As Facebook has continued its rapid rise, one thing it has not been able to shake off are questions over how it deals with user data and privacy. That issue is getting revisited again today in Europe, where a consumer rights group says that Facebook has missed a deadline, set by Ireland’s Data Protection Commissioner, to make a number of changes to comply with European data protection laws. That group is now encouraging consumers to take the fight to the next level and make formal complaints to the European Commission over the issue.
But TechCrunch understands that Facebook, whose international headquarters are located in Ireland, is working on changes that will be implemented in time for a later deadline of July 2012.
The pressure group, europe-v-facebook.org, was formed originally after a group of Austrian students filed 22 privacy violation claims against Facebook last year. At the time, the story picked up a lot of attention — partly because it captured some of the pro-privacy zeitgeist — and as a result some 40,000 more people made requests for Facebook to reveal all the data it stored on them.
Around then, the Irish DPC issued a report and set an end of March deadline for Facebook to make recommended changes to improve its data transparency. The recommendations covered areas like making language simpler for users, providing a better mechanism to see how data is used, a better flow for the sign-in process, and better access to one’s data.
But the consumer group says that as of today, Facebook has yet to make most of the changes recommended by the DPC. Facebook did reply to the 40,000 complaints, says Max Schrems, a law student and one of the group’s founding members, but did by providing a series of links that only gave users a limited amount of information — 22 of the 84 data groups that Facebook holds, according to Schrems; the Irish DPC said there needed to be a minimum of 38 by July 2012.
Schrems says that as a result several hundred people have made further complaints and it is this smaller group that he is hoping will now escalate things by writing to the EU, complaining not only about Facebook but also the failure of the DPC in Ireland to handle this correctly. (If you live in Europe and are among those who think that a little pressure can move the needle, you can follow the link to Schrems’ site to make your complaint.)
Apart from the fact that Facebook is understood to be still working through these changes — again, with a July 2012 deadline — there seems to be a bigger issue here, which is that the Irish DPC has laid out recommendations, but no legal obligations.
“There is a law for data protection, but no consequence if you break that law,” Schrems told TechCrunch.
That means that while it’s potentially bad PR for Facebook if it fails to comply, it doesn’t result in fines or any operational penalties.
“Facebook Ireland is investing a huge amount of effort to ensure we are making progress against all of the commitments we made during the audit,” a spokesperson told TechCrunch. “We have a constant dialogue with officials working for the Irish Data Protection Commissioner, who are responsible for overseeing the work we are undertaking, to reassure them of our progress. We recently reported to them that we have implemented some of their recommendations ahead of schedule and that we expect to meet all the Q1 aspirations over the coming weeks.”