Social networking giant Facebook has agreed to delete data collected from EU users for its facial-recognition feature by mid-October.
The company, which has its international headquarters in Dublin, could be fined up to €100,000 if it does not comply with the orders from the Data Protection Commissioner (DPC) within four weeks.
The social media site was last year warned to make widespread changes by the office of the commissioner, which included tightening its privacy practices and deleting unneeded data sooner.
The DPC carried out an audit on Facebook Ireland which is responsible for millions of users outside the US and Canada.
The DPC said the company still has several recommendations to comply with in relation to targeted advertising utilising sensitive data, the retention of data on inactive or deactivated accounts, and educating users over settings.
Commissioner Billy Hawkes confirmed if enforcement action had to be taken, the maximum penalty could be a €100,000 court fine.
He was satisfied, however, the company had made clear and ongoing commitments to comply with its data protection responsibilities in line with Irish and EU laws.
“I am particularly encouraged in relation to the approach it has decided to adopt on the facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice,” he said.
The feature has been turned off for new users in the EU and templates for existing users will be deleted by Oct 15, but will not be changed for users in the US and Canada.
The DPC review found that the majority of its recommendations were fully implemented, particularly in the areas of:
nBetter transparency for the user in how their data is handled;
nIncreased user control over settings;
nThe implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items.
Deputy Commissioner Gary Davis warned the office would use enforcement powers if needed.
“There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion,” he said.
Facebook said it was confident it could continue to resolve the outstanding issues given the progress it has made on other matters.
It also vowed to continue to work with the regulator to ensure it remains compliant with European data protection laws as new products and features are created.
However, lobby group Europe v Facebook, which initially brought the privacy complaints to the DPC, expressed concern Facebook has not fully implemented the recommendations