CHICAGO (CN) – A federal judge ruled Saturday that Google does not violate Illinois privacy laws by automatically creating a face template when Android users upload photos taken on their smartphone to the company’s cloud-based photo service.
Illinois’s Biometric Information Privacy Act, enacted in 2008, was the first state law in the U.S. to regulate the collection of biometric information, which includes facial-recognition data, and remains the only law that allows private individuals to sue for damages stemming from a violation.
As a result, Illinois has become a testing ground for many new uses of biometric information by social media companies, photo apps, and employers.
But a ruling issued by U.S. District Judge Edmond Chang on Saturday found that the law cannot be used to protect users from the non-consensual collection of information about what many consider to be private – their face.
Lead plaintiff Lindabeth Rivera alleges a photo taken of her on a friend’s Google Android device was automatically uploaded to the company’s cloud-based service, Google Photos, where her facial features were scanned to create a unique face template without her consent.
Co-plaintiff Joseph Weiss says Google used photographs from his Android device to “unlawfully create a face scan.”
On behalf of a proposed class, Rivera and Weiss accused the company of violating the Illinois Biometric Information Privacy Act because the photos were taken by Google devices in the Prairie State.
Google, without permission, allegedly used the templates to recognize their unique characteristics, including gender, race, age and location.
Last year, Judge Chang rejected the tech giant’s request to dismiss the case, disagreeing with Google’s contention that face-scan measurements derived from a photograph are not biometric identifiers.
But he granted Google’s motion for summary judgment Saturday.
“The Seventh Circuit has definitively held that retention of an individual’s private information, on its own, is not a concrete injury sufficient” to establish standing, the 28-page opinion states.
Further, there are no allegations that hackers have stolen the plaintiffs’ information or that there has been other unauthorized access to the Google Photos accounts.
“Plaintiffs cannot show – and do not argue – that Google ‘intruded into a private place’ by receiving photographs of plaintiffs voluntarily uploaded to Google photos” by themselves or others, Judge Chang said.
He added, “Plaintiffs do not offer evidence to dispute that their faces are public – just that their facial biometrics are. This is consistent with Fourth Amendment case law that rejects an expectation of privacy in a person’s face.” (Emphasis in original.)
Creating a face template with public information does not qualify as a “highly offensive” intrusion into the plaintiffs’ privacy, the judge concluded, especially when there is no evidence Google used the face templates for commercial purposes.
Chang acknowledged that Google could, in the future, use its facial technology for targeted advertising and filtering content – indeed, plaintiffs’ evidence included a chain email among Google employees discussing similar likely uses.
But this evidence is not enough to show that Google “likely will do so in the future without consent, or that Google used plaintiffs’ data in this way,” Chang said.