The Swedish data protection agency (DPA) has issued the country’s first GDPR fine, after a school was found improperly using facial recognition technology to monitor the attendance of its students.
The Swedish watchdog fined the school in Skellefteå, which is in the north of Sweden, 200,000 Swedish krona (£16,800) for flouting privacy laws.
Interestingly, the DPA indicated that the fine would have been bigger had the trial been longer.
The school was found to have unlawfully processed sensitive biometric data on its students. The maximum fine could have been almost £907,000.
In Sweden, public authorities can be fined a total of 10 million krona for violation of GDPR – a sign of how seriously European countries are trying to take data protection.
The trial at Anderstorp’s High School involved tracking 22 students over three weeks in autumn 2018 and detecting when each pupil entered a classroom.
The trial had been so successful that the local authority was even considering extending it.
The GDPR classes facial images and other biometric information as a special category of data, with added restrictions on its use.
The school had failed to consult the Swedish watchdog before launching its program and didn’t do a proper impact assessment.
The school maintains it had its students’ consent, but the DPA found there was no valid legal basis for this as there’s a “clear imbalance between the data subject and the controller.”
However, Jorgen Malm, who oversees Anderstorp’s High School and Naturbruk’s High School for the municipality, told SVT that the technology was “fairly safe”.
Computer Sweden reported that Swedish authorities decided to investigate after reading media reports.
The local authority told Swedish state broadcaster SVT Nyheter in February that teachers had been spending 17,000 hours a year reporting attendance, and the authority had decided to see whether facial-recognition technology could speed up the process.
Students, the DPA said, had a certain expectation of privacy when they entered a classroom even though some parts of the school could be deemed to be “public”.
The DPA also did not feel that it was a legally adequate reason to collect such sensitive personal data.
It said there were less intrusive ways that the students’ attendance could have been detected without involving camera surveillance.
The DPA concluded that Skellefteå’s local authority had unlawfully processed sensitive biometric data, and had failed to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.