FaceApp v GDPR

This summer's hot app, FaceApp, is facing a wave of criticism over its data collection, storage, and retention practices after a viral tweet highlighted several passages of its privacy policy. The AI-powered app has seen its usage skyrocket this year as countless users took to social media to take part in the #FaceAppChallenge.

While the company's founder has tried to quell some of the concern by clarifying its data practices, plenty of questions remain unanswered. Particularly worrisome is its collection of user data, including images and metadata, and the transfer of that data to countries "where FaceApp...maintains facilities" such as Russia, a country for which the European Commission has issued no adequacy decision under the EU's General Data Protection Regulation (GDPR).

As regulators in the EU ramp up efforts to clamp down on GDPR violations, we took a look at FaceApp's current practices and compared them with a few of GDPR's provisions to see where they might be considered non-compliant.

Art. 8: Conditions on Child's Consent

FaceApp's Privacy Policy states that users under the age of 16 should not be using the app, though a search through pictures shared by Twitter users shows that enforcement is, unsurprisingly, lax. This, and the fact that its App Store age rating is only 4+, calls into question whether the policy is actively enforced. Assuming FaceApp is not actively filtering out underage users, what does GDPR have to say about collecting the data of users under the age of 16?

Art. 8 GDPR - Conditions applicable to child's consent in relation to information society services (gdpr-info.eu):

"Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child… Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child."

To the extent that FaceApp relies on consent (Article 6(1)(a)) as its lawful basis for collecting, capturing, and transferring personal data, in this case images and metadata, Article 8 makes that consent lawful for users under 16 only when it is given or authorised by the holder of parental responsibility. Article 8(2) further requires the controller to make "reasonable efforts" to verify that such parental consent has in fact been given, taking available technology into account. Without any active measures in place to identify underage users, it falls on FaceApp to show that it is properly obtaining parental consent, something that does not appear to be happening.

Art. 45: Transfers on the basis of an adequacy decision

Article 45 of the GDPR permits personal data of EU data subjects to be transferred to a third country without further authorisation only where the European Commission has decided that the country, or a sector within it, ensures an "adequate" level of data protection. The intent of this safeguard is clear: protection of one's private and personal information shouldn't end simply because the data is transferred out of the EU.

Art. 45 GDPR - Transfers on the basis of an adequacy decision (gdpr-info.eu):

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection."

In its privacy policy, FaceApp discloses that processing and storage of personal data may take place in "...any...country in which FaceApp, its Affiliates, or Service Providers maintain facilities." Setting aside the ambiguity of such a statement, this line means that processing and storage can occur in countries with no adequacy decision, such as Russia, where FaceApp's research and development team is located. FaceApp admits as much in plain language later in its privacy policy:

"...please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction."

FaceApp suggests that by using its services you agree to this transfer and storage of data. That is a weak foundation: consent is not a route around Article 45 at all, but one of the narrow derogations in Article 49, which requires that the data subject explicitly consent to the specific transfer after being informed of the risks arising from the absence of an adequacy decision and appropriate safeguards; consent implied by merely installing an app falls short of that bar. FaceApp also says it takes "reasonable" safeguards to protect data throughout this process. Companies that routinely move data across borders instead rely on the appropriate safeguards of Article 46, such as Binding Corporate Rules (BCRs) for transfers within a corporate group or standard contractual clauses with service providers, and best practice is to disclose which ones are used, as eBay does in its privacy center. FaceApp's ambiguous privacy policy, its silence on BCRs or any other Article 46 safeguard, and its suggestion that consent to transfers outside adequacy-covered countries is assumed by use of the app are all items likely to receive scrutiny from GDPR regulators.

This list is far from exhaustive, and there are plenty of additional GDPR challenges FaceApp might face given its lack of transparency. That is why we strongly recommend that organizations provide as much detail as possible, in a readable and digestible format, in their privacy policies. Much of the controversy surrounding FaceApp could have been avoided with a clearer, more transparent policy. None of this should be considered legal advice, and we will likely learn where FaceApp stands once regulators start digging in, but it is clear that its current practices either need to change or need to be better disclosed to users.

Let's see what happens.