Facebook Inc. is being probed by Norway’s data-protection regulator over concerns a facial-recognition program that automatically suggests people’s names to tag in pictures breaches privacy rights.
“It’s a very powerful tool Facebook has and it’s not yet clear how it all really works,” Bjorn Erik Thon, Norway’s data-protection commissioner, said in a phone interview today. “They have pictures of hundreds of millions of people. What material Facebook has in its databases is something we need to discuss with them.”
Data-protection regulators from the 27-nation European Union have been looking into Facebook’s facial-recognition feature. Earlier this year, the EU’s so-called Article 29 Data Protection Working Party said the feature can only be used with people’s consent.
“Users should always be provided with the possibility to withdraw consent in a simple manner,” the Article 29 group, which issues guidelines for national regulators, said in their March 22 opinion. “Once consent is withdrawn processing for the purposes of facial recognition should stop immediately.”
A spokeswoman for Facebook declined to immediately comment. The Menlo Park, California-based company has lost more than $35 billion in market value since its May initial public offering as it fails to assuage concerns about how it can make more money from almost a billion users.
Norway, which isn’t part of the EU, is coordinating its investigation with their Irish counterparts, Thon said. The Irish regulator has been reviewing Facebook’s compliance with Irish and EU data-protection rules since last year. The company’s Irish office is Facebook’s main service provider to users outside the U.S. and Canada, said the regulator.
An audit report released by the Irish agency in December said Facebook has to overhaul its service in Europe to increase “transparency and controls for the use of personal data for advertising purposes” and to delete “data held from user interactions with the site much sooner.”
The regulator carried out a review of the company’s progress in implementing the changes last month and will release a second report later this year.
The Norwegian authority plans to send a questionnaire that will probably focus on facial recognition to Facebook once it has seen the Irish report, Thon said.
A German privacy regulator in June suspended its probe of Facebook into facial recognition pending the Irish audit.
Data protection is currently policed by separate regulators across the 27-nation EU. The EU’s executive body wants to simplify the system so companies deal with only one data-protection regulator in the bloc.