Facebook is being probed by the Norwegian Data Protection Authority over concerns regarding its facial recognition tool that automatically suggests people's names to tag in pictures. Facebook started rolling out the Tag Suggestions feature worldwide in June 2011, and ever since has faced backlash from privacy groups in Europe.
When you upload new photos, Facebook uses software similar to that found in many photo editing tools to match your new photos to other photos you're tagged in. Similar photos are grouped together and, whenever possible, Facebook suggests the names of your friends in the photos. In other words, the square that magically finds faces in a photo also suggests names of your Facebook friends to streamline the tagging process, which can be especially useful when you have the same friends in multiple uploaded shots.
"It's a very powerful tool Facebook has and it's not yet clear how it all really works," Bjorn Erik Thon, Norway's data protection commissioner, told Bloomberg. "They have pictures of hundreds of millions of people. What material Facebook has in its databases is something we need to discuss with them."
Facebook insists the tag-suggesting feature is fully compliant with European Union law and maintains that it has properly informed users about the technology, which they can turn off if they prefer. "We have given comprehensive notice and education to our users about tag suggest, and we provide very simple tools for people to opt out if they do not want to use this feature," a Facebook representative said in a statement. "We stop processing facial recognition data when someone chooses to opt out."
Data protection is currently policed by separate regulators in Europe. The EU wants to simplify the system so companies deal with only one data protection regulator in the 27-country bloc. Though Norway isn't in the EU, Facebook would of course still prefer to deal with just one privacy group.
The Norwegian investigation has thus been referred to the Office of the Data Protection Commissioner (ODPC). Facebook has more than 955 million monthly active users, but its U.S. headquarters in Menlo Park, Calif., is not responsible for the majority of them. Facebook's international headquarters is in Dublin, meaning all users outside the U.S. and Canada are subject to Irish and European data protection laws. Facebook chose Dublin for the tax incentives: businesses are charged approximately 2 percent tax in Dublin compared with 35 percent tax in the U.S.
This past December, the ODPC completed a three-month privacy audit of Facebook's activities. A follow-up review was scheduled for July 2012 but has been pushed back to October 2012. The Norwegian authority plans to send a facial recognition questionnaire to Facebook once it has seen the Irish report.