Privacy group to appeal Ireland's Facebook audit

A data-privacy advocacy group known as Europe v. Facebook says it plans to take the Irish authorities to court to put teeth into data protection in Europe.

The privacy group, which is based in Austria, has been campaigning for more privacy and greater data protection for the 1-billion-plus members of the social network. It has thus far won some concessions, such as Facebook switching off its facial recognition feature for European users.

But the group says the concessions made by Facebook do not go far enough. To push for greater protections, it wants to take the Irish government to court over an audit of Facebook but needs through a crowdsourced platform to raise 100,000 to 300,000 euros ($130,000 to $392,000) to fund the effort. Facebook has its international offices in Ireland, which is why the group has been pursuing its claims there.

"We now hope for a soon settlement of our complaints. Simultaneously, we have to assume that the authority in many cases won't decide in the favor of users but in the favor of Facebook. Such a decision can be contested by us at court," the group said today in a statement.

The privacy group also aired its disappointment with a report about Facebook from Ireland's data protection authority. In response, the group published a counter-report in which it details its 22 complaints. The group also wants legally binding agreements between the Irish government and Facebook to resolve the group's concerns.

A Facebook spokesperson responded to the announcement with a defense of the Irish government's handling of complaints:

We are committed to providing a service that enables millions of European citizens to connect and share with their friends here and around the world. The way Facebook Ireland handles European personal data has been subject to thorough review by the Irish Data Protection Commissioner over the past year. The two detailed reports that the DPC has produced by the DPC demonstrate that Facebook Ireland complies with European data protection principles and Irish law. Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes.

Speaking to Reuters, Ireland's deputy data protection commissioner, Gary Davies, denied an accusation that Facebook's investment in the country swayed or influenced the regulation of the company.

"We have handled this in a highly professional and focused way and we have brought about huge changes in the way Facebook handles personal data," Davies said.

But the Europe v. Facebook group takes issue with his view. "After a detailed analysis of the 'audit' documents it became clear that the authority has taken very important first steps, but that it has not always delivered accurate and correct results," the group said. "The Irish authority has taken many important steps which moved privacy on Facebook forward, but when looked at it in more detail, has not always delivered solid and fact based results. Facebook's statements were simply adopted, even though many of them can be disproven with a few screenshots."

Europe v. Facebook is also critical of the social network for allegedly reaching only "half the way to compliance" with the law. It notes that more than 40,000 Facebook users have requested a copy of all their data from the social network, but many have yet to receive it. The legal deadline of 40 days to deliver the data to users "has passed 13 times," the statement noted.

"In our test the tools which allow to access all data have often times just produced white pages." (The counter-report notes a screenshot detailing this, which can be found here.)

"It seems like Facebook has also fooled the authority in some cases or did at least not stick to their promises. None of our complaints are currently resolved, since many were just worked on superficially," the group said. "The non-binding audit [by Irish data protection regulators] has led to improvements, but many are just going half the way to compliance with the law."

Correction at 8:00 a.m. PT: The story incorrectly stated who the privacy group is planning to sue. The group is planning to take the Irish government to court.