Hamburg's state data protection authority is preparing legal action against Facebook, saying 'further negotiations are pointless.' Meanwhile, German and EU officials have discussed a new pan-EU law on data protection.
On Thursday, Hamburg's state data protection authority said that it is preparing legal action against Facebook for the company's use of automatic facial recognition features, which can automatically recognize faces in a user's network and suggest tags for that person.
"This requires storing a comprehensive database of the biometric features of all users," the organization wrote in a German-language statement published on its website.
"Facebook has introduced this feature in Europe, without informing the user and without obtaining the required consent. Unequivocal consent of the parties is required by both European and national data protection law."
The organization went on to say that in previous conversations, Facebook said it would explicitly inform users of this feature, but instead that it went ahead anyway. In August, the Hamburg authority publicly complained about Facebook's behavior and said it was in talks with the company.
Consumer Protection Minister Ilse Aigner has come out in favor of updating the EU's data protection laws
"Given this background, further negotiations are pointless," the new statement continued.
In a statement sent to Deutsche Welle, Facebook denied any wrongdoing.
"We believe that any legal action is completely unnecessary," wrote Tina Kulow, a Facebook spokesperson in Germany, in an e-mail sent to Deutsche Welle. "[The] tag suggest feature on Facebook is fully compliant with EU data protection laws."
Despite Facebook's insistance that its practices are legal, and noting that anyone can opt-out of the facial recognition feature, one of the founding principles of German data protection law is that users must opt-in, or in other words, give explicit permission before data can be collected about them.
Behavior 'out of proportion,' Austrian law student argues
In July, Max Schrems, an Austrian law student, who has spearheaded an effort called Europe versus Facebook, filed a formal complaint to the Irish Data Protection Commissioner - as Facebook's international headquarters are in Ireland, largely for tax reasons - arguing that Facebook is in violation of European law.
"It is totally out of proportion to generate biometric data about 800 million people just to avoid one click when tagging photos on Facebook," he wrote in an e-mail sent to Deutsche Welle.
Facebook's founder Mark Zuckerberg is facing more and more legal challenges from Europe
"This data set means a massive risk when there are data breaches or hacking attempts. If a hacker (or e.g. one of Facebook's employees) manages to get this data out of the system the users will be trackable by their face anywhere in the world and on any picture on the Internet."
Some legal experts agreed with this assessment.
"The whole question demonstrates again the incredible intransparency of Facebook," said Thomas Hoeren, a law professor at the University of Münster, in an e-mail sent to Deutsche Welle. "I think that Facebook is not willing to accept EU data protection standards and is clearly misleading its users."
This new legal action follows an audit issued last week by Johannes Caspar, head of the Hamburg data protection authority, who said that Facebook has no justification for adding user-tracking cookies to browsers – even for those without Facebook accounts.
Representatives from the California company met with German parliamentarians at a sub-committee hearing last month.
But, because Facebook has no servers in Germany, German authorities currently have little ability to do something about possible violations of national data protection laws.
Viviane Reding, the EU's justice commissioner, is working on updating the data protection laws
New European laws may be in the works
Germany's Federal Minister for Consumer Protection, Ilse Aigner, met with the EU's justice commissioner, Viviane Reding, in a meeting in Brussels on Monday, to discuss the possibility of creating a pan-European law for companies that do business in Europe, regardless of whether or not their hardware is physically located in Europe.
"We both believe that as a result of this reform process, consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies, which process their personal data, are established," they said in a joint statement.
"This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a 'cloud'."
However, such legislation would likely take years to fully implement across the 27-member nation bloc.
Author: Cyrus Farivar
Editor: Sarah Steffen