Facebook pledges improved privacy policy after audit


FACEBOOK WILL tighten privacy settings and alter its policies on the retention and deletion of user data, following a detailed report by the Irish Data Protection Commissioner’s office.

In a report published yesterday, the Irish data commissioner said indefinite retention of users’ “ad click” by Facebook was “completely unacceptable”.

Facebook agreed the data, relating to adverts users clicked on, will now be deleted within two years.

The report also recommended changes to privacy policy surrounding third-party “apps”.

However, the commissioner found no evidence to suggest Facebook had built up so-called shadow profiles, the alleged practice of collection of data on non-members. The office said while data is collected about non-users for security purposes, Facebook does not otherwise use this data.

The report criticised Facebook for the way it implemented its facial-recognition feature. In response Facebook said it would alert users in January that they could opt out of facial recognition.

The site has also committed to make progress by mid-2012 on deletion of information such as friend requests, “pokes” and photo “tags”, over which users currently have limited control.

As Facebook’s European headquarters is located in Dublin, the commissioner has jurisdiction over the social network’s users outside the US and Canada, meaning the implications of yesterday’s report will affect more than 600 million users worldwide.

Facebook will make significant changes to its privacy policy, due to be undertaken in the next six months, as a result of the report, which recommended it make a number of “best practice” changes to its privacy policies.

The commissioner found that in order to fully understand the use of their information, the user has to read Facebook’s full privacy policy, statement of rights and responsibilities, and advertising policy, among other information.

“It is clearly impractical to expect the average user, never mind a 13-year-old joining the site for the first time, to digest and understand this information and make informed choices,” the report said.

It recommended Facebook move towards simpler explanations of its privacy policies.

In relation to the targeted advertising of users, the data commissioner found that advertisements based on interests disclosed by users was legitimate and formed part of the “basic ‘deal’ entered” into by the user when joining.

However, it said there were limits as to the extent to which a user’s personal data may be used for targeted advertising and said users needed to be made fully aware their personal data would be used for targeted ads.

Richard Allen, Facebook’s director of policy in Europe, said the audit and report by the Irish Data Protection Commissioner’s office demonstrated the social network’s alignment to Irish and European data protection law, adding the report displaced “some of the myths” about the site.

Max Schrems, an Austrian student who initiated the Europe vs Facebook campaign, which lodged 22 complaints with the data commissioner’s office, said the group was “generally happy” with the report’s findings, but said it was the first step in a longer process.

Data commissioner Billy Hawkes said Facebook had fully co-operated with the audit, adding it was “unlikely” to come into conflict with Irish and European data protection law if it abided by the recommendations made in the report.

Last month the US Federal Trade Commission barred Facebook from making “deceptive privacy claims” after it found the site had deceived consumers by telling them they could keep their information private before “repeatedly allowing it to be shared and made public”.