Facebook Must Face Biometric Privacy Class Action After Losing Appeal

Mark Zuckerberg - F8 Facebook Developer Conference - Getty - H 2018
Justin Sullivan/Getty Images

Facebook's photo-tag suggestion technology could someday be used to identify individuals from surveillance photos or to get past a facial-recognition lock on a smartphone and poses a threat to a privacy, according to a federal appeals court. 

Nimesh Patel, Adam Pezen and Carlo Licata in May 2015 filed a class-action lawsuit against the tech giant, arguing the technology Facebook uses to suggest photo tags violates the Illinois Biometric Information Privacy Act by collecting and storing their biometric data without consent. 

U.S. District Judge James Donato denied the social network's motion to dismiss the complaint and certified the class. He rejected the proposition that it should include any Illinois resident whose photo was uploaded to Facebook because, in part, it doesn't work accurately for everyone. So the class is defined as "Facebook users located in Illinois for whom facebook created and stored a face template after June 7, 2011," the date tag suggestions launched. (The suit is seeking damages of $1,000 for each negligent violation or $5,000 for each reckless violation for potentially millions of Illinois residents who use the service.)

Facebook appealed, arguing the plaintiffs failed to allege a concrete injury to establish standing, and on Thursday the 9th Circuit upheld Donato's decision. (Read the full opinion below.)

The appeals court used a two-step process to decide whether the violation of such a statute causes a concrete injury. First, it looks at whether the statutory provisions were established to protect concrete interests. Then, it asks whether the violations cause harm or present a material risk of harm. The 9th Circuit found that BIPA was established to protect an individual's concrete privacy interests and that violations of the statute cause harm or pose risk of harm — noting that one of the allegations in the complaint is that Facebook has no guidelines for destroying biometric identifiers and this creates potential for the company to create, use and retain a face template "for all time."

"Once a face template of an individual is created, Facebook can use it to identify that individual in any of the other hundreds of millions of photos uploaded to Facebook each day, as well as determine when the individual was present at a specific location," writes U.S. Circuit Judge Sandra S. Ikuta in the opinion. "Facebook can also identify the individual’s Facebook friends or acquaintances who are present in the photo. ... [I]t seems likely that a face-mapped individual could be identified from a surveillance photo taken on the streets or in an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual’s cell phone. We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests."

The 9th Circuit also agreed with Donato's certification of the class, despite Facebook's argument that Illinois lawmakers didn't intend for BIPA to apply to conduct outside the state and none of its servers where the templates are stored are in Illinois. Writes Ikuta, "[I]t is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state."

Facebook has not yet responded to a request for comment on the decision, but on Friday asked the court to give it until Sept. 5 to file a petition for rehearing.