Irlande: nouvel audit sur Facebook (et reconnaissance faciale)

En décembre 2011, le Data Protection Commissioner d'Irlande a indiqué dans son rapport d'enquête sur les pratiques de Facebook en matière de protection des renseignements personnels qu'un nouvel audit serait publié courant 2012 (billet).

Le 21 septembre 2012, l'autorité irlandaise a rendu public les conclusions de ce nouvel audit portant sur la mise en oeuvre des points suivants: 1) Privacy and data use policy; 2) Advertising; 3) Access requests; 4) Retention of data; 5) Cookies / Social plugs-ins; 6) Third party apps; 7) Disclossures to third parties; 8) Facial recognition / Tag suggest; 9) Data security; 10) Detention of accounts; 11) Friend finder; 12) Tagging; 13) Posting on other profiles; 14) Facebook credits; 15) Pseudonymous profiles; 16) Abuse reporting; et 17) Compliance management / Governance

On peut lire dans le communiqué que:  

"[...] The Review finds that the great majority of the recommendations have been fully implemented to the satisfaction of this Office, particularly in the following areas:  

- The provision of better transparency for the user in how their data is handled, 

- The provision of increased user control over settings.

- The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items, 

- The enhancement of the user’s right to have ready access to their personal data and the capacity of FB-I to ensure rigorous assessment of compliance with Irish and EU data protection requirements.

Those recommendations which are not implemented by FB-I as of yet are highlighted with a clear timescale for implementation listed.

The Irish Data Protection Commissioner, Billy Hawkes said, “I am satisfied that the Review has demonstrated a clear and ongoing commitment on the part of FB-I to comply with its data protection responsibilities by way of implementation or progress towards implementation of the recommendations in the Audit Report.  I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice.  This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent.  By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance.”

Deputy Commissioner, Gary Davis who led the both the Audit and the Review stated that “the outcome reflects months of detailed engagement between Facebook Ireland and this Office.  The discussions and negotiations that have taken place, while often robust on both sides, were at all times constructive with a collective goal of compliance with data protection requirements.  There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of 4 weeks for these matters to be brought to a satisfactory conclusion.   

It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.  The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I.”"  

(Source: Data Protection Commissioner, Press Release, September 21, 2012)

Il est à noter que depuis la publication de cet audit, plusieurs commentateurs, comme l'Electronic Privacy Information Center (EPIC), soulignent le fait que 

"Facebook has agreed to give users the choice over the use of facial recognition, to grant users access to their facial recognition template, and to delete the facial recognition data of EU citizens by October 15"

(Source: EPIC, Press Release, September 21, 2012) 

Rappelons que le recours à la reconnaissance faciale est dans la mire de plusieurs autorités: Allemagne, Norvège, Luxembourg, Groupe de l'article 29, Federal Trade Commission, par exemple (billet)


Pour plus de détails: 

• IRISH DATA PROTECTION COMMISSIONER, Facebook Ireland Ltd - Report of Re-Audit, 21 September 2012
• IRISH DATA PROTECTION COMMISSIONER, "Report of Review of Facebook Ireland’s Implementation of Audit Recommendations Published – Facebook turns off Tag Suggest in the EU", Press Release, September 21, 2012. 

• ELECTRONIC PRIVACY INFORMATION CENTER, "Facebook Ceases Facial Recognition in European Union", Press Release, September 21, 2012.

•  Somini SENGUPTA and Kevin J. O'BRIEN, "Facebook Can ID Faces, but Using Them Grows Tricky", New York Times, September 21, 2012. 
• "En Europe, Facebook ne reconnaît plus ses utilisateurs", Libération, 21 septembre 2012. 
• "Facebook suspend sa reconnaissance faciale en Europe", Le Monde, 22 septembre 2012.
• Julien L., "Facebook interrompt la reconnaissance faciale en Europe", Numerama, 22 septembre 2012.