Facebook's facial recognition could violate 'privacy interests'
An appeals court ruled that Facebook's facial recognition violates Illinois' biometrics law.
A class action over Facebook’s facial recognition technology will go forward after a federal appeals court found that the social media site’s app could “violate the plaintiffs’ substantive privacy interests.”
Last Thursday, the U.S. Court of Appeals for the Ninth Circuit unanimously affirmed a district court ruling granting certification of a class action alleging Facebook’s facial recognition feature called “Tag Suggestions” violated the Illinois Biometric Information Privacy Act. Backed by the U.S. Chamber of Commerce, Facebook had argued that the three plaintiffs, all residents of Illinois, lacked standing to sue because they suffered no harm, as required under the U.S. Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins.
The Ninth Circuit disagreed.
Dispute over privacy violation
‘The plaintiffs allege that a violation of these requirements allows Facebook to create and use a face template and to retain this template for all time,” wrote Judge Sandra Ikuta. “Because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.”
Joe Osborne, a spokesman for Menlo Park, California-based Facebook, said the social media site planned to seek further review of the decision.
“We have always disclosed our use of face recognition technology and that people can turn it on or off at any time,” he wrote in an email.
New York attorney Lauren Goldman, co-head of the Supreme Court & Appellate group of Mayer Brown, represented Facebook.
Shawn Williams, a San Francisco partner at Robbins Geller Rudman & Dowd, who represented the plaintiffs, said in an emailed statement, “The Ninth Circuit’s opinion further confirms availability of legal redress for the growing privacy intrusions by large corporations surreptitiously amassing mountains of personal information from consumers.”
Aaron Lawson, an associate at Edelson PC in San Francisco, argued the case for the plaintiffs.
The ruling comes as Facebook has increasingly faced pressure over alleged privacy violations. Last month, the Federal Trade Commission levied a record $5 billion fine against Facebook over consumer privacy violations. This week, two U.S. senators wrote letters to Facebook’s chief executive, Mark Zuckerberg, questioning alleged security problems in its Messenger Kids’ app.
Risks in biometrics
The biometrics case against Facebook, filed in 2015, addressed the strictest law in the nation protecting biometric data, which includes fingerprints and iris scans. The Illinois law requires companies to obtain a written release to collect someone’s biometric data, which they must destroy after a specific period of retention.
The Ninth Circuit sidelined a planned July 2018 trial when it granted Facebook’s request for an interlocutory appeal of U.S. District Judge James Donato’s 2018 ruling granting class certification.
The Chamber, in an amicus brief, said Donato had certified “a class of millions of Facebook users seeking potentially billions of dollars in damages without requiring any showing of harm beyond a bare statutory violation.” Facebook also got support from Internet Association, a lobbying group for technology companies, that called Donato’s ruling “a dangerous precedent,” according to its amicus brief.
The American Civil Liberties Union, the Electronic Frontier Foundation, the Electronic Privacy Information Center and several other groups sided with the plaintiffs.
“The collection of biometric information presents profound risks to privacy, safety, and security,” wrote Electronic Privacy Information Center president Marc Rotenberg in an amicus brief.
The Ninth Circuit cited “common law roots to the right of privacy” and constitutional protections in the Fourth Amendment that the U.S. Supreme Court has recognized amid “advances in technology,” such as GPS monitoring and tracking cell-cite locations.
“Once a face template of an individual is created, Facebook can use it to identify that individual in any of the other hundreds of millions of photos uploaded to Facebook each day, as well as determine when the individual was present at a specific location,” Ikuta wrote of the tool that launched in 2010. “We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”
The Ninth Circuit relied on the Illinois Supreme Court’s Jan. 25 decision in Rosenbach v. Six Flags Entm’t Corp., which found that the amusement park’s use of fingerprints for guests violated the state’s biometrics law. The Ninth Circuit also looked to the Illinois legislature’s intent in passing the law in 2008.
“They got it exactly right with respect to determining whether Article III had been satisfied with a violation of the statute, especially when they relied on the Rosenbach decision out of the Illinois Supreme Court, which said that the Illinois legislature intended for this harm to be a harm that could be redressed in court,” Williams said in an interview. “And that the biometric information and data is so sensitive that the public welfare needed to be protected by the statute.”
Addressing a second argument raised by Facebook, the Ninth Circuit found that the class complied with the Federal Rule 23 of Civil Procedure. Facebook had contended that Donato, in finding predominance, failed to consider that Facebook’s nine servers, which store the face templates, are not in Illinois, leading to potential variances among class members. The Ninth Circuit said where the alleged violation took place is a “threshold question” that could be decided after class certification.
The panel also brushed off concerns about gargantuan damages resulting from the Illinois law, which assesses statutory penalties of between $1,000 and $5,000 for each violation.
“Here, nothing in the text or legislative history of BIPA indicates that a large statutory damages award would be contrary to the intent of the General Assembly,” Ikuta wrote.
Related: