Nine months after their last report the Irish Data Protection Commissioner has released its reassessment of various parts of Facebook’s data retention and user privacy policies. Facebook has been widely praised by the Commissioner’s Office for its open participation with the review process and willingness to go beyond the Office’s requirements for user privacy.
The Irish Data Protection Commissioner’s re-audit of Facebook’s use of user data has implications for users across Europe. Since Facebook is based in Ireland the responsibility for ensuring the company’s services comply with EU data protection laws fell to the Irish Data Protection Office.
In it’s 186 page review (15MB | PDF – click here for the HTML version) the DPC lists several areas of concern it had for user privacy and data. Taken from the report the tables below show the areas the Office reviewed and Facebook Ireland’s (FB-I) actions taken over the past year, or actions still to take.
The document covers areas such as Facebook’s policy that users must sign up with their real names (Facebook’s response: Child Protection); the Office confirmed that Facebook doesn’t use data from websites that have Like buttons installed (such as this site) to profile users. Facebook’s automatic facial tagging system was turned off in Europe for new users and existing users’ facial templates will be removed from the site by October 15.
Read more about the report here.
Use the links below to see how the review has changed these aspects of Facebook;
- Privacy Policy / Data Use Policy
- Advertising
- Access Requests
- Retention
- Cookies/ Social Plug-Ins
- Third Party Apps
- Disclosures to Third Parties
- Facial Recognition / Tag Suggest
- Data Security
- Deletion of Accounts
- Friend Finder
- Tagging
- Posting on Other Profiles
- Facebook Credits
- Pseudonymous Profiles
- Abuse Reporting
- Compliance Management / Governance
Privacy Policy / Data Use Policy
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Privacy & Data Use Policy | FB-I must work towards:simpler explanations of its privacy policies easier accessibility and prominence of these policies during registration and subsequently an enhanced ability for users to make their own informed choices based on the available information |
Satisfactory response from FB-I with more precise details regarding education efforts with existing users to be provided to this Office within four weeks |
| Complexity & accessibility of user controls | The relative size of the links to the privacy policy and statement of rights and responsibilities on the second page of the sign up process must be aligned with the other information presented on that page. | Satisfactory response from FB-I |
Advertising
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Advertising | There are limits to the extent to which user-generated personal data can be used for targeted advertising. Facebook must be transparent with users as to how they are targeted by advertisers | Satisfactory response from FB-I |
| Use of user data | FB-I does not use data collected via social plug-ins for the purpose of targeted advertising | Unchanged |
| FB-I should move the option to exercise control over social ads to the privacy settings from account settings to improve their accessibility. It should also improve user knowledge of the ability to block or control ads that they do not wish to see again | Satisfactory response from FB-I | |
| If, FB-I in future, considers providing individuals’ profile pictures and names to third parties for advertising purposes, users would have to provide their consent. | n/a | |
| The current policy of retaining ad-click data indefinitely is unacceptable. | Satisfactory response from FB-I | |
| There is a requirement for a change in policy and practice in relation to the possibility of targeted advertising utilising Sensitive Data (Due to an oversight this recommendation was not contained within the published table of recommendations in this area). | Four week period for FB-I to address concerns outlined by this Office | |
| The availability and use of features on site that allow users to filter and block certain types of ads does not appear well known to users and FB-I is therefore asked to take steps to better educate users about the options which they present to control ad content (Due to an oversight this recommendation was not contained within the published table of recommendations in this area) | Satisfactory response from FB-I |
Access Requests
| ISSUE | CONCLUSION/ BEST PRACTICE RECOMMENDATION |
TARGET IMPLEMENTATION DATE |
STATUS |
| Access Requests | If identifiable personal data is held in relation to a user or non-user, it must be provided in response to an access request within 40 days, in the absence of a statutory exemption | In line with the schedule in relation to availability from the user’s profile, their activity log and the download tool. Data will be added to the various tools in phases beginning in January 2012 | Satisfactory response from FB-I with the exception of uploaded photo metadata which will be available from the end of October. |
Retention
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Retention of data | The information provided to users in relation to what happens to deleted or removed content, such as friend requests received, pokes, removed groups and tags, and deleted posts and messages should be improved. | Satisfactory response from FB-I |
| User’s should be provided with an ability to delete friend requests, pokes, tags, posts and messages and be able to in so far as is reasonably possible delete on a per item basis. | Satisfactory response from FB-I with the exception of an acceptable period for the deletion of images with FB-I requested to provide details of an amended procedure within 4 weeks of this date | |
| Users must be provided with a means to exercise more control over their addition to Groups | Satisfactory response from FB-I | |
| Personal data collected must be deleted when the purpose for which it was collected has ceased | Satisfactory response in general from FB-I but subject to a further review from this Office in relation to social plug-in impression data subject that was subject to a litigation hold | |
| There is not currently sufficient information in the Data Use Policy to educate users that login activity from different browsers across different machines and devices is recorded. | Satisfactory response from FB-I | |
| We have confirmed that data entered on an incomplete registration is deleted after 30 days | Process changed so this issue no longer arises | |
| Data held in relation to inactive or de-activated accounts must be subject to a retention policy | We are satisfied with the information provided by FB-I on the justification for the current approach to retention. FB-I to revert within 4 weeks in relation to an appropriate means to contact account holders who have deactivated accounts to be examined. |
Cookies/ Social Plug-Ins
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Cookies/Social | We are satisfied that no use is made of data collected via the loading of Facebook social plug-ins on websites for profiling purposes of either users or non-users. | Re-confirmed |
| Plug-Ins | ||
| It is not appropriate for Facebook to hold data collected from social plug-ins other than for a very short period and for very limited purposes | Dealt with in Retention Section | |
| FB-I to supply more detailed information to this Office within four week’s of today’s date on the use of the fr cookie and the consent collected for this cookie | Ongoing with FB-I to revert in Four weeks |
Third Party Apps
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Third Party Apps | The complexity for a user to fully understand in a meaningful way what it means to grant permission to an application to access their information must be addressed. Users must be sufficiently empowered via appropriate information and tools to make a fully informed decision when granting access to their information to third party applications | Satisfactory response from FB-I |
| It must be made easier for users to understand that their activation and use of an app will be visible to their friends as a default setting | Satisfactory response from FB-I | |
| The privacy policy link to the third party app should be given more prominence within the application permissions screen and users should be advised to read it before they add an app. This should be supplemented with a means for a member to report a concern in this regard via the permissions screen. | Satisfactory response from FB-I | |
| As the link to the privacy policy of the app developer is the critical foundation for an informed consent, FB-I should deploy a tool that will check whether privacy policy links are live. | Due to bug issues not operational at present and therefore will be re-examined when operational | |
| We verified that it was not possible for an application to access personal data over and above that to which an individual gives their consent or enabled by the relevant settings. | Re-confirmed | |
| We verified that when a friend of a user installing an app has chosen to restrict what such apps can access about them that this cannot be over-ridden by the app. However, it should be made easier for users to make informed choices about what apps installed by friends can access personal data about them. The easiest way at present to manage this is to turn off all apps via a user’s privacy settings but this also prevents the user from using apps themselves. | FB-I should re-examine providing choice to their users short of turning off the ability to use Apps altogether | |
| We have identified that the authorisation token granted to an application could be transferred between applications to potentially allow a second application to access information which the user had not granted by way of the token granted to the first application. While this is a limited risk we recommend that FB-I bring forward a solution that addresses the concerns outlined. In the meantime, at a minimum we expect FB-I to advise application developers of their own responsibility to take appropriate steps to ensure the security of the authorisation tokens provided by it. |
Satisfactory response from FB-I |
|
| We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data. We do note however the proactive monitoring and action against apps which breach platform policies. However, this is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect FB-I to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission. |
Satisfactory response from FB-I |
Disclosures to Third Parties
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Disclosures to Third Parties | The current Single Point of Contact arrangements with law | Satisfactory response from FB-I |
| enforcement authorities when making requests for user data should be further strengthened by a requirement for all such requests to be signed-off or validated by a designated officer of a senior rank and for this to be recordable in the request. We also recommend that the standard form used require all requesting entities to fully complete the section as to why the requested user data is sought so as to ensure that FB-I when responding can form a good faith belief that such provision of data is necessary as required by its privacy policy. FB-I should also reexamine its privacy policy to ensure that the current information provided is consistent with its actual approach in this area. |
Facial Recognition / Tag Suggest
| ISSUE | CONCLUSION/ BEST PRACTICE RECOMMENDATION |
FB-I RESPONSE | STATUS |
| Facial Recognition/ Tag Suggest |
FB-I should have handled the implementation of this feature in a more appropriate manner and we recommended that it take additional steps from a best practice perspective to ensure the consent collected from users for this feature can be relied upon | FB-I will provide an additional form of notification for Tag Suggest. It will appear at the top of the page when a user logs in. If the user interacts with it by selecting either option presented then it will disappear for the user. If the user does not interact with it then it will appear twice more for a total of 3 displays on the next successive log-ins. Before making a selection more detail about how the feature works will appear behind a Learn More link and will also be shown if a user clicks Adjust Your Settings. FB-I will discuss with this Office any plans to extend tag suggest to allow suggestions beyond confirmed Friends in advance of doing so. |
Implemented. FB-I has also agreed to delete collected templates for EU users by 15 October and to agree a process for collecting consent with this Office if it chooses to provide the feature to EU users again. |
| We have confirmed that the function used to delete the user’s facial profile is invoked when the user disables “tag suggestions”. | Re-confirmed |
Data Security
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Security | Many policies and procedures that are in operation are not formally documented. This should be remedied. | Satisfactory response from FB-I |
| We are satisfied that FB-I does have in place an appropriate framework to ensure that all access to user data is on a need to know basis. However, we recommended that FB-I expand its monitoring to ensure that there can be no employee abuse through inappropriate password resets of a user’s account | Satisfactory response from FB-I | |
| We were concerned that the tools in place for ensuring that staff were authorised to only access user data on a strictly necessary basis were not as role specific as we would have wished. | Satisfactory response from FB-I | |
| We are satisfied that there is no realistic security threat to a user photo from their upload to Akamai. We are also satisfied that there is no realistic threat to a deleted image | Position as stated in December Audit | |
| Position as stated in December Audit |
Deletion of Accounts
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | OUTCOME |
| Deletion of Accounts | There must be a robust process in place to irrevocably delete user accounts and data upon request within 40 days of receipt of the request (not applicable to back-up data within this period.) | Given the scale of the task, a satisfactory response from FB-I pending resolution or clarification within four weeks on image deletion and log de-identification, with group content to be deleted in early 2013 |
Friend Finder
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Friend Finder | We are satisfied that, aside from storage of synchronised data for its users, FB-I makes no additional use of telephone numbers or other contact details uploaded as part of the synchronisation feature unless the user chooses to supply email addresses for friend finder purposes. | Reconfirmed |
| We recommend that users be made aware that where they choose to synch their contact information from a mobile device, those contact details are transmitted in plain text and are therefore not secure during transmission. This is not an issue within Facebook’s control but users should nevertheless be made aware when choosing this option. | Data now securely transmitted | |
| The released version of the iPhone App has addressed this issue. FB-I to revert to this within 4 weeks on the addition of disclosure to the Android version of the app. | ||
| We were concerned that the facility whereby businesses could upload up to 5,000 contact email addresses for Page contact purposes created a possibility of the sending of unsolicited email invites by those businesses in contravention of the ePrivacy law with an associated potential liability for FB-I. We recommended a number of steps to be taken to address this risk | Satisfactorily addressed by publication of December Audit and re-confirmed | |
| We confirmed that passwords provided by users for the upload of contact lists for friend-finding purposes are held securely and destroyed | Re-confirmed |
Tagging
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Tagging | There does not appear to be a compelling case as to why a member cannot decide to prevent tagging of them once they fully understand the potential loss of control and prior notification that comes with it. | Taking account of the various tools available to users to manage Tags and to delete them if they so wish we are not requiring an ability to prevent Tagging at this time. |
Posting on Other Profiles
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Posting on | We recommend that FB-I introduce increased functionality to allow a poster to be informed prior to posting how broad an audience will be able to view their post and that they be notified should the settings on that profile be subsequently changed to make a post that was initially restricted available to a broader audience. We recommend the sending of a notification to the poster of any such change with an ability to immediately delete their post if they are unhappy | We are satisfied with the information provided by FB-1 on the operation of this function |
Facebook Credits
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| Facebook Credits | We are satisfied that FB-I does act as a data controller in the provision of the Facebook Credits service However, we would consider that it is not fully apparent to users using the service that FB-I is acting as a data controller and that information generated in the context of their use of Facebook Credits is linked to their account. It is recommended that the Data Use Policy be significantly expanded to make clear the actual personal data use taking place in the context of Facebook Credits. | Satisfactory response from FB-I pending further clarification emerging from the operation of FB-PI |
Pseudonymous Profiles
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION |
| Pseudonymous Profiles | We consider that FB-I has advanced sufficient justification for child protection and other reasons for their policy of refusing pseudonymous access to its services |
Abuse Reporting
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION |
| Abuse Reporting | We are satisfied that FB-I has appropriate and accessible means in place for users and non-users to report abuse on the site. We are also satisfied from our examination of the User Operations area that FB-I is committed to ensuring it meets its obligations in this respect. |
Compliance Management / Governance
| ISSUE | CONCLUSION/BEST PRACTICE RECOMMENDATION | STATUS |
| ComplianceManagement/Governance | We found that the compliance requirements for the conduct of direct marketing by electronic communications means had not been fully understood by certain FB-I staff members engaged in marketing. We recommend that documented procedures be developed to ensure that data protection considerations are taken fully into account when direct marketing is undertaken either by or on behalf of FB-I and that appropriate training be given to staff and contractors. | Complete at the time of publication of the December Audit |
| This Office requires that Irish data protection law and by extension European data protection laws be fully addressed when FB-I rolls-out a new product to its users. We recommend therefore that FB-I take additional measures in the first half of 2012 to put in place a more comprehensive mechanism, resourced as appropriate, for ensuring that the introduction of new products or uses of user data take full account of Irish data protection law | Ongoing. All significant changes to the use of personal data with a data protection impact to be approved by FB-I in a manner set out by the Board of FB-I that takes full account of European data protection requirements |
Featured image: Copyright bigstockphoto.com, used with permission.
