European privacy regulators look at facial recognition in online/mobile services

When you next log in to your Facebook account, have a look at your privacy settings. You should see an option to select “who sees tag suggestions when photos that look like you are uploaded”.

You can choose either your “Friends” or “No one”.

Facebook explain this feature as follows: “When a photo that looks like you is uploaded, we’ll suggest adding a tag of you. This helps save time when adding tags to photos, especially when labelling many photos from one event. Suggestions can always be ignored and no one will be tagged automatically.”

Facebook isn’t the only online service offering this kind of photo tagging functionality. Google+, Windows Live Gallery and Apple’s iPhoto all have similar features.

Broadly speaking, in order for a tag suggestion to be triggered when a photo that “looks like you” is uploaded, the service provider’s facial recognition technology compares that photo with reference templates created for each registered user, so that when there’s a match, a suggestion for a tag can be made.

Facial recognition isn’t new. The development of computer systems and algorithms capable of detecting human faces dates back to the 60s. However, there’s been a rapid increase in its use in mainstream consumer services. This prompted the Article 29 Working Party to publish an opinion a few months ago (Opinion 02/2012) on facial recognition in online and mobile services.

The Working Party is a body made up of representatives from the data protection regulators from each European member state – its opinions aren’t legally binding but they are indicative of the European data protection regulators’ views.

The interesting aspect of facial recognition systems is that, in addition to the relevant digital image of a person, the system usually involves the creation of a template stored for reference for future comparison so that the face can be recognised. In its opinion, the Working Party concluded that, as the reference template contains a set of distinctive features of an individual’s face, it too (in addition to the digital image of the person’s face) would constitute personal data, provided that it’s associated with an individual’s record, profile or the original image. A reference template which merely contains geometric information about the proportions of an individual’s face won’t constitute personal data unless it enables the relevant individual to be identified.

An important aspect of the opinion is that the Working Party found that, because of the particular risks involved with biometric data, the prior informed consent of the user is required before any digital images are processed for the purposes of facial recognition.

This presents something of a practical difficulty because, in certain cases, the facial recognition system may need to determine whether a user has provided his/her consent in the first place.

Fortunately for service providers, the Working Party acknowledged this and conceded that this kind of processing would be justifiable on the basis that it’s in the “legitimate interest” of the service provider to comply with the relevant legal requirement (i.e. to determine whether consent has been granted).

However, service providers should be aware that any data processed in this “initial” stage should only be used for the limited purpose of verifying the user’s consent and should be deleted immediately afterwards.

Using the social network / photo tagging example above, the Working Party’s position is that, before a user uploads a photo, the service provider must first clearly inform the user that the image will be subject to a facial recognition system. The user must then be given the choice of whether he/she consents to a “reference template” being created and stored in the service provider’s database.

It will be a real challenge for social network providers to obtain this kind of prior informed consent without providing an overly detailed and unnecessarily technical explanation of the mechanics of how the facial recognition system operates.

An important practical consideration to arise out of the Working Party’s opinion is that, as far as the Working Party is concerned, consent to facial recognition can’t be obtained by getting a user to accept a service’s overall terms and conditions. This is on the basis that facial recognition is generally an additional feature of online/mobile services and users may not necessarily expect facial recognition to be activated when they initially register for the service.

Following this opinion, social network (and other service) providers would be well advised to ensure a sufficiently clear and prominent notice and prior consent process is implemented for any facial recognition features they introduce.

The original and extended version of this article is available here. This article was first published in Privacy & Data Protection.