Once again, Facebook comes under criticism. Once again, the criticism is aimed at the neglect of data protection. After its Friend Finder tool and data leakage, now it is Facebook's facial recognition that catches everybody's attention. While the facial recognition tool was implemented in the US in late 2010, the function was only introduced in Europe in June.
The software scans users' newly uploaded photos, comparing the faces in the photos with previously labeled photos to see if they match any of the people in the database. Once a match is found, Facebook alerts the person uploading the photos and asks him or her to tag, or identify, the person in the photo. The facial recognition function is problematic for two reasons.
Firstly, introducing such a function is very questionable, in terms of data protection, to Germany and the EU. Facebook has automatically enabled the feature in users' settings. A user who is not interested in the facial recognition function needs to become active by switching the function off. In addition to that, the feature was introduced without any notification to the users. Johannes Casper, the Hamburg Commissioner for Data Protection and Freedom of Information, as well as Gerard Lommel, member of the Article 29 Data Protection Working Party that advises the European Commission on privacy issues, rightly criticize possible violations of European data protection law. Users have to be informed about the introduction of a new function before its activation. Furthermore, the non-transparent procedure of opting out as is the case with the facial recognition is not permitted. For consent to be valid, it is not sufficient that the user is just not exercising his or her objection. An unambiguous consent by the affected persons before activation is indispensable.
Secondly, the facial recognition tool itself is questionable as well. Facebook creates a biometric database that can, due to its large number of members and its enormous amount of uploaded photos, assume unknown proportions. Moreover, it is unclear if the deactivation of the feature actually prevents the whole process or if it is simply not visible to the user anymore. Another question is what Facebook is able to do with such a gigantic biometric database. Uncontrolled dissemination and constantly improving technology may lead to yet unknown risks.
As a conclusion, it can be said that the facial recognition function as it currently exists in Facebook depicts an incursion into the right of informational self-determination. Users are no longer able to decide who knows what and when about themselves. Facebook itself is taking care of those decisions and for that reason, cancels consent and its function. The lack of transparency and information ahead of the introduction of a new feature leads to the inability of users to control their personal data.
At least in Europe, data-protection-friendly default settings are inevitable. Facial recognition as well as other functions have to be inactive until the user consciously activates them. Before Facebook changes its terms of service the user needs to be informed. Changes are only possible if users freely give specific, informed and unambiguous consent.
Facebook and other user generated content services must comply with the existing European laws. Data protection authorities need to control such services better. If a violation is discovered, radical enforcement such as imposing high fines is necessary. Consequently, Facebook needs to either adapt to European and national data protection laws or cut off the facial recognition tool in Europe.
Patricia Rogosch studied law at the University of Münster, where she graduated with certificates in intellectual property law and foreign law and language.
Suggested citation: Patricia Rogosch, Facebook Facial Recognition Violates European Privacy Laws, JURIST - Hotline, Aug. 16, 2011, http://jurist.org/hotline/2011/08/patricia-rogosch-facebook-privacy.php.
This article was prepared for publication by Edward SanFilippo, an associate editor for JURIST's professional commentary service. Please direct any questions or comments to him at firstname.lastname@example.org