My personal thoughts on the Facebook Audit

This post was originally published on the Irish Computer Society Data Protection blog. I am republishing it here as it is my original work and I am moving my Data Protection musings into one place.

Over on my personal blog [this one] I’ve written a short piece about my thoughts re: the Facebook Audit by the DPC.

All in all I welcome the findings (and at 40 or so discrete findings it is not a clean bill of health by any stretch of the imagination regardless of spin and positioning) but feel that, given the breadth of potential scope for any audit and the limited resources and time available to the DPC’s office, it was inevitable that some issues could be missed.

I am personally dismayed that the DPC did not prosecute some or all of the offences that they identified, particularly those in relation to breaches of the ePrivacy directives (where clear penalties and court precedents exist). A high profile prosecution would have made it a lot easier dealing with clients and prospective clients as it would have focussed the attention on issues.

Also, a number of unasked questions remain unanswered. For example, what is the position of apps which process data outside the EEA? Does Facebook as a Data Controller not need to ensure that these apps (processors) are undertaking their activities in “safe countries” or under terms consistent with the Model Contracts approved by the European Commission?

I’d like to think that this is part of a long term strategy by the DPC to develop a “poster child” for compliance (“hey, look… if Facebook can do it so can you”), whittling down issues and changing the Facebook mindset over time.

But I am fearful that proper regulation and enforcement of Data Protection rules may be seen by the Irish Government as a barrier to enticing foreign investment in the data storage and services sectors and as such the independence of the DPC’s office may be threatened and its ability to effectively carry out its duties may be weakened.

The Office of the Data Protection Commissioner does a sterling job with a small cohort of staff, a massive remit and scope of responsibility, and a budget that, in their 2010 Annual Report, was less than €1.5 million. My instinct is that they opted not to blow that budget on prosecutions and instead elected to work the network of international authorities (Canada’s OPC, various German authorities, the FTC) to keep the pressure on to drive change rather than levy penalties.

After all, any visit to Courts with a prosecution is a roll of the dice as to whether the judge accepts the full weight of the offences and agrees the penalties requested. The DPC could have spent quite a lot to achieve, in effect, the same result.

However, I await with interest the findings of the rematch in July 2012. Will Facebook win gold for privacy then? Or will we see the true stamina of the Data Protection Commissioner in a legal tussle? All we can hope for is either an Olympic performance from the “New Facebook” or a Herculean stand by the DPC in defence of individual privacy.