The outcomes of an investigation by the Irish data protection authority into Facebook will bring major changes to the social network’s global privacy settings. The three month audit covered almost every aspect of Facebook’s data management and privacy settings, including facial recognition, tagging, deleted account, and advertising.
Credit: Facebook
Because Facebook Ireland manages the privacy settings for users outside of the US and Canada the results of the investigation with be seen internationally. Below we present the outcomes from the report, including the DPC’s findings, Facebook’s response, and the time required for a resolution (download the original Data Protection Commissioner’s report here as a PDF for even more information). Read the DPC’s announcement of the report on their website.
Use the links below to see just what the outcomes of the investigation are, and how they will change Facebook for you.
- Complexity & accessibility of user controls
- Advertising use of user data
- Access Requests
- Retention of data
- Cookies/Social Plug-Ins
- Third Party Apps
- Facial Recognition/Tag Suggest
- Security
- Deletion of Accounts
- Friend Finder
- Tagging
- Posting on Other Profiles
- Abuse Reporting
- Compliance Management/ Governance
Complexity & accessibility of user controls
| Complexity & accessibility of user controls | |
Facebook Ireland must work towards:
|
|
| Facebook Ireland Response | Facebook Ireland will work with the Office to achieve the objectives of simpler explanations of its Data Use Policy, identify a mechanism to provide users with a basis to exercise meaningful choice over how their personal data is used, easier accessibility and prominence of these policies during and subsequent to registration, including making use of test-groups of users and non-users as appropriate. |
| Target Implementation Date | End Q1 2012 and routinely thereafter |
Advertising use of user data
| Advertising use of user data | |
| There are limits to the extent to which user-generated personal data can be used for targeted advertising. Facebook must be transparent with users as to how they are targeted by advertisers | |
| Facebook Ireland Response | Facebook Ireland will clarify its data use policy to ensure full transparency. |
| Target Implementation Date | By the end of Q1 2012 |
| Advertising use of user data | |
| The current policy of retaining ad-click data indefinitely is unacceptable. | |
| Facebook Ireland Response | Facebook Ireland will move immediately to a 2-year retention period which will be kept under review with a view to further reduction. |
| Target Implementation Date | Review in July 2012 |
Access Requests
| Access Requests | |
| If identifiable personal data is held in relation to a user or non-user, it must be provided in response to an access request within 40 days, in the absence of a statutory exemption | |
| Facebook Ireland Response | Facebook Ireland will fully comply with the right of access to personal data, as outlined in the schedule contained within the Access Section of the Report. It has additionally committed to a key transparency principle that users are entitled to have easy and effective access to their personal information. |
| Target Implementation Date | In line with the schedule in relation to availability from the user’s profile, their activity log and the download tool. Data will be added to the various tools in phases, beginning in January 2012. |
Retention of data
| Retention of data | |
| The information provided to users in relation to what happens to deleted or removed content, such as friend requests received, pokes, removed groups and tags, and deleted posts and messages should be improved. | |
| Facebook Ireland Response | Facebook Ireland will comply with this recommendation in an updated Data use Policy. |
| Target Implementation Date | By the end of Q1 2012. |
| Retention of data | |
| Personal data collected must be deleted when the purpose for which it was collected has ceased | |
| Facebook Ireland Response | Facebook Ireland will comply with requirements in relation to retention where the company no longer has a need for the data in relation to the purposes for which it was provided or received. Specifically it will:
|
| Target Implementation Date | Immediate and ongoing, subject to any legal holds placed on the data by civil litigation or law enforcement. The continuing justification for these periods will be kept under continuous assessment and will be specifically re-assessed in our July 2012 review. |
| Retention of data | |
| Data held in relation to inactive or de-activated accounts must be subject to a retention policy | |
| Facebook Ireland Response | Facebook Ireland will work with this Office to identify an acceptable retention period |
| Target Implementation Date | July 2012. |
Cookies/Social Plug-Ins
| Cookies/Social Plug-Ins | |
| It is not appropriate for Facebook to hold data collected from social plug-ins other than for a very short period and for very limited purposes | |
| Facebook Ireland Response | Impression data received from social plugins will be anonymised within 10 days for logged-out and non-users and deleted within 90 days, and for logged-in users, the data will be aggregated and/or anonymised in 90 days. |
| Target Implementation Date | Immediately and to be verified by this Office subject to any legal holds placed on the data by civil litigation |
Third Party Apps
| Third Party Apps | |
| It must be made easier for users to understand that their activation and use of an app will be visible to their friends as a default setting | |
| Facebook Ireland Response | Facebook Ireland has recently changed its granular data permissions dialog box for apps where users can choose the audience (“audience selector”) for their app activity directly in the dialog box. |
| Target Implementation Date | Assessed again in July 2012 |
| Third Party Apps | |
| We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data. We do note however the proactive monitoring and action against apps which breach platform policies.However, this is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect Facebook Ireland to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission. | |
| Facebook Ireland Response | Facebook Ireland has proactive auditing and automated tools designed not just to detect abuse by developers, but to prevent it in the first place and the findings of the audit will be used to further refine the tools. |
| Target Implementation Date | Progress review in July 2012. |
Facial Recognition/Tag Suggest
| Facial Recognition/Tag Suggest | |
| Facebook Ireland should have handled the implementation of this feature in a more appropriate manner and we recommended that it take additional steps from a best practice perspective to ensure the consent collected from users for this feature can be relied upon | |
| Facebook Ireland Response | Facebook Ireland will provide an additional form of notification for Tag Suggest. It will appear at the top of the page when a user logs in. If the user interacts with it by selecting either option presented then it will disappear for the user.If the user does not interact with it then it will appear twice more for a total of 3 displays on the next successive log-ins. Before making a selection more detail about how the feature works will appear behind a Learn More link and will also be shown if a user clicks Adjust Your Settings.Facebook Ireland will discuss with this Office any plans to extend tag suggest to allow suggestions beyond confirmed Friends in advance of doing so. |
| Target Implementation Date | First week January 2012 at the latest |
Security
| Security | |
| Many policies and procedures that are in operation are not formally documented. This should be remedied. | |
| Facebook Ireland Response | Facebook Ireland will continue to document policies and procedures as required to maintain consistency in security practices. |
| Target Implementation Date | Newly documented policies and procedures to be reviewed in July 2012. |
Deletion of Accounts
| Deletion of Accounts | |
| There must be a robust process in place to irrevocably delete user accounts and data upon request within 40 days of receipt of the request (not applicable to back-up data within this period.) | |
| Facebook Ireland Response | Facebook Ireland had already devoted a substantial amount of engineering resources to progressing account deletion to an acceptable level and is committed to working towards the objectives outlined by this Office. |
| Target Implementation Date | Review in July 2012 |
Friend Finder
| Friend Finder | |
| We recommend that users be made aware that where they choose to synch their contact information from a mobile device, those contact details are transmitted in plain text and are therefore not secure during transmission. This is not an issue within Facebook’s control but users should nevertheless be made aware when choosing this option. | |
| Facebook Ireland Response | It is not more risky to send data in plain text via the synchronization process than doing so by sending email using an internet email provider, which providers do not provide disclosures on security risks. Facebook Ireland will have further dialogue in order to work towards reviewing alternatives for reducing risk and addressing them through education or changes in the product. |
| Target Implementation Date | End of Q1 2012. |
| Friend Finder | |
| We established that the action of disabling synchronisation does not appear to delete any of the synchronised data. This requires an additional step via the “remove data” button within the app. We recommend that it should be clear to users that disabling synching is not sufficient to remove any previously synched data. | |
| Facebook Ireland Response | It should be obvious to users that their synchronized data is still there after they disable synching but Facebook Ireland will add text to that effect within the app. |
| Target Implementation Date | End of Q1 2012. |
Tagging
| Tagging | |
| There does not appear to be a compelling case as to why a member cannot decide to prevent tagging of them once they fully understand the potential loss of control and prior notification that comes with it. | |
| Facebook Ireland Response | Facebook Ireland will examine the broader implications of this recommendation and will engage further on this issue in the July 2012 review |
| Target Implementation Date | In advance of July 2012 |
Posting on Other Profiles
| Posting on Other Profiles | |
| We recommend that Facebook Ireland introduce increased functionality to allow a poster to be informed prior to posting how broad an audience will be able to view their post and that they be notified should the settings on that profile be subsequently changed to make a post that was initially restricted available to a broader audience. We recommend the sending of a notification to the poster of any such change with an ability to immediately delete their post if they are unhappy. | |
| Facebook Ireland Response | Facebook Ireland will examine the broader implications of the suggested approaches and having done so will engage further on this issue in the July 2012 review. |
| Target Implementation Date | In advance of July 2012 |
Abuse Reporting
| Abuse Reporting | |
| We are satisfied that Facebook Ireland has appropriate and accessible means in place for users and non-uses to report abuse on the site. We are also satisfied from our examination of the User Operations area that Facebook Ireland is committed to ensuring it meets its obligations in this respect. | |
| Facebook Ireland Response | n/a |
| Target Implementation Date | n/a |
Compliance Management/ Governance
| Compliance Management/ Governance | |
| This Office requires that Irish data protection law and by extension European data protection laws be fully addressed when Facebook Ireland rolls-out a new product to its users. We recommend therefore that Facebook Ireland take additional measures in the first half of 2012 to put in place a more comprehensive mechanism, resourced as appropriate, for ensuring that the introduction of new products or uses of user data take full account of Irish data protection law. | |
| Facebook Ireland Response | Facebook Ireland already fully considers and analyzes applicable laws, including Irish and EU laws, prior to product rollouts, but will implement this recommendation and consult with this Office during the process of improving and enhancing its existing mechanisms for ensuring that the introduction of new products or new uses of user data take full account of Irish data protection law. |
| Target Implementation Date | We will fully assess the improvements made in this regard in July 2012 and will expect that by that time Facebook Ireland will have in place the procedures, practices and the capacity to comprehensively meet its obligations in this area. |
