Facebook audit completed: Best practice recommendations for several key areas

In response to the audit conducted on Facebook Ireland (FB-I) by Ireland’s Data Protection Commissioner, FB-I has committed to either implement, or to consider positively, specific “best practice” improvements.

A key focus of the audit was to establish whether free use of the service in exchange for targeted advertising ‘could reasonably be described as meeting the requirements of fair collection and processing under the Data Protection Act’.

The Commissioner said on 21st December that ‘while acknowledging that this is a matter of judgment – ultimately by Irish and European Courts – the general conclusion was that targeting advertisements based on interests disclosed by user’s in the ‘profile’ information they provide on FB was legitimate. We also concluded that, by extension, information positively provided by users through ‘Like’ buttons etc. could legitimately be used as part of the basic “deal” entered into between the user and FB-I. The legitimacy of such use is, in all cases, predicated on users being made fully aware, through transparent notices, that their personal data would be used in this manner to target advertisements to them. And any further use of personal data should only be possible on the basis of clear user consent.‘

The complaints submitted by “Europe v. Facebook”, which resulted in FB-I receiving in excess of 40,000 subject access requests and the Irish Commissioner receiving 600 access request complaints, have not yet been resolved. Commissioner Billy Hawkes said that while the audit aimed to encourage best practice, the office will establish, in relation to the complaints, whether FB-I has breached Irish DP law or not.

Recommendations were made in several key areas, including:

1. A mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to Third Party Apps
2. A broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved
3. Transparency and control for users via the provision of all personal data held on them on request and as part of their everyday interaction with the site
4. The deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than at present
5. Increased transparency and controls for the use of personal data for advertising purposes.

Facebook said in a statement:

“Facebook has committed to either implement, or to consider, other ‘best practice’ improvements recommended by the DP Commission, even in situations where our practices already comply with legal requirements. Meeting these commitments will require intense work over the next six months. We will be reviewing progress with the DP Commission and have agreed to a more formal follow-up review in July 2012.”

Read more about this topic in the February issue of PL&B International Report.