In early December 2012, the Irish media reported that the Austrian privacy group “Europe-v-Facebook” plans to appeal an audit of Facebook Ireland (“Facebook”) undertaken by the Irish Data Protection Commissioner (the “DPC”).

The Facebook audit was prompted by specific complaints raised by the “Europe-v-Facebook” group, the Norwegian Consumer Council and other parties.  Because Facebook’s operations outside the US and Canada are headquartered in Ireland, the task of carrying out the audit fell to the Irish Data Protection Commissioner.

An initial audit was carried out in December 2011.  Following that audit and ongoing consultation with Facebook, the DPC made recommendations on a number of issues, including Facebook’s facial recognition feature, improvements to its privacy and data use policy, transparency about and limits on the use of user data for targeted advertising, the handling of access requests, clearer data retention periods, information on the use of cookies and social plug-ins, and the security of third-party apps, among others.

On 21 September 2012, the DPC published the outcome of its review of Facebook’s implementation of these recommendations.  The Report of Re-Audit (the “Report”) assesses Facebook’s compliance with the DPC’s recommendations and with Irish and EU data protection law.  Facebook’s delivery on the commitments it had made was evaluated by the DPC throughout the first half of 2012 and formally on-site at Facebook’s European headquarters in Dublin on 2-3 May and 10-13 July 2012.  Other data protection authorities were consulted in the preparation of the Report (for example, the EU’s Article 29 Working Party and its Technology Sub-Group).

Deputy Commissioner Gary Davis praised the “constructive approach” taken by Facebook and stated that most of the DPC’s recommendations had been implemented to its full satisfaction.  The Deputy Commissioner highlighted the actions taken by Facebook in the following areas:

  • The provision of better transparency for the user in how their data is handled;
  • The provision of increased user control over settings;
  • The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items; and
  • The enhancement of the user’s right to have ready access to their personal data, and Facebook’s capacity to ensure rigorous assessment of compliance with Irish and EU data protection requirements.

The Deputy Commissioner noted that in some cases, notably in relation to the "tag suggest" feature, Facebook went beyond the DPC’s initial recommendations in order to accommodate the views of other data protection authorities.  Tag suggest scanned photographs uploaded by users and suggested tags for the faces it recognised.  To make this work, Facebook collected “template” images of users as reference points for its facial recognition technology.  For European users the feature was suspended, and Facebook agreed to delete the templates it had already collected for EU users by 15 October 2012.  Data Protection Commissioner Billy Hawkes said he was “particularly encouraged” by Facebook’s approach in this regard.

The DPC also found, however, that a number of its recommendations had not yet been fully implemented by Facebook.  It set a deadline of four weeks from 21 September 2012 for these outstanding matters to be concluded satisfactorily.  They included better education for existing users, limits on advertising that targets words and terms that could be regarded as sensitive personal data, and the retention of data collected through cookies and social plug-ins.  The DPC also asked Facebook to provide detailed information on the consent it relies on for the use of data collected from cookies.

The DPC also asked Facebook to implement a policy under which users’ accounts are fully deleted within 40 days of a deletion request; Facebook undertook to have this in place by early 2013.  The DPC further stressed that “ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site”.

Criticism of the Report

As reported in the Irish media in early December 2012, the Austrian privacy group “Europe-v-Facebook” plans to appeal the DPC’s audit of Facebook.  The group claims that the measures introduced by Facebook on foot of the audit do not go far enough and that the DPC in its Report was “massively departing from the common understanding of the underlying EU law”.

In a statement, the group said that "the Irish authority is miles away from other European data protection authorities in its understanding of the law, and failed to investigate many things. Facebook also gave the authority the runaround."

"We are hoping for a legally compliant solution from the Irish data protection authority. Unfortunately, that is highly doubtful at the moment. Therefore we are also preparing ourselves for a lawsuit in Ireland", the group added.

A spokesperson for Facebook replied that, "the latest DPC report demonstrates not only how Facebook adheres to European data protection law but also how we go beyond it, in achieving best practice.  Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes".

Key Takeaways from the Facebook Re-Audit

  • The DPC will continue to work closely with other European Regulators. In one respect (in relation to Facebook’s "tag suggest" feature), Facebook went beyond the recommendations of the DPC in order to accommodate the views of other European Data Protection Regulators.
  • Audits may involve ongoing consultation with the DPC. From the time of its initial audit, Facebook was in constant contact with the DPC, and it remains in contact with the DPC following the Report of the Re-Audit.
  • The concept of “privacy by design” is set to increase in importance.  Given that Facebook agreed to put in place a process to ensure that new products comply with Irish data protection law, “privacy by design” (meaning that measures to protect privacy and personal data are embedded throughout the entire life cycle of a technology, rather than bolted on at the end) appears set to be a focus for the DPC.  Likewise, in its audit of Google in July 2011, the UK ICO praised a privacy design document developed by Google under which all new projects are assessed to ensure privacy controls are built in.  The concept of “privacy by design” is to be introduced formally into EU law in the proposed Data Protection Regulation.
  • Audits may involve many business changes (such as Facebook’s removal of the facial recognition functionality) which may not have been financially modelled. 
  • There is a trend towards greater transparency. For example, the audits stressed the need to disclose the fact of third-party access to data using social plug-ins and the importance of having a more prominent privacy policy.
  • Regulatory focus on Ireland is likely to increase, given Ireland’s favourable conditions for the location of data centres.