Udoc in English
Udoc in Norwegian

Executive Summary
This is a report of an audit of Facebook-Ireland (FB-I) carried out by the Office of the Data Protection Commissioner of Ireland in the period October-December 2011. It builds on work carried out by other regulators, notably the Canadian Privacy Commissioner, the US Federal Trade Commission and the Nordic and German Data Protection Authorities. It includes consideration of a number of specific issues raised in complaints addressed to the Office by the “Europe-versus-Facebook” group, the Norwegian Consumer Council and by a number of individuals.
The audit was conducted with the full cooperation of FB–I. It found a positive approach and commitment on the part of FB-I to respecting the privacy rights of its users. Arising from the audit, FB-I has already committed to either implement, or to consider positively, further specific “best practice” improvements recommended by the audit team. A formal review of progress is planned in July 2012.
The audit was conducted by reference to the provisions of the Data Protection Acts, 1988 and 2003, which give effect to the European Union’s Data Protection Directive 95/46/EC. Account was taken of guidance issued by the EU’s Article 29 Working Party1. The audit team followed the standard audit methodology used by the Office2.
Facebook is a platform for users to engage in social interactions of various kinds – making comments (“posts”) on various issues, setting up groups, exchanging photographs and other personal material. It has some 800 million users, spread throughout the globe. FB-I is the entity with which users based outside the United States and Canada have a contractual relationship. FB-I is the “data controller” in respect of the personal data of these users.
As a “data controller”, FB-I has to comply with the obligations set out in the law. The report summarises the audit team’s conclusions on how FB-I gives effect to the basic principles of data protection law: that personal data should be collected “fairly”; that the individual should be given comprehensive information on how personal data will be used by FB-I; that the personal data processed by FB-I should not be excessive; that personal data should be held securely and deleted when no longer required for a legitimate purpose; and that each individual should have the right to access all personal data held by FB-I subject to limited exemptions.
In addition to examining FB-I’s practices under standard data protection headings, the team also examined in detail the data protection aspects of some specific aspects of FB-I’s operations, such as it’s use of facial recognition technology for the “tagging” of individuals, the use of social plug-ins (the FB ‘Like’ button), the “Friends Finder” feature and the 3rd Party Applications (‘Apps’) operating on the FB platform.
In examining FB-I’s practices and policies, it was necessary to examine its responsibilities in two distinct areas. The first is the extent to which it provides users with appropriate controls over the sharing of their information with other users and information on the use of such controls – including in relation to specific features such as “tagging”. This also includes the rights of non