Facebook to delete all European facial recognition data
Facebook complied with most recommendations set by the Irish data protection authority
IDG News Service - Facebook will delete all facial recognition data it stores about its European users, going beyond recommendations of the Irish data protection authority, the agency said on Friday.
Facebook has complied with most, but not all, of the recommendations that the agency made last year, the Irish Data Protection Commissioner (DPC) said in a new audit report detailing its review of Facebook's policy changes since the first audit in December 2011.
With regard to a feature that uses facial recognition to suggest people to tag in users' photographs, Facebook has gone beyond the initial recommendations at the request of the Irish data authority to accommodate views of other data protection authorities in Europe, said deputy commissioner Gary Davis.
This feature has already been turned off for new users in the E.U. and templates for existing users will be deleted by Oct. 15, the DPC said. "This resets the clock for facial recognition in Europe," said Davis during a conference call discussing the findings. Facebook needed "a bit of convincing" to agree to delete the template, he said. "But in the end Facebook saw the benefit on moving on the issue," he said.
The news upended a decision announced Friday by the Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar. While earlier in the day he said that he would start proceedings against Facebook over the storage of facial recognition data, he subsequently said there was no longer an issue if Facebook deletes the data. "We are happy that the Irish Data Protection Commissioner could achieve this," Caspar said, adding that this is more than what he asked for.
A new audit showed that "most of the recommendations have been fully implemented to our full satisfaction," wrote Davis in the report.
There is better transparency for the user, better control over user settings and an enhanced ability for users to delete data and clear retention periods for deleted personal data, according to Davis. There are also improvements to users' rights to have ready access to their personal data and the capacity of Facebook to ensure rigorous assessment of compliance with Irish and E.U. data protection requirements, he said.
In some areas, however, full compliance has not yet been achieved but is planned by a deadline four weeks out, he wrote. Action is needed on user education, the deletion of data shared with third-party sites and fully verified account deletion, Davis added. Facebook still needs to be monitored going forward, especially since the social network is constantly adding features to its service, he said.
If Facebook does not comply with the demands within four weeks, the social network could face a fine of up to €100,000 (US$130,000), said Davis. But he did not expect that regulatory proceedings were necessary since Facebook has been cooperative. "We are confident Facebook will comply," he said.
Facebook will not be monitored as intensely as it has been in the last couple of months, he said. The monitoring will "depend on the pace Facebook sets" with adding new features, he said.
The Irish data protection authority released a critical privacy audit of Facebook in December 2011 and the agency had more than a dozen recommendations for how Facebook could change its policies and improve its privacy protections. If Facebook complied with the recommendations, chances were small that the social network would be found to infringe on Irish privacy laws, the data protection commissioner said at the time.
Shortly after the audit, Facebook said it planned to change the way it retained data and revamp privacy controls to comply with the Irish recommendations. Last April Facebook added to its data download tool log-in and log out information, unconfirmed friendship requests and information about pokes, among other categories requested by the authority.
Facebook is required under European law to provide users, on request, with the personal data it holds about them. A recent check of the data stored by the social network revealed that Facebook does not disclose everything it stores upon a user's request and gave insight into the way it targets its users with advertising.
The Irish DPC said on Friday that as with the earlier audit report, the re-audit "does not involve formal decisions by the Office on the complaints it had received" about Facebook. But it could be expected that some issues have been dealt with and the DPC will address outstanding complaints separately.
"This audit is part of an ongoing process of oversight, and we are pleased that, as the Data Protection Commissioner said, the latest announcement is confirmation that we are not only compliant with European data protection law but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance," Facebook said in an emailed statement.