Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
Spain
Closed Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
This case is available in additional languages: View in: Español View in: Français View in: العربية
The United States Court of Appeals for the Ninth Circuit held that facial-recognition technology used to create face templates without prior consent invades individuals’ interests and privacy. In 2010, Facebook started using facial-recognition technology to develop its Tag Suggestions feature without the users’ prior written consent and without a retention schedule of the biometric information. Three Facebook users in Illinois filed a complaint in 2015, alleging that Facebook´s facial-recognition technology violated the Illinois Biometric Information Privacy Act. The Court affirmed the decision of the United States District Court for the Northern District of California, confirming that Facebook´s facial-recognition technology affected users´ privacy and personal affairs, and noted the impact technological advances may have on privacy.
In 2010, Facebook implemented a new feature, Tag Suggestions, that used facial recognition technology to identify individuals in photographs uploaded by a user who had enabled the Tag Suggestions function. This feature allowed for automatic tagging of other users in photographs uploaded onto Facebook: it went beyond the original tagging which was manual and allowed a user to identify other users in their photographs, with a link to those users’ profiles. The technology Facebook applied scanned photographs when they had been uploaded and extracted “the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map”, compared that “map” to templates of users’ faces saved in its databases and then suggested tagging that particular user in the photograph.
In August 2015, three Facebook users living in Illinois, U.S., Nimesh Patel, Adam Pezen and Carlo Licata, acting as class representatives, filed an operative complaint against Facebook, alleging that Facebook´s facial-recognition technology violated the Illinois Biometric Information Privacy Act (BIPA). Patel, Pezen and Licata had been Facebook users since 2008, 2005 and 2009 respectively. The BIPA had been adopted in 2008 and defines a “biometric identifier” as including “a “scan of hand or face geometry” [p. 8]
The users argued that Facebook violated sections 15(a) and 15(b) of the BIPA because it collected and used users´ biometric information, specifically their face templates, without their prior written consent to develop the Tag Suggestions feature. They also argued that Facebook violated the BIPA because it did not have a retention schedule for the destruction of biometric identifiers.
Section 15(a) states: “A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.”
Section 15(b) states: No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first: (1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
The BIPA acknowledged that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information” because they were “biologically unique” to an individual and could never be changed if their integrity was compromised. The Illinois Legislature described the purpose of the legislation as being that “[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information”.
Facebook filed a motion to dismiss the complaint arguing that the users did not prove the existence of an injury-in-fact.
The District Court certified the class and denied Facebook´s motion. Facebook appealed the District Court´s decision to the United States Court of Appeals for the Ninth Circuit.
Judge Ikuta delivered the judgment for the three-judge bench. The main issue before the Court was whether Facebook’s facial-recognition technology violated sections 15(a) and 15(b) of the BIPA and the users’ right to privacy. The issue was whether the “violation of statutory requirements amounted to a violation of their substantive privacy rights” [p. 13].
The users argued that Facebook violated sections 15(a) and 15(b) of the BIPA and the plaintiffs´ privacy rights.
Facebook argued that the users described procedural violations in the complaint and did not allege an injury-in-fact.
The Court explained that it must apply a two-step approach in cases like these, namely, to determine whether there is “an invasion of a legally protected interest which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical” [p. 10].
The Court examined the history of the right to privacy, noting that courts first recognized the common law right after Samuel D. Warren and Louis D. Brandeis published an article, “The Right to Privacy” in the Harvard Law Review in 1890. It added that the Supreme Court cases of U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 763 & n. 15 (1989) and Cox Broadcasting Corp. v. Cohn, 420 U.S. 469, 488 (1975) accepted those “common law roots of the right to privacy” [p. 15]. However, the Court stressed that “[t]hese common law privacy rights are intertwined with constitutionally protected zones of privacy” and referred to the cases of Gibson v. Fla. Legislative Investigation Comm., 372 U.S. 539, 569 n.7 (1963) and Kyllo v. United States, 9th Cir. 533 U.S. 27 (2001) which had held that the right to privacy formed part of the constitutional protections under the First Amendment (the right to freedom of expression) and the Fourth Amendment (the prohibition of unreasonable searches and seizures). In respect of the Fourth Amendment, the Court noted that the Supreme Court’s jurisprudence “recognized that advances in technology can increase the potential for unreasonable intrusions into personal privacy” [p. 16].
The Court described the threats to privacy posed by Facebook’s facial recognition technology and noted that the technology currently allowed Facebook to identify individual Facebook users, their locations and their friends, and that in future this could enable the identification of individuals from surveillance photographs. The Court concluded that the “development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests” [p. 17]. The Court noted that, when adopting the BIPA, the Illinois General Assembly had recognized the threats to privacy biometric data posed and that, in the case of Rosenbach v. Six Flags Entertainment Corp., IL 123186 (2019 the Illinois Supreme Court had found that the BIPA’s purpose was to protect biometric privacy [p. 17-18]. The Rosenbach case also established that an individual could suffer harm due to the violation of BIPA when a private entity does not comply with its obligations under section 15 because that violation causes an invasion of the individuals’ rights.
Accordingly, the Court held that the BIPA provisions protect individuals´ concrete interests and privacy and “not merely procedural rights” [p. 18].
In assessing the second question – “whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests” – the Court referred to the Rosenbach case in noting that the BIPA provisions are essential to protect privacy rights in a digital world. The Court emphasized that the BIPA protects biometric privacy, Facebook’s collection of that data “necessarily” violates the users’ “substantive privacy rights” [p. 19].
Accordingly, the Court held that the users had alleged a “concrete and particularized harm” [p. 20].
The Court also held that the District Court was correct in certifying the class action.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The Court recognized the protection of biometric privacy under the statute, and affirmed that infringement of that statutory protection is sufficient to find a violation of the right to privacy.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.