FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement which will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted limited access only. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps in order to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant to address European privacy concerns. It will likely always be a struggle to reconcile a business model built on a global platform with 800 million users publicly sharing information with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation related to Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms to allow the restoration of passwords or to prevent children from creating accounts. The investigation report (available for download in its German version) demonstrated that these goals were accomplished only to a minimal extent in relation to some purely optional functions and only if the functions were set accordingly by the user.

From these results, the agency concluded that the cookies likely served, for Facebook, a different primary purpose altogether—namely to create tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law is applicable to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes and the Commissioner appears cautiously optimistic that a solution can be reached which will comply with the German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom of Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature, which Facebook calls “tag suggestions,” uses a face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed the implementation of a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered negotiations on the premise that it was in full compliance with EU law, insisting that its current practice of an opt-out check box provided its users with easy and sufficient notice of the tag suggestions and of each user’s ability to disable the feature.

Not surprisingly, German authorities did not agree with Facebook’s assessment of current compliance and expressed particular concern about those users whose biometric facial characteristics were incorporated into the database prior to the introduction of the feature. Any opt-out solution offered by Facebook would apply only to future use of the facial recognition feature and would not address the need to obtain the retrospective, explicit and informed consent that the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a standstill, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Working Party’s Consent Opinion to a remarkable degree, as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than initially intended by the user, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden associated with tracing all of the approximately 20 million people whose pictures were allegedly added prior to the introduction of the feature is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is not an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies and whether both sides are finally preparing to square off in court.