Irish watchdog’s review of Facebook gives EU users more privacy & data protection rights

Following a “robust review” by Ireland’s Data Protection Commissioner (DPC) millions of Facebook users in Europe, have improved privacy and data protection rights, especially in the area of facial tagging, according to documents released today by the DPC today.

But the Commission says that it will need to maintain engagement with Facebook to ensure new Facebook services to its platform comply with data protection requirements before they are released to users.

Read the DPC’s earlier review of Facebook here and here, which outlined the changes Facebook was required to make.

Following the DPC review Facebook have implemented for EU users;

1. Tighter control over tag suggest/facial recognition
2. The provision of better transparency for the user in how their data is handled,
3. The provision of increased user control over settings,
4. The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items,
5. The enhancement of the user’s right to have ready access to their personal data and the capacity of Facebook Ireland to ensure rigorous assessment of compliance with Irish and EU data protection requirements.

Tag suggest/facial recognition

New Facebook users in the EU no longer have access to tag suggest/facial recognition.  This feature scanned photographs uploaded by users for faces and automatically tagged recognised faces with users’ names.  The DPC says that existing users’ templates (we presume this means Facebook’s database of recognised faces) will be deleted by October 15.

The commissioner praised Facebook’s compliance with the review process, saying that the organisation went “beyond [the office’s] initial recommendations” to comply with requests of other European Data Protection Offices’ concerns over face tagging;

“I am satisfied that the Review has demonstrated a clear and ongoing commitment on the part of FB-I [Facebook Ireland] to comply with its data protection responsibilities by way of implementation or progress towards implementation of the recommendations in the Audit Report.

I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice.

This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent. By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance”.

Defending Facebook’s Philosophy

But the DPC report paints a picture of a detailed series of difficult debates between the company, and the Irish and European DPCs.  The report cites an example of Facebook’s instance that users use their real name on the site.

“Facebook Ireland cooperated with the review process, while vigorously defending its point of view, particularly where our recommendations, or the views of other DPAs, challenged the general philosophy of the company. This was true, for example, in relation to the company’s insistence on maintaining its requirement that users use their real names on the network.”

Facebook still has work to do

Facebook has yet to comply with some DPC requests but it says a time line has been put in place for these to be dealt with.

1. Facebook has to work to improve account deletion so that users can be assured that deleted account data is removed “beyond all doubt.”
2. Facebook has to minimise the amount of personal data used for ad targeting
3. Removal of social plugin impression data for EU users, and
4. Better education for new users on the site.

Facebook’s responsibility to monitor users

While the report outlines Facebook’s responsibly to maintain users data securely, the Commissioner says that Facebook has a responsibility to monitor user behaviour to protect young users, but such monitoring should not be disproportionate.

“[there is a ]balance to be struck between Facebook Ireland’s duty to protect young users from sexual predators, through monitoring certain user behaviour and reporting reasonable suspicions to relevant authorities, and the need to ensure that such monitoring and reporting is proportionate to the danger of serious consequences for young victims.”

Comprehensive Assessment

The DPC called the review a “comprehensive assessment of Facebook Ireland’s compliance with Irish Data Protection law and by extension EU law in this area,” adding, “Facebook Ireland’s delivery on its commitments in that Report was evaluated throughout the first half of 2012 and formally on-site in Facebook’s European HQ in Dublin from 2-3 May and 10-13 July 2012”

The Irish/EU review came on foot of a detailed examination of Facebook Ireland’s operations in December 2011.  These changes won’t affect Facebook’s users outside of the EU.