Facebook users outside of the U.S., you can breathe a little easier: The social media giant has been told that it can no longer indefinitely keep data about which ads you’ve been clicking on, and it’ll have to think twice about its data collection security in general, following an official review of its international operations.
The 143-page review, carried out by the Irish Data Protection Commissioner–Facebook’s headquarters for non-U.S. operations is based in Dublin–was launched following a number of protests about Facebook’s data harvesting, which some alleged broke European data privacy laws. After three months of investigation that the commissioner politely described as a “challenging engagement” for all participants, the company has agreed to a number of changes moving forward.
Among the changes will be a simplification of the site’s privacy policies, which will also be made more readily available to users (per the review’s instructions). Click-through advertising data will only be held for two years maximum, and all data collected from third-party sites requiring a Facebook log-in will be made anonymous and must be deleted within 90 days. Users can no longer be added to groups without their consent, and they will also be able to control (or even block) social ads via their privacy settings.
Facebook, which was ultimately praised by the commissioner for its “positive approach and commitment” to privacy despite the changes prescribed, will begin implementing the changes immediately, with a revised data use policy due in the first quarter of 2012 and a progress report targeted for July of the same year.
Graeme McMillan is a reporter at TIME. Find him on Twitter at @Graemem or on Facebook at Facebook/Graeme.McMillan. You can also continue the discussion on TIME’s Facebook page and on Twitter at @TIME.