Facebook’s facial recognition software has drawn negative media attention in Europe and is the subject of increasing scrutiny worldwide. Since it was launched, Facebook’s controversial technology has been used to analyze facial features, for instance, the distance between the eyes, nose and ears, to suggest who might be in an uploaded picture. This technology originally belonged to an Israeli firm called Face.com, which develops and provides facial recognition software.
Problems in Germany
According to the state of Hamburg’s data protection regulator, Facebook’s use of facial recognition software breaks EU privacy laws, as it collects biometric data without user consent. The social networking site uses facial recognition software to identify people in uploaded photos and makes suggestions for name tags to be associated with those photos.
According to the office of the Hamburg Commissioner for Data Protection and Freedom of Information, the facial recognition function requires a comprehensive database containing the biometric characteristics for every user. As it operates on an opt-out basis, Facebook does not have explicit consent to collect this data.
The Commissioner said in a statement: “Facebook has introduced this function in Europe without informing users and acquiring the necessary consent. Unambiguous consent from those affected is required by the European as well as the German data protection law.”
Thus far, Facebook has not complied with its demands to bring their automatic face recognition function in line with European and German data protection regulations. According to the German Commissioner, “For users whose biometric facial characteristics have already been incorporated into the database operated by Facebook, this consent needs to be acquired retrospectively.”
At the time, Facebook denied the allegations, insisting that any legal action was completely unnecessary.
Complaints Lead to Action
Facebook’s privacy practices also garnered unwanted attention by the Irish data protection agency. An investigation was launched after a complaint made by an Austrian law student regarding the company’s privacy practices. This resulted in a list of recommendations released by the Irish Data Protection Commission.
Following these legal troubles, Facebook decided to delete all of its European photo tagging facial recognition data. After reviewing the company’s source code and deletion process, the Irish Data Protection Commissioner confirmed that the regulatory agency was satisfied with the social network’s compliance. A report confirmed that a code review was performed to ensure that when a user disables the tag suggestions feature, facial recognition data for that user is deleted.
Additional removal confirmation came from Hamburg’s Data Protection Authority, which also reviewed the firm’s software to ensure that its standards were met. Once the deletion was confirmed, the Authority dropped proceedings against the company asking it to obtain explicit consent from German Facebook users before using this kind of feature.
Finally, a Facebook spokesperson confirmed that the data had been deleted and that the social network has no plans to reinstate facial recognition software in Europe anytime soon.
After a debacle with both the Irish and German data protection authorities, Facebook was forced to delete all of its European photo tagging facial recognition data. The facial recognition software and tagging feature drew much controversy and was said to have violated European data protection legislation.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) and Certified Information Privacy Professional/Europe (CIPP/E), a privacy professional should be comfortable with topics related to this post, including:
- Purposes and uses of PII (I.C.c.; CIPP/IT)
- Privacy expectations (II.A., CIPP/IT)
- Personalization – end user benefits and privacy concerns (II.C.a.; II.C.b.; CIPP/IT)
- European data protection – legislative framework (I.C.; CIPP/E)