Ms Helen Dixon:

In answer to the Chairman's opening question about the harvesting of friends' data, which was restricted when Facebook implemented a platform upgrade in May 2014, and why there was a delay of 18 months between the recommendation and the platform upgrade, the recommendations in the DPC audit arose in the context of what was essentially the wholesale import into Europe of a US platform that operates on a global basis. The audits that were undertaken by the DPC in 2011 and the follow-up audit in 2012, which were published by Facebook, looked into a whole range of areas and sought to resolve a whole range of issues that were identified in respect of the compliance of this US platform with European data protection law.

Issues that were resolved more expeditiously included, for example, the application of facial recognition on the platform in Europe and, in fact, facial recognition has not up to this point run on the platform in Europe partly as a result of the work undertaken by the Data Protection Commissioner.

The issue of access to friends' data when app developers access data on the Facebook platform was the subject of a recommendation by the Data Protection Commissioner. It recommended it could not see a proportionate basis for access to friends' data when a user engaged with an app and it sought a resolution of the issue with Facebook. The correspondence that ensued between Facebook and the Data Protection Commissioner between the recommendation and the platform upgrade in May 2014 is really reflective of the fact the guiding principle in data protection law around this type of access is that processing must be fair and proportionate. The laws are high-level, technology-neutral and principles-based. An iterative process was engaged in, whereby Facebook asserted its legitimate interests to implement the feature in that way. It argued the in-app experience of users was greatly enhanced, that the very purpose of these apps was to enhance the experience of users who engaged, and that this experience was enhanced by the inclusion of users' friends when they engaged with an app.

An iterative process took place. Facebook did not agree with the recommendation. The Data Protection Commissioner persisted, as I have said, in the iterative process, resulting in the platform upgrade 18 months later. It is probably worth mentioning in the context of the response that there are obviously many ways to go about persuading a company to make a change to comply with data protection laws or to comply with our interpretation of data protection laws. One way is to go about a litigation route. We have taken that route with Facebook on the issue of transfers of data from the EU to the US. We made an application to the High Court in May 2016 seeking a reference to the European Court of Justice. The High Court ruled in October 2017 that it would make a reference and that reference is still pending. The life cycle of litigation is uncertain and very lengthy. In this regard, I might just mention an important piece of litigation that has been undertaken by the Belgian data protection commissioner, who is litigating against Facebook on social plug-ins. The litigation started in 2014 and it is not yet resolved four years later. The life cycle of taking a litigation enforcement route can be long.

With regard to Deputy Dooley's questions on whether the segments are published, and he spoke specifically about Facebook, in fact Facebook users can go in and look at what segments they have been placed into with regard to interest-based advertising. On every advertisement served on a user on Facebook one can look to see why it has been served. A user may well see it is because he is male and in a certain age category. There is a certain amount of information with regard to the segments, and users can opt out of receiving interest-based advertising based on their placement in any of those segments.

Under the GDPR there will be additional obligations on data controllers to publish more information on the fact of their profiling of individuals and how they profile individuals. They will also need to publish the basic logic of the algorithms they are supplying. We anticipate we will see from all of the platforms, including Facebook, significant improvements in transparency come 25 May 2018.

In relation to the tracking of Facebook users once they leave the Facebook environment, Facebook will, of course, confirm the position to the committee when it comes before it later, but it is the case that users are tracked once they leave the Facebook environment. There are means by which users can switch off the tracking, but the issues around all of the control settings that Ms Neary outlined earlier relate to how accessible they are and how transparent it is to the users in the first instance that the default is that they are being tracked.

All of these issues are under active examination by our office with Facebook.