You probably noticed the #10yearchallenge meme, which encouraged people to post pictures of themselves today and ten years ago onto their social media accounts. I certainly enjoyed looking through my friends’ pictures, and was also inspired to compare my latest and first profile pictures to see how much fashion—and, yes, my own face, too—has changed over the past decade.
12.2.2019
#10yearchallenge – The Many Faces of Facial Recognition
Related services
Soon after the start of the craze, people started posting about whether the meme was perhaps a data collection ploy started by Facebook in an effort to train its facial recognition algorithms to recognise the signs of aging. What easier way to gather the necessary data than to start an innocent meme to get users themselves to upload data into a large, organised database while entertaining themselves and their network. Facebook has denied these allegations and claimed that the phenomenon originated with its users and reminded users that they can switch off facial recognition at any time.
How is Facial Recognition Used?
There isn’t necessarily anything wrong with developing facial recognition technology — quite the opposite. If used correctly, it could change the world for the better, for example, by helping to diagnose illnesses early. Wired, an American magazine, recently published an article written by Kate O’Neill in which the writer – also inspired by the #10yearchallenge – brings up the pros and cons posed by facial recognition technology. According to her, facial recognition algorithms that recognise the signs of aging could be used, for example, to find missing children years later.
We encounter facial recognition technology every day, for example, when using our smartphones: a glance is enough to unlock your phone, many apps use facial recognition, and even your photo gallery often uses facial recognition to automatically group your pictures by person. Facial recognition can also make daily life easier: in Finland, we have piloted facial recognition to approve payments, and the technology is used in border checks to speed up the movement of people.
Technology is being developed for cars to monitor the condition of drivers to improve traffic safety. In the US, facial recognition has been used to help law enforcement to identify and arrest criminals. However, this kind of mass surveillance has been criticised, because if abused, it could lead to discrimination and threaten democracy.
Data collected by facial recognition technology that identifies the signs of aging combined with other data, such as location data, online behaviour or health data, could in future open the door to more extensive uses. For example, there are already insurance policies in which the policyholder agrees to hand over exercise and sleep data as well as health and lifestyle data to the insurer in exchange for discounted insurance premiums.
A Threat to Privacy?
It is clear that facial recognition technology has many good applications. However, if abused, it could become a threat to privacy. Facial recognition uses images of people’s faces, which in the data protection world are considered personal data. More specifically, they are classified as biometric data if an individual can be identified from the images or if they confirm the unique identification of an individual. Other biometric data includes fingerprint data used, for example, in access management.
Because facial recognition involves risks, there is an ongoing global debate about the necessity of regulation. In the EU, the use of facial recognition technology is regulated by the EU’s General Data Protection Regulation, which sets a framework for the processing of biometric data that is slightly stricter than the conditions for processing normal personal data. As with all personal data, it is important to consider the purpose for which facial recognition data is processed. If biometric data is used, for example, to uniquely identify a person, such data can only be processed with the express consent of the person, in cases provided by law or, for example, if people make the data public themselves — perhaps by publishing a profile picture on a public social media account.
As users of social media, it is important to think about what our data is being used for and whether it is being processed lawfully, but we should also remember to respect our own data and privacy, as O’Neill suggests in her article. Social media platforms have long been filled with apps and games mainly intended to collect data for later use, for example, in advertising. On the other hand, as long as we keep in mind what data we are sharing, who we are sharing it with and what purposes our data is being used for, we probably don’t need to start making tinfoil hats. Understanding the risks related to data processing puts us on safer footing.
Latest insights
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Article published 7.12.2023 – Data & Technology
Agreements define data sharing and re-use
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025
Oomi – Expansion into mobile telecommunications
We assisted Oomi Oy in its expansion into the mobile telecommunications market with the launch of Oomi Mobiili, a new MVNO brand. Our work covered the preceding due diligence process as well as structuring and negotiating key partner agreements, laying a solid foundation for Oomi’s entry into the new market. Oomi Mobiili will operate as a virtual mobile network operator, offering customers the option to purchase a mobile subscription together with their electricity contract. The phased launch is set to begin in autumn 2025, with nationwide availability targeted for early 2026.
Case published 15.8.2025