Facebook has axed its facial recognition functionality for users in the EU, in order to satisfy the concerns of privacy regulators.
The Irish data protection commissioner (DPC) issued his assessment (PDF) on Friday of Facebook’s compliance with recommendations the regulator made last December. The DPC had been forced into the issue following complaints by a group of Austrian law students calling themselves ‘Europe v Facebook’, and had told Facebook that it had to be more upfront about giving users privacy choices.
The review suggested that Facebook had “fully implemented” most of the DPC’s recommendations, and those that had not been implemented would be taken care of “with a clear timescale” in place.
And one of those moves is apparently to stop recording people’s facial characteristics in order to automatically suggest photo tags.
“I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice,” DPC Billy Hawkes said in a statement. “This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent.”
Facebook, which was targeted in Ireland because that’s where all its non-North American business is based, is also crowing about going beyond the call of duty:
“The latest announcement is confirmation that we are not only compliant with European data protection law but we have gone beyond some of their initial recommendations and are fully committed to best practice in data protection compliance.”
But guess what? That’s not the end of the story.
Facebook’s been under fire over precisely the same feature in Germany, where privacy chiefs have accused the social network of “illegally compiling a vast photo database of users without their consent” – remember, this is the home of data protection law we’re talking about here.
When that last bit of bother struck just one month ago, Facebook insisted that:
“We believe that the Photo Tag Suggest feature on Facebook is fully compliant with EU data protection laws.”
So what gives?
Essentially, Facebook has found itself fighting on too many fronts. What began as an obscure concern of people in German-speaking countries has spread: the Norwegian data protection regulator also started probing the feature, and – crucially – so did the Article 29 Working Party (WP29).
The WP29 is a group of privacy regulators from all over the EU, and its recommendations get taken very seriously indeed. In July it said facial recognition features such as photo-tag suggestions should only be allowed when the user gives their explicit consent (and that means the user being tagged, as well as the one doing the tagging).
So yes, Facebook has just gone beyond the Irish DPC’s original recommendation, but only because a higher authority is waving a bigger stick at it, and because the company’s realized it’s not going to win this one.
In any case, even though Facebook is wiping the facial recognition templates it’s already recorded for its EU users, it intends to bring the system back once it’s figured out a “holistic approach” to properly informing those users.
As for Europe v Facebook, they’re still not happy (no surprise there) but tell me this victory is “totally going in the right direction”.
To give Facebook its due, here are the areas in which the DPC says the company has fully implemented its recommendations:
• The provision of better transparency for the user in how their data is handled,
• The provision of increased user control over settings,
• The implementation of clear retention periods for the deletion of personal data or an enhanced ability for the user to delete items,
• The enhancement of the user’s right to have ready access to their personal data and the capacity of FB-I [Facebook Ireland] to ensure rigorous assessment of compliance with Irish and EU data protection requirements.