A US federal judge has thrown out a lawsuit that Google's non-consensual use of facial recognition technology violated users' privacy rights, allowing the tech giant to continue to scan and store their biometric data.
The lawsuit, filed in 2016, alleged that Google violated Illinois state law by collecting biometric data without their consent. The data was harvested from their pictures stored on Google Photos.
The plaintiffs wanted more than $5 million in damages for hundreds of thousands of users affected, arguing that the unauthorized scanning of their faces was a violation of the Illinois Biometric Information Privacy Act, which completely outlaws
the gathering of biometric information without consent.
Google countered claiming that the plaintiffs were not entitled to any compensation, as they had not been harmed by the data collection. On Saturday, US District Judge Edmond E. Chang sided with the tech giant, ruling that the plaintiffs had not
suffered any concrete harm, and dismissing the suit.
As well as allowing Google to continue the practice, the ruling could have implications for other cases pending against Facebook and Snapchat. Both companies are currently being sued for violating the Illinois act.
Google has been fined 50 million euros by the French data censor CNIL, for a breach of the EU's data protection rules.
CNIL said it had levied the record fine for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. It judged that people were not sufficiently informed about how Google collected data to personalise
advertising and that Google had not obtained clear consent to process data because essential information was disseminated across several documents. The relevant information is accessible after several steps only, implying sometimes up to five or
six actions, CNIL said.
In a statement, Google said it was studying the decision to determine its next steps.
The first complaint under the EU's new General Data Protection Regulation (GDPR) was filed on 25 May 2018, the day the legislation took effect.The filing groups claimed Google did not have a valid legal basis to process user data for ad
personalisation, as mandated by the GDPR.
Many internet companies rely on vague wording such as 'improving user experience' to gain consent for a wide range of data uses but the GDPR provides that the consent is 'specific' only if it is given distinctly for each purpose.
Perhaps this fine may help for the protection of data gathered on UK porn users under the upcoming age verification requirements. Obtaining consent for narrowly defined data usages may mean actions could be taken to prevent user identity and
browsing history from being sold on.