GDPR is red herring. Current laws already require opt-in when collecting biometric data. From 2011:
> The Hamburg data protection authority on Tuesday ruled that Facebook’s facial recognition feature, which attempts to identify people in photos uploaded to the site, violates German privacy laws.
> Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.
> Mr Caspar has given Facebook two weeks to respond. If the company is unable to make changes, Mr Caspar said the Hamburg authority would consider bringing legal action against it.
???? nobody and nothing has made fb or google move about this like GDPR. Local laws are made to be broken. If a court in Hamburg tells fb to do something then they can easily play it along.
GDPR enforces fines of 4% of their global revenue so that's the only reason for them to respect it.
Of course penalties for non-compliance have gone up. But collecting biometric data without explicit and informed opt-in, is already against the laws of many EU member states, and has been for nearly a decade. Facebook is walking on thin ice.
It seems they ask for permission, so the title that users are auto-enrolled may be misleading. But if they do auto-enroll: It is against the privacy laws already, no need to wait for GDPR.
About respecting local laws, I find this a difficult issue. What to do with draconian local laws that forbid ridiculing a president? But if it has to be a yes-no: I'd say, yes, obey local laws when you serve users there. Remove comments from Turkish IPs that slander their president, but keep comments from German IPs that ridicule Turkey's leader.
> The Hamburg data protection authority on Tuesday ruled that Facebook’s facial recognition feature, which attempts to identify people in photos uploaded to the site, violates German privacy laws.
> Johannes Caspar, the head of the authority, said Facebook should not be collecting users’ biometric data – such as their face shape and the distance between their eyes – without getting their explicit consent. He has demanded that the social networking site change or disable the feature. All data collected so far should be deleted.
> Mr Caspar has given Facebook two weeks to respond. If the company is unable to make changes, Mr Caspar said the Hamburg authority would consider bringing legal action against it.