Report of Data Protection Audit of Facebook Ireland Published

The Office of the Data Protection Commissioner, Ireland today 21 December 2011 published the outcome of its audit of Facebook Ireland(FB-I) which was conducted over the last three months including on-site in Facebook Ireland’s Headquarters in Dublin.  The Report is a comprehensive assessment of Facebook Ireland’s compliance with Irish Data Protection law and by extension EU law in this area.

The Irish Data Protection Commissioner, Billy Hawkes said, “This was a challenging engagement both for my Office and for Facebook Ireland. The audit has found a positive approach and commitment on the part of FB-I to respecting the privacy rights of its users. Arising from the audit, FB-I has agreed to a wide range of  “best practice” improvements to be implemented over the next 6 months, with a formal review of progress to take place in July of next year.”

Deputy Commissioner, Gary Davis who led the conduct of the Audit stated that “this Audit was the most comprehensive and detailed ever undertaken by our Office.  We set ourselves a very ambitious target for completion and publication as both this Office and Facebook, felt it was important that the outcome be published and opened to public comment and scrutiny.”

He added, “It is important to recognise that Facebook Ireland, as recently as September 2010, was designated responsibility for all users outside of the USA and Canada.  It perhaps should not come as a surprise therefore that there should be room for improvement in how Facebook Ireland handles the personal information of users. 

Facebook is constantly evolving and adapting in response to user needs and technical developments.  Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances.  Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site’s success. 

Therefore this Report is not the conclusion of our engagement with Facebook Ireland.  It is rather the first significant step on a road that can place it at the forefront of the technology sector in meeting users’ legitimate privacy expectations as to how their personal data is handled and empowering them to make informed choices when sharing that information on the site.  It is the role of our Office to ensure that Facebook Ireland complies with data protection law and this report assesses that compliance.  Taking a leadership position that moves from compliance with the law to the achievement of best practice is for Facebook Ireland to decide but if it continues to display the commitment I witnessed throughout the Audit process it is certainly achievable. ”

The Report records significant recommendations and commitments from Facebook Ireland in relation to:

·   a mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to Third Party Apps

·   a broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved

·   transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site

·   the deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently

·   increased transparency and controls for the use of personal data for advertising purposes

·   an additional form of notification for users in relation to facial recognition/”tag suggest” that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective

·   an enhanced ability for users to control tagging and posting on other user profiles

·   an enhanced ability for users to control whether their addition to Groups by friends

·   the Compliance management/Governance function in Dublin which will be further improved and enhanced to ensure that the introduction of new products or new uses of user data take full account of Irish data protection law.

Facebook Ireland’s delivery on its commitments will be evaluated throughout the first six months of 2012 and as part of an agreed formal review in July of next year that will take the form of a follow-up Audit.

Ends

For more information, please contact:

Ciara O’Sullivan, Office of the Data Protection Commissioner at +353 (0)57 868 4800