Updated: 11:11 am ET, Wednesday, December 21
It’s not just U.S. regulators that Facebook has spent the last part of 2011 worrying about: The world’s largest social network — which has European headquarters located in Dublin, Ireland — was also being audited by the Irish Data Protection Commissioner’s office from October to December and could have potentially faced a fine of up to 100,000 euros (about $130,000) if found guilty of violating European data law.
But now that the audit has concluded and the final, extremely detailed report was published on Wednesday by the Irish Data Protection Commissioner, it turns out Facebook has managed to avoid being fined by agreeing to make changes to its user privacy settings, privacy policies and targeted advertising, and to make further disclosures to users about its practices.
Furthermore, Facebook wasn’t found to be in violation of any specific European laws, although it could be in greater compliance with them.
The lengthy report and appendix detail a number of changes that Facebook has agreed to make to bring it into compliance with Irish data law, specifically the 1988 Data Protection Act, including allowing even non-users to request, and receive within 40 days, all data Facebook has collected about them, and “immediately” changing its policy of retaining ad-click data indefinitely to a 2-year retention policy, among numerous other changes.
In addition, Facebook has agreed to “phase in” controls for users “to delete friend requests, pokes, tags, posts and messages…on a per item basis.”
Deputy Commissioner Gary Davis, who led the conduct of the audit, said in a press release that “this Audit was the most comprehensive and detailed ever undertaken by our Office. We set ourselves a very ambitious target for completion and publication as both this Office and Facebook, felt it was important that the outcome be published and opened to public comment and scrutiny.”
Based on the extensive nuance of the report, one can easily get an overview of the changes that will be coming to Facebook in the first several quarters of next year.
Yet there was no mistaking Facebook’s glee at dodging yet another fine or serious regulatory reprisal. As Facebook posted in a note on the website:
“We are pleased that following three months of rigorous examination, the DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.”
Intriguingly, the final report also notes the regulatory heat Facebook has faced in the United States, namely from the Federal Trade Commission, which recently settled its own investigation with Facebook, forcing the social network to agree to regular privacy audits by a third-party organization for the next 20 years.
The Irish audit, by contrast, was undertaken based on a series of complaints filed by a law student who discovered that Facebook had been holding onto all of his deleted data — including chats, messages and “pokes,” among other activities on the website.
The Irish audit also notes that Facebook’s dealings with the FTC shouldn’t leave it off the hook in Europe. As the report notes: “There is however a remaining legitimate concern that products and features developed by engineers predominantly based in California and subjected to privacy reviews by legal teams outside Ireland will not be capable of fully understanding and complying with Irish and EU data protection requirements.”
The Irish Data Commissioner’s office held a press conference on the report beginning at 10 am ET. We’ll update with more information once that has concluded.
First update: In an unexpected move, “Europe v. Facebook,” an international advocacy organization critical of Facebook launched by Austrian student Max Schrems, who filed the original series of 22 complaints with the Irish Data Protection Commissioner’s office, released a statement supporting the DPC’s report and Facebook’s response.
“The results of the reports are vastly congruent with our complaints about Facebook’s breaches of European Data Protection,” the release from Europe v. Facebook reads.
“At first sight the report seems to be a first victory over Facebook’s ignorance towards Privacy Laws,” the group adds on its website.
The release from Europe v. Facebook also brushes off the fact that Facebook managed to avoid fines in this instance, saying the changes that it has agreed to, along with proposed EU laws, will be a much greater penalty for the company.
“Proposed stricter EU legislation will narrow the possibilities of the data mining industry and give the European users more rights. These limitations on data processing might harm Facebook much more than the possible fines in Ireland. They may substantially reduce Facebook’s business opportunities and therefore the companies’ earning and value, right before going public on the stock market.”
Second update: The presser concluded just before 11 am ET. Unfortunately, it was basically just a re-hash of the report. Two items of immediate interest did surface though:
Firstly, that the Irish Data Protection Commissioner’s office has been in touch with its counterparts throughout Europe and around the globe regarding the numerous complaints by users that Facebook hasn’t abided by country-specific privacy laws.
Specifically, members of the Irish DPC said during the press conference that the Irish DPC had “come to an agreement with Hamburg Data Protection Office,” which had reportedly been contemplating suing Facebook over facial recognition technology used in photo-tagging.
We’ve reached out to the Hamburg Data Protection Office in Germany on what, precisely, this agreement amounts to, and what impact it has on that office’s investigation of Facebook, and will update when we receive a response.
The second item worth mentioning from the press conference is more like a conspicuous omission: The fact that, although in attendance on the call, Facebook’s newly-installed privacy director Erin Egan didn’t have much to say whatsoever, as Kashmir Hill of Forbes reported.
Egan’s entire position within Facebook, Chief Privacy Officer, Policy, was created in order to satisfy the U.S. Federal Trade Commission, which settled its own privacy investigation into Facebook in late November.
There’s a certain irony to the fact that Egan has been tight-lipped since she came aboard, but it also underlines the fact that just because Facebook says it is making changes, doesn’t mean those changes will be necessarily evident from the get-go.
And when it comes to the actual changes to the website outlined by the Irish Data Protection Commissioner, we’ll have to wait and see.
Correction: This article originally stated that the Irish Data Protection office was scrutinizing Facebook under UK data protection law, when in fact, it was scrutinizing Facebook under Irish data protection law. The error has been corrected and we regret it.