A blog on why norms matter online

Thursday, December 22, 2011

Improving Facebook: The 10 Most Important Conclusions of the Irish Data Protection Commissioner's Report

Does Facebook violate the privacy of its users? 

Yes, some of their policies do, says the Irish Data Protection Commissioner, who, on 21 December 2012, published the outcome of his audit of Facebook Ireland (which manages data for all European Facebook users). 

From the 150 page report, here's what I consider the 10 most important conclusions: 
  1. Facebook's privacy policies need to be made more simple.
  2. Users need to be provided with more information as to why they are targeted by certain advertisers.
  3. The current policy of retaining ad-click data indefinitely is unacceptable; Facebook agreed to move to a 2-year-retention period immediately.
  4. Facebook employees have too much access to user data; Facebook agreed to implement a new access provisioning tool.
  5. Deleting a friend request (or a poke) must mean it is permanently deleted and not stored.
  6. If a user wishes to irrevocably delete their account, the account and all data have to be deleted completely within 40 days of receipt of the request.
  7. Personal data collected by Facebook must be deleted when the purpose for which it was collected has ceased.
  8. When law enforcement authorities make requests for user data, these should be validated by a designated officer of a senior rank.
  9. There is sufficient justification, including child protection, to allow Facebook's policy of refusing pseudonymous access to its services to stand.
  10. The means in place for users and non-users to report abuse are "appropriate and accessible".

But why the audit in the first place? The audit was held in reaction to complaints lodged with the Commissioner by a group around Max Schrems, a Vienna University law student (and they say that law students only look to make partner fast).

In a press release, Commissioner Billy Hawkes underlined that it was a "challenging engagement" and the "most comprehensive and detailed ever undertaken by our Office" and lauded the cooperative spirit of Facebook.

Both the report and the appendices are a treasure trove of information on the policies and practices of Facebook. They make for very interesting reading and will be the topic of this blog in the weeks to come.

In a first statement, Richard Allan, Director of Public Policy, Facebook EMEA, expressed his content at the engagement with the Commissioner, even though the conclusions have identified violations. On his website, Max Schrems criticizes Facebook for downplaying the negative aspects and requested further changes of policies, but concludes on a positive, if ironic note: "can it be true: data protection experts and Facebook are both happy?" (my translation).

In retrospect, users shouldn't be too happy though, because the recommendations (on pp. 5 et seq. of the report) make for troubling reading. The Data Protection Commissioner, inter alia, finds and/or recommends

  • that Facebook must work towards simpler explanations of its privacy policies, easier accessibility and prominence of these policies during registration and subsequently enhanced ability for users to make their own informed choices based on the available information;
  • that Facebook must be transparent with users as to how they are targeted by advertisers;
  • that Facebook should improve user knowledge of the ability to block or control ads that they do not wish to see again;
  • that the current policy of retaining ad-click data indefinitely is unacceptable (Facebook agreed to move to a 2-year-retention period immediately);
  • that data on users or non-users must be provided upon access request within 40 days;
  • that users should be provided with an ability to delete friend requests, pokes, tags, posts and messages, and, in so far as is reasonably possible, be able to delete on a per-item basis;
  • that personal data collected must be deleted when the purpose for which it was collected has ceased;
  • that no use is made of data collected via the loading of Facebook social plug-ins on websites for profiling purposes of either users or non-users (a point on which the Commissioner is satisfied that this is currently the case);
  • that the current Single Point of Contact arrangements with law enforcement authorities when making requests for user data should be further strengthened by a requirement for all such requests to be signed-off or validated by a designated officer of a senior rank and for this to be recordable in the request;
  • that more tools should be in place for ensuring that staff were authorised to only access user data on a strictly necessary basis; and
  • that there must be a robust process in place to irrevocably delete user accounts and data upon request within 40 days of receipt of the request.

Importantly, the Commissioner also concluded that Facebook "has advanced sufficient justification for child protection and other reasons for their policy of refusing pseudonymous access to its services" and that the site has "appropriate and accessible means in place for users and non-users to report abuse on the site."

While generally agreeable, Facebook's reaction to most of these findings and recommendations was future-oriented: they will phase in changes by the end of Q1 2012, they "have committed to showing demonstrable progress" ... It is up to the Commissioner's review to make sure that these targets are met. Ideally, an interim review and constant supervision would ensure that the social network is on track.

It will be interesting to see how the changes will be implemented in the day-to-day management of the network and how Facebook will communicate them. 

The affair isn't over, though. In July 2012, a formal review will take place in which the Irish Data Protection Commissioner will assess Facebook's efforts over the next six months. It's also up to the users to make sure that the social network meets its obligations.

Kudos to Max Schrems and his team - they did what states should have done a long time ago: stand up for the rights of social network users.

At the same time the engagement by Facebook and the Data Protection Commissioner is an interesting development in the emergence of a human rights protection framework within Internet Governance. 

By the way: If you're interested in Facebook, Google and what challenges the Internet brings for human rights, consider coming to Graz on 12 January 2012, where the latest edition of the Austrian journal on law and politics, juridikum, will be presented.

All in all, there's only one thing left to be said on the report. 
