United States: The Many Faces Of Google's Arts & Culture App (Except In Illinois And Texas)

Those of our readers who frequent social media may have noticed a newly-popular juxtaposition between selfies and art (or perhaps one should say between selfies and other forms of art)—a feature in the Google Arts & Culture app that matches a user's selfie to a portrait in Google's database.

But not every aspiring selfie artist can compare their work with that of the great painters of yesteryear.  As the Wall Street Journal reports, users in Illinois and Texas are unable to use the app's selfie match feature.  (For those without access to the Journal, there are plenty of Illinois- and Texas-based news organizations explaining the situation.)

As we detailed in this space last month, Illinois and Texas are two of just a handful of states that have enacted laws creating privacy protections for biometric data.  Google, it appears, is wary of running afoul of those statutory provisions through the Arts & Culture selfie feature.

Is this caution well-placed?  Will Illinoisans and Texans still be able to compare their selfies to paintings anytime soon?  Probably, and possibly.

To the first point, Google already has experience with the Illinois Biometric Information Privacy Act ("BIPA") generally, and its application to facial recognition software specifically.  In an ongoing case before the United States District Court for the Northern District of Illinois (Rivera v. Google, LLC, docket number 1:16-cv-02174), individuals who had their photos uploaded to Google Photos and then scanned by a facial recognition process allege that their BIPA privacy rights were violated.  Nearly a year ago, the court denied Google's motion to dismiss the case.

To understand why, and to understand why it's an oddly tricky question, consider what BIPA does.  (Texas's biometric privacy law contains similar protections, albeit with a weaker enforcement mechanism and consequently less litigation to which we can look for illumination.)  BIPA restricts the collection and use of both "biometric identifiers" and "biometric information."

The statute says exactly what counts as a biometric identifier: "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry."  It further says what does not count, including signatures, photographs, tattoo descriptions, X-rays, and a number of other things that are unique to an individual human and/or human body but are nonetheless not classified as protected biometric identifiers.

Biometric information, which is also protected, is information, derived from a biometric identifier, used to identify a person.  To really make things clear, the statute clarifies that information derived from things specifically excluded from the definition of biometric identifiers—like signatures, photographs, and so forth—is not protected biometric information.

A "scan of . . . face geometry," therefore, is clearly a biometric identifier.  But Google (and other companies using facial recognition software) have argued that facial scans only count as biometric identifiers when the scans are done of a live person, rather than a photo.  The argument goes like this:  (1) A photograph is explicitly excluded from BIPA's definition of a biometric identifier.  (2) Any information derived from the photograph is therefore explicitly excluded from BIPA's definition of biometric information.  (3) If such information is explicitly excluded from being biometric information, it would make no sense to include it as a biometric identifier.

Multiple courts have accepted the first two points but nonetheless rejected the third.  Even if scans that derive information from photographs are not biometric information protected by statute, scans that scan faces are explicitly defined as biometric identifiers—and there is nothing in the statute that says the scanned faces must be live and in person, rather than captured in a photograph.

It's a quirky argument either way, but the upshot is this: To the extent Google's selfie app scans a selfie for facial geometry, it is probably dealing with biometric data protected by Illinois and Texas statute.

There may still be hope, though, for aspiring selfie artists in Illinois and Texas.  Lawsuits against Google and other platforms for photo sharing have been brought by plaintiffs who allege that their photos were uploaded without their knowledge, and scanned without their consent.  BIPA does not ban all collection of biometric identifiers and information, but collection without notice and consent; and further imposes requirements on the manner in which collected biometric data is used, retained, and eventually destroyed.  Google's blog post on the selfie feature alludes to the narrow use and prompt destruction of collected data, data which by its nature should be uploaded by a consenting user.

My take on this all?  If Google's selfie feature doesn't already comply with BIPA's stringent privacy protections, it wouldn't be impossible to tweak it so it does.  But as with so much in this evolving area of technology and law, we'll have to wait and see.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.