2011 may be remembered as the year of the Big Privacy Audit, with the Federal Trade Commission using consent decree powers to commit both Facebook and Google to decades of regular third-party oversight and reporting on privacy. You may not have realized that a very important Facebook audit was already underway, initiated by the Irish Data Protection Commission. Now with the publication of specific requirements from this process (painstakingly cataloged at Techcrunch), we can start to see how privacy audits will work and what it means for users world-wide.
Of the 45 different changes required by the Irish DPC in the audit report, here are a few that I found most interesting:
Limit data collection from social plugins, restrict access to this data, and delete it on schedule, though social plugin data is not currently used in ad targeting – Immediately
Switch from retaining ad-click data indefinitely to a 2 year retention period – Review in July 2012
Anonymize data about a user’s searches on Facebook with 6 months
Anonymize all ad click data after 2 years
Roll out updated granular data permissions dialog box to all applications – End of February 2012, review in July 2012
Implement a tool that determines if links to app privacy policies are live. First, Facebook will asses the technical feasibility of such as tool – Review progress towards implementation in July 2012
Improve system for disclosing data to law enforcement by requiring validation from a senior officer and a full explanation for why the data is needed – Commence in January 2012, review in July 2012
Many of these requirements are more substantive than would be possible under the FTC’s consent decree with Facebook, which is limited (more or less) to ensuring that Facebook doesn’t change its policies in the future without appropriate notice and consent. While Irish authorities can’t bind Facebook to these changes world-wide, as a practical matter it’s hard to see Facebook maintaining significantly distinct versions of the service based on local privacy rules (except perhaps where highly valuable data would be lost). In this way, more stringent requirements from Europe may end up leading the way when it comes to defining best privacy practices and oversight.