It seems that Germany has an ongoing war with Facebook this August: two different regional data protection authorities found Facebook in breach of EU and local data protection laws regarding the face recognition utility and the ‘like’ button found on websites.
1. On the 2nd of August, the Hamburg data protection authority ruled that Facebook’s facial recognition feature, violates German privacy laws. Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.
The problem is not with the facial recognition itself, but the data that is stored in the background to allow the system to recognise a face,” Mr Caspar told the Financial Times. “Facebook needs to design a new kind of system to get consent from people before their data is stored.”
2. On the 19th of August, the Scleswig-Holstein data protection authority decided that the ‘like’ button found on countless websites accessible in Germany is in violation of EU and German data protection laws. Thilo Weichert, who works for the authority, said the social network’s application allowing internet users to express their appreciation of something online, illegally cobbled together a profile of their web habits.
“Facebook can trace every click on a website, how long I’m on it, what I’m interested in,” he said. According to Weichert, all the information was sent to the US company even if someone was not a Facebook member. He said Facebook probably used the data for advertising purposes and provided website operators an analysis of user traffic. Websites in the German region have to remove the ‘like’ button from their offerings by the end of September or face a fine up to 50.000 euros. (More on the story, HERE)
Of course, Facebook rejected both allegations.
It is important to note that both German authorities are not courts. Nevertheless, regarding data protection laws, they act as supervisors and are entitled to fine whoever breaches the law. Facebook will probably challenge the eventual fines in front of a judge.
Facebook should expect a domino effect in the EU
But what is truly interesting about these two pieces of information is that the decisions of the German local authorities can trigger a series of similar decisions against Facebook allover the European Union, where data protection law is very strict. All of the 27 Member States have implemented Directive 46/95 and have national data protection authorities functioning according to almost identical rules. If Facebook will not pay enough attention to EU data protection Directive and its national laws of implementation in the 27 MS, than the company should expect huge fines or a sudden significant reduction of its market.