Facebook Ireland Ltd
 
Report of Audit
21 December 2011
 
Table of Contents
 
Chapter 1 Introduction
Chapter 2 Audit
Chapter 3 Subject Matter Areas examined during the audit
3.1 Privacy Policy
3.2 Advertising
3.3 Access Requests
3.4 Retention
3.5 Cookies/Social Plug-ins
3.6 Third-Party Apps
3.7 Disclosures to Third Parties
3.8 Facial Recognition/Tag Suggest
3.9 Data Security
3.10 Deletion of Accounts
3.11 Friend Finder
3.12 Tagging
3.13 Posting on Other Profiles
3.14 Facebook Credits
3.15 Pseudonymous Profiles
3.16 Abuse Reporting
3.17 Compliance Management/Governance
 
APPENDICES
 
Appendix 1 Technical Report and Analysis
Appendix 2 Summary of Complaints
Appendix 3 Overview of Team Functions (Provided by Facebook Ireland)
Appendix 4 Structure of European Offices (Provided by Facebook Ireland)
Appendix 5 Law Enforcement Requests (Provided by Facebook Ireland)
Appendix 6 Minors
 
Executive Summary
 
This is a report of an audit of Facebook-Ireland (FB-I) carried out by the Office of the Data Protection Commissioner of Ireland in the period October-December 2011. It builds on work carried out by other regulators, notably the Canadian Privacy Commissioner, the US Federal Trade Commission and the Nordic and German Data Protection Authorities. It includes consideration of a number of specific issues raised in complaints addressed to the Office by the “Europe-versus-Facebook” group, the Norwegian Consumer Council and by a number of individuals.

The audit was conducted with the full cooperation of FB-I. It found a positive approach and commitment on the part of FB-I to respecting the privacy rights of its users. Arising from the audit, FB-I has already committed to either implement, or to consider positively, further specific “best practice” improvements recommended by the audit team. A formal review of progress is planned in July 2012.

The audit was conducted by reference to the provisions of the Data Protection Acts, 1988 and 2003, which give effect to the European Union’s Data Protection Directive 95/46/EC. Account was taken of guidance issued by the EU’s Article 29 Working Party[1]. The audit team followed the standard audit methodology used by the Office[2].

Facebook is a platform for users to engage in social interactions of various kinds – making comments (“posts”) on various issues, setting up groups, exchanging photographs and other personal material. It has some 800 million users, spread throughout the globe. FB-I is the entity with which users based outside the United States and Canada have a contractual relationship. FB-I is the “data controller” in respect of the personal data of these users.

As a “data controller”, FB-I has to comply with the obligations set out in the law. The report summarises the audit team’s conclusions on how FB-I gives effect to the basic principles of data protection law: that personal data should be collected “fairly”; that the individual should be given comprehensive information on how personal data will be used by FB-I; that the personal data processed by FB-I should not be excessive; that personal data should be held securely and deleted when no longer required for a legitimate purpose; and that each individual should have the right to access all personal data held by FB-I subject to limited exemptions.

In addition to examining FB-I’s practices under standard data protection headings, the team also examined in detail the data protection aspects of some specific aspects of FB-I’s operations, such as its use of facial recognition technology for the “tagging” of individuals, the use of social plug-ins (the FB ‘Like’ button), the “Friends Finder” feature and the 3rd Party Applications (‘Apps’) operating on the FB platform.

In examining FB-I’s practices and policies, it was necessary to examine its responsibilities in two distinct areas. The first is the extent to which it provides users with appropriate controls over the sharing of their information with other users and information on the use of such controls – including in relation to specific features such as “tagging”. This also includes the rights of non-