Facebook and the Irish Data Protection Commission

December 21, 2011 at 6:54am

The people who use Facebook take privacy and data protection seriously and so do we.  We work closely with privacy commissioners and regulators around the world to demonstrate our compliance with legal requirements and to improve our policies and practices.


Last month, Facebook announced an agreement with the Federal Trade Commission, our regulatory oversight agency in the United States, to formalise our commitment to provide you with control over your privacy and sharing -- and provide new protections to ensure that your information is only shared in the way you intend. You can read more about this on our blog post 


Today, the Office of the Irish Data Protection Commissioner (DPC) announced the results of its thorough and detailed audit of Facebook’s practices and policies. (Because Facebook’s international headquarters are located in Ireland, the DPC oversees our legal compliance with respect to Facebook users outside of the United States and Canada.) We are pleased that, following three months of rigorous examination, the DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.


Audit reports are not frequently made public, but in this case, the DPC and Facebook agreed at the outset that -- in the interests of transparency -- the contents of the audit should be made public, in full, immediately upon completion.  We believe this is the best way for users and policymakers around the world to understand how thoroughly the DPC performed its examination and how closely we will be working together in the future.


The DPC recognised that Facebook’s success rests in part on our constant evolution and innovation.  We appreciate that the DPC acknowledges that the pace at which we offer new products and features requires continual dialogue with regulators to ensure that adequate protections are in place.


We’re particularly pleased that the report highlighted a number of Facebook’s strengths or best practices:


Security Protection: The DPC commended Facebook on our ongoing focus on the protection and security of user data.  It acknowledged that Facebook makes “innovative use of cookies to identify unusual or suspicious activity” on an account.


Importance of Real Name Authenticity: The DPC recognised that Facebook’s real name policy is a valid and justified reason for refusing to allow pseudonyms on our service.  It recognised that this policy has substantial benefits in protecting the people who use Facebook.


No Profiling based on “Tracking”: The DPC conducted a thorough analysis of Facebook’s use of social plug-ins and determined that no information collected is associated with users or non-users or is used in any way to build a profile of the user or non-user.  The DPC confirmed: “…while certain data which could be used to build what we have seen termed as a ‘shadow profile’ of a non-user was received by Facebook, no actual use of this nature was made of such data” and “neither is there any profile formed of non-users which could be attributed to a person on becoming a user.” The DPC also stated that Facebook is now taking active steps to delete any such information very quickly after it is received.


User control: The DPC recognised the effectiveness of Facebook’s existing efforts to respond to subject access requests made by people using our service. Facebook agreed with the DPC on a process for offering more comprehensive access through the Download Your Info tool, Timeline and Activity Log (part of the new Timeline feature).  The report also found that Facebook already offers people effective controls to delete their personal data and proposes several enhancements.


The DPC also examined a number of areas of recent public interest and government scrutiny and made the following observations:


Tag Suggest: The introduction of Tag Suggest, a popular tool to make the tagging of large numbers of images quick and easy, could have been done in a more transparent fashion.  Despite these concerns, the DPC did not find that the launch of Tag Suggest breached Irish data protection law, and confirmed that the function used to delete the user's facial profile is invoked when the user disables "tag suggestions."  The DPC recommended we take a ‘best practice’ approach in this area and display additional notifications to users in Europe, to help them learn more about the feature.  Both the Irish DPC and Facebook agree that this approach will increase transparency to people using the product while enabling Facebook to continue to meet its obligations under relevant data protection law.


The DPC credited several elements of Facebook’s data protection practices and offered various recommendations for improvements:


Advertising: The DPC carefully examined our advertising practices and policies related to the extent we use personal data of users to target advertising to them and concluded that “the targeting of advertisements based on interests disclosed by user’s in the ‘profile’ information they provide on FB is legitimate.”


Third Party Applications: Facebook has controls in place to protect user information from being improperly available to developers offering applications on Facebook Platform.  The DPC “verified that it was not possible for an application to access personal data over and above that to which an individual gives their consent or enabled by the relevant settings.”


Friend Finder feature: The Friend Finder feature, as well as the inclusion of people a non-user may know in email invitations sent by users, has been previously examined closely by other data protection and privacy authorities and Facebook has already implemented several improvements.  We provide clear notice about how the email address will be used and notify all non-users who get the email how they can opt-out or unsubscribe. The DPC confirmed our practice was compliant, as well as verified that the email addresses of non-users who have opted-out from further contact are not available for any further use.


Of course, Facebook is always looking to improve our privacy policies and practices, and the DPC’s review of our existing operations highlighted several opportunities to strengthen our existing practices. Facebook has committed to either implement, or to consider, other “best practice” improvements recommended by the DPC, even in situations where our practices already comply with legal requirements.  Meeting these commitments will require intense work over the next six months.  We will be reviewing progress with the DPC and have agreed to a more formal follow-up review in July 2012.


Among the key commitments, we have agreed to:

  • Offer additional notifications to European users about Facebook’s photo Tag Suggest feature so that they can decide whether or not to use this feature to help people tag them in photos
  • Change a number of our policies related to retention and deletion of data including how data is logged when people access websites with social plugins to minimise the amount of information collected about people who are not logged in to Facebook
  • Work with the DPC to improve the information that people using Facebook are given about how to control their information both on Facebook and when using applications


We work on a daily basis with regulators around the world, and we appreciate the investment of time and effort by the DPC and its leadership to improve the experience of Facebook users.  In particular, we would like to thank Commissioner Billy Hawkes and Deputy Commissioner Gary Davis and their team.  As a result of their work, we are better able to give people the ability to connect and share and make the world more open. We have benefited from the open, honest and cooperative relationship and look forward to continuing to work together.


Richard Allan

Director of Public Policy, Facebook EMEA