Hamburg’s data protection authority (DPA) doesn’t like Facebook’s facial recognition system, claiming it violates EU law (pdf in German). If you’ve uploaded any images to Facebook since late last year, there’s a fairly good chance you’ve encountered the system, which locates faces in your photographs, and tries to identify which of your friends it is — with mixed results. Sure, every time it misidentifies a baby as your aunt you wince a little, but it does a fairly solid job.
The DPA claims that the feature amounts to storing “biometric data”, which is illegal in the EU without explicit consent. Facebook’s service is automatically turned on, and users have to opt-out in order to switch it off. The DPA claims to have repeatedly asked Facebook to remove the feature, and that they may face a €300,000 fine if a deal isn’t reached.
Facebook maintains they’ve done nothing wrong, with spokesperson Tina Kulow saying:
Facebook is hardly the only service to do this. iPhoto does it, Aperture does it, Picasa/Google Photos does it. The American military is trying to figure out how to do something similar with photo backgrounds. We don’t know if Germany has issue with any of these, but they did famously go after Google Street View, in a move which prompted the service to blur faces and license plates in order to preserve privacy.
From what I can gather it seems like the problem here is that the service is opt-out rather than opt-in. If Facebook just rolled out the feature and put in a big banner announcement telling people to turn it on, they could get around this whole thing — and people who don’t want it would be able to easily avoid it.
What do you think? Is Facebook in the right for auto-tagging images you upload? Or is this too far beyond the pale? What about the other webservices?