In response to an audit by Irish data protection officials, Facebook has agreed to be more transparent about its facial-recognition feature and how its European users' data is used, the social network announced today.

In response to an audit by Irish data protection officials, Facebook has agreed to be more transparent about its facial-recognition feature and how its European users' data is used, the social network announced today.

"There should be room for improvement in how Facebook Ireland handles the personal information of users," deputy Irish data commissioner Gary Davis said in a statement

In particular, European Facebook users will receive more alerts about how the face-based, photo-tagging feature works so they can decide whether or not to use the program.

Facebook said it will also change "a number of policies" regarding data retention, like how data is logged when people access Web sites with Facebook plug-ins "to minimize the amount of information collected about people who are not logged in to Facebook."

Finally, Facebook will also work with Irish officials to "improve the information that people using Facebook are given about how to control their information both on Facebook and when using applications," Facebook said.

The Office of the Irish Data Protection Commissioner (DPC) will follow up with Facebook in July 2012 to make sure these changes have been put in place.

"This audit was the most comprehensive and detailed ever undertaken by our office," Davis said.

Reports of this nature are often not released, Facebook and the DPC said, but they "felt it was important that the outcome be published and opened to public comment and scrutiny," Davis said.

The DPC has been in talks with Facebook for several months on privacy-related issues, stemming from a over its facial-recognition technology. The feature is intended to allow for quick photo tagging; if you upload 200 photos from one party, for example, Facebook can detect certain faces and offer up suggestions ("Is this Chloe?") to speed up the tagging process. The social network rolled out the option without much warning, however, prompting security concerns.

Facebook has apologized for the rollout snafu, and said the DPC found that the tag suggest feature "could have been done in a more transparent fashion."

"Despite these concerns, the DPC did not find that the launch of Tag Suggest breached Irish data protection law, and confirmed that the function used to delete the user's facial profile is invoked when the user disables 'tag suggestions,'" Facebook said. "The DPC recommended we take a 'best practice' approach in this area and display additional notifications to users in Europe, to help them learn more about the feature. Both the Irish DPC and Facebook agree that this approach will increase transparency to people using the product while enabling Facebook to continue to meet their obligations under relevant data protection law."

The DPC examined Facebook privacy across the board, though, including the security of third-party apps, whether or not users are tracked when they leave Facebook, and how data is stored.

According to Facebook, the DPC found that serving up targeted ads based on a users' designated interests "is legitimate." The DPC also "verified that it was not possible for an application to access personal data over and above that to which an individual gives their consent or enabled by the relevant settings," Facebook said.

Facebook security in Europe made headlines back in October after a 24-year-old Austrian law student, Max Schrems, asked Facebook to turn over the data it had stored about his Facebook activity and was shocked to find just how much information that included. Since issues concerning Facebook users outside of the U.S. and Canada are handled by Facebook's Dublin office, Schrems filed 22 separate complaints with the DPC, asking them to investigate.

Among those complaints was one accusing Facebook of creating "shadow profiles" with the data imported from various outside services, like mobile phones, email contact lists, instant messaging services, invites to friends not on Facebook, and more.

Facebook said today that the DPC investigation concluded that Facebook is not building these shadow profiles.

"While certain data which could be used to build what we have seen termed as a 'shadow profile' of a non-user was received by Facebook, no actual use of this nature was made of such data [and] neither is there any profile formed of non-users which could be attributed to a person on becoming a user," according to the DPC report.

Facebook has agreed to delete "information held on users and non-users via what are known as social plugins," the DPC said.

U.S. officials recently reached some harsher conclusions about Facebook. The Federal Trade Commission last month that requires the social network to be more transparent about its privacy policies. According to the FTC, Facebook "deceived customers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."

A mechanism for users to convey an informed choice for how their information is used and shared on the site including in relation to third-party apps.

A broad update to the Data Use Policy/Privacy Policy to take account of recommendations as to where the information provided to users could be further improved.

Transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site.

The deletion of information held on users and non-users via what are known as social plugins and more generally the deletion of data held from user interactions with the site much sooner than presently.

Increased transparency and controls for the use of personal data for advertising purposes.

An additional form of notification for users in relation to facial recognition/"tag suggest" that is considered will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective.

An enhanced ability for users to control tagging and posting on other user profiles.

An enhanced ability for users to control whether their addition to Groups by friends.

The Compliance management/Governance function in Dublin will be further improved and enhanced to ensure that the introduction of new products or new uses of user data take full account of Irish data protection law.

A full list of the DPC requirements for Facebook is listed below. Facebook is required to come up with: