Facebook, as I’m sure we all know, thrives on being able to collect data on its users for better integration of services and serving targeted ads. For the most part, Facebook has had a free reign in the United States although the FTC did just recently force Facebook to sign a privacy agreement. In Europe, on the other hand, Facebook seems to be colliding with European data protection laws at every turn it makes. In this particular situation, Facebook’s collection of user facial biometric data is facing stiff opposition in Europe, particularly Germany.
In June 2011 Johannes Caspar, Hamburg’s Data Protection Commissioner, opened an investigation into Facebook because of reports that Facebook is collecting facial biometric data on people through photos uploaded by Facebook’s users without explicit consent. In June 2012 Casper suspended his investigation because he felt Facebook was moving towards complying with German demands. Now Casper has reopened his investigation after being stonewalled by Facebook and Facebook’s refusal to change how it operates.
The crux of the disagreement between Facebook and Germany is opt-in vs opt-out. Currently how Facebook operates is it automatically collects facial recognition data on people and allows people to opt-out if they don’t want their biometrics being recorded. Germany wants Facebook to scrub this practice and instead ask people’s explicit permission before collecting any biometric data. In other wards, Germany wants Facebook to implement an opt-in as opposed to the current opt-out.
Facebook maintains that the practice of collecting facial recognition data on people without their explicit consent is legal in Ireland, which is where Facebook’s European headquarters is situated. Indeed last year, after an audit of Facebook, the Office of the Irish Data Protection Commissioner told Facebook that it informing people that their biometrics is being collected on Facebook’s website would suffice as opposed to asking for their explicit permission. However, since that time last year the Article 29 Working Party (European Union top panel on privacy) has stepped into the fray and issued a statement that the collection of biometrics without explicit consent is illegal in the European Union. This opinion by the Article 29 Working Party has put pressure on Ireland, which has opened a second audit into Facebook and convinced Facebook to disable face tagging, the feature that leads to facial data collection, for new European Facebook users that join after June 1, 2012. Ireland will finish its second audit later this year.
Aside from wanting Facebook to change from opt-out to opt-in, Germany wants Facebook to destroy all existing facial recognition data Facebook has on Germans. As it turns out, if Facebook doesn’t comply there doesn’t appear to be much Germany can do. Caspar himself admits that aside from fining Facebook 25,000 euros (about US$31,000), he can’t force Facebook to comply with his demands because Facebook is not based in Germany and all Facebook operations in Germany are limited to to marketing, which is unrelated to the feature in question. Caspar could try to take Facebook to court but would have difficulty in asserting German jurisdiction over it.
Try as hard it wants, it doesn’t look like Germany can force Facebook to do anything Facebook doesn’t want to do itself. But at least they are trying. Now it is up to the rest of us to shame Facebook into changing the way it does things. Like, you know, stop using Facebook altogether. *Gasp*