The Irish data protection commissioner has recommended widespread changes to improve privacy on Facebook.
They include making its terms and conditions clearer and offering users greater control over how their data is used on the site.
The findings are particularly significant because Facebook Ireland was given responsibility for all data from outside the US and Canada in September 2010.
Facebook has six months to implement the changes.
Commissioner Billy Hawkes will conduct a formal review of its progress in July.
Commenting on the report, he said: "This was a challenging engagement both for my office and for Facebook Ireland. The audit has found a positive approach and commitment on the part of FB-I [Facebook Ireland] to respecting the privacy rights of its users."
The review was conducted partly in response to complaints about Facebook's data and partly as a routine assessment of the firm conducted by the commission.
Facebook welcomed the review, saying: "We are pleased that the report demonstrates how Facebook adheres to European data protection principles and complies with Irish law.
"Of course, the report highlights some areas where we can improve and reach best practice."
The report suggested widespread changes, including:
- a mechanism for users to make informed choices about how their information is used and shared on the site, including in relation to third party apps
- increased transparency and controls over how personal data is used for advertising purposes
- transparency and control for users via the provision of all personal data held to them on request and as part of their everyday interaction with the site
One of the first changes users will notice in the new year will be prominent notices informing them about the facial recognition tag which suggests names for labelling photos. Users will be offered the chance to disable it.
The report recognised that Facebook was entitled to use customer data for advertising purposes, but requested that the control allowing people to decide whether advertising was linked to profile information be made more prominent.
One of the main complaints against Facebook came from a group of Austrian students. They launched the lobby group Europe v Facebook following requests to see all the data Facebook had stored on them. After receiving CDs full of personal information, they claimed Facebook created "shadow profiles" on users. The audit found no evidence of this.
"People have put two and two together and made 12. They think that we have all this data so therefore we must be creating profiles out of it. The audit found we were not doing that kind of shadow profiling," said Richard Allan, director of public policy for Facebook in Europe.
Mr Allan denied that the recommendations represented a victory for the Europe v Facebook group.
"This is business as usual for us. Individuals raise concerns and take them to the regulatory authorities and we have a conversation with them. It is right that individuals raise concerns and that we respond to them," he said.
Facebook is changing the way that people can see the data it has stored on them, following 40,000 such requests in recent months. Instead of sending people a CD with all the details on it, users can now download an information tool or look at an activity log.
"These kind of arrangements are more secure, more readily available and can be delivered at no cost," said Mr Allan, who said that it would still allow users to access all the information stored on them.
Deputy Irish data commissioner Gary Davis, who conducted the audit, said that the "Darwinian nature" of Facebook, where new features are constantly being introduced, meant it needed "robust mechanisms" to ensure privacy kept pace with new tools.
The review is the latest in a series of privacy investigations into the social networking giant. Last month, the US Federal Trade Commission said the company had engaged in "unfair and deceptive" practices over changes made to its privacy settings in 2009.
In a blog post at the time, Facebook founder Mark Zuckerberg said the company had made a "bunch of mistakes".
But he added that this had often overshadowed the good work that the social networking site, which has more than 800 million users, had done.
Other changes demanded by Ireland's data protection commissioner include:
- the deletion of information held on users and non-users via what are known as social plug-ins, and more generally the deletion of data held from user interactions with the site much sooner than at present
- an additional form of notification for users in relation to facial recognition/"tag suggest" that, it is considered, will ensure Facebook Ireland is meeting best practice in this area from an Irish law perspective
- an enhanced ability for users to control tagging and posting on other user profiles
- an enhanced ability for users to control their addition to groups by friends