German data privacy authorities on Wednesday reopened [press release, PDF, in German] an investigation into facial recognition software used by Facebook [website; JURIST news archive] that automatically recognizes facial features in pictures and "tags" users when others upload photos of them. Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar [official website, in German] claims that Facebook is illegally compiling a huge database [NYT report] of members' photos without their consent, and the archive should be destroyed because European data protection laws require explicit consent of users for a company to employ such analytic software to compile a photographic database of human faces. Facebook's model works on an opt-out basis, automatically including users rather than having them opt-in to the feature up front. The original investigation [JURIST report] was announced last year, but Caspar suspended the inquiry while Facebook was audited by Irish authorities at the social networking giant's EU headquarters in Dublin. Facebook ultimately blocked the feature as of July 1, but only for new users. Caspar welcomed the decision but maintains that Facebook did not go far enough [BBC report] for compliance purposes.
Facebook has frequently been under scrutiny for violating privacy laws in Germany. Mirroring Caspar's position, Patricia Rogosch, a research assistant for the EU Project CONSENT Institute for Information, Telecommunication and Media Law, wrote in August 2011 that the Facebook facial recognition feature violates European data protection laws [JURIST comment] because the software was introduced without notifying users and it requires users to opt out instead of opting in. In July 2010 Caspar initiated legal proceedings [JURIST report] against Facebook for accessing and saving non-users' personal information, stated the social networking site could be fined tens of thousands of euros for violating Germany's strict privacy laws. Caspar was alerted that non-users had been contacted by Facebook because their e-mail addresses were listed in Facebook users' e-mail contacts.