Another data protection authority says Facebook's facial recognition feature violates European data protection law


On the 2nd of August 2011 the Hamburg Commissioner for Data Protection and Freedom of Information called on Facebook to delete the feature on the social networking site that automatically recognizes facial features and "tags" users when others upload photos of them. According to the local German data protection authority the feature is a violation of local and European data protection laws, and Facebook should adapt the feature to European data protection law or suspend the use of the facial recognition technology. The Commissioner calls the facial recognition technology a "serious interference with the informational self-determination of a person. Even a company that operates globally must respect that." Facebook faces severe fines if it does not comply with the order to shut down its auto-tagging system in Germany. Facebook has rejected the claim.

The short statement of the Commissioner, who earlier initiated legal proceedings against Facebook for accessing and saving non-users' personal information, is not very surprising, since it merely reiterates some of the claims that the Electronic Privacy Information Center made two months ago in its complaint against Facebook with the Federal Trade Commission.

EPIC alleged that "users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control."

To be clear: the main problem does not lie in the 'automatic' recognition of people. As Tim O'Reilly points out, Facebook's approach is that they aren't using the technology to actually tag people in photos; its technology can't be used to identify any of its hundreds of millions of users simply by analyzing their faces. Facebook uses the technology to alert people on your friends list that you might have appeared in a photo, and relies on those people to add the tags. Facebook detects photos that apparently resemble us, but in the end our "friends" are invited to tag us. It is not the machine that recognizes our faces, but our friends.

The Hamburg Commissioner seems to make a point along the same lines, saying that the use of the feature as such is not the problem, but rather the database of pictures in which people are tagged. The risk of "the world's largest biometric database", with a total of 75 billion photos in which a total of 450 million people are tagged, is immense, according to the Commissioner.

The facial recognition option is switched on by default on the site, which means that users have to update their privacy settings within Facebook to opt out of the system. They can do this by disabling the "Suggest photos of me to friends" in the "Things Others Share" option in the "Customize Settings". If you opt out of this feature, however, it does not remove the summary information drawn from comparing any tagged photos of you from Facebook's database. EPIC and the Commissioner call this opt-out option 'misleading', since users might expect this removal when they disable the facial recognition option in the first place, especially since there is no "delete data from photo comparison database" option that can be selected. In order to do this, a user has to go to Facebook's online help function and contact the "Facebook photo team". Facebook has earlier explained that the data is in fact deleted when a user disables the tag suggestion feature, but it seems that the help file and the control panel don't match.

In any case, this opt-out option is not only difficult for the average user to find, it is also not sufficient for the Commissioner, since European data protection requirements require unambiguous consent by the affected person in advance of the collection of the data. If Facebook continues to maintain this feature, it must ensure that data is included only from those individuals who have effectively declared their consent to the storage of their biometric facial profiles in advance.

The Commissioner is the latest official source in Europe to voice criticism of Facebook's new feature. In Europe, the EU's Article 29 Working Party already announced in June that it is planning to investigate whether the facial recognition technology violates EU data protection law. Gerard Lommel, a member of the Article 29 Working Party, stated that "tags of people on pictures should only happen based on people's prior consent and it can't be activated by default." It is unclear whether a formal investigation by the Working Party is under way. The UK Information Commissioner's Office ("ICO") and the Irish data protection authority are also looking into the issue. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. To be continued.

Mathias Vermeulen is a Research Fellow at the European University Institute (IT) and a PhD Candidate at the Centre for Law, Science and Technology (LSTS) at the Free University in Brussels. He is also an Advisory Board member of Privacy International. Find him online @legalift.

This blog post is also available in Dutch at the EMSOC-website.
