The Irish data protection commissioner has told Facebook it must go further in warning users how the social network and third-party apps handle personal information, after a wide-ranging audit of its privacy practices.
The audit was partly prompted by complaints that Facebook was illegally creating “shadow profiles” of people who were not members of the site or using its “Like” button to track internet users after they had logged out. The Irish regulator said that if Facebook, whose European operations are based in Dublin and therefore bound by Irish regulations, made all of the recommended changes, the regulator did not expect the company to breach local laws.
The Irish DPC’s three-month examination included a review of Facebook’s operations, privacy practices and parts of the software code that underpins the site. It had received 22 complaints from a privacy campaign group, Europe V Facebook, and a further set from the Norwegian Data Protection Agency. Facebook said it was “pleased that the report highlighted a number of Facebook’s strengths or best practices” in areas such as the security of user data and the legitimacy of its business model of using personal information to target advertisements. It promised to maintain “continual dialogue with regulators”.
The report’s publication follows Facebook’s settlement last month of a privacy complaint from the US Federal Trade Commission, in which Facebook’s founder and chief executive, Mark Zuckerberg, admitted to making “a bunch of mistakes” in how the company handled personal data.
“The audit has found a positive approach and commitment on the part of Facebook Ireland to respecting the privacy rights of its users,” said Billy Hawkes, the Irish data protection commissioner. “Arising from the audit, Facebook Ireland has agreed to a wide range of ‘best practice’ improvements to be implemented over the next six months, with a formal review of progress to take place in July of next year.”
The commissioner warned that Facebook should not rely on third-party application developers – of whom the most successful is Zynga, maker of games including CityVille – to protect user data.
“We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data,” its report said.
“We expect Facebook Ireland to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission.”
Facebook said it would make changes to the pop-up boxes that appear when users first install an application, for instance making links to developers’ privacy policies more obvious.
Data collected from “social plug-ins” such as the “Like” button on web pages outside Facebook’s own site had to be made anonymous within 10 days for users who were logged out or who did not belong to Facebook, and within 90 days for users who were logged into Facebook.
“It is not appropriate for Facebook to hold data collected from social plug-ins other than for a very short period and for very limited purposes,” the DPC wrote.
“There are limits to the extent to which user-generated personal data can be used for targeted advertising,” the DPC said.
By the middle of next year, Facebook has committed to allowing users to delete historical friend requests, “pokes”, postings to group pages and other messages they are currently unable to control.
Richard Allan, Facebook’s director of policy in Europe, said that the audit had been undertaken in a mutually “amicable” spirit.
“This is, we think, the most meaningful evaluation of a wide range of our policies and practices and our legal obligations in Europe,” he told the FT.
“When you put this in the context of the FTC work that has been done and the fact that both processes will lead to ongoing dialogue and evaluation of Facebook, in sum we can say we are a well-regulated company and we would hope that people who use our service will appreciate the fact we are working in partnership with regulators to offer the strongest possible protection for their personal data.”
But privacy campaigners claimed a victory in their campaign to make Facebook take the issue more seriously.
Europe V Facebook said that the Irish DPC’s findings “were vastly congruent with our complaints” and suggested that the required changes could mean Facebook’s advertising business was “severely limited” in Europe.
Privacy International, a non-profit “watchdog” organisation, said the audit presented a “damning assessment of the company’s approach to privacy”, which it described as “patchy and unstable”.
“Even as a charitable assessment by Europe’s softest privacy regulator it has unravelled a mass of difficult privacy issues,” said Privacy International’s Simon Davies. “The Irish audit is a promising start but other privacy regulators should now conduct rigorous assessments into the unexplored dynamics of the site.”