Out-Law / Your Daily Need-To-Know

Selling user data to advertisers is legitimate, watchdog says in Facebook audit report

Out-Law News | 21 Dec 2011 | 4:52 pm | 6 min. read

It is "legitimate" for Facebook Ireland to use information users provide about themselves on the social networking site to enable advertisers to serve targeted ads, the Office of the Irish Data Protection Commissioner (ODPC) has said.

The finding was one of a number detailed by the ODPC in a report into its recent audit of Facebook Ireland's privacy policies and practices. Facebook Ireland has responsibility for all Facebook users outside of the USA and Canada.

"Facebook Ireland provides a service that is free to the user. Its business model is based on charging advertisers to deliver advertisements which are targeted on the specific interests disclosed by users. This basic 'deal' is acknowledged by the user when s/he signs up to [the site] and agrees to the statement of rights and responsibilities and the related data use policy," Gary Davis, deputy Irish Data Protection Comissioner, said in the audit report (149-page / 3.42MB PDF).

"A key focus of the audit was the extent to which the 'deal' could reasonably be described as meeting the requirements of fair collection and processing under the Data Protection Acts," said Davis, who led the audit. "While acknowledging that this is a matter of judgment – ultimately by Irish and European Courts – the general conclusion was that targeting advertisements based on interests disclosed by user’s [sic] in the ‘profile’ information they provide on FB was legitimate."

"We also concluded that, by extension, information positively provided by users through ‘Like’ buttons etc could legitimately be used as part of the basic 'deal' entered into between the user and Facebook Ireland," he said. "The legitimacy of such use is, in all cases, predicated on users being made fully aware, through transparent notices, that their personal data would be used in this manner to target advertisements to them. And any further use of personal data should only be possible on the basis of clear user consent. Various recommendations have also been made for general 'best practice' improvements in this area."

Under the EU's Data Protection Directive personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Extra emphasis is placed on the protection of rights around sensitive personal data. The law also provides that, generally, personal data may only be processed if a person has given their unambiguous consent and that the consent is explicitly given.

Following recommendations from the ODPC, Facebook Ireland has committed to improving a number of its policies and practices in order to achieve "best practice" in privacy. Facebook must be transparent about the way advertisers target users, the ODPC said. Facebook has agreed to clarify its data use policy before the end of March, it said.

Facebook Ireland will work with the ODPC to better explain to users how their personal data is used, give users "a basis to exercise meaningful choice" over that use, including by Third Party Apps. It will also make its data use and privacy policies more accessible and prominent during and subsequent to user registration with the site, the audit report said.

Facebook Ireland said it will only retain identifying 'ad-click' data for two years after the ODPC said the current unlimited retention of the information was "unacceptable". After this period the information will be anonymised, it said

The ODPC has also ordered Facebook Ireland to provide users with all the personal data it stores about them within 40 days upon a 'subject access' request. Under EU data protection laws individuals are entitled to ask for and receive details of the personal data organisations hold about them. Facebook Irealnd will also introduce controls that will enable users to delete friend requests, pokes, tags, posts and messages, the ODPC's report said.

Facebook Ireland said it will also take steps to delete data it no longer needs, particularly in relation to logged-out or non-users of the site, it said.

"For people who are not Facebook users or who are Facebook users in a logged out state, Facebook Ireland will take two steps with respect to the data that it receives and records through social plugins within 10 days after such a person visits a website that contains a social plugin," the ODPC report said. "First, Facebook Ireland will remove from social plugin impression logs the last octet of the IP address when this information is logged. Second, Facebook Ireland will delete from social plugin impression logs the browser cookie set when a person visits Facebook.com."

"For all people regardless of browser state (logged in, logged out, or non-Facebook users), Facebook Ireland will delete the information it receives and records through social plugin impressions within 90 days after a person visits a website that includes a social plugin," the report said.

Further plans to anonymise data available through Facebook's search within six months have also been committed to by the social network site, whilst it will also agree a period for which it can retain log-in information with the ODPC.

The ODPC determined that Facebook does not use cookies provided by individuals' interaction with social plugins to build profiles of users or non-users. Facebook said it would anonymise the social plugin data it does collect from logged-out and non-users within 10 days and delete it after 90 days. Logged-in users will have data from their social plugin interactions "aggregated and/or anonymised within 90 days".

Further plans to make it easier for Facebook users to control what information third party apps can see will be implemented, while the company said it is implementing ODPC recommendations that would force details of third party requests for Facebook user data to be logged.

The ODPC said Facebook's decision to introduce facial recognition technology on an 'opt-out' basis should have been handled "in a more appropriate manner". Facebook Ireland said it would notify users up to three times in order to give users more information on adjusting their settings for the feature. Facebook uses facial recognition technology automatically to suggest the names of people featured in photos uploaded by users.

The ODPC also said that Facebook should be able to delete information contained on user accounts within 40 days of receiving a request to do so. Facebook Ireland said it was working towards achieving the ODPC's requirement.

The ODPC said it wants Facebook Ireland to implement any new developments to the site in line with Irish and EU data protection laws and give users more control over information they post on friends' profiles.

A further audit of Facebook in Ireland will be conducted in July next year to assess its efforts in meeting ODPC's recommendations, the regulator said.

In a statement reacting to the audit report Facebook said the audit proved the social network is compliant with EU data protection laws.

"We are pleased that the report demonstrates how Facebook adheres to European data protection principles and complies with Irish law. Of course, the report highlights some areas where we can improve and reach best practice - but these recommendations are built on a foundation of data protection and legal compliance," Facebook said.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that users' appetite to control their settings will be central to whether the audit materially alters Facebook privacy.

"The success of the audit in forcing Facebook to subscribe to better privacy practices in the long-term will depend on whether Facebook implements the recommendations the ODPC has made in their spirit rather than just in the letter. Regulators will find it difficult to keep up with the innovative nature of Facebook developments so it is possible that Facebook could use technological workarounds in order to overcome changes the ODPC has called for," Wynn said.

"A main focus of the audit places extra emphasis on Facebook improving the transparency of information it provides users about is data use and privacy practices and also giving users more control over how their data is used and shared," she said. "However, whether user interaction with Facebook changes much with the introduction of improved transparency and controls will largely depend on users’ appetite for reading the information and actively using the controls."

"Users that share large volumes of information about themselves on Facebook already may remain more willing to continue that behaviour in spite of changes to Facebook’s privacy policies and controls, whereas existing cautious users are perhaps more likely to manage their information,” Wynn said. “Therefore, perhaps Facebook’s positive response to the ODPC’s recommendations is, in part, due an underlying confidence that, in practice, this will have little impact on Facebook’s business."

The ODPC had considered complaints about Facebook's privacy practices made by campaign group Europe v Facebook. The group has claimed that Facebook's processing and storage of personal data violates EU data protection laws. The group raised 22 complaints with the ODPC about the alleged practices of the social networking company in handling personal data.