Kevin J. O’Brien reports:
Data protection officials in Germany reopened an investigation into Facebook’s facial recognition technology Wednesday, saying the social networking giant was illegally compiling a vast photo database of users without their consent.
The data protection commissioner in Hamburg, Johannes Caspar, said he had reopened his investigation, which he had suspended in June, after repeated attempts to persuade Facebook to change its policies had failed.
Read more on NY Times, where O’Brien discusses the possible outcomes or consequences.
Overall, this case illustrates how difficult it may be for countries to compel compliance with EU privacy laws when the company is headquartered in the U.S. In this case, Facebook also has a headquarters in Ireland, but the Irish Data Protection Commissioner had previously concluded that notice, not consent, was required. The Irish DPC came under pressure when the EU privacy panel indicated that consent – and not just notice – was required.
During the comment period for the FTC’s proposed settlement with Facebook, EPIC wrote to the FTC about the issue of photo tagging and compilation of biometric data. The FTC responded:
(2) You urge the Commission to prohibit Facebook from creating facial recognition profiles without users’ express consent.
The comprehensive privacy program described above will require Facebook to implement practices that are appropriate to the sensitivity of the “covered information” in question, which is very broadly defined in the order and would include biometric data. Moreover, the biennial audits of its privacy practices will help ensure that Facebook lives up to these obligations. Although the order does not specifically require that Facebook obtain a user’s consent for the creation of facial recognition data, the order’s broad prohibition on deception is designed to ensure that Facebook will be truthful with users about such practices. Likewise, the affirmative express consent requirement, described above, is designed to ensure that Facebook upholds privacy settings that it offers to users to protect such information.
So there’s no help there in closing the gap between EU and U.S. privacy law.