Subject to the FaceApp Terms of Use https://faceapp.com/terms, each user of the application grants a non-exclusive license to use the copyrights of the photographs. Facebook, Instagram as well as every other social media platform do the same. Thus, FaceApp’s terms are nothing new or strange compared to other cloud-based services.
The situation is confusing when assessing the terms of FaceApp’s processing of personal data at https://www.faceapp.com/privacy. The information provided is rather modest and there are not many answers.
FaceApp is a service provider of the Russian company Wireless Lab OOO, and according to the data processing explanation, the data is stored in the USA and may be transferred to the territory of any country. According to the company’s manager, users’ photos are stored on Amazon and Google cloud servers and are usually deleted within 48 hours.
This is where the problems begin. First, developers must bear in mind that there are a number of restrictions regarding the processing of European citizens’ personal data, for example, data can be transferred only to countries that offer an adequate level of protection recognized by the EU (which does not include Russia).
The USA is not on this list, however, there is a list (the Privacy Shield Framework) of US companies that the EU recognizes. Wireless Lab OOO is not on this list because it is not a US company.
In addition, foreign service providers must appoint a representative in the EU to process personal data of EU citizens. Wireless Lab OOO does not have such contact.
What worries the world, however, is the fact that Russia has rules that require local IT companies to store data in Russia and provide access to national security authorities (e.g., such requests have been made to Telegram and Tinder). It is not yet known whether such an obligation also applies to Wireless Lab OOO.
