Out-Law News

German privacy regulator re-opens investigation into Facebook facial recognition feature


Facebook is storing pictures of its users without having those individuals' required consent to do so, a data protection authority in Germany has alleged.

The Hamburg data protection authority has re-opened its investigation into the issue and called on Facebook to delete the biometric data it has collected of its users through the use of automated facial recognition technology. It said the social network must obtain users' opt-in consent before compiling information about users through the use of the feature, according to a report by the New York Times.

Facebook uses automated facial recognition technology to suggest to users the identity of other members of the site when they feature in pictures the users are uploading to the social network. Those users can choose to 'tag' those individuals based on the suggestions, meaning the pictures are labelled with pop-up captions to enable people who view the photos to identify who is in the shot by hovering their mouse over the picture.

Under the EU's Data Protection Directive personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and generally it can only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".

Organisations must generally obtain "unambiguous consent" from individuals in order for personal data processing to be legitimate, according to the Directive. However, in circumstances where data is "capable by their nature of infringing fundamental freedoms or privacy" organisations generally are prohibited from processing the information without obtaining "explicit consent" from individuals.

Earlier this year the EU's privacy watchdog, the Article 29 Working Party, elaborated on its interpretation of those rules in the context of facial recognition technology. It said social networking sites needed to obtain users' "informed consent" before suggesting to other users that those individuals feature in photos that they are uploading to the site.

The Working Party, which is a committee featuring representatives of all the EU's national data protection regulators, said that the networks can process the images legitimately without the consent of those featured in the photos under EU data protection laws in order to assess whether that consent has been given. However, it said that sites processing images in order to verify consent must delete that information "immediately after" that processing is complete.

Facebook's facial recognition feature was first introduced in the US in 2010. Last year the company announced that the feature had been made available to users in most countries, including in the EU. However, users must actively opt out of having their information processed by the feature through their privacy settings if they do not wish their details to be collected and referenced for 'tagging' purposes.

Johannes Caspar, data protection commissioner in Hamburg, said that he had tried and failed to get Facebook to alter its policy in order to obtain users' opt-in consent to the facial recognition technology.

“We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data,” Caspar said, according to the New York Times report.

However, Facebook said that its facial recognition feature was compliant with EU data protection laws and that it had agreed with the Irish data protection regulator how to better inform users about it.

"We believe that the photo tag suggest feature on Facebook is fully compliant with EU data protection laws," Facebook said, according to the newspaper's report. "During our continuous dialogue with our supervisory authority in Europe, the Office of the Irish Data Protection Commissioner, we agreed to develop a best practice solution to notify people on Facebook about photo tag suggest."

Last year the Office of the Irish Data Protection Commissioner (ODPC) conducted a privacy audit of Facebook Ireland. Facebook Ireland has responsibility for all Facebook users outside of the USA and Canada.

At the time the ODPC said Facebook's decision to introduce facial recognition technology on an 'opt-out' basis should have been handled "in a more appropriate manner". In response Facebook Ireland said it would notify users up to three times in order to give users more information on adjusting their settings for the feature.

The ODPC has conducted a second audit of Facebook Ireland and is due to report its findings next month, according to the New York Times.

Facebook has currently suspended the use of its facial recognition feature for new EU users of its service whilst it discusses the issue with regulators, according to a report by the BBC.

"It is to be welcomed that Facebook clearly recognises that the process of collecting biometric data is at least not in accordance with data protection law in Europe," Caspar said, according to the BBC's report. "But Facebook can't just stay halfway there."
