The Swedish Data Protection Authority (DPA) has fined the Skellefteå municipality 200,000 Swedish Krona (£16,800, $20,700) for breaching the European Union General Data Protection Regulation (GDPR) by trialling facial recognition on high-school students in Sweden to keep track of attendance.
The school at the centre of the GDPR breach claimed, during the investigation into the incident, that the processing was based on consent. However, the Swedish DPA held that consent could not serve as a valid legal basis because of the imbalance of power between the data subject and the controller.
The facial recognition trial was conducted with the IT company Tieto to monitor student attendance for three weeks towards the end of 2018. It used security cameras and facial recognition software to record the attendance of 22 students. The school wanted to find out whether facial recognition could replace the standard roll call in classes. Under Swedish legislation, schools must complete a roll call at the start of each lesson, a duty that eats into actual teaching time in every class period; the school claimed it was losing 17,280 hours a year simply marking attendance.
The DPA determined that the school violated several articles of the GDPR, despite its good intentions in conducting the trial. It ruled that the school unlawfully processed the biometric data of its students, did not conduct an adequate data protection impact assessment, and did not consult the DPA before starting the pilot. Facial recognition data is treated as a special category of sensitive personal data and requires greater protection than other, less sensitive data types.
Representatives of the school at the hearing claimed it had obtained consent from all students involved in the pilot. However, the DPA found that the consent was invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”
The GDPR came into force on May 25 2018, after a two-year 'bedding in' period, in order to safeguard the privacy of EU citizens and give them more control over the use of their personal data. Under the GDPR penalty structure, the fine for these violations could have been as high as €1 million ($1.1 million).