Facebook Inc., the world’s biggest social networking site, will overhaul its service in Europe over the next six months as a result of an investigation into how the social network handles personal data.
Facebook “has agreed to a wide range of best practice improvements” to its service that will get a formal review in July, the Irish data-protection agency said today, after concluding a three-month audit. Facebook’s Ireland operation is responsible for all the Palo Alto, California-based company’s users outside the U.S. and Canada, the agency said.
“This was a challenging engagement both for my office and for Facebook Ireland,” Billy Hawkes, Ireland’s data-protection commissioner, said in an e-mail. The report said there has to be “increased transparency and controls for the use of personal data for advertising purposes” and “the deletion of data held from user interactions with the site much sooner.”
The agency began reviewing Facebook’s compliance with Irish and European Union data-protection rules three months ago and conducted an on-site audit of the U.S. company’s offices there.
Facebook agreed to improve the information users get on what happens to deleted or removed content and to simplify explanations of its privacy policies.
“This is a real way for Facebook to test this relatively new and prominent service,” said Tanguy Van Overstraeten, head of data protection at law firm Linklaters LLP. “They are faced with their own success. They have to tackle so many different positions because of the geographical spread and rules that may be different from one country to another.”
Facebook said it would work closely with privacy commissioners and regulators to demonstrate its compliance with legal requirements.
“The people who use Facebook take privacy and data protection seriously and so do we,” Richard Allan, Facebook’s director of public policy for Europe, said in a blog post in response to the Irish audit.
In the U.S., Facebook last month agreed to settle complaints by the Federal Trade Commission that it failed to protect users’ privacy or disclose how their data could be used. The proposed 20-year agreement would require Facebook to get clear consent from users before sharing material posted under earlier, more restrictive terms, and would compel independent reviews of Facebook’s privacy practices.
Subject to Scrutiny
Facebook is tied in by the FTC and by the commitment they have given the Irish data protection agency in the final recommendation “to ensure that before they produce anything, new product, new use, that they’ll be subjecting it to scrutiny,” said Gary Davis, deputy commissioner at the Irish data-protection agency.
In Ireland, the company agreed to “phase in” more transparency and control for the use of personal data for advertising purposes, to allow users to delete friend requests, tags or messages, and to give users more control over their addition to groups.
“They can be very transparent, but it must be done in a fashion that it is legible,” said Van Overstraeten. “This should be a shared burden” between authorities raising more awareness among users on privacy matters and “companies designing ways to be transparent in a legible manner.”
Watchdogs from several of the EU’s 27 nations have said they will probe possible privacy violations in a feature on Facebook that uses facial-recognition software to suggest people to tag in photos without their permission. A German data-protection agency said it may fine Facebook over facial-recognition. Norway’s privacy watchdog is also investigating.
Facebook, which is considering raising about $10 billion in an initial public offering, a person with knowledge of the matter said last month, noted that the agency acknowledged the pace at which it offers new products and features requires constant interaction with regulators.
“This report is not the conclusion of our engagement with Facebook Ireland,” said the Irish agency’s Davis. “Taking a leadership position that moves from compliance with the law to the achievement of best practice is for Facebook Ireland to decide.”
The Irish audit was planned before the office received 22 complaints related to an Austrian law student’s experience with how the social-networking service kept storing data users had removed from their pages.
The Irish agency can’t impose fines. If companies don’t comply, it can pursue summary proceedings that can result in a maximum fine of 3,000 euros ($3,900). If convicted of serious breaches of data policy, a court may fine a company as much as 100,000 euros.