Personal privacy is always a major concern and today’s technology makes your personal privacy more vulnerable than ever. New facial recognition software makes it easy for the government and companies track your all of your movements. In a promising move for privacy advocates, the EU will be mandating that companies make their customers opt into facial recognition services instead of only opting out. The Electronic Frontier Foundation elaborates on the decision:
Last summer, the Article 29 Working Party—an advisory body formed under the EU Data Protection Directive—initiated an investigation into this issue in response to Facebook’s European launch of its face recognition technology. Given the many new face recognition applications subsequently launched, the opinion wisely does not focus on Facebook and instead provides general recommendations on how the EU Data Protection Directive applies to automatic face recognition in online and mobile applications.
The Directive requires EU countries to adopt privacy protections for the automatic processing of personal data, which according to the opinion includes both photos from which individuals can be identified and the measurements of their facial features. As face recognition technology automatically processes photos and measurements to identify or categorize individuals, it is subject to the Directive. A provider using automatic face recognition in its online service or mobile application must therefore notify the individuals that they will be identified with this technology and seek their permission.
The opinion clarifies that “informed consent” cannot be obtained simply by providing opt-out settings, although those settings are still important to ensure that individuals can easily retract their consent. Terms and conditions that discuss the face recognition process are also insufficient except if the main purpose of the application is face recognition. But a face recognition app may still need to get specific permission from the individuals in the photos if it uses photos or facial measurements from another application, such as a general-purpose social network. Notably, a person cannot consent to face recognition by simply uploading a photo to an application because the person may not anticipate that the photo will be used for this purpose and the photo could contain personal data of other individuals.