On 21 September 2012, the Data Protection Commissioner ("DPC") published his second audit report on Facebook Ireland following on from the initial detailed audit report that was published in December 2011. In total, the reports stretch to over 300 pages. So what have we learned?
First Report – December 2011
In December 2011, the DPC published his initial comprehensive audit report on Facebook. The audit was triggered by specific complaints raised by the "Europe-v-Facebook" group, the Norwegian Consumer Council and others. The job fell to the DPC due to the fact that Facebook's non-US operations are headquartered in Ireland. Under Section 10(1)(b) of the Data Protection Acts 1988 and 2003 ("DPAs"), the DPC is obliged to investigate all complaints, unless they are frivolous or vexations, and to seek to resolve them in the first instance through amicable resolution.
Second Report – September 2012
The Second Report was the product of the follow-up audit which had been pre-planned as a means of assessing progress made in respect of the implementation of the recommendations in the first report. As with the first audit, the DPC focused on the complaints it was investigating under Section 10 of the DPAs while it also liaised with the Data Protection Supervisory Authorities in other EU Member States to address specific concerns raised by them.
Lesson 1 – Ireland is a Focal Point for Data Protection Regulation
As with the First Report, the Second Report attracted global media attention with detailed commentary and analysis appearing instantly, including in the New York Times and the Financial Times. Given Ireland's positioning as a hub for data centres and "big data" operator, the integrity and credibility of the reports was important. In this regard, while opinions will differ in relation to the pros and cons of the audit report recommendations, the DPC's office is to be commended in producing two comprehensive reports in what must have been trying circumstances.
The broad message from the reports was a positive one in that the DPC's office will work constructively with those on the cutting edge of data while at the same time cooperating with our European partners to ensure that genuine privacy concerns are addressed. This is a strong and powerful message to those with existing or potential data operations in Ireland.
Lesson 2 – Transparency is in the eye of the Beholder
In keeping with the overarching principle of "fair processing", the DPC has also convinced Facebook to provide users with more information so as to enable them to make more informed choices "inline" or "just in time" before any use of their data commences. The adoption of a "welcome dashboard" with enhanced privacy settings will also empower users to adjust their settings to suit their specific preferences at any time.
It would be interesting to know what percentage of Facebook users actually link through to existing privacy policies and/or change their default privacy settings. Presumably the vast majority of Facebookers will continue to enjoy the benefits of the service without worrying unduly about adjusting their data protection settings, even if they are only vaguely aware that their data is being commercially exploited in the background. However, for the increasing number of new and existing Facebookers who are anxious to guard their privacy, the additional transparency measures will be welcomed.
Lesson 3 – There is a shift towards empowering the Customer
The move towards increased transparency is consistent with a shift that is starting to emerge globally. In recent years, many large online operators have realised that hiding away their privacy policies and disguising their data management practices is not a strategy that will ultimately cut the mustard with regulators, nor will it alleviate the concerns of individual customers and privacy advocates. However, there is a disconnect between the ever increasing complexity behind the uses of personal data online (e.g. behavioural advertising, social plug-ins/cookies etc) and providing individuals with simple and clear choices to manage their preferred privacy standards.
In some cases, an "ideal" privacy option (as viewed by a privacy regulator) will either eliminate the commerciality of the underlying product and/or severely reduce performance for the user. For companies such as Facebook who are reliant on the commercial application of customised advertising content to turn a profit, this is set to be a perpetual challenge. For consumers, the challenge will be understanding the cause and effect of exercising whatever privacy options are made available to them. In any event, "Privacy Dashboards", such as those already in use by Google, are likely to become all the more familiar to Internet users as a replacement to the bewildering number of privacy-related FAQs which users currently face when they seek to understand or adjust their privacy settings.
Lesson 4 – Facial Recognition is a Red Flag Issue
Facebook's 1 billion users upload 300 million images a day. While that does not in itself present a data protection "no no", the photo tagging feature introduced by Facebook overstepped the mark. The DPC determined that there was no compelling case as to why Facebook members cannot exercise their right to prevent their image being tagged, notwithstanding the potential loss of control and prior notification that may come with that choice. Interestingly, this appears to have been an issue where the DPC felt that Facebook had gone further than was strictly necessary under Irish law. The Second Report notes that the feature has been removed to assuage the concerns of supervisory authorities in other jurisdictions. Perhaps there is a hint here that the DPC in Ireland was less exercised about the issue than his colleagues elsewhere. In any event, Facebook has disabled the feature for now. Given the technological developments that are ongoing in the area of biometrics and facial recognition, this is likely to be an issue that will emerge again.
Lesson 5 – The Right to be Erased
The DPC has insisted upon "fully verified" account deletion at the end of the customer life cycle. In addition, Facebook has been required to improve the information provided to users in relation to what happens to deleted or removed content (e.g. friend requests, received pokes, removed groups and tags, deleted posts etc). Users should also be able to delete friend requests, pokes, tags, posts and messages and "so far as is reasonably possible delete on a per item basis". These recommendations reflect the underlying data protection principle not to retain personal data for longer than necessary, a very challenging principle for a company of Facebook's scale. However, it is interesting to note that the DPC acknowledges the practical challenges associated with removing data and this provides Facebook with an ability to implement changes without necessarily restructuring huge parts of its service.
Lesson 6 - Privacy by Design is here already
Judging by the audit reports, the proposed introduction of "Privacy by Design" under the new Regulation is here already. The DPC has agreed with Facebook that Facebook will put in place a more comprehensive mechanism, "resourced as appropriate", for ensuring that the introduction of new products or uses of user data take full account of Irish data protection law. In so doing, Facebook has agreed that it will consult with the DPC during the process of improving and enhancing existing initiatives prior to their implementation.
While the recommendations and findings will not please anyone, the DPC audits were robust. They have produced a large volume of guidance material to illustrate how the DPC and the broader EU Data Protection Supervisory Authorities view the application of the current Data Protection Directive in the particularly difficult context of social networks.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.