Saving Face: Facebook loses facial recognition appeal

August 22, 2019

3 min read

Sign up to our mailing list! 👇

What's going on here?

Facebook’s appeal against a class action case has been thrown out by a US federal appeals court in San Francisco. The lawsuit could go on to cost Facebook billions of dollars if they are found to have fallen foul of Illinois’ Biometric Information Privacy Act (BIPA).

What does this mean?

Back in 2015, Facebook users in Illinois started a class action lawsuit (where a group of people collectively make a lawsuit) against Facebook on the grounds that they had illegally harvested their biometric data and had then used that data to identify them in other images. Facebook collected the data through its “tag suggestions” feature, which allows users to recognise their Facebook friends from photos that others have uploaded. Facebook appealed to the court on two grounds, arguing that the plaintiffs had failed to show concrete injury and that the lower court was incorrect in classifying the case as a class action lawsuit

The appeal was unanimously rejected in a 3-0 decision. The alleged use of facial-recognition without user consent was said to invade an individual’s private affairs; the court stated that BIPA was created to protect these “concrete interests in privacy”. The court also rejected Facebook’s challenge to the class action which was that each case was unique. The case will now be handed back to a lower court who could impose fines of $1000 – $5000 per violation

Shawn Williams, the respondents’ lawyer, underlined the importance of treating biometric data with care, explaining that “you can’t change your face.” Whilst the case has been supported by the American Civil Liberties Union, Facebook has announced that they plan to appeal the decision, claiming that users can choose to switch off the facial recognition technology at any time.

What's the big picture effect?

Facebook will be worried that their appeal has been so firmly dismissed in a unanimous ruling, because a fine of up to $5000 for each of the 7 million users in the class action could bear a serious financial burden. Moreover, Facebook was recently fined $5 billion by the Federal Trade Commission (for more on that see our article here) and could well face more hefty fines from class action cases in Europe under the GDPR, something that has already hit BA (see our article on that here) and Marriot International with 9 figure fines. Renowned data rights activist Max Schrems noted that a class action case against Facebook on something like the Cambridge Analytica scandal could “ruin Facebook”.

The fines that Facebook have suffered thus far are but a speeding ticket. In any case, they have maintained strong financials with a global turnover of $55.8 billion in 2018 and stronger than anticipated results in 2019. This is in spite of a track record of carelessness on Facebook’s part in managing personal data:

  • In 2013 a “technical glitch” left 6 million of Facebook’s users’ phone numbers and email addressed “inadvertently” exposed.
  • In 2018 the Cambridge Analytica scandal revealed that over 77 million Facebook user’s data had been harvested without their consent.
  • In 2019 Facebook “unintentionally” copied the email contacts of 1.5 million users without their consent (read about that story here).

It is a sign of hope that the courts in Illinois have stayed strong in their decision to reject Facebook’s appeal and adequately investigate and punish Facebook’s invasion into its users’ “private affairs”. However, despite their best efforts, US regulators and legislators lag behind in the protection of data rights. So the question must be asked, can the law keep pace with the constantly evolving tech giants, like Facebook, and better protect the people?

Report written by Will Holmes

If you’d like to write for LittleLaw, click here!

Share this now!

Check out our recent reports!