Facebook's data retention practices are under investigation by Ireland's Data Protection Commissioner following a series of complaints filed by a European group critical of the social networking site.
A total of 22 complaints have been filed with the Data Protection Commissioner by Europe v. Facebook, a group that claims the company is at odds with European privacy laws governing how companies manage personal data.
Facebook has sought to deflect criticism over its data handling practices, maintaining that it complies with data protection laws around the world.
Many of the issues brought up by Europe v. Facebook came about after members of the group asked Facebook for personal data stored on them by the site. Facebook is required under European law to respond to such requests. The group published redacted data obtained by some of its supporters to show what kind of information Facebook stores. The group's website contains instructions for how people can request the data Facebook stores about them.
The Data Protection Commissioner's office was already planning to audit Facebook before the complaints were filed, but the process has now been accelerated, said Ciara O'Sullivan, spokeswoman for the office.
The Data Protection Commissioner will undertake an investigation of the complaints and also an audit of Facebook, which will involve visiting the company's facilities in Dublin and "looking more generally at how they process personal data," O'Sullivan said. The audit will begin next month.
The commissioner is not obligated to make the findings public, but due to the size of the investigation and scrutiny of Facebook, O'Sullivan said she expects some findings to be publicly released by the end of the year.
Facebook said in a statement on Friday that it has regular contact with the Data Protection Commissioner, and "we look forward to demonstrating our commitment to the appropriate handling of user data as part of this routine audit."
The company did briefly address in its statement some of the issues in the complaints. People who requested their Facebook data found that information they thought they had deleted was still present in the file.
Facebook said that "this is most likely due to the user removing a post from a specific place on Facebook rather than deleting it, or because we needed to retain information for a limited period for an investigation. We're continuing to work on ways to make this process as seamless as possible."
The company also addressed a claim that photo tags are applied without a person's consent. In August, Facebook changed the tagging feature so that people can choose to approve a tag before the photo shows up in their own profile. Users can also adjust their privacy settings to turn off "Tag Suggestions," a feature that uses facial recognition to help a user's Facebook friends to automatically identify and tag the user in their photos.
But data protection officials in Germany do not believe that feature complies with the law. Hamburg's Data Protection Agency (DPA) contends that Facebook should obtain users' consent before their biometric data, used to enable the tagging feature, is stored.
The DPA has been in regular contact with Facebook on the issue over the last couple of months, said Johannes Caspar, head of the agency, on Friday. Facebook is supposed to come back with a solution that is satisfactory for the DPA by Oct. 15, he said.
"There are a lot of detailed questions that are not solved at this point," Caspar said. "For me, it's disappointing to see how long we have to discuss these things."