After a 3-month audit by the Office of the Irish Data Protection Commissioner (DPC), Facebook has issued a statement that “a DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.” Still, Facebook has committed to making a wide range of changes to its privacy policies and features. These include deleting or anonymizing retained user data, increasing access to and educating users about data and application privacy, and notifying users about the facial recognition feature “Tag Suggest”.
The DPC ruling could be considered a victory for Facebook, as none of the changes it has agreed to will significantly hamper its ability to launch new products or monetize through advertising. Update: Check out our analysis of the 45 privacy changes Facebook will make to comply with the DPC’s recommendations.
The audit stemmed from complaints made by several Austrian users. In accordance with European law, they filed personal data access requests with Facebook and discovered the company was retaining a substantial amount of data that they deleted or that was otherwise inaccessible.
The complaints prompted the Office of the Irish Data Protection Commissioner to launch the audit of Facebook’s international headquarters in Ireland, which oversees Facebook’s legal compliance for all users outside the US and Canada. This subsidiary allows Facebook to avoid some US taxes, but also puts it in the jurisdiction of the European privacy offices that enforce stricter policies than the US.
Many of the audit’s findings were positive and found Facebook’s practices to be legitimate. These include ad targeting based on personal data, email invitations sent through the Friend Finder feature, and how third-party applications access user data. Facebook was also commended for its security innovations, user control of data via Download Your Information, and for not tracking or profiling users based on cookies from offsite social plugins.
The DPC did make a long list of recommendations for changes Facebook could implement to better educate users and protect their privacy. I spoke with a Facebook public policy representative who told me Facebook has either agreed to implement or provided an acceptable alternative to all of the recommendations.
Some of the most important changes from the full audit report (.PDF) include:
- Adding more prominent links for the privacy and data use policy to the sign up process and home page
- Notifying European users via home page prompts about how its facial recognition feature works
- Educating users on how their data is used for ad targeting, and how deleted data is retained
- Setting limits to how long Facebook can retain data on ad-clicks, logged out users, log in information, and more
- Allowing users to permanently delete more data types
Few of these changes will seriously alter the user experience or the way Facebook develops and launches products. The company similarly avoided catastrophic changes when it settled with the United States Federal Trade Commission last month. Though the Facebook Public Policy team can sometimes be vague with press, it’s done an impressive job of protecting the company from devastating government intervention.
Implementing and reporting back to the DPC on the whole list of changes it has promised will be a time suck for Facebook’s design, communications, and engineering teams. But with major privacy offices of Europe and the US satisfied, Facebook is pretty much in the clear to push forward with its “Move Fast and Break Things” strategy for innovation. The audit’s outcome could also bolster investor confidence in a possible $100 billion IPO for Facebook next summer.