Facebook on government audit: “We could have been more transparent.”

After a thorough audit from the Irish government, Facebook has stepped forward with a statement on how it could have handled some privacy issues a little bit better.

While the company said the Office of the Irish Data Protection Commissioner (DPC) commended its security measures, its lack of user-tracking software and its real-names-only policy, the DPC also noted a few areas where improvement was needed — and Facebook agreed.

For facial recognition features in Tag Suggest, which surprised many users with its seeming knowledge of faces in photos of all kinds, Facebook said the feature “could have been done in a more transparent fashion.”

Overall, though, the DPC didn’t hand Facebook a wrist-slap of any kind, as the company and its business practices were found to be fully compliant with Irish law. (Facebook’s international headquarters is based in Ireland.)

However, the DPC did ask Facebook to make some improvements in the areas of advertising, third-party apps and the Friend Finder.

Facebook stated today that it would be working on those recommendations in a few explicit ways. First, the company said it would start offering additional notifications to European users to clarify the function of the Tag Suggest feature and decide whether or not to let their own images receive the Tag Suggest/facial recognition treatment.

Facebook will also be changing some of its data retention and deletion practices and will be collecting less information about people when they’re not logged in to Facebook. Finally, Facebook said it would be giving users more and better information about how to control their personal data on Facebook and in Facebook-linked apps.

“The DPC’s review of our existing operations highlighted several opportunities to strengthen our existing practices,” wrote Facebook director of public policy Richard Allan today on the company blog.

“Facebook has committed to either implement or to consider other best-practice improvements recommended by the DPC, even in situations where our practices already comply with legal requirements.”

Facebook will undergo a follow-up review with the DPC in six months.

“This audit was the most comprehensive and detailed ever undertaken by our office,” said commissioner Gary Davis to PCMag.

The DPC is asking Facebook to take the following steps or institute the following features or practices:

• A mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to third-party apps.
• A broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved.
• Transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site.
• The deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently.
• Increased transparency and controls for the use of personal data for advertising purposes.
• An additional form of notification for users in relation to facial recognition/”tag suggest” that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective.
• An enhanced ability for users to control tagging and posting on other user profiles.
• An enhanced ability for users to control whether their addition to Groups by friends.

Image courtesy of Jolie O’Dell.