Out-Law News 4 min. read

Facebook agrees to delete facial recognition image 'templates' in response to EU privacy concerns

Facebook Ireland has agreed to delete the "template" images it stores of its EU users in response to concerns raised by privacy bodies, the Irish data protection watchdog has said.

The Office of the Irish Data Protection Commissioner (ODPC) said that it had "requested" that Facebook Ireland go beyond the watchdog's "initial recommendations" with regards the social network's 'tag suggest' feature in order to satisfy the demands of other data protection authorities in the trading bloc.

Facebook Ireland has therefore agreed to "delete collected templates for EU users by 15 October," the ODPC said. The company will also seek the "consent" of the ODPC if it "chooses to provide the feature to EU users again". Facebook Ireland has responsibility for all Facebook users outside of the USA and Canada.

Facebook uses automated facial recognition technology to suggest to users the identity of other members of the site when they feature in pictures the users are uploading to the social network. Those users can choose to 'tag' those individuals based on the suggestions, meaning the pictures are labelled with pop-up captions to enable people who view the photos to identify who is in the shot by hovering their cursor over the picture.

In order for the 'tag suggest' feature to work, Facebook has collected 'template' images of users in order to use them as reference points for its facial recognition technology.

However, last month the Hamburg data protection authority said that Facebook had not obtained individuals' consent to store the pictures. At the time the Hamburg authority said it had re-opened its investigation into the issue and said Facebook should have to delete the data. It said the social network must obtain users' opt-in consent before compiling information about users through the use of the feature.

Facebook previously stated that its facial recognition feature was compliant with EU data protection laws.

Under the EU's Data Protection Directive personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and generally it can only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".

Organisations must generally obtain "unambiguous consent" from individuals in order for personal data processing to be legitimate, according to the Directive. However, in circumstances where data is "capable by their nature of infringing fundamental freedoms or privacy" organisations generally are prohibited from processing the information without obtaining "explicit consent" from individuals.

Earlier this year the EU's privacy watchdog the Article 29 Working Party elaborated on its interpretation of those rules in the context of facial recognition technology. It said social networking sites needed to obtain users' "informed consent" before suggesting to other users that those individuals feature in photos that they are uploading to the site.

The Working Party, which is a committee featuring representatives of all the EU's national data protection regulators, said that the networks can process the images legitimately without the consent of those featured in the photos under EU data protection laws in order to assess whether that consent has been given. However, it said that sites processing images in order to verify consent must delete that information "immediately after" that processing is complete.

The ODPC announced Facebook's actions with regards to its 'tag suggest' feature in a report (186-page / 16.2MB PDF) detailing the results of a "re-audit" it conducted of the company's privacy policies and practices earlier this year.

In an initial audit the ODPC conducted in 2011, the watchdog had said Facebook's decision to introduce facial recognition technology on an 'opt-out' basis should have been handled "in a more appropriate manner". In response the social network said it would notify users up to three times in order to give users more information on adjusting their settings for the feature. However, the company has now gone beyond that initial requirement in a bid to resolve the concerns of regulators.

In its latest report the ODPC also said that it had given Facebook Ireland four weeks to "address concerns" it has expressed about the way that "sensitive data" is used to help deliver "targeted advertising" to users. It said that Facebook had not yet "achieved" its requirement that the social network minimise "the potential for ad targeting based on words and terms that could be considered to be sensitive personal data". The watchdog said, though, that it expects Facebook to change its policy in this regard within the next four weeks.

In its first audit report the ODPC had determined that it was "legitimate" for Facebook Ireland to use information users provide about themselves on the social networking site to enable advertisers to serve targeted ads.

At the time Gary Davis, deputy Irish Data Protection Commissioner, said that the "legitimacy of such use is, in all cases, predicated on users being made fully aware, through transparent notices, that their personal data would be used in this manner to target advertisements to them" and that "any further use of personal data should only be possible on the basis of clear user consent."

The ODPC said that, to its "satisfaction", Facebook Ireland had "fully implemented" the "great majority of the recommendations" it made following its initial audit.

"I am particularly encouraged in relation to the approach it has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice," Billy Hawkes, the Irish Data Protection Commissioner, said in a statement. "This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my Office on the most appropriate means of collecting user consent."

"By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance," Hawkes added.

Davis added that the ODPC would be in regular contact with Facebook to discuss compliance issues relating to new initiatives the company may look to introduce.

"It is also clear that ongoing engagement with the company will be necessary as it continues to bring forward new ways of serving advertising to users and retaining users on the site," the deputy Commissioner said. "The value of such engagement to identify and deal with any data protection concerns prior to launch of new products and services is fully accepted by [Facebook Ireland]."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.