Facebook is taking the introduction of the General Data Protection Regulation (GDPR) next month as an opportunity to reintroduce a controversial facial recognition feature for European users.
The company has begun asking European and Canadian users to revisit their privacy preferences ahead of the GDPR’s introduction on 25 May, and one of its questions asks if they want to opt into facial recognition.
The move comes as the social network weathers a scandal over the allegedly improper acquisition and use of data on Facebook users by political consultancy Cambridge Analytica.
As Facebook chief Mark Zuckerberg answered questions before Congress last week, lawmakers revisited the company’s long track record of poor data privacy.
Facebook suspended facial recognition for European users seven years ago after the practice was deemed illegal, because it stored biometric data without users’ explicit consent.
The company also currently faces a class action lawsuit for billions of dollars on similar grounds in the US, alleging it broke an Illinois state law on the storage of biometric data.
The feature creates an internal number for each user, called a “template”, and uses image data from photos in which the user has been identified – such as their profile picture – to build up a visual profile of the user’s appearance.
It then prompts the user and others to tag photos uploaded to the service with individuals’ names.
It uses the image data to suggest connections on the platform, so that users spend more time on the network and view more ads. Facebook also uses the data for security purposes, to warn a user if someone else is using their picture as a profile image.
Facial recognition hasn’t been introduced in Canada until now, but was launched elsewhere in 2011.
Facebook said it would launch privacy controls similar to those being introduced this week in the EU and Canada for other countries, at an unspecified later date. But users outside the EU and Canada will continue to be automatically enrolled in facial recognition, unless they choose to opt out of it.
The new system gives users a single check box to tick to accept its terms and continue using the platform, and they will also have the option of clicking a “don’t allow” button to exclude the feature. If they want to opt out of facial recognition at a later time, they must do so in the service’s data settings.
The data protection commissioner in Ireland, where Facebook has its European base, said it has not yet agreed the system complies with the GDPR.
“The Irish DPC is querying the technology around facial recognition and whether Facebook needs to scan all faces – ie those without consent as well – to use the facial recognition technology,” the commissioner told the BBC. “The issue of compliance of this feature with GDPR is therefore not settled at this point.”
The new controls ask for consent in two new areas as required under the GDPR – whether a user wishes to continue sharing information on their religious or political views or sexual orientation, and whether they authorise data gathered from third parties to be used to target ads to them.
The third parties in question include websites and apps that use Facebook “Like” buttons, which monitor the browsing habits of users (as well as non-users), and utilise the information for advert targeting.
For users under the age of 16, the service also now asks for the consent of a parent or guardian to display ads targeted at them based on their interests, to include religious or political views in their profiles or to allow the user to register their sexual orientation by indicating whether they are “interested” in men, women or both.
Facebook said it asks those younger users themselves to provide contact information for the parent or guardian, and does not plan to carry out its own identity checks.