LONDON — Mark Zuckerberg promised to extend Europes revamped privacy rules across all of Facebooks global empire. That pledge is already running into trouble.
Amid an international uproar over alleged mishandling of personal data that affected as many as 87 million Facebook users worldwide, European and U.S. privacy experts are raising concerns that the social networks rollout of facial recognition across the 28-member bloc may not comply with new EU data protection standards that come into force on May 25.
The technology, which reviews uploaded photos to automatically identify individuals faces on the social network, was barred in Europe in 2011 after local regulators claimed Facebook had not obtained peoples consent for their images to be included in such widespread scans of online images. Facebook now uses the technology outside of the EU, including in the United States.
As part of Europes pending privacy overhaul, the social networking giant said it would ask Europeans to opt in to use the technology, and it has started running tests with a small percentage of its EU users.
Those plans, according to some privacy campaigners and lawyers, do not comply with the regions strict privacy standards because the images on Facebook of people who have not opted into the technology may be analyzed without their explicit consent — a strict requirement under the Continents new privacy standards known as the General Data Protection Regulation, or GDPR. Failure to comply with these rules may result in fines of up to €20 million or 4 percent of a companys global revenue, whichever is greater.
“Well get the right level of consent to use facial recognition going forward” — Stephen Deadman, Facebooks global deputy chief privacy officer
“Facebook is, by design, running facial recognition on people who have explicitly not given their consent,” said Simon McGarr, director of Data Compliance Europe, a consultancy that advises companies about how to abide with Europes privacy rules, in Dublin. “They have no legal basis for doing that.”
A group of U.S. consumer groups also filed a complaint on Friday with the Federal Trade Commission, the American agency in charge of consumers privacy rights, against Facebooks use of its facial recognition technology, accusing the tech giant of failing to gain peoples consent before scanning peoples digital images.
“This automated, deceptive, and unnecessary identification of individuals undermines user privacy, ignores the privacy settings of Facebook users, and is contrary to law in many parts of the world,” the U.S. complaint said.
Facebook rejected claims that it did not comply with European and U.S. privacy standards, adding that all photos on Facebook were already processed by the company to comply with its terms of service, including the removal of explicit imagery like child pornography from the social network.
The company said only photos of people who had opted into its facial recognition technology would then be scanned — a process, according to Facebook, that would help to protect users from their photos being misused on the digital platform without their knowledge.
“Well get the right level of consent to use facial recognition going forward,” Stephen Deadman, Facebooks global deputy chief privacy officer, said in an interview last month in reference to the technologys pending rollout in Europe.
The renewed focus on Facebooks privacy standards comes days before Zuckerberg, the companys 33-year-old chief executive, will testify to U.S. lawmakers about the companys role in how data from almost 90 million of its users was illegally obtained by Cambridge Analytica, a London-based data firm that worked for Donald Trumps 2016 U.S. presidential campaign. Both companies deny any wrongdoing.
Zuckerberg said Facebook will extend the privacy controls available under Europes new data protection rules, including the ability for individuals to remove their consent on how companies use their data whenever they chose, across the companys global network of 2.2 billion users. Under Facebooks current privacy setting, its non-EU users can already opt out of the facial recognition technology.
“We need to figure out what makes sense in different markets with the different laws and different places,” Facebooks chief executive said in reference to Europes privacy standards. “But — let me repeat this — well make all controls and settings the same everywhere, not just in Europe.”
“Facial recognition must be strictly limited to those users who have opted in to that technology” — Johannes Caspar, Hamburgs data protection commissioner
Much will now depend on the privacy regulator in Ireland, which oversees the data protection rights for the companys non-American users because Facebooks international headquarters are in the low-tax country.
The regulator said it was working with its counterparts in France, Germany and the United Kingdom, where Facebook is testing its facial recognition technology. Authorities have asked Facebook whether it would need to scan all of its European users faces as part of the companys plans. Until those questions are answered, it is unclear if the company would be able to use the technology across the bloc.
“The issue of compliance of this feature with the GDPR is therefore not settled at this point,” said Graham Doyle, a spokesman for the Irish privacy watchdog.
Facebook co-founder and CEO Mark Zuckerberg | Drew Angerer/Getty Images
Other European regulators are similarly keeping a close eye on Facebooks plans ahead of the companys expected rollout of its facial recognition technology by the end of May, when Europes new privacy standards come into full force.
“Facial recognition must be strictly limited to those users who have opted in to that technology,” Johannes Caspar, Hamburgs data protection commissioner, said in an email. “We expect Facebook to take all necessary safeguards and be transparent to users and supervisors.”