Hamburg’s Data Commissioner Doesn’t Want To Let Facebook Off The Hook On Facial Recognition

Earlier today European regulators collectively scored a victory for privacy when the Irish Data Protection Commissioner revealed it had managed to get Facebook to drop all facial recognition activity on its platform, as part of a wider investigation and process to get Facebook more in line with EU regulations on data protection and consumer transparency — most of which Facebook appears to have passed successfully. So: done and done? Not quite.

Over in Germany, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), long a thorn in Facebook’s side, today issued an administrative order against Facebook over its facial recognition technology.

This appears to have been done more or less independently of whatever was happening over in Dublin. In an interview earlier today with Bloomberg, Johannes Caspar, the Hamburg regulator, said that he hadn’t seen the full report from the Irish Data Protection Commissioner, but if Hamburg’s concerns ultimately get addressed through the process in Ireland, “then all is fine.” In other words, think of this as a presentation of what those concerns are:

The commissioner wants Facebook to change its automatic face detection service to comply with EU standards, retrospectively and in future. Specifically: “The company has to make sure that biometric profiles of its already registered users will only be created and stored with their active consent. Additionally, users have to be informed about risks of the practice in advance.”

Furthermore, if Facebook cannot sort it out, “the existing data base has to be deleted.” That rule would apply only to Hamburg, although the commissioner notes that “Other German authorities have already announced similar administration procedures.”

This is an issue that goes back to June 2011 in Germany, with today’s announcement coming on top of another ongoing facial recognition investigation by the HmbBfDI. Although today’s appears to be a new administrative order, the points are the same as those made in the earlier order, which was reopened in the middle of August.

Reached for comment, Facebook brushed off this latest salvo from Hamburg. “As it has been clearly stated by the Irish DPC earlier today, we are going to work together in order to find the most appropriate way to obtain users’ consent under EU law,” a spokesperson told TechCrunch in an email. “Since we did not work out this plan yet, I do not understand what the Hamburg DPA is complaining about.”

Although Ireland’s decision has wider EU ramifications because Facebook’s international headquarters are in that country, Hamburg maintains that Facebook still needs to comply with local regulations in Germany.

But so far, it doesn’t look like Facebook has been giving Hamburg as much consideration as Hamburg has been giving to Facebook. The two have been in “lengthy negotiations” already, the commissioner’s office notes. “Facebook would not accept to adjust its practice to European standards of data protection by negotiation. Even during the hearing proceedings before the issue of the act Facebook has not delivered any new arguments or propositions.”

Caspar, meanwhile, does not want Hamburg to be made out as the technophobe in all this: “It is not the aim of this decision to prevent the use of this technology, but to give tools to the users which enables them to a conscious and active decision whether or not to participate in this technology that is not unproblematic.”

So there may be a rapprochement in the end, because implementing the technology (yes, with more transparency) is kind of where Facebook ultimately wants to end up, too. Talking to me earlier today about what happens next to facial recognition after the Irish regulator’s report came out, a Facebook spokesperson said:

“It’s worth us reiterating that once we have a agreed an approach on the best way to notify and educate users with the DPC, we hope to bring back this useful tool.”