The serious side to having internet firms based here

NET RESULTS: Expect the Irish data protection office to have to carry out more audits like its current one on privacy on Facebook

NEWS LAST week that the office of the Irish Data Protection Commissioner would be tasked with conducting a privacy audit of Facebook, to consider whether some of its practices go beyond what is allowable under European privacy legislation, rapidly drew global interest.

Quite rightly, the story was picked up by media across the world. The issues outlined in some of the 22 individual complaints made by an Austrian group called Europe versus Facebook, which form the context of the audit, have been controversial, and many privacy advocates had predicted either a court or regulator challenge was coming.

As Europeans have greater privacy protections on how their personal data is used by organisations, Europe was always likely to be an eventual flashpoint for an investigation.

But it isn’t just a European concern. Some similar complaints were filed in the US at the end of September with the Federal Trade Commission by major privacy advocate groups and others alarmed by new applications that enable what Facebook calls “frictionless sharing” of members’ entertainment interests, generating personal data that could be incorporated into advertising campaigns.

The ability of Facebook to track user activity elsewhere on the web through cookies, even after they have logged off their Facebook account, was also raised in the complaint.

The Irish investigation will scrutinise the Austrian group’s concerns and will attempt to clarify whether certain practices are happening or not. If they are happening, it will consider whether they violate European data privacy protections.

This is a critical point for the giant social networking site. Facebook has had a turbulent relationship, not just with privacy advocates, but with ordinary users exasperated at learning some of the ways in which their information is used.

Users have been particularly outspoken on an earlier ill-fated attempt to use personal data for advertising campaigns, called Beacon.

The company has also been pushed to reconsider and restructure ways in which users can manage their profiles and privacy settings.

Ironically, some of the current complaints are the result of Facebook’s most recent round of supposedly pro-privacy changes to the site, which critics say often make it harder rather than easier to manage personal privacy settings or to know what the company is doing with personal information.

Not all users are bothered by the elements that concern privacy advocates. Some have argued that a social network is just that – social – and that users need to accept that, if they are going to post up information about themselves online, they might as well give up any claim to privacy.

I don’t buy that. These formal complaints are not concerned with the fact that people, often naively – or stupidly – share details and forget how many people might see it. Instead, the complaints pinpoint practices about which users may not be adequately informed, if they are told at all.

The Data Protection Commissioner’s office will need to decide where the balance lies between the fact that a social network is predicated on the notion that people choose to share personal information, and a reasonable expectation of how that information could be used and whether the way in which information is gathered, held and potentially re-used by Facebook meets data protection requirements for European users of the site.

They are all very big issues with potentially a very big impact on a popular, breathtakingly enormous service that boasts 800 million users worldwide.

Deciding on such issues has fallen to the relatively small Irish Data Protection Commissioner’s office because Facebook’s European headquarters is in Ireland – where it is also seen as a choice member of the foreign direct investment (FDI) community and a valued employer.

Like many of our international technology companies – companies that have been pivotal, according to the Central Statistics Office, in driving a return to growth in the Irish economy – Facebook was intensely wooed by the agencies and government before deciding to base here.

Government ministers are rightly proud of Ireland’s success in attracting such companies. Current strategy is to push to make Ireland a European centre for internet, games, mobile content and social media companies. This is where policymakers, rightly, see future economic growth for the state.

But the Facebook audit signals a serious and previously overlooked aspect of having such companies here. Most of them do business in an area that, potentially, has major data protection and data privacy issues, mostly untested and untried, many not yet even realised in this cutting edge area.

Similar privacy questions are likely to surface over time. And when they do, it will again fall to the Irish Data Protection Commissioner to adjudicate on privacy concerns that may require time and labour-intensive, internationally-significant investigations – as with Facebook.

If the Government wants such companies here, it must give consideration to this issue and properly resource and staff the commissioner’s office to make sure all audits are thorough, comprehensive and considered and can bear up to international scrutiny – especially if Ireland is to be seen as a fair and reasonable regulatory environment for FDI.

And not least, because the office also has domestic issues to consider and resolve, and the number of complaints the office has received has continued to rise over time, Irish privacy issues should not be subordinated to European responsibilities.