
After an audit that lasted three months, the Office of the Irish Data Protection Commissioner (DPC) delivered its findings late last month. As a result, Facebook will have to clarify its policies on privacy protection.
According to the DPC, the company must implement “a broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved.” In other words, Facebook will have to do a better job of explaining what happens to the personal data of its users, and enable those users to have more control over their data.
In 2008, the Palo Alto company established its international headquarters in Dublin, largely to take advantage of attractive financial conditions offered by the Irish government of the day. But in so doing, Facebook was obliged to submit to Irish and European laws.
Facebook will have to make changes to its site before July for its roughly 500 million non-US-based subscribers. According to the DPC’s Paula Nerney, Mark Zuckerberg’s social network is playing along:
[Facebook] is committed to respecting the privacy of users (…) Facebook has fully cooperated throughout the audit; we have sent them a list of recommendations, and we will return in July to carry out a new audit. In the meantime, we will be following with interest the actions of Facebook Ireland, to ensure that the company will meet the deadlines that we have imposed on them.
Facebook have publicly welcomed the results of the audit. Anne-Sophie Bordry, Facebook’s director of public affairs for France and Southern Europe:
The audit shows that we are in fact open to discussions. We have opened our doors to show that we have nothing to hide. We have laid out everything in relation to the operation of the Facebook platform, and we will work hand in hand with the DPC. We have an opportunity to defuse some worries, to explain what it is we do with the data. We are very content.

So Facebook are feeling pretty relaxed then. The company has, however, some work ahead of it. First they will have to make their privacy settings simpler and clearer. In its report, the DPC requests that Facebook further simplify the settings that allow users to control what is public or private. “When you go into the privacy management settings, it is already quite clear. It’s laid out in pictures,” says Anne-Sophie Bordry. “The DPC…agrees. You can preview your profile, modify the settings, test them out. It’s already great, but we’re going to improve the tool and make it clearer,” she adds.
No hard details are available for the moment, but Michelle Gilbert, communications director of Facebook France, assured OWNI that “our engineers are working on the topic”. She adds:
The DPC conducted its audit before the release of Timeline, the new version of the Facebook profile. Now users have much greater choice, they can manage what is visible to others more easily. But we can always improve. We will make it easier to manage these aspects.
Another area for improvement highlighted by the DPC: transparency regarding collected data. A series of complaints have been made about Facebook in this area, including those of Max Schrems. The Austrian student, founder of the group ‘Europe Against Facebook’, demanded all of his personal data from Facebook under EU Directive 95/46/EC.
Michelle Gilbert of Facebook France makes light of the request:
Max has succeeded very well in getting attention, but he has accused us of quite a few things that we have not done. The audit has proved that. His complaints reflect the many fantasies associated with Facebook. The DPC agrees that “ghost profiles”, that is non-registered profiles that we would create, do not exist…Nor do we track people. Facebook is a host: we store the content, but we don’t look at it.

The DPC’s Paula Nerney found that Facebook’s use of the personal information of its members was legitimate, in order to “establish a sustainable economic model” for the site. The DPC does not call into question the use of information such as age, sex, relationship status or the location of the user, for advertisers looking for highly targeted ads. But “it is up to Facebook to communicate better about their use of data”. Anne-Sophie Bordry is insistent about the social network’s “advertising model”:
We are not a marketing agency. Profile data goes into an aggregator of anonymized data, and is never sold. We do not rent out data; Facebook itself uses the data to optimize ads for advertisers. But everything remains within Facebook. Similarly, as confirmed by the DPC, no information is collected that is not associated with the user.
The same goes for the data collected when a user clicks the “Like” button, which allows Facebook to know users’ browsing habits. Data, such as profile information, “goes back to the anonymous aggregator that we use, and ends up being deleted quickly.” The DPC has nevertheless asked Facebook to anonymize the data more quickly, within 90 days, and then to delete it. Facebook has previously not always respected that deadline. Anne-Sophie Bordry:
Although our system is already adequate, the DPC has asked us to delete the data faster. We will do what it takes to shorten the delay. But we insist: Facebook does not use data received from this area for profiling or targeted advertising.
In its audit, the DPC notes that upon registration the user acknowledges and accepts Facebook’s use of data. After the account is verified, anyone who wants information on the use of personal data, whether registered or not, must go into the terms of use, visible at the bottom of each page in small print.
Facebook must “make an effort to make these terms of use more visible,” says Billy Hawkes, the Irish Commissioner for Data Protection. Similarly, a greater effort must be made to make the facial recognition technology, used by Facebook to automatically identify a user in a photograph, more transparent. “Internet users are not sufficiently informed about the issues surrounding this function,” criticises the DPC. In response, Facebook has committed to simplifying the procedure to refuse automatic identification. “Today the user has only two choices, to opt out of facial recognition or accept it. We will try to refine the system. All this is under discussion,” said Michelle Gilbert of Facebook France.
Meanwhile ‘Europe Against Facebook’ have criticised the handling of the audit:
The DPC’s report was written in cooperation with Facebook. Therefore it cannot be considered fully independent …
Before the IPO
For Facebook, this report appears to be a godsend, an opportunity to refine its communications at a crucial turning point. The social network is expected to generate over $4 billion (€3.1 billion) in revenue this year. Next spring, the company is likely to go public, which is speculated to increase its value to anything up to $100 billion. That’s an event that Facebook does not want tarnished by any new criticism. Michelle Gilbert:
Our users need to feel reassured. If they don’t trust us, Facebook will go out of business. That’s why we will make sure to have things in order by July. We must do away with the fantasies surrounding Facebook.

At the DPC, Paula Nerney warns that “nothing is off the table for Facebook.” In July, the new audit will be performed.
Our recommendations go in the direction of “best practice” rather than mere compliance with the law. If Facebook implements our recommendations, the company will be in accordance with Irish law. But if they do not, we have significant means of coercion available to us, which we will not hesitate to use. Given the cooperation shown by Facebook, we would be disappointed if we were forced to use such means …
If Facebook does not implement the necessary changes, the company “may be prosecuted”, according to the DPC. It’s unlikely Facebook would be quite so relaxed if that were to be the outcome.
Image Credits: Flickr CC Tsevis, ArnoKath, Sean McEntee and boltron

