Facebook's new face recognition policy astonishes German privacy regulator

Turning on facial recognition again in Germany might be illegal, the privacy regulator said

A German privacy regulator is astonished that Facebook has added facial recognition to a proposed new privacy policy it published on Thursday.

"It is astonishing to find the facial recognition again in the new proposed privacy policy that Facebook published yesterday. We therefore have directly tried to contact officials from Facebook to find out if there is really a change in their data protection policy or if it is just a mistake of translation," Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar said in an email on Friday.

The Hamburg data protection commissioner, already at odds with Facebook over its use of face recognition technology, reopened its proceedings against the company in August last year, telling the company to either obtain explicit consent for face recognition from users, delete the data, or face a lawsuit, Caspar said at the time.

Facebook turned off facial recognition for all European users in September last year, and said it would delete all face recognition templates for existing users in Europe.

The German commissioner stopped its proceedings against Facebook in February, when it confirmed that the company had deleted the facial recognition data gathered on German users without their consent.

Turning on facial recognition again in Germany might be illegal, Caspar said, adding that it depends on how Facebook implements it. The social network should ask for the explicit and informed consent of the user, Caspar said.

"That means that there has to be offered an opt in for users," he added.

Facebook initially deleted the face recognition data in response to recommendations from the Irish Data Protection Commissioner that it adjust its privacy policy. The company's Irish subsidiary is responsible for the data of users outside the U.S. and Canada, and therefore falls under the jurisdiction of the Irish DPC, which also confirmed independently that Facebook had deleted the face recognition data .

On Thursday, Facebook proposed changes to its privacy policy on Thursday, including one related to the tag suggest feature that uses facial recognition in order to let users easily tag friends in photos they upload.

Tag suggest is used in the U.S. in the same way it was used in Europe before it was turned off. Facial recognition software is used to calculate a unique template of a user's appearance based on facial features using variables such as the distance between the eyes, nose and ears.

"We are able to suggest that your friend tag you in a picture by scanning and comparing your friend's pictures to information we've put together from your profile pictures and the other photos in which you've been tagged. You can control whether we suggest that another user tag you in a photo using the 'Timeline and Tagging' settings," the proposed change reads.

Facebook proposed the change in its U.S. privacy policy, and also in translated versions of the policy for European countries, including Germany.

However, according to the Irish DPC, Facebook does not yet intend to offer the service in Europe.

Facebook Ireland consulted the Irish DPC in relation to its proposed privacy policy changes and confirmed that this feature is not yet available in Europe, said Ciara O'Sullivan of the Office of the Data Protection Commissioner in an email. "Any proposed changes to this position would be discussed with our Office," she said.

The Irish DPC suggested to Facebook Ireland that it clarify to its users that the tag suggest feature is not currently available in Europe, she added.

Facebook is still working with regulators to find a way to turn face recognition back on in Europe, a Facebook Germany spokeswoman said in an email.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicessecuritysocial mediainternetprivacyFacebook

More about EUFacebookIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts