Ireland's data protection commissioner has asked Facebook to improve its privacy practices and offer users more information about how the social network stores and shares their personal data.
The regulator performed a three-month audit of Facebook, described by the DPC as "the most comprehensive and detailed ever undertaken" by the office. The commissioner's report follows less than a month after the U.S. Federal Trade Commission settled charges that Facebook "deceived" consumers by changing its privacy policies.
Though the DPC's investigation did not conclude Facebook had violated local laws, certain practices by the social networking site concerned regulators, who have asked Facebook to simplify its privacy policies, reduce the time it stores certain data, allow users to delete information, and more clearly explain what personal details can be accessed by third parties, including apps and advertisers.
Facebook's policy of indefinitely storing ad-click data was deemed "unacceptable" by the DPC in its report. Facebook noted it would "immediately" revise its practices and store that data for a maximum of two years.
The commissioner faulted Facebook for its rollout of a facial recognition feature used to tag individuals in photos, noting that Facebook Ireland "should have handled the implementation of this feature in a more appropriate manner" and urging the site to ensure it properly obtained consent from its users.
The DPC also took issue with the manner in which Facebook monitors third-party app developers and their use of user data. The regulator urged Facebook to take additional preemptive measures, rather than spot-checking developers and trusting them to follow the site's rules.
"We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data," the DPC wrote in its report. "We expect FB-I [Facebook Ireland] to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission."
Facebook was further encouraged to boost internal security systems to prevent employees from inappropriately accessing user data.
On the whole, the DPC said it was satisfied with Facebook's policies.
The audit "found a positive approach and commitment on the part of FB-I to respecting the privacy rights of its users," wrote Gary Davis, deputy commissioner of the DPC. "Arising from the audit, FB-I has already committed to either implement, or to consider positively, further specific 'best practice' improvements recommended by the audit team."
The DPC will review Facebook's efforts to implement the recommendations in July 2012.
"We are pleased that following three months of rigorous examination, the DPC report demonstrates how Facebook adheres to European data protection principles and complies with Irish law," Facebook wrote. "The DPC recognized that Facebook’s success rests in part from our constant evolution and innovation. We appreciate that the DPC acknowledges that the pace at which we offer new products and features requires continual dialogue with regulators to ensure that adequate protections are in place."