II-11.8: Facebook's facial recognition system criticized by German regulators

Context and Summary

Facebook Europe is based in Ireland and operates from there in European countries. Its success in Germany is more recent than in countries such as France, especially because it was at first in competition with another social network for students, Studivz. Yet, Facebook occupies now the foreground of Germany’s web consumption habits, occupying 16,2% of the time spent on the Internet by Germans. Yet, recently, two public representatives claimed that Facebook was infringing their national and European law on privacy.

The first one is Thilo Weichert, Representative for Data Protection for the Land of Schleswig-Holstein. He argued that the "Like"-button of Facebook, which enables companies or organizations to gather their consumers or sympathizers on a specific page, infringed the rules on data protection. M. Weichert believes that the data storage taking place when a Facebook member presses the "Like"-button is illegal, because it automatically transfers the data to Facebook’s headquarters in the USA, and thus demanded that every public organization shuts its page down. Yet, his demand remained a dead letter.

More importantly, Johannes Caspar, Responsible for Data Protection for the Land of Hamburg, demanded that Facebook complies with European and German standards on privacy. Indeed, Facebook developed a facial recognition software thanks to its tremendous data storage. It enables the company to identify most of its users on a picture, and to communicate this to their friends, without his or her authorization. Most importantly, this technology gives Facebook the opportunity to develop a massive database with the facial details of millions of user’s faces, without them being aware or informed of it. Indeed, the company stores more than 75 billion pictures, all of them enabling it to identify more than 450 million users. The existence of such a database bears with it important risks for consumer protection and privacy rights, to M. Caspar’s mind.

Since M. Caspar cannot demand that Facebook suppresses this function, he asked Facebook Ireland to erase the data. On November 2nd, Facebook and other Internet companies met the German Minister for Home Affairs, Hans-Peter Friedrich, to plead for their cause. Alleging that they respect European law, they proposed the adoption of a Code of Good Behavior, letting the Minister decide whether or not Germany will bring this case before the European Court of Justice. M. Friedrich’s decision is expected for the beginning of 2012.

Brief commentary

This case could become an interesting case of law if the ECJ has to state whether or not Facebook's data storage is illegal with regards to European standards. Yet, it should be noted that German rules on data and privacy protection are stronger than in other European countries. Due to the past experiences of Germany under Nazi and communist governments, the country, and its representatives, are very demanding on data protection, but also, the public opinion sees with a distrustful eyes attempts by the authority to restrict an individual's freedom to decide what he or she wants to do with his private data.

Indeed, M. Weichert's campaign has been half-heartedly welcomed by Internet users, who judged it "paternalist" and suspicious the fact that an official would decide for the users on how they use their privacy rights.

Yet, as for Facebook's facial recognition database, the questions raised are much more critical. In the UK also, an spokesperson for the Information Commissioner's Office, the ICO, stated that "the privacy issues that this new software might raise are obvious and users should be given as much information as possible to give them the opportunity to make an informed choice about whether they wish to use it." Indeed, Facebook acknowledged the fact that several European regulators expressed their suspicion with regards to the compatibility of such software with European law, stating that it would take into account these critics. Eventually, Facebook will provide an opt-out system, enabling users to 'untag' themselves from the pictures on which they are identified. First, tag suggestion would only be made to friends of the person, and the users can switch off the features to prevent their names from being put forward.

The opt out system is still controversial. Indeed, Facebook did not specify which information will be linked with facial recognition. E-mail addresses, phone numbers, locations could be instantly linked with a picture, This would take place without user's participation, their agreement being solely requested at the end of the process. An opt in system similar as the one installed by Apple iPhoto's software, would be much more conform to privacy norms.

The European reception of such a technology in the legal framework will be interesting to follow. Recently, Google held back a facial recognition application enabling people who took a picture of somebody with their smartphones to search the Internet to identify them. This was not made public because of privacy standards. If Facebook manages to convince European authorities that its facial recognition software respects privacy standards, it will progressively enlarge the scope of what is public information available to all, achieving M. Zuckerberg's statement of April 2010 that "privacy is no longer a social norm".