter.
  5. Facebook will integrate user password resets by employees into its monitoring tools.

February, 2012

  1. Facebook will move the links to its data-use policy and other policy documents, as well as the help center, to the left side of the user’s homepage.
  2. Facebook recently changed its granular data permissions dialog box for applications to enable users to fully understand the permissions they are granting to third-party apps, and it’s expected to become fully available on all apps by February, with a further assessment in July.
  3. Facebook will further educate users on the importance of reading app privacy policies and will increase the size of the “report app” link in the dialog box.

First Quarter Of 2012

  1. Facebook will begin phasing in the ability for users to delete friend requests, pokes, tags, posts, and messages on a per-item basis, with the hopes of showing demonstrable progress by its review in July.
  2. Facebook will move the option to exercise control over social ads to users’ privacy settings from account settings, in order to improve accessibility and knowledge of the ability to block or control ads users do not wish to see again.
  3. Facebook will provide users with information on what happens to deleted or removed content, such as friend requests received, pokes, removed groups, and tags.
  4. Facebook will work with the DPC to simplify explanations of its data-use policy, identify a mechanism for users to choose how their personal data are used, and provide easier accessibility and prominence of these policies during and subsequent to registration, including the use of test-groups of users and non-users.
  5. Facebook will clarify its data-use policy to ensure full transparency.
  6. Facebook will provide additional information on how log-in activity from different browsers across different machines and devices is recorded in its revised data-use policy.
  7. Facebook agreed that it will no longer be possible for a user to be recorded as a member of a group without that user’s consent. Users will not be recorded as members until they accept invitations, and they will be able to easily leave groups.
  8. Facebook will work toward reviewing alternatives to mobile transmission of user data, as well as educating users about the fact that their details are transmitted in plain text when they synch their contact information from mobile devices.
  9. Even though it should be obvious to users that their synchronized data still exists after synching is disabled, Facebook will add text to that effect.
  10. Facebook immediately geo-blocked the major European Union domains so that messages from pages could not be sent to the vast majority of the social network’s EU users and nonusers, and will further refine information and warnings for businesses using the ability to upload up to 5,000 contact email addresses for page contact purposes.
  11. Facebook will add information to its policy clarifying that it acts as a data controller and information generated by use of Facebook Credits is linked to users’ accounts. The social network will also launch a privacy policy for its payments systems in approximately six months.

Second Quarter Of 2012

  1. When a friend of a user who installs an application has chosen to restrict what apps can access about them, apps cannot override this selection, but Facebook will examine alternative placements for app privacy controls to more easily enable users to make informed choices about what apps installed by friends can access personal data about them, and it will report back prior to July.
  2. Facebook will review the broader implications of a recommendation by the DPC that members be allowed to prevent tagging of themselves once they fully understand the potential loss of control and prior notification that comes with it.
  3. Facebook will review the broader implications of a recommendation by the DPC that it add functionality to inform users how broad an audience will be able to view their posts, and to notify them if profile settings are changed to make that post available to a greater audience.

July, 2012

  1. Facebook will work with the DPC to establish an acceptable retention period for data held in relation to inactive or deactivated accounts.
  2. Facebook will assess changes it has already implemented to its granular data permissions dialog box to enable users to choose who can see when they activate and use an app.
  3. Facebook is examining the technical feasibility of deploying a tool to check whether privacy policy links are live, and it will provide an update in July.
  4. Facebook will further refine its auditing and automated tools to monitor and take action against applications that breach platform policies, such as accessing user information other than where the user has granted an appropriate permission, and there will be a progress review in July.
  5. Facebook will continue to document policies and procedures in order to maintain consistency in security practices, and newly documented policies and procedures will be reviewed in July.
  6. Facebook is implementing a new access-provisioning tool that will allow more fine-grained control of employee access to user data, and it will thoroughly review the application and usage of the new token-based tool in July.
  7. Facebook is working toward meeting the DPC’s objective that it irrevocably delete user accounts and data upon request within 40 days of receipt of the request, and it will review its progress in July.
  8. Facebook will take additional measures during the first half of 2012 to ensure that new products or uses of user data take full account of Irish data protection law, and it will have the procedures, practices, and capacity to comprehensively meet its obligations in this area in place by July.

To Be Determined

Facebook will meet with the DPC in advance of any plans to provide individuals’ profile pictures and names to third parties for advertising purposes, and users would have to provide their consent.
