Facebook will delete all facial recognition data it stores about its European users, going beyond recommendations of the Irish data protection authority, the agency said today.
Facebook has complied with most, but not all, of the recommendations that the agency made last year, the Irish Data Protection Commissioner (DPC) said in a new audit report detailing its review of Facebook's policy changes since the first audit in December 2011.
With regard to a feature that uses facial recognition to suggest people to tag in users' photographs, Facebook has gone beyond the initial recommendations at the request of the Irish data authority to accommodate views of other data protection authorities in Europe, said deputy commissioner Gary Davis.
This feature has already been turned off for new users in the EU and templates for existing users will be deleted by October 15, the DPC said. "This resets the clock for facial recognition in Europe," Davis said. Facebook needed "a bit of convincing" to agree to delete the template, he said. "But in the end Facebook saw the benefit on moving on the issue," he said.
The news upended a decision announced Friday by the Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar. While earlier in the day he said that he would start proceedings against Facebook over the storage of facial recognition data, he subsequently said there was no longer an issue if Facebook deletes the data. "We are happy that the Irish Data Protection Commissioner could achieve this," Caspar said, adding that this is more than what he asked for.
A new audit showed that "most of the recommendations have been fully implemented to our full satisfaction," wrote Davis in the report.
There is better transparency for the user, better control over user settings and an enhanced ability for users to delete data and clear retention periods for deleted personal data, according to Davis. There are also improvements to users' rights to have ready access to their personal data and the capacity of Facebook to ensure rigorous assessment of compliance with Irish and EU data protection requirements, he said.
In some areas, however, full compliance has not yet been achieved but is planned by a deadline four weeks out, he wrote. Action is needed on user education, the deletion of data shared with third-party sites and fully verified account deletion, Davis added. Facebook still needs to be monitored going forward, especially since the social network is constantly adding features to its service, he said.
If Facebook does not comply with the demands within four weeks, the social network could face a fine of up to €100,000 (£80,000), said Davis. But he did not expect that regulatory proceedings were necessary since Facebook has been cooperative. "We are confident Facebook will comply," he said.
Facebook will not be monitored as intensely as it has been in the last couple of months, he said. The monitoring will "depend on the pace Facebook sets" with adding new features, he said.
The Irish data protection authority released a critical privacy audit of Facebook in December 2011 and the agency had more then a dozen recommendations for how Facebook could change its policies and improve its privacy protections. If Facebook complied with the recommendations, chances were small that the social network would be found to infringe on Irish privacy laws, the data protection commissioner said at the time.
Shortly after the audit, Facebook said it planned to change the way it retained data and revamp privacy controls to comply with the Irish recommendations. Last April Facebook added to its data download tool log-in and log out information, unconfirmed friendship requests and information about pokes, among other categories requested by the authority.
Facebook is required to provide users with personal data it holds about them on request under European Law. A recent check of the data stored by the social network revealed that Facebook does not disclose everything it stores upon a users' request and gave insight in the way it targets its users with advertising.
The Irish DPC said that as with the earlier audit report, the re-audit "does not involve formal decisions by the Office on the complaints it had received" about Facebook. But it could be expected that some issues have been dealt with and the DPC will address outstanding complaints separately.
"This audit is part of an ongoing process of oversight, and we are pleased that, as the Data Protection Commissioner said, the latest announcement is confirmation that we are not only compliant with European data protection law but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance, Facebook said.