Germany Questions Facebook About Facial Recognition Feature

Facebook is facing fresh concerns from German data protection officials that its automatic facial recognition feature may violate European privacy regulations.

Hamburg’s Data Protection Agency (DPA) sent a letter to Facebook on Tuesday saying the social networking site should get users’ consent before their biometric data, used to enable the tagging feature, is stored, said Johannes Caspar, head of the agency, on Thursday. Although users can opt out of the feature, the DPA contends that the process is unclear, he said.

Facebook enabled the facial recognition feature in December in the U.S. and has now rolled it out in most countries. The system makes suggestions for tags based on faces in other photographs that have been tagged. Users are notified only after they’ve been tagged.

Users can opt out of the facial recognition feature within the privacy settings on their Facebook accounts. To do that, a user would need to go into the “Customize Settings” panel and disable “Suggest photos of me to friends.” A person can still be tagged manually but only by their friends.

Caspar said European Union privacy regulations require that users give their consent before their data is stored, including data used to enable tagging.

“It is clear that everybody whose data will be stored has to consent, and consent is something more than not to reject,” Caspar said.

Facebook has two weeks to respond to the letter. The DPA has also notified the Article 29 Data Protection Working Party, which advises the European Commission on data protection issues.

In a statement, Facebook said “we will consider the points the Hamburg Data Protection Authority have made about the photo tag suggest feature but firmly reject any claim that we are not meeting our obligations under European Union data protection law.”

The company further contended that its users like the photo tag suggest feature, “which makes it easier and safer for them to manage their online identities.”

If the two sides can’t reach an agreement, Caspar could fine Facebook up to €300,000 (US$426,000). But Caspar said his agency has a good working relationship with Facebook, and the two sides reached agreement earlier this year on Facebook’s “Friend Finder” feature.

Friend Finder imports e-mail addresses from user contact lists on other e-mail services and then sends out invitations to non-Facebook users to join the site. The DPA contended Facebook was collecting e-mail addresses without a user’s consent and that it was unclear to users why they were receiving an invite.

Under the agreement, Facebook tweaked its systems so that a person who is not signed up with the social networking site can opt out of receiving further invitations from that initial invitation.

“We had a successful negotiation,” Caspar said.

Hamburg’s DPA has taken a leading role in data protection issues in Europe. In 2009, the agency launched an extensive investigation into Google’s Street View imagery program, questioning how the company stored data for users who did not want their properties shown and how thoroughly it censors parts of images such as people’s faces.

Google and the DPA eventually reached an agreement on a dozen or so concerns the agency had about Street View.

Send news tips and comments to jeremy_kirk@idg.com