The Irish Data Protection Commission has issued social networking giant Facebook with a series of recommendations for improving its data handling processes.
In a report published this afternoon, the watchdog made a total of 41 recommendations. Among other measures, the US company should make its privacy policy clearer and more prominent; it should allow users to delete more actions associated with their profile, and it should delete personal data when the purpose it was collected for has ceased, the DPA advised.
Facebook has agreed to implement or examine all 41 recommendations by the middle of next year. It will undertake two of the recommendations – reducing the amount of time it retains ad-click data to two years and anonymising data collected from social plugins within 10 days – with immediate effect.
The DPC investigated Facebook, whose European headquarters are based in Dublin, after an Austrian law student filed an official complaint about the US company’s data protection practices. Max Schrems had issued the social networking giant with a subject access request demanding all the data that it held on him, as mandated by the EU Data Protection Directive.
Schrems alleged that his subject access request revealed a number of data protection abuses, including the retention of ‘shadow profiles’ of individuals that are not members of the social network. The Irish DPC found that the data Facebook holds on non-members is only used to allow new members to invite their friends to join the network, and that they have the option of deleting this data.
Ireland’s data protection commissioner Billy Hawkes observed that Facebook could only be found to have breached Irish data protection laws if it had refused to implement the DPC’s recommendations. "It will be unlikely that Facebook will be found to have broken any laws if it fully complies with our recommendations," he said.
Campaign group Europe vs Facebook said that the DPC’s recommendations may impair Facebook’s ability to do business.
"Facebook’s business model is based on heavy processing and exploitation of personal data," the group said in a statement. "Following the report by the Irish DPC, this business model could consequently be severely limited within the EU."
Facebook firmly denies this, however. "There is no substance to the assertion made by Europe v Facebook which runs entirely counter to the acceptance of Facebook’s advertising model in the report," a spokesperson said.