Facial recognition technology has been implemented on a trial basis in the UK since 2016, both in London by the Met and in South Wales by the SWP. In South Wales, the AI system is notorious for its error rate. In 2018, the SWP was found to have misidentified 2,300 people as potential criminals.

In London, an 2019 independent study found that the Met’s system had an 81 percent error rate. Although the Met’s own analysis claimed the error rate was far lower, although clearly they too were unsatisfied with the system. In 2020, it switched to Clearview AI.

Clearview AI combines surveillance footage and images pulled from the internet in an attempt to mass identify individuals in public spaces. That has provoked accusations that the technology is dystopian, not helped because Clearview scraped pictures from social media sites, including Facebook, without permission. 

Facebook Dating is the company’s rival to Tinder and OKCupid, harnessing the combined power of Facebook, Instagram and WhatsApp to help people connect. That includes the ability to use Instagram stories as dating pictures and to list secret crushes just in case they feel the same way. Facebook had initially said, back when it rolled out in the US, that it would be coming to Europe in “early 2020.”

Europe’s comprehensive privacy law, the GDPR, requires companies to look at the potential effects of how they process data. Broadly speaking, if a business wants to do some hot-and-heavy data mashing, necessary for running a dating website, it needs to demonstrate that it’s thought it through. That involves handing over an impact assessment to the local regulator, essentially to show the processing is safe and lawful.

Since Facebook’s (and Google’s) European HQ is based in Dublin, the Irish Data Protection Commission is the local supervisory authority. That means that it needed to be told about the plans for Facebook Dating well in advance of the product’s rollout in Europe. The law doesn’t give a specific period of time for such disclosures to be made, but Article 36 suggests between eight and fourteen weeks.

By comparison, Facebook made its notification on February 3rd, saying that it would commence rolling out Facebook Dating on the 13th. That’s significantly shorter than the expected period of time for such an initiative. “Our initial concerns were around the fact that [Facebook] had only told us on the 3rd, and intended to roll out ten days later,” Graham Doyle, Deputy Data Protection Commissioner at Ireland’s Data Protection Commission, told Engadget.

Officials were further concerned when Facebook appeared to not have the required impact assessment, the key legal document that showed Facebook was complying with the law. “We didn’t receive any documentation with the notification of intent to roll it out,” said Doyle, who added that the paperwork couldn’t be a token gesture. Instead, regulators would expect a lengthy bundle of documents demonstrating that Facebook Dating was GDPR compliant. Facebook’s statement, below, disagrees, saying that it shared the impact assessment when requested.

In a statement, Ireland’s Data Protection Commission said that “no information/documentation was provided.” On Monday, February 10th, officials visited Facebook’s Dublin HQ to gather relevant documentation to try and resolve the situation. Two days later, on February 12th, and Facebook announced that it had suspended the roll-out of Facebook Dating.

In a statement, a Facebook spokesperson said: “It’s really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market. We worked carefully to create strong privacy safeguards, and complete the data processing impact assessment ahead of the proposed launch in Europe, which we shared with the IDPC when it was requested.”

As the local regulator for all of Facebook’s European operations, the Data Protection Commission has a duty to keep its eye on the network. It currently has 11 current investigations into Facebook group companies, including eight on the social network itself, two concerning WhatsApp, and one on Instagram.

Twitter is already putting the Privacy Center to use. In a post shared on the page, it explains that it is making a few privacy policy updates, effective January 1st. Those will comply with the California Consumer Privacy Act (CPPA), which requires large businesses to give consumers more transparency and control over their personal information, Reuters reports.

Among the changes, for users outside of the US and EU, the entity that provides Twitter is switching from Twitter International Company, based in Dublin, Ireland, to Twitter Inc., based in San Francisco. That will allow Twitter to experiment with new features and settings, some of which may have been prohibited by Europe’s General Data Protection Regulation (GDPR).

Earlier this year, Twitter announced that it simplified the language around its policies, but it also accidentally stored and shared some users’ location data, shared data with advertisers without users’ permission, exposed private tweets of some Android users and admitted your phone number may have been used for targeting ads.

“Twitter is not perfect at privacy and data protection,” the company admitted in a blog post. It promises its privacy and data protections are evolving. Time will tell if the Privacy Center improves privacy or just makes it easier to stay up-to-date on bugs and breaches.

In September last year, hackers stole the data of anyone who booked a flight through the BA website over a two-week period, affecting around 380,000 people. The pilfered data included login details, payment information, travel booking information, and addresses. The attack was coordinated by a well-established group who were also responsible for other security breaches like the one affecting ticket website Ticketmaster UK.

The ICO blamed the incident on “poor security” at BA. Information Commissioner Elizabeth Denham said: “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it.”

Previous fines given out by ICO have been for pocket change, like the paltry £15,000 which Cambridge Analytica was fined for failing to hand over its data on an American citizen, or the £500,000 charged to Facebook for its role in the same Cambridge Analytica scandal. This is a drop in the ocean for a huge company like Facebook, although it was the maximum allowable fine at the time at which the incident occurred.

However, with the General Data Protection Regulation (GDPR) now in place, potential fines for businesses which lose customer data can be much higher. The ICO has shown it is willing to crack down in a serious way, by imposing a fine of 1.5% of BA’s global turnover for the year. For airlines which run on very slim margins, this is a significant cut.

Alex Cruz, British Airways chairman and chief executive, said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”

The airline may have responded quickly to the breach, but it is still responsible for the poor security which allowed the hackers to access the data in the first place. BA has said it intends to appeal the finding, which the ICO has said it will consider before making a final decision.