The European Union’s new General Data Protection Regulation (GDPR), which comes into effect later this month, has been widely heralded as ushering in a new era of digital rights and online privacy for the European Union’s citizenry, mitigating many of the privacy concerns that have been at the heart of recent concerns over the ownership and control we have of our digital selves. Yet, lost among all of this praise and excitement is the fact that GDPR may actually inadvertently give legal cover to some of the more controversial data practices, like facial recognition, which have to date not been available in the EU due specifically to legal uncertainty, essentially expanding and entrenching some of the very practices that the law seeks to eliminate.
GDPR is a large and complex piece of legislation with a wide array of impacts to the way data-driven companies do business with EU citizens. On paper the new rules provide substantial protections and rights to ordinary internet users, placing them on equal footing with the massive billion-dollar companies that turn their daily lives into digital archives for commercial mining. Of course, like any legislation on such a contentious issue, there are copious legal affordances that mean that most companies will be able to find creative ways of accommodating the new rules with minimal disruptions to their business beyond a few feel-good feature additions that have little impact on their bottom lines. Indeed, many data-rich companies I've spoken with have suggested they foresee only minimal impacts on their business models.
Yet, one intriguing aspect of GDPR’s inadvertent impact may be found in Facebook’s announcement last month of the steps it is taking to comply with GDPR. Buried in the otherwise unremarkable summary of reorganized privacy options is this line: “We’ve offered products using face recognition in most of the world for more than six years. As part of this update, we’re now giving people in the EU and Canada the choice to turn on face recognition.”
Facebook has long noted that its facial recognition tools are not available in Canada and the EU due to their enhanced privacy protections that place far greater controls over the use of people’s biometric information compared to the US. This legal landscape was not friendly to the kind of mass biometric modeling and corporate ownership of user’s physical selves central to Facebook’s system.