Facebook plans to change how it retains data and revamp some privacy controls following the release of a highly critical audit from Ireland's data protection authority.
The agency had more than a dozen recommendations for how Facebook can improve privacy protections and data-handling practices.
Ireland's Data Protection Commissioner, Billy Hawkes, said if Facebook follows the recommendations, it is unlikely that the social-networking site would be found in violation of Irish data protection laws, which are based on European Union laws.
Facebook has agreed to the recommendations, and a review on the company's progress is scheduled for next July. Facebook said it would make the changes even in instances where it believes existing practices are in legal compliance.
"Meeting these commitments will require intense work over the next six months," Facebook said in a statement published on its blog.
Facebook said some of the changes will be implemented worldwide, while others will only be visible to European users or to users in areas with local laws that the company is seeking to comply. Facebook Ireland operations have a contractual obligation only to users outside the US and Canada.
Last month, Facebook agreed to implement a comprehensive privacy programme after the US Federal Trade Commission found it made deceptive claims over how it shared people's personal data.
Whether the extensive Irish audit forces Facebook to implement better privacy practices in the long term will depend on whether the company makes the changes in "spirit rather than just in the letter," said Kathryn Wynn, a data protection expert with the law firm Pinsent Masons.
"Regulators will find it difficult to keep up with the innovative nature of Facebook developments, so it is possible that Facebook could use technological workarounds in order to overcome changes the ODPC [Office of the Data Protection Commissioner] has called for," she said.
The Irish audit covers many of the issues raised in more than 180 complaints on data retention and disclosure filed with the DPC, although those complaints did not specifically trigger the audit. The results of the audit will be communicated to the complainants, Hawkes said.
Twenty-two of those complaints were filed by Europe v. Facebook, a group run by Max Schrems, a law student at the University of Vienna. The group contends -- among many other complaints -- that Facebook does not disclose all of the data it holds on users on request, which it and other data controllers are required to do under EU law.
In a press release, Europe v. Facebook wrote that Facebook's business model, which revolves around the heavy processing of personal data, could face limitations following the Irish audit. The group was also leery of the close work between the DPC and Facebook.
"The report was written in cooperation with Facebook and can therefore not be seen as fully independent," Europe v. Facebook said. "Within the last days there were very extended negotiations between the DPC and Facebook to reach an agreement on the text."
As part of the audit, Facebook has agreed to add new user data to the download tool it provides to let users see the data it holds. The download tool, however, at present downloads information from a person's profile.
Facebook's new timeline feature combined with other data such as a user's activity log will "present a more comprehensive set of access controls" for users to see their data than other comparable services, said Richard Allan, Facebook's director of policy for Europe.
Facebook has also agreed to changes around the use of its "Like," button, a widely used social plug-in used to share content from external websites on Facebook profiles.
Much controversy has surrounded what data the Like button collects and how it is used. The button collects IP addresses for users who are not even members of Facebook, reporting the key identifier back to the company. It will also do that for people who are Facebook members but are logged out of the service.
As a result of the audit, Facebook said it will now remove the last octet of an IP addresses it logs from a social plug-in within 10 days. For all users, whether logged in or logged out or not even a member, Facebook said it will delete its logs collected by a social plug-in after 90 days.
Ireland's DPC found that Facebook does not use information collected by the Like button for targeted advertising.
The DPC did rebuke Facebook over its facial recognition feature, which stores biometric information on users' faces in order to enable an automatic photo tagging feature.
The DPC said Facebook "should have handled the implementation of this feature in a more appropriate manner." Facebook has agreed to quickly change how it is presented by the end of the first week in January. Facebook will notify users a total of three times about the feature.
"We think that’s a very reasonable approach by Facebook on that issue," said Gary Davis, deputy data protection commissioner for Ireland, during a conference call.
The DPC said it confirmed that if a person that does not want to use the feature -- called "tag suggestions" -- their facial profile data will be deleted.
The complete report is available on the DPC website.