Facebook could be fined up to 100,000 euro (£80,000) if it does not comply with the orders of Irish regulators within four weeks.
The social media site was last year warned to make widespread changes by the office of the Irish Data Protection Commissioner (DPC), which included tightening its privacy practices and deleting unneeded data sooner.
The DPC carried out audit on Facebook Ireland (FB-I) as the international headquarters is responsible for millions of users outside the US and Canada.
The internet giant - which went public on stock market in May - still has several recommendations to comply with in relation to targeted advertising utilising sensitive data, the retention of data on inactive or deactivated accounts, and educating users over settings.
Commissioner Billy Hawkes confirmed that if enforcement action has to be taken, the maximum penalty is a 100,000 euro court fine.
But he stressed he was satisfied the internet giant had made clear and ongoing commitments to comply with its data protection responsibilities in line with Irish and EU laws.
"I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice," he said.
The feature has already been turned off for new users in the EU and templates for existing users will be deleted by October 15, but will not be changed for users in the US and Canada.
The DPC review found the majority of its recommendations were fully implemented, particularly in the areas of:
* better transparency for the user in how their data is handled;
* increased user control over settings;
* the implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items.
Deputy Commissioner Gary Davis, who led the initial audit and follow-up review, warned the office would use enforcement powers if needed.
"There were a number of items on which progress was not as fully forward as we had hoped and we have set a deadline of four weeks for these matters to be brought to a satisfactory conclusion," he said.
"It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site.
"The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by FB-I."