Facebook has undertaken to make significant changes to its privacy policy as a result of a comprehensive audit undertaken by the Data Protection Commissioner of Ireland, potentially affecting 600 million users of the social networking giant.
The report recommended changes to policy in a number of areas including issues surrounding third party "apps", users' control over the tagging of photos and increased transparency and controls for the use of personal data for advertising purposes.
Although the commissioner found Facebook broadly met its responsibilities under Irish and European data protection law, it has told the social networking giant to make a number of "best practice" changes to its privacy policies.
The commissioner found that, in order to fully understand the use of their information, the user has to read Facebook's full privacy policy, statement of rights and responsibilities, advertising policy and information on the use of social plugins, among other information.
"It is clearly impractical to expect the average user, never mind a 13-year-old joining the site for the first time to digest and understand this information and make informed choices," the report said.
It recommended Facebook move towards simpler explanations of its privacy policies and easier accessibility and prominence of those policies. Facebook has agreed to implement changes to its privacy policy and has committed to give more prominence to such policies.
In relation to the targeted advertising of users, the commissioner said the "general conclusion was" that targeting advertisements based on interests disclosed by users in the profile information they provide on Facebook was legitimate.
However, it said this was "predicated on users being made fully aware, through transparent notices, that their personal data would be used in this manner to target advertisements to them".
It also found Facebook's policy to hold user ad click data indefinitely was "completely unacceptable" and recommended that Facebook draw up a retention policy as a matter of priority. Such data will now have to be deleted within two years.
On the issue of tagging, the data commissioner's report said "there does not appear to be a compelling case as to why a member cannot decide to prevent tagging of them once they fully understand the potential loss of control and prior notification that comes with it".
By the middle of next year, Facebook will have to have shown progress on giving users the ability to delete information such as friend requests, "pokes" and photo "tags" over which users currently have limited control.
The report, which was published this afternoon by the Office of the Data Protection Commissioner, said it "found a positive approach and commitment on the part of Facebook Ireland to respecting the privacy rights of its users" and that the company had agreed to a wide range of "best-practice" improvements to be made over the next six months.
Facebook said it would examine the implications of this recommendation and would engage further during a formal review of processes which will be carried out by the data commissioner's office next July.
A spokeswoman for Facebook said the report demonstrated the website adheres to European data protection principles and complies with Irish law.
As Facebook's European headquarters is in Dublin, the Irish data protection commissioner has jurisdiction over the social network's users outside the US and Canada, affecting 600 million users worldwide.
Watchdogs from several of the EU's 27 member states have said they will investigate possible privacy violations in a feature on Facebook that uses facial-recognition software to suggest people to tag in photos without their permission.
A German data protection agency said it may fine Facebook over facial recognition. Norway's privacy watchdog is also investigating.
The Irish audit was planned before the office received 22 complaints related to an Austrian law student's experience with how Facebook kept storing data users had removed from their pages.