Report of Data Protection Audit of Facebook

The Office of the Data Protection Commissioner (ODPC) has published the outcome of its three-month audit of the practices and policies of Facebook at its European headquarters in Ireland. Facebook Ireland took over responsibility for all users outside of the United States and Canada in September 2010. The report sets out recommendations for best practice for complying with EU data protection law. Facebook has also committed to implement or, in some cases, to consider positively, further specific “best practice” improvements recommended by the report. The ODPC expressly recognised the innovation and fast-moving pace of development at Facebook and acknowledged that it would take time to incorporate the necessary measures. It plans to review progress made by Facebook Ireland in relation to the recommendations in July 2012.

The ODPC instigated the audit after it received more than twenty complaints from an Austrian lobby group called Europe v Facebook (see our previous article). The audit has been described as the most detailed and comprehensive audit ever undertaken by the ODPC. It focused on two aspects of Facebook’s practices and policies:

  • The extent to which it provides users and non-users with appropriate controls over the sharing of their information with others and information on the use of such controls
  • The extent to which it uses personal data of users to advertise to them

The ODPC concluded that targeted advertising based on interests disclosed by users in their profile or through their use of the ‘Like’ button is legitimate as long as users are made fully aware, through transparent notices, that their information will be used in such a manner.

In addition, the report includes the following recommendations for best practice:

  • Provision of a mechanism for users to convey an informed choice about how their information will be used and shared on the site, including use in relation to third-party apps
  • Privacy policies should be more accessible and be in a prominent place. Simpler explanations of privacy policies should also be provided
  • Facebook should be transparent with users as to how they are targeted by advertisers
  • Information provided to users in relation to what happens to deleted or removed content should be improved
  • The current policy of retaining ad-click data indefinitely is unacceptable
  • Enhance the ability of users to control tagging and posting on other user profiles
  • Enhance the ability of users to control their addition to groups by friends
  • Additional steps should be implemented to ensure the consent collected from users in relation to the ‘Tag Suggest’ (face recognition) feature can be relied upon

The ODPC advises that this report is the first significant step on the road to placing Facebook at the forefront of the technology sector in meeting users’ legitimate privacy expectations as to how their personal data will be handled and empowering them to make informed choices when sharing that information on the site.

Contributed by David Cullen.