Facebook made an announcement on 28 February this year relating to its efforts to prepare for the coming into force of the GDPR. As part of its preparation, it would be testing certain new features on a select number of users in the EU, with the intention of eventually rolling them out to all EU-users.
One of the new features referred to in the announcement is the use of facial recognition technology. This technology would allow users to be notified when another user uploads a photo of them as a profile picture to prevent impersonation, as well as in the event a user appears in a photo in which they have not been tagged. The feature is also intended to make it easier for visually impaired users to know who appears in photos where they are not tagged.
Facebook emphasised in the announcement that the use of the facial recognition technology would be entirely at each user’s discretion and that they would have to opt in to use it.
The Article 29 Working Party (“WP29”), an advisory body on data protection, wrote to Facebook on 11 April to request further information on the use of the facial recognition technology. Some of the issues on which the WP29 sought clarity include the following:
- Whether Facebook would seek to obtain explicit consent for each of the features of facial recognition mentioned above, or whether they would be relying on a “global consent”.
- Would the technology be applied to all photos uploaded on Facebook, both before and after the implementation of the technology?
- In order to recognise a particular user, would the technology need to analyse and/or create biometric templates of all individuals appearing in the pictures, regardless of whether they are aware of the use of the technology or have consented to such use?
- What information is given to users in relation to the use of facial recognition technology, as well as to non-Facebook users who appear in the photos?
- Is the personal data processed in connection with facial recognition shared with WhatsApp?
WP29 has reserved the right to raise further queries, particularly in relation to the processing of special categories of personal data.