2012 08 16 NYT Germany Reopens Investigation of Facebook’s Photo Archiving – NYTimes.com
Germans Reopen Investigation on Facebook Privacy
BERLIN — Data protection officials in Germany reopened an investigation into Facebook’s facial recognition technology Wednesday, saying that the social networking giant was illegally compiling a huge database of members’ photos without their consent.
The data protection commissioner in Hamburg, Johannes Caspar, suspended the inquiry in June, but said he reopened it after attempts to persuade Facebook to change its policies had failed.
“We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data,” Mr. Caspar said in an interview.
The company’s use of analytic software to compile photographic archives of human faces, based on photos uploaded by Facebook’s members, has been problematic in Europe, where data protection laws require people to give their explicit consent to the practice.
Instead of using such an opt-in system, Facebook requires them to opt out instead.
The Hamburg regulator is demanding that Facebook destroy its photographic database of faces collected in Germany and revise its Web site to obtain the explicit consent of members before it creates a digital file based on the biometric data of their faces.
Mr. Caspar, who led Germany’s investigation into Google’s illegal collection of personal Internet data during its Street View project, said he had met with Facebook executives several times on the issue since he opened his investigation in June 2011, but closed it a year later when Facebook appeared to be complying with his demands.
In their meetings, Facebook representatives acknowledged that the company was compiling biometric data on users, Mr. Caspar said, but have maintained that the practice is legal in Ireland, where Facebook’s European operation is incorporated.
Mr. Caspar said he planned to end his investigation and make a formal request to Facebook to amend its practices by the end of September.
Facebook said in a statement that it was not breaking European Union law with facial recognition software, which prompts members to “tag,” or identify, people in photos uploaded to the service.
“We believe that the photo tag suggest feature on Facebook is fully compliant with E.U. data protection laws,” the statement said. “During our continuous dialogue with our supervisory authority in Europe, the Office of the Irish Data Protection Commissioner, we agreed to develop a best practice solution to notify people on Facebook about photo tag suggest.”
Irish officials appeared to dispute that view, and were concluding a second audit of the company’s data protection practices. Gary Davis, Ireland’s deputy data commissioner, said the agency was continuing its talks with Facebook and hoped to reach a settlement on obtaining a consent agreement and on the status of photo archives compiled from European users.
Facebook, Mr. Davis said, had voluntarily agreed to suspend its tagging feature for all Europeans who join the network as of July 1. The situation for others “remains under active discussion,” he said.
“Those discussions are continuing, and we remain hopeful that they will be concluded satisfactorily shortly.”
European data protection officials have limited means to compel global companies like Facebook to alter their businesses to conform with local law.
In Germany, Mr. Caspar could fine Facebook up to 25,000 euros, or about $31,000, should it refuse to destroy its biometric database and alter its consent practices.
He could also sue Facebook and try to obtain a court order to compel it to alter its German operations. But establishing legal jurisdiction would be difficult, especially over a global online company with headquarters in the United States, said Ulrich Börger, a privacy lawyer in Hamburg with the law firm Latham & Watkins.
“The fines are ridiculously small for a company the size of Facebook,” Mr. Börger said. “The most important thing for Facebook is the reputational risk.”
Mr. Caspar said he was exploring that option but agreed that his staff had difficulty establishing jurisdiction over Facebook, which maintains that its activities at its German headquarters in Hamburg are limited to marketing activities, and not the technical and privacy-related functions relevant to Facebook’s collection of biometric data.
In March, in response to the dispute, the European Union’s top advisory panel on privacy, the Article 29 Working Party, released an opinion that the collection of biometric data without the explicit consent of users was illegal.
The decision by the privacy panel, which is made up of regulators from the 27 member countries of the European Union, prompted the Irish regulator to reopen its own negotiations with Facebook. After an audit of Facebook last year, the Irish regulator advised the company that it could simply inform people of its biometric data collection practices and Facebook did so on its Web site this year.
But the decision by the European panel has increased pressure on Irish regulators to toughen their stance.
Ciara O’Sullivan, a spokeswoman for the Irish data protection agency, said that in September it planned to publish the results of an new audit of Facebook’s privacy practices conducted last month.