When Facebook earlier this week revealed changes to its privacy settings in order to comply with new EU laws, one interesting aspect of its announcement was that Facebook intends to reintroduce facial recognition technology to its European services.
The technology allows Facebook to suggest tags for people in photos, and to detect when a person is using a photo of someone else as their profile picture. However, back in 2012, Facebook had to stop using facial recognition in the EU because German and Irish privacy regulators said people weren’t really giving their consent to having their faces scanned and labelled. The Irish watchdog also forced Facebook to delete all the facial recognition data it had gathered on EU citizens.
So, does Facebook’s reintroduction of facial recognition tech to the EU mean it’s fixed the legal problems it had before? Not so fast, says the Irish Data Protection Commissioner (DPC).
According to CNBC, Facebook briefed the DPC on its plans before announcing them, but the regulator has not given the all-clear. In fact, it and other national regulators are still concerned that some of the people getting their faces scanned may not have consented to that happening.
It is true that Facebook’s new settings, which it is rolling out this week in Europe, ask users to opt into the social network’s facial recognition feature. However, people don’t just upload photos of themselves. Their pictures on the platform will include other people, and those people may not have consented to having their faces scanned to see if they match the faces in Facebook’s book.
That means Facebook may still not be fully complying with EU privacy law, in particular the General Data Protection Regulation (GDPR) that comes into effect next month. The GDPR is the main driver behind Facebook’s new settings.
“The Irish DPC is querying the technology around facial recognition and whether Facebook needs to scan all faces (i.e. those without consent as well) to use the facial recognition technology. The issue of compliance of this feature with GDPR is therefore not settled at this point,” the Irish regulator said in a statement quoted by CNBC.
“We have also provided details to the IDPC about how our facial recognition technology works. They came with some questions which we are working to address,” a Facebook spokesperson told CNBC.
The Irish DPC has jurisdiction over Facebook because the company’s international services all run out of its Irish headquarters: all users outside North America currently agree to the terms of service coming out of that office. However, Reuters reported on Thursday that Facebook would be changing its legal situation so that only European users fall under the Irish terms, so that those in Africa, Asia, Australia and Latin America are not subject to the GDPR.
Facial recognition isn’t just an issue that upsets people in the EU, though. Facebook is also facing a class action lawsuit in the U.S. over its use of facial recognition. The plaintiffs in that case claim Facebook broke Illinois state law on the issue of biometric privacy.