The Hamburg Data Protection Authority (DPA) is starting preliminary procedures to bring legal action against Facebook over the facial recognition feature used for photo tagging on the social network. The authority decided that further negotiation is futile after the social networking giant didn't agree to obtain consent from users retroactively.
German data protection laws require companies to clearly inform users about how their personal information is being used and the Hamburg data protection agency says that this didn't happen when Facebook began using facial recognition technology for photo-tag suggestions.
As a compromise, Facebook proposed the introduction of a checkbox for users to accept terms and conditions and guidelines on data usage, but the DPA feels that such a solution is not enough to legitimize the collection and use of biometric facial characteristics.
Furthermore, this checkbox would only be available to new users, which means that people who already signed up will not be asked for their consent. Johannes Caspar, the Hamburg commissioner for Data Protection and Freedom of Information, described the results of months of talks with the social networking company as disappointing.
Hamburg Data Protection Authority spokesman Maik Möller said that the authority has been elected by the other German DPAs to act in this case. Legal action will be brought in the Hamburg Administrative Court and could result in a fine of up to €300,000 (US$407,000) and a prohibition order, he added.
The company doesn't agree with the German authority and believes that legal action is unnecessary because its tag suggestion feature is compliant with E.U. data protection laws.
"We have given comprehensive notice and education to our users about tag suggest and we provide very simple tools for people to opt out if they do not want to use this feature. We have considered carefully different options for making people even more aware of our privacy policies and are disappointed that the Hamburg DPA has not accepted these," the company said in a statement.
There is, however, an issue related to jurisdiction, since Facebook's European office is based in Ireland. Professor Joseph Cannataci, who is an expert consultant on European data protection for the Council of Europe and the coordinator of the EU-funded CONSENT research project, explained that while the German Constitution protects the right of personality and informational self-determination, fundamental laws in other E.U. countries may not do it in the same manner. The CONSENT project focuses on privacy issues related to on-line social networks and user-generated content.
The European Data Protection Directive of 1995 does not explicitly provide the right of informational self-determination, like the German Constitution, Cannataci said. Furthermore, the directive is not transposed in the legislation of member states in the same way, so not all European data protection authorities can take identical action against Facebook as the Hamburg DPA.
"The European Commission is doing good to launch, carry out, and implement, a comprehensive reform of the data protection regime," Cannataci said, referring to Monday's announcement by E.U. Justice Commissioner Viviane Reding and Germany's Federal Minister for Consumer Protection Ilse Aigner that proposals to reform the E.U. Data Protection Directive will be made by the end of January 2012.
Facebook is also having privacy-related legal issues in the U.S. where it is reportedly close to settling accusations of deceptive trade practices brought by the Federal Trade Commission. The FTC investigated Facebook after it made certain user details public in December 2009 as a result of changes to its privacy settings.
(Additional reporting by Jeremy Kirk in London.)