Facebook plans to change how it retains data and revamp some privacy controls following the release Wednesday of a critical audit from Ireland's data protection authority.
Ireland's Data Protection Commissioner, Billy Hawkes, said if Facebook follows the recommendations, it is unlikely that the social-networking site would be found in violation of Irish data protection laws, which are based on European Union laws.
The agency had more than a dozen recommendations for how Facebook can improve privacy protections and data-handling practices.
Facebook has agreed to the recommendations, and a review on the company's progress is scheduled for next July. Facebook said it would make the changes even in instances where it believes existing practices are in legal compliance.
"Meeting these commitments will require intense work over the next six months," Facebook said in a statement published on its blog.
Facebook said some of the changes will be implemented worldwide, while others will only be visible to European users or to users in areas with local laws that the company is seeking to comply. Facebook Ireland operations have a contractual obligation only to users outside the U.S. and Canada.
Last month, Facebook agreed to implement a comprehensive privacy program after the U.S. Federal Trade Commission found it made deceptive claims over how it shared people's personal data.
Whether the extensive Irish audit forces Facebook to implement better privacy practices in the long term will depend on whether the company makes the changes in "spirit rather than just in the letter," said Kathryn Wynn, a data protection expert with the law firm Pinsent Masons.
"Regulators will find it difficult to keep up with the innovative nature of Facebook developments, so it is possible that Facebook could use technological workarounds in order to overcome changes the ODPC [Office of the Data Protection Commissioner] has called for," she said.
The Irish audit covers many of the issues raised in more than 180 complaints on data retention and disclosure filed with the DPC, although those complaints did not specifically trigger the audit. The results of the audit will be communicated to the complainants, Hawkes said.
Twenty-two of those complaints were filed Europe v. Facebook, a group run by Max Schrems, a law student at the University of Vienna. The group contends -- among many other complaints -- that Facebook does not disclose all of the data it holds on users on request, which it and other data controllers are required to do under E.U. law.
As part of the audit, Facebook has agreed to add new user data to the download tool it provides to let users see the data it holds. The download tool, however, at present downloads information from a person's profile.
Sign up for CIO Asia eNewsletters.