Facebook plans to change how it retains data and revamp some privacy controls following the release of a critical audit from the Office of the Data Protection Commissioner (DPC).
Data protection commissioner Billy Hawkes said if Facebook follows the recommendations it is unlikely that the social networking site would be found in violation of data protection laws.
The agency had more than a dozen recommendations for how Facebook can improve privacy protections and data-handling practices.
Facebook has agreed to the recommendations, and a review on the company's progress is scheduled for next July. Facebook said it would make the changes even in instances where it believes existing practices are in legal compliance.
"Meeting these commitments will require intense work over the next six months," Facebook said in a statement published on its blog.
Facebook said some of the changes will be implemented worldwide, while others will only be visible to European users or to users in areas with local laws that the company is seeking to comply. Facebook Ireland operations have a contractual obligation only to users outside the US and Canada.
Last month, Facebook agreed to implement a comprehensive privacy program after the US Federal Trade Commission found it made deceptive claims over how it shared people's personal data.
The audit covered many of the issues raised in more than 180 complaints on data retention and disclosure filed with the DPC, although those complaints did not specifically trigger the audit. The results of the audit will be communicated to the complainants.
Twenty-two of those complaints were filed Europe v. Facebook, a group run by Max Schrems, a law student at the University of Vienna. The group contends that Facebook does not disclose all of the data it holds on users on request, which it and other data controllers are required to do under EU law.
In a press release, Europe v. Facebook wrote that Facebook's business model, which revolves around the heavy processing of personal data, could face limitations following the audit. The group was also leery of the close work between the DPC and Facebook.
"The report was written in cooperation with Facebook and can therefore not be seen as fully independent," Europe v. Facebook said. "Within the last days there were very extended negotiations between the DPC and Facebook to reach an agreement on the text."
As part of the audit, Facebook has agreed to add new user data to the download tool it provides to let users see the data it holds. The download tool, however, at present downloads information from a person's profile.
Facebook's new timeline feature combined with other data such as a user's activity log will "present a more comprehensive set of access controls" for users to see their data than other comparable services, said Richard Allan, Facebook's director of policy for Europe.
Facebook has also agreed to changes around the use of its 'Like' button, a widely used social plug-in used to share content from external websites on Facebook profiles.
he button collects IP addresses for users who are not even members of Facebook, reporting the key identifier back to the company. It will also do that for people who are Facebook members but are logged out of the service.
As a result of the audit, Facebook said it will now remove the last octet of an IP addresses it logs from a social plug-in within 10 days. For all users, whether logged in or logged out or not even a member, Facebook said it will delete its logs collected by a social plug-in after 90 days.
The DPC did rebuke Facebook over its facial recognition feature, which stores biometric information on users' faces in order to enable an automatic photo tagging feature.
The DPC said Facebook "should have handled the implementation of this feature in a more appropriate manner." Facebook has agreed to quickly change how it is presented by the end of the first week in January and will notify users a total of three times about the feature.
The DPC said it confirmed that if a person that does not want to use the feature - called 'tag suggestions' - their facial profile data will be deleted.
IDG News Service