German regulators reopen investigation of Facebook’s face recognition technology

Data protection regulators in Germany accused Facebook of illegally stockpiling photos of users without consent as they reopened a probe into the company’s face recognition technology.

Hamburg’s data protection commissioner, Johannes Caspar, resumed an investigation after initial attempts to get Facebook to alter its policy had failed, according to the New York Times. The inquiry was suspended in June.

Facebook added the technology in December 2010, but it didn’t become widely available until last June, when Facebook began using it to suggest tags. Facebook tries to recognize your friends’ faces in photos, and guesses which friends you might wish to tag.

The practice has caused consternation in Europe, largely because Facebook automatically switched on the feature for many of its users, rather than asking them to enable it themselves. The opt-out approach caught the attention of privacy regulators throughout Europe, including those in Germany.

Caspar claimed he’d met with Facebook officials several times over the past year. His office wants Facebook to delete the data it collected using the facial recognition system and ensure it obtains users’ explicit consent before storing biometric information about those users’ faces.

Facebook claimed that it is not contravening European Union law with the software, nor is it violating biometric data regulations in Ireland, where its European arm is based.

“We believe that the Photo Tag Suggest feature on Facebook is fully compliant with E.U. data protection laws,” Facebook told the New York Times. “During our continuous dialogue with our supervisory authority in Europe, the Office of the Irish Data Protection Commissioner, we agreed to develop a best practice solution to notify people on Facebook about Photo Tag Suggest.”

Ireland’s data protection agency plans to publish a report in September of an audit carried out on Facebook last month. The deputy data commissioner, Gary Davis, says the office hopes to reach an agreement with Facebook about consent and the existing data. Davis added that Facebook has turned off the feature for those who joined after July 1.

Caspar plans to formally ask Facebook to change its practices by the end of next month. He can fine Facebook up to €25,000 ($30,705 USD) if it refuses to kill its database and fails to obtain users’ explicit consent. There’s also the option of suing Facebook—a process the Hamburg Data Protection Authority set out on last November—or forcing it to change its policy via court order.

While a $30,000 fine is relatively small for a company of Facebook’s size, the main drawback for Facebook is the reputational hit it could take, according to privacy lawyer Ulrich Börger.
Aside from the face recognition tussle, the company’s had several issues with German officials over the last year or so.

Politicians called for a ban on parties organised on Facebook after some got out of control. Last August, the state of Schleswig-Holstein told government offices to remove the Like button from their sites and close their Facebook pages. In March, Facebook lost a court battle over how it attempts to grab new users by using existing members’ email addresses.

In an attempt to stymie such issues, Facebook signed a voluntary code of privacy with Germany last September. It doesn’t seem like that agreement satisfied Caspar, though.

Photo by familymwr/Flickr