The social network was ordered to make widespread changes by the office of the Irish data protection commissioner (DPC) last year, and is still to comply with several of the requested measures.
The DPC recommended that the internet giant tighten its privacy practices and delete unneeded data faster when it carried out an audit of its Irish base (FB-I).
Commissioner Billy Hawkes has now said that Facebook could still incur the maximum fine of €100,000, but admitted that the watchdog is satisfied with the firm’s commitment to implementing the changes.
“I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice,” Hawkes said.
A follow-up review by the DPC has found that Facebook has fully implemented a number of its recommendations, such as increasing user control over settings, and setting clear detention periods for when personal data is deleted.
However, Deputy Commissioner Gary Davis noted that the company is lagging behind in other areas, placing it under mounting pressure to meet the deadline.
“There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion,” he said.
“It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.
“The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I.”
Facebook pledged to work with the DPC to implement the remaining recommendations, insisting that it is “fully committed” to meeting the standards set by the watchdog.