A new wearable technology product from Facebook has come under scrutiny from both the Irish Data Protection Commission (DPC) and the Italian Data Protection Regulator, the Garante. Facebook collaborated with eyewear giant EssilorLuxottica to launch its Ray-Ban Stories smart sunglasses earlier in September. The glasses allow the wearer to record short videos, take photos, listen to music and take phone calls, all using voice and touch control.
Despite containing two 5 MP cameras mounted on the front of the frames, they look like a normal pair of Ray-Ban sunglasses, and this, from a data protection perspective, is primarily where the issue lies. A small LED light, also mounted on the frames, comes on when the glasses are recording or a photo is being taken. However, both the Irish DPC and the Garante are concerned that this light might not be obvious enough to effectively notify people that they are being recorded. Unlike a camera or mobile phone which both carry a general assumption a photo is being taken or an image recorded, people may not automatically assume this is the case when they see someone wearing a pair of Ray-Bans and are also unlikely to be looking for a light on the frames.
Both regulators are calling on Facebook to demonstrate that the LED indicator light is an effective form of notification, as well as asking it to run an information campaign alerting the public as to how this product could lead to the less obvious recording of their images. The Garante has allegedly asked for information on what measures Facebook has put in place to protect people (in particular children) who are inadvertently filmed, whether footage is anonymised, and for details on how the voice assistant operates the glasses.
Concern about the product stems from the transparency requirements under GDPR which give individuals the right to be informed about the collection and use of their personal data. It feeds into the current trend of increased regulatory focus on transparency and transparency related fines, including WhatsApp’s recent 225 million EUR fine by the Irish DPC and TikTok’s 750,000 EUR fine by the Dutch DPA. The previous two fines both concerned a failure to provide clear or sufficient privacy information to WhatsApp and TikTok users about the processing of their personal data, whereas arguably the potential transparency failings of the Ray-Ban Stories glasses fall one step before this. If people are unaware they are being recorded and their personal data collected in the first instance, it becomes very difficult to subsequently provide them with the required privacy information under GDPR.
The Irish DPC and Garante have yet to comment on the content of Facebook’s Supplemental Facebook View Data Policy that deals explicitly with processing of personal data collected via the Ray-Ban Stories glasses. However, these initial questions highlight the importance of data protection considerations from the outset when designing new tech products (privacy by design), and companies need to be prepared to justify how products satisfy the requirements of the GDPR.
It has not been demonstrated to the DPC and Garante that comprehensive testing in the field was done by Facebook or Ray-Ban to ensure the indicator LED light is an effective means of giving notice.