Internet giant Facebook has vowed to comply with the orders of Irish regulators within four weeks to avoid enforcement action.
The social media site was warned last year by the office of the Irish Data Protection Commissioner (DPC) to make widespread changes, including tightening its privacy practices.
The DPC carried out an audit on Facebook Ireland (FB-I) because, as the international headquarters, it is responsible for millions of users outside the US and Canada.
A review found most issues had been addressed, but revealed some outstanding recommendations in relation to targeted advertising utilising sensitive data, the retention of data on inactive or deactivated accounts, and educating users about settings.
Commissioner Billy Hawkes confirmed that if enforcement action has to be taken, the maximum penalty is a 100,000 euro court fine.
But he stressed he was satisfied the internet giant had made clear and ongoing commitments to comply with its data protection responsibilities in line with Irish and EU laws.
“I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice,” he said.
The feature has already been turned off for new users in the EU, and templates for existing users will be deleted by October 15, but the feature will not be changed for users in the US and Canada.
Facebook – which went public on the stock market in May – said it is confident it can continue to resolve the outstanding issues given the progress it has made on other matters in recent months.
It also vowed to continue to work with the Irish regulator to ensure it remains compliant with European data protection laws as new products and features are created.
“As our regulator in Europe, the Irish Office of the Data Protection Commissioner is constantly working with us to ensure that we keep improving on the high standards of control that we have built into our existing tools,” said a spokesman.
“This audit is part of an ongoing process of oversight, and we are pleased that, as the Data Protection Commissioner said, the latest announcement is confirmation that we are not only compliant with European data protection law but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance.”
The DPC review found the majority of its recommendations were fully implemented, particularly in the areas of:
:: Better transparency for the user in how their data is handled;
:: Increased user control over settings;
:: The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items.
Deputy Commissioner Gary Davis, who led the initial audit and follow-up review, warned the office would use enforcement powers if needed.
“There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion,” he said.
“It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.”