Canadian users of Facebook may be familiar with the process of “tagging” photos – adding the names of the people to images – but they may not be familiar with the ‘Tag Suggestion’ feature on Facebook. Tag Suggestions, which automatically scans photos uploaded to the social media site in an attempt to identify for the names of those pictured, has not been available in Canada or Europe, despite being introduced in the US in 2010, due to stricter privacy laws. The feature was the subject of a recent putative class action ruling from the United States District Court in California.
The privacy concerns about this automated analysis are central to this recent litigation, in which the plaintiffs allege that Facebook has unlawfully collected and stored biometric information derived from their faces. This case addresses two fundamental questions – are there privacy laws that cover the biometric analysis in question, and do these laws have jurisdiction over Facebook. These questions illustrate both the privacy concerns surrounding biometric analysis and the increasing difficulty addressing informational privacy across jurisdictions in the age of the internet.
“Tagging” on Facebook is when a user identifies by name individuals in photos that have been uploaded to the site. “Tag Suggestions” is intended to encourage more tagging by users. It works by scanning uploaded photographs and analyzing them using “state-of-the-art facial recognition technology” to extract biometric identifiers. These identifiers are based on the geometric relationship of facial features unique to each person, such as the distance between the eyes, ears, and nose. Facebook then creates and stores this information as a digital representation, known as template, and automatically tag recognized individuals in all pictures in which they appear.
A chief concern articulated in the case is that the biometric information stored in these templates is biologically unique, and so once compromised, “the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions”, though the plaintiffs acknowledge that “[t]he full ramifications of biometric technology are not fully known”.
In Canada the application of privacy laws to biometric information is no different than the application of privacy laws to any other type of personal information. As of March 2013, the Office of the Privacy Commissioner of Canada (OPC) has not received any complaints under The Personal Information Protection and Electronic Documents Act (PIPEDA) involving facial recognition.
However, in their report on Automated Facial Recognition in the Public and Private Sectors, the OPC made it clear in no uncertain terms that recognition would likely trigger the application of PIPEDA when used by organizations in the course of a commercial activity. Commenting specifically on Facebook, the OPC stated that “of significant privacy concern is the fact that Facebook has the ability to combine facial biometric data with extensive information about users, including biographic data, location data, and associations with ‘friends’.”
In the US, the scope of what constitutes personal information is narrower, and biometric information is unregulated federally. However, the plaintiffs in this case reside in Illinois, which has its own Biometric Information Privacy Act (BIPA).
Facebook asserts that the Illinois BIPA does not apply to Tag Suggestions, and even if it did, that the plaintiffs cannot pursue a claim under the Illinois BIPA because California state law, not that of Illinois, governs disputes with Facebook.
Unlike Illinois, California has not legislatively recognized a right to privacy in personal biometric data and has not implemented any specific protections for that right or afforded a private cause of action to enforce violations of it. The Facebook Terms of Service (as at January 30, 2015) state that “The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.”
However, the presiding judge ruled that adhering to Facebook’s terms would essentially override the ability of Illinois to draft legislation to protect the privacy rights of its citizens, and that “enforcing the contractual choice of California law would be contrary to this policy in the starkest way possible”. Thus, BIPA applies to Illinois Facebook users.
Facebook has remained compliant with Canadian law, since the Tag Suggestions feature has not been available for Canadian Facebook users, or for photos they upload. Facebook has come into conflict with with Canada’s stricter privacy rules in the past, and responded by instituting appropriate changes to the site’s privacy terms.
Despite Facebook’s encouraging compliance with the OPC, there is a concern left unaddressed. There is no reason to assume that pictures of Canadians uploaded to Facebook derive only from users in Canada. It is reasonable to assume that plenty of American Facebook users have uploaded images of Canadians, taken in Canada or elsewhere. Under the current process, these images are automatically scanned, profiled, and tagged. There is no way to filter out Canadians in advance, since there is no way to identify individuals as Canadian until the Tag Suggestions feature has run. The biometric informational privacy of Canadians is still intruded upon.
Facebook is not concerned about this because in its view the process occurs solely in the US, and is therefore not subject to PIPEDA, even though Canadians are involved. This illustrates a fundamental limitation of current informational privacy law – it is limited by geographical borders while information, once online, is not.
Lucas Gindin is an IPilogue Editor and a JD Candidate at Osgoode Hall Law School.