Facebook, facial recognition and GDPR

Now Facebook is seeking permission to use facial recognition software - is it off its face? When George Orwell wrote his famous book, 1984, technology was not like it is today. Facial recognition software was not a concept Orwell was familiar with, but had he been, it is not hard to imagine how Big Brother and the thought police would have been altogether more scary. But facial recognition is a concept that AI experts have been familiar with for some time. It’s an area to have seen massive strides in recent years, but is it a little spooky? Now Facebook, with its boss, freshly back from Congress, where he kindly explained to Senators the difference between surveillance and what Facebook does, is going down the facial recognition route in Europe and Canada. In case you are interested, it turns out that the difference is in permission - Facebook asks permission to process your data, surveillance does not, or so said Mr Zuckerberg. Even so, it does rather feel as if he trying ever so hard to beggar belief. With shares still down some 13 or so per cent from the day before the Cambridge Analytica saga, Facebook is asking users permission to use facial recognition to identify them on photos and videos. Err, except it is doing so in the European Economic Area because of GDPR and Canada, which famously puts a high priority on privacy. Facebook will be applying a similar set of privacy rules elsewhere, but with one difference: users not wishing to give permission will be required to opt-out, under GDPR consent means no pre-ticked boxes and users need to proactively opt-in. In the US, Facebook is facing a class-action lawsuit over claims that it unlawfully applied facial recognition without consent. So much for Mark Zuckerberg’s erstwhile claim that its users will be afforded the same rights as you get under GDPR, worldwide. At least when asked by a Congressman whether Facebook will be applying GDPR safety standards in the US, Mr Zuckerberg said: “yes.” Although further on in the hearing, some ambiguity did set in. Then again, GDPR is not only about protecting our human rights regarding privacy. It also recognises that data is a vital part of the fourth industrial revolution, it seeks to create an environment in which data can be processed, without breaching trust from users. And images are just data. Under GDPR, subject to one of the basis of lawful use of data, including consent and legitimate interests, companies can process data. So in a funny way, GDPR by bringing certainty where once there was ambiguity, is helping Facebook re-introduce facial recognition toEurope, after dropping it in 2012. Of course, in Europe. it has to abide by GDPR in its entirety. To give or not not give consent for image recognition using Facebook, users will be given a choice of giving consent or reviewing privacy settings. Whether that is sufficient under GDPR may prove debatable. It seems that with the Facebook system, not giving consent does entail quite a lot of hassle. But there is a wider point. Facebook has faced a PR disaster. It may or may not be perfectly acceptable to apply image recognition under GDPR - but given the public reaction and sense of antipathy towards Facebook, it does seem somewhat tactless. Facebook may have been better off leaving it a few months. One thing is for sure, if third parties, even if they are breaking Facebook terms and conditions, get hold of the data created by facial recognition and use it in anyway that rouses suspicion, the backlash against Facebook will be ferocious.

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at http://www.gdprsummit.london/