Facebook’s international headquarters, located in Dublin, Ireland, are currently being audited by the Irish Data Protection Commissioner’s office and could face a modest fine, following a lengthy list of complaints filed by an Austrian student over the fact that Facebook held onto his deleted wall posts, chat messages and other personal data.
Now, TPM has learned more about the DPC audit, including when it began, when it will be completed, and the fact that Facebook is doing what it takes to avoid being fined.
“Facebook is cooperating fully with the audit and we would anticipate that it will implement any necessary changes to comply with any requirements identified without the need for any use of powers by the Commissioner,” said Gary Davis, Ireland’s deputy commissioner of data protection, in an email to TPM. Davis declined to say specifically what changes Facebook would be implementing.
“We expect to complete and publish the results of the audit by year end,” Davis added.
Davis also told TPM that the office commenced the audit towards the end of October, shortly after the Guardian published a report on the fact that Facebook could face a fine of up to 100,000 Euros ($136,610 USD) if found to have violated the 1998 Data Protection Act, a U.K. law that states, “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Data controllers must therefore review the information they hold on a regular basis and delete any information no longer required.”
A Facebook spokesperson emailed TPM with the following statement in response to the Irish DPC audit: “Facebook is cooperating fully with the Office of the Data Protection Commissioner as part of its routine audit, which began this week. We believe that we are fully compliant with EU data protection laws and look forward to welcoming the DPA to our EU headquarters in Dublin to demonstrate this. The Irish DPA audits several companies each year and we expect the whole process to be complete by January 2012.”
Davis confirmed to TPM that “The Office conducts about 30 such audits each year.”
Austrian law student Max Schrems nearly singlehandedly catalyzed the Irish Facebook audit when he filed 22 complaints with the DPC in Fall 2011 after requesting all of his personal data from Facebook and receiving, via snail mail, a CD containing 1,200 printed pages worth of Schrems’ Facebook correspondence, including all of the correspondence he deleted on the website.
Schrems and several of his fellow Austrian law students and other friends have launched a grassroots organization, Europe v. Facebook, to coordinate complaints against Facebook in an effort to make the world’s social network more transparent and “opt-in” instead of “opt-out.”
“By now the audit should have come to an end,” read a message posted on the Europe v. Facebook website.
However, Davis and another DPC spokesman told TPM the audit remains in progress.
Further, the Irish DPC “does not have powers to directly levy fines against organizations which have been found to have breached the Data Protection Acts,” according to Davis, but rather, has powers to “to take summary proceedings,” in which a court may determine the fines.
However, Davis said he does not think it will come to this because Facebook is moving to comply with the Data Protection Act.
As Davis further explained: “Once this Office receives valid complaints it is obliged to investigate them. We do so in co-operation with the organisation against whom the complaint is submitted with a view to reaching an amicable resolution that is satisfactory to all parties.”
That’s likely to be music to Facebook founder Mark Zuckerberg’s ears, especially since Facebook is reportedly on the precipice of settling another government privacy investigation stateside, conducted by the Federal Trade Commission in response to the social network’s massive user privacy settings overhaul in 2009.
But no matter how the Irish DPC’s audit turns out, it is clear that Facebook is facing increased pressure from European regulators. The European Commissioner for Data Protection in Hamburg, Germany on Thursday said that it was preparing legal action against Facebook for the social network’s facial recognition photo tagging suggestions feature.
We’ve contacted the Hamburg DPC for more information on the German case and will update when we receive a response.
