The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Report of Review of Facebook Ireland's Implementation of Audit Recommendations Published – Facebook turns off Tag Suggest in the EU


The Office of the Data Protection Commissioner, Ireland today 21 September 2012 published the outcome of its Review of Facebook Ireland's (FB-I) implementation of recommendations made in the Office's Audit of the social networking site last December.  That Report was a comprehensive assessment of Facebook Ireland's compliance with Irish Data Protection law and by extension EU law in this area.  Facebook Ireland's delivery on its commitments in that Report was evaluated throughout the first half of 2012 and formally on-site in Facebook's European HQ in Dublin from 2-3 May and 10-13 July 2012.

The Review finds that the great majority of the recommendations have been fully implemented to the satisfaction of this Office, particularly in the following areas:

  • The provision of better transparency for the user in how their data is handled,
  • The provision of increased user control over settings,
  • The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items,
  • The enhancement of the user's right to have ready access to their personal data and the capacity of FB-I to ensure rigorous assessment of compliance with Irish and EU data protection requirements.

Those recommendations which are not implemented by FB-I as of yet are highlighted with a clear timescale for implementation listed.

The Irish Data Protection Commissioner, Billy Hawkes said, "I am satisfied that the Review has demonstrated a clear and ongoing commitment on the part of FB-I to comply with its data protection responsibilities by way of implementation or progress towards implementation of the recommendations in the Audit Report.  I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice.  This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent.  By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance."


Deputy Commissioner, Gary Davis who led the both the Audit and the Review stated that "the outcome reflects months of detailed engagement between Facebook Ireland and this Office.  The discussions and negotiations that have taken place, while often robust on both sides, were at all times constructive with a collective goal of compliance with data protection requirements.  There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of 4 weeks for these matters to be brought to a satisfactory conclusion.  

It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.  The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I."



For more information, please contact:

Ciara O'Sullivan, Office of the Data Protection Commissioner at +353 (0)57 868 4800

Email: Media@dataprotection.ie


The Review consisted of a detailed examination of FB-I's implementation of each of this Office's recommendations made in the December Report.  Where new issues had arisen since the publication of the December Report, those were also examined during the review.  A detailed Technical Analysis Report is included as an Annex to the Report.  Also attached as an Annex is a formal response from FB-I to the recommendations made in the December Audit which the company wishes to be published for reasons of full transparency.

As with the earlier Audit Report, this Review Report does not include any formal decisions by the Office in relation to the complaints it has received in relation to FB-I.  The audit has taken account of the substantive issues raised in these complaints and it can be expected that at least some of these issues will have been dealt with to the satisfaction of the complainants.  However, any complainant has the right to seek a decision on her/his complaint(s) where an "amicable resolution" of the complaint can not be achieved and to appeal that decision to the Courts should they wish.  We are now moving to address any outstanding complaints, in accordance with our normal complaints handling procedures.


Please see link to report: https://www.dataprotection.ie/docs/Facebook_Audit_Review_Report/1232.htm