FaceApp v GDPR
FaceApp's "Age" filter as shown on faceapp.com
While the company's founder has tried to quell some of the concerns by providing clarity on its data practices, there are still plenty of questions left unanswered. Particularly worrisome is its collection of user data, including images and metadata, and its transfer to countries "where FaceApp...maintains facilities" such as Russia - a country that fails to meet the adequate level of data protection required by the EU's General Data Protection Regulation (GDPR).
As regulators in the EU ramp up efforts to clamp down on GDPR violations, we took a look at FaceApp's current practices and compared them to a few of GDPR's provisions to see how they might be considered non-compliant.
Art. 8: Conditions on Child's Consent
Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
FaceApp has a responsibility to ensure that users under the age of 16 are properly consenting to the collection, capture, and transfer of their personal data - in this case images and metadata - in order for the data collection to be deemed lawful. Article 8 clarifies that lawful consent for underage users must show a "reasonable effort" to verify that the parent or legal guardian of the underage user has given their permission for the exchange to take place. Without any active measures in place to police usage by underage users, it falls on FaceApp to show that it's properly gaining parental consent - something that doesn't seem to be currently happening.
GDPR Article 45: Transfers on the basis of an adequacy decision
GDPR Article 45 requires that data collected, processed, and stored from EU data subjects stay within the EU or within a country that meets the "adequate" standards of data protection. The intent of this safeguard is clear: protection of one's private and personal information shouldn't end simply because the data is transferred out of the country.
A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
"...please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction."
Let's see what happens.