Facebook could be fined up to €100,000 (£80,000) if it does not comply with the orders of Irish regulators within four weeks.
The social media site was warned last year to make widespread changes by the office of the Irish data protection commissioner (DPC), which included tightening its privacy practices and deleting unneeded data sooner.
The DPC carried out an audit on Facebook Ireland (FB-I) as the international headquarters is responsible for millions of users outside the US and Canada.
The internet giant – which went public on the stock market in May – still has to comply with several recommendations in relation to targeted advertising utilising sensitive data, the retention of data on inactive or deactivated accounts, and educating users over settings.
Commissioner Billy Hawkes confirmed that the maximum penalty was a €100,000 court fine if enforcement action had to be taken.
But he stressed he was satisfied the internet giant had made clear commitments to comply with its data protection responsibilities in line with Irish and EU laws.
“I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice,” Hawkes said.
The feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, but will not be changed for users in the US and Canada.
The DPC review found the majority of its recommendations were fully implemented, particularly in the areas of:
• better transparency for the user in how their data is handled
• increased user control over settings
• the implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items.
Deputy Commissioner Gary Davis, who led the initial audit and follow-up review, warned the office would use enforcement powers if needed.
“There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion,” he said.
“It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.
“The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I.”
Facebook said it was confident it could continue to resolve the outstanding issues given the progress it has made on other matters in recent months.
It also vowed to continue to work with the Irish regulator to ensure it remains compliant with European data protection laws as new products and features are created.
“As our regulator in Europe, the Irish office of the data protection commissioner is constantly working with us to ensure that we keep improving on the high standards of control that we have built into our existing tools,” said a spokesman.
“This audit is part of an ongoing process of oversight, and we are pleased that, as the data protection commissioner said, the latest announcement is confirmation that we are not only compliant with European data protection law but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance.”