I spent a number of hours last night reading and rereading the report from the Irish Data Protection Commissioner on their Audit and Investigation of Facebook. At over 200 pages it was not for the faint hearted but it did set out clearly the findings and the areas of gap and weakness which were identified, as well as a number of surprising twists where Facebook had, almost by accident, started to do things in a sensible manner respectful of privacy.
However, despite the statement from Facebook and the positive tone adopted by the Irish Data Protection Commissioner in media comment, this was not a clean bill of health for Facebook. This was a statement of gaps, with a clear message that the gaps need to be addressed rapidly in advance of a July 2012 rematch. Facebook may not have a bloodied lip from this encounter but the organisation has had (yet another) wake up call to the need to do Privacy better and to do it by design rather than happy accident.
Of course, the Data Protection Commissioner does not come off unscathed in this report either. On my reading of the report there were a number of instances where the operation of Facebook processes contravened either the Data Protection Acts or the ePrivacy regulations. Each of these instances represented a cluster of prosecutable events. But this opportunity seems to have been missed, or at best deferred until another day. As a Privacy professional I am somewhat disappointed by this apparent failure to push the agenda resulting in a somewhat limp, albeit broadly welcomed, outcome.
The key question is: what next?
Facebook has given undertakings to the DPC to have taken certain actions by January and to have completed or be demonstrably progressing other actions by July 2012. Will the DPC issue enforcement notices in 2012 if these undertakings have not been complied with?
Will we see the David of the Data Protection Commission (total staff of fewer than 20 and a total budget in 2009/2010 of less than €1.5 million to run a Data Protection Authority in a country that is host to some of the most complex data processing companies in the world and wants to entice more in) staring down the giant of Facebook armed only with the pebble of SI 336 of 2011 and the slingshot of the Data Protection Acts 1988 and 2003? Facebook's global turnover is estimated at being in the region of US$1.5 billion, and given that their recent settlement with the FTC requires them to keep their privacy nose clean, they would doubtless fight any prosecution to the fullest, as it affects their core business.
So, our under-resourced, under-funded, and increasingly overstretched Data Protection Commissioner seems to be wisely avoiding fights that it would find costly to win. But in this it is possible that they are playing for time.
While the national government here seems to have been happy to put Data Protection reforms on the long finger (to the point that we were 8 years late enacting the legislation to support Directive 95/46/EC), the noises from the European Commission are that the long-awaited revised Directive will actually arrive in January as a Regulation. This will change the nature of the DPC's role, as they will become in effect the local outpost of a larger, more standardised and federalised Data Protection regime.
This will result in larger penalties for breaches. It will also introduce increased requirements for transparency around data processing, including clearer obtaining of consent and clearer documentation of internal controls and processes.
All of which are elements of the findings in the Facebook Audit.
The next question is: what now?
The Data Protection Commissioner has stated that this report is the beginning of a longer term and long running series of engagements with Facebook. In other words, they will be working them over regularly to raise standards. With the Regulation expected to take until 2014 to come into full effect, this would give ample time to fix the problems that have been found thus far and any new balls of crazy that the Facebook cat would care to spit out on our collective shoes.
Of course, this would require the Government to step up to the plate, properly resource the DPC, and begin to promote Ireland as a good place to run compliant businesses. The era of light-touch/no-touch regulation of Data Protection needs to come to an end as we move into the era of Balanced Privacy.