Irish eyes (and those of the rest of the European Union) are finally smiling on Facebook, as Ireland’s Office of the Data Protection Commissioner announced that “the great majority” of the privacy recommendations it made to the social network to keep it in compliance with those of the EU have been “fully implemented to the satisfaction of this office.” The major concession by Facebook: Its tag suggest feature, which enabled facial recognition for Facebook photos, has been turned off for all new users in the EU, with existing users to lose access to the feature by Oct. 15.
Facebook’s European headquarters are in Dublin, Ireland, which explains why that country’s Office of the Data Protection Commissioner has been at the forefront of the EU’s dealings with the social network.
The agency conducted a detailed three-month audit of Facebook’s privacy policies in the region in late 2011, releasing the results in December, along with a long list of policy changes agreed to by the social network.
According to TechCrunch, Ireland’s Office of the Data Protection Commissioner announced that Facebook satisfied most of its commitments in these areas:
- Better transparency in alerting users to how their data are handled.
- User control over settings.
- More clarity on the social network’s retention periods for deletion of personal data, with users gaining more control over deleting data.
- Improved access to personal data for users.
- Better tracking by Facebook of how it is complying with data-protection requirements.
The DPC said Facebook’s determination as to whether or not it uses data collected from social plugins and applications for targeted advertising was “unchanged,” and it expects these issues to be clarified in the next four weeks:
- How Facebook clarifies to users of its Android app that when data synching is disabled, data that had been synched in the past is not deleted.
- How the social network complies with new regulations.
The DPC said in the executive summary of its report:
As with the main audit, Facebook Ireland cooperated with the review process, while vigorously defending its point of view, particularly where our recommendations, or the views of other data-protection agencies, challenged the general philosophy of the company. This was true, for example, in relation to the company’s insistence on maintaining its requirement that users use their real names on the network.
It is clear that this review is no more than an assessment at this point in time of Facebook Ireland’s compliance with its data-protection obligations to its users. As indicated above, new developments in terms of services to users and use of their data for advertising purposes will continue to throw up challenges to Facebook Ireland’s strengthened in-house compliance function. It will also involve continued detailed involvement of our office’s oversight role, including responding to issues raised by other DPAs and by the many data subjects for whom Facebook Ireland is the data controller.
Billy Hawkes, head of the DPC, said in a statement, as reported by TechCrunch:
I am particularly encouraged in relation to the approach (Facebook) has decided to adopt on the tag suggest/facial-recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice.
And Facebook responded to the DPC announcement with the following statement:
As our regulator in Europe, the Irish Office of the Data Protection Commissioner is constantly working with us to ensure that we keep improving on the high standards of control that we have built into our existing tools.
This audit is part of an ongoing process of oversight, and we are pleased that, as the Data Protection Commissioner said, the latest announcement is confirmation that we are not only compliant with European data protection law, but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance.
Readers: How would you assess Facebook’s efforts to comply with EU data-protection requirements?