Facebook faces up to the data commissioner

The Irish regulator’s prompt report called for improvements, but wasn’t overly critical

LAST YEAR, the Irish office of the Data Protection Commissioner faced its biggest challenge when it was tasked with assessing whether various practices of social media mammoth Facebook complied with European and Irish data protection and privacy laws.

The job fell to Ireland’s modest office because Facebook, which has about 800 million members, has its European headquarters here, with responsibility for Facebook operations, content and compliance outside North America.

Given Facebook Ireland’s operational significance, the Data Protection Commissioner had already notified the company at the start of 2011 that it intended to conduct a general audit on its Irish data protection policies.

But a body of complaints, most significantly 22 filed with the Irish commissioner by an organisation called Europe v Facebook, set up by an Austrian law student at the University of Vienna, pushed the commissioner’s office to integrate an additional investigation alongside the audit.

With Facebook in the news regularly over privacy and data management issues, such an investigation was always going to receive significant international scrutiny. Sure enough, when the 149-page report was finally published just days before Christmas, more than 500 articles, blog posts and analysis pieces appeared worldwide.

Commissioner Billy Hawkes had promised prompt assessment and analysis of the complaints and swift publication of a report, and such was the case, despite the small size of his office. The full project was completed in less than four months, though the final result almost certainly – and unfortunately – elicited less broad discussion than it would have had it not come out days before a major holiday.

Scrutinising the report, it doesn’t seem that haste made for an inadequate assessment, though perhaps the assessment isn’t quite what some would have expected. Overall, the commissioner found that Facebook was in general compliance with data protection laws, so there was no hellfire and brimstone in the report – a disappointment for those who were hoping to hear the sound of resounding slaps and accompanying penalties.

Each of the 22 complaints is probed and a detailed response given. Wisely, the commissioner brought in a technologist from UCD to assess the technical functions and impact of various practices that can be, to put it neutrally, opaque. The end result is a list of a dozen major improvements the commissioner wants to see, with a review of progress planned for July.

The 12 areas deal with several of the concerns many users and privacy advocates have had with the social networking site – such as how long data is retained even after being deleted by a user, how much control a user has over their own data, how clearly privacy features and data retention practices are highlighted to users, and the extent to which data is provided to advertisers and in what contexts, and with what degree of transparency to the user.

Facebook, for its part, has agreed to the privacy changes, at least for users in Ireland and the EU. It said it may or may not implement some or all of the recommendations in other parts of the world.

Do the recommendations constitute significant improvements in how Facebook manages data and protects privacy? Do they have any real bite? And do they imply any real criticism of how Facebook does business?

To some degree, the answer must be yes, but real impact is hard to assess.

International media reports had it all ways, indicating the result was in no way obvious. The Wall Street Journal’s All Things D tech news site said the commissioner gave Facebook “a passing grade”, while an online industry publication headlined its story, “Facebook gets ‘liked’ by the Irish Data Protection Commissioner”. ComputerWorld UK saw it quite differently: “Facebook slammed in Irish data protection audit.”

So which was it – and can we ever know? Probably not. What is clear is that Facebook has been asked to alter practices that have been criticised internationally and that many have long wanted to see addressed.

Hawkes said he told Facebook that, if it did so, it would be unlikely to fall foul of Irish, and hence European, data protection laws.

Nonetheless, one legitimate concern is the degree to which Facebook worked with the commissioner on the assessment and report. Unlike other investigations undertaken by the office, the results of the audit and investigation were announced in a joint press release and joint press conference.

The report indicates that, at all times, Facebook was involved in working with the office to produce the report. There have been media reports that there was much negotiating about the terms and language of the agreement until close to publication. This can be viewed two ways. One side would argue for more rigorous separation between investigator and investigated. The other would credit Facebook for its willingness to open its doors, allow scrutiny, and work towards meeting any concerns.

Personally, I think it commendable that Facebook was open and co-operative in working with the commissioner’s office, and good that the Data Protection Commissioner was able to get inside, establish a working relationship, and get its hands dirty with Facebook’s technology and functions.

But I think it is wrong to have issued a joint press release and held a joint conference, which had overtones of cosiness and comfort that one hopes were misleading but made the two organisations seem more like dancing than sparring partners.

A few weeks before the Irish report, the US Federal Trade Commission (FTC) had already required Facebook to make major privacy improvements and many will argue that these will have longer-term significance.

Nonetheless, the commissioner’s office carried off this major and unprecedented challenge with commendable speed and focus, and produced a list of spot-on recommendations that will benefit all European Facebook users in a brave new era of social networking. Kudos for that.