Updated to reflect comment from Facebook
Facebook’s facial recognition software has been causing a stir in Europe for the last few years, with investigations by multiple countries, as well as the European Union, into whether it violated EU data-protection rules. A report released by the Irish Data Protection Commissioner (DCP) on Friday seemed to show that Facebook had finally appeased the EU by turning off its facial recognition software, but that doesn’t mean that everyone happy just yet.
On Friday, after the DCP released a statement praising Facebook for complying with its demands, the Hamburg Commissioner for Data Protection and Freedom of Information released a statement, issued an administrative order against Facebook for not complying with German law.
“The order obliges the US-company to change its longtime criticized practice of automatic face detection to comply with data protection standards even retrospectively. The company has to make sure, that biometric profiles of its already registered users will only be created and stored with their active consent,” the German commissioner wrote.
“Additionally, users have to be informed about risks of the practice in advance. If Facebook does not make an objection against the administrative act within one month, it will come into force. The demands of the Hamburg data protection supervision will then have to be fulfilled. If the implementation is not achieved in due course, the existing data base has to be deleted.”
This may, however, just be a case of the commissioner not yet having all the facts. In an interview with Bloomberg on Friday, Johannes Caspar, the Hamburg regulator, said that he had not yet seen the report issued by the DCP, and if the concessions made by Facebook also comply with German law, “then all is fine.”
"In light of discussions with our regulator in Ireland, we have agreed to suspend the Tag Suggest feature in Europe, while we work with the Office of the Irish Data Protection Commissioner in Ireland on the appropriate way to obtain user consent for this kind of technology under European rules. As the Commissioner said, this is a further demonstration of our commitment to best practice in data protection compliance," a Facebook spokesperson told VatorNews.
What's all the fuss about?
At issue is Facebook's ability to scan and recognize faces when pictures are uploaded onto the website.
When a user uploads new photos onto Facebook, the social network uses software to scan the pictures and matches them to photos of both the user and their friends. The site will suggest possible tags for the people in your photos, in an attempt to simplify and shorten the time it time it takes to tag people.
In an opinion from March of this year from the EU’s Article 29 Data Protection Working Party, it was established that facial recognition software might only be used with user consent.
“In order to consider the consent valid, adequate information about the data processing must have been given. Users should always be provided with the possibility to withdraw consent in a simple manner. Once consent is withdrawn processing for the purposes of facial recognition should stop immediately,” the opinion said.
Ireland has been conducting its own investigation into whether or not Facebook has been violating EU data-protect rules since 2011.
In December, the Irish Data Protection Commissioner completed a privacy audit which concluded that Facebook was, in fact, complying with EU privacy rules. A follow-up report was expected in July, but was then pushed back to October. The report finally came out yesterday and the DCP seemed pleased with what it found.
“I am satisfied that the Review has demonstrated a clear and ongoing commitment on the part of FB-I to comply with its data protection responsibilities by way of implementation or progress towards implementation of the recommendations in the Audit Report,” The Irish Data Protection Commissioner, Billy Hawkes said in a statement.
“I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice.”
In August, Norway began its own investigation into the software. As Norway is not currently in the European Union, it coordinated its investigation with Ireland, a country that is a member of the EU.
“It’s a very powerful tool Facebook has and it’s not yet clear how it all really works,” Bjorn Erik Thon, Norway’s data- protection commissioner, said at the time.
“They have pictures of hundreds of millions of people. What material Facebook has in its databases is something we need to discuss with them.”
You can read the DCP's full report on Facebook's facial recognition software below:
(Image source: http://mashable.com/)