Facebook made "unacceptable" changes to its privacy settings at the end of last year that are detrimental to users, a coalition of European data protection officials warned the social-networking sites on Wednesday.
The warning, contained in a letter to Facebook from the Article 29 Data Protection Working Party, could spell more difficulties for Facebook, which was hit with a complaint to U.S. regulators over similar concerns earlier this month.
The working party told Facebook of the need for default settings that would only allow access to profile information and friends to self-selected contacts, and that access by search engines should be the explicit choice of users.
Facebook has moved to make even more of its users' information publicly available. The defaults settings are typically the most permissive, and users must manually change to more restrictive settings.
Privacy groups have said the settings are confusing, frequently change and some users aren't aware of the options, putting their personal data at risk.
Facebook's default settings allow certain information in a person's profile to be indexed by search engines unless a user changes it, according to the social network's policy.
In recent months, Facebook has modified its site to automatically share profile information with partners such as Microsoft Docs.com, Pandora and Yelp. Users must opt out by unchecking a specific box within Facebook's settings.
Facebook also expanded the amount of information publicly shared, allowing other personal information and preferences to be exposed even if a user has limited it to their circle of friends.
The Article 29 working party also sent letters to 20 other social network operators but highlighted its criticism with Facebook in a press release published on Wednesday.
In response, Facebook said it agreed with some of the contents of the letter, a copy of which was not available. But Facebook said it disagreed with a suggestion that people be allowed to use pseudonyms.
Facebook's policy that people must use their real names is also part of the May 5 complaint before the U.S. Federal Trade Commission, filed by the Electronic Privacy Information Center and 14 other privacy and consumer protection groups.
On Thursday, the company defended its stance on privacy, citing new controls for excluding indexing profiles by search engines and greater control over how Facebook applications handle user data.
"We feel that Facebook has been in the forefront of all kinds of sites, not just social networking sites, in giving our users granular controls which enable each user to customize many individual settings in order to share, or protect, as much information as they feel comfortable with," the company said in an e-mail statement.
The Article 29 working party doesn't have enforcement power, said Struan Robertson, a technology lawyer with Pinsent Masons. But the group is composed of data protection officials throughout Europe who could decide to refer a case to prosecutors for violation of European data protection regulations, he said.
The working groups is saying "that Facebook has crossed a line" where it is no longer sufficient to just give notice of changes but actively obtain users' consent, Robertson said.
"I think Facebook is at serious risk of losing its users' trust," Robertson said. "That may be the biggest threat to Facebook than European regulators or European courts."