Sweden issues first GDPR fine, against a high school that used facial recognition to check attendance


A Swedish municipality has been fined for trialing facial recognition in a high school to track student attendance, in Sweden’s first fine under the EU’s General Data Protection Regulation (GDPR) data privacy rules, according to BBC News.

The Skellefteå municipality in northern Sweden was fined 200,000 Swedish krona, or about £16,800, for violating privacy laws.

The trial lasted about three weeks and included just 22 students, according to Gizmodo. The high school board claimed that the students’ parents had given consent for data collection. However, Sweden’s Data Protection Authority (DPA) found that it was still a violation to collect biometric data, “given the clear imbalance between the data subject and the controller,” the European Data Protection Board said Thursday.

Ranja Bunni, a lawyer for the DPA, said that consent wasn’t a valid argument since students depend on the board, and also highlighted that many less intrusive alternatives are available for gauging school attendance. They argued that students are entitled to a certain expectation of privacy in classrooms.

The agency said the school board had violated portions of the GDPR that set rules on collecting sensitive biometric data, had failed to carry out an impact assessment, and had failed to gain approval from the DPA before the trial was conducted.

The agency also noted that the fine would have been larger if the trial had been longer. Swedish authorities can issue fines of up to 10 million krona, or about £840,000, for GDPR violations. 

The August 2018 trial was considered successful by the school board at the time, and they considered extending it. School board authorities told a Swedish state broadcaster that teachers had been spending 17,000 hours a year checking attendance, and that they were aiming to streamline the process. 

Under the GDPR, which came into effect in May of 2018, facial images and biometric data constitute a special category of data, and are subject to additional restrictions. Among the strictest data privacy rules in the world, the GDPR was enacted largely with powerful tech companies in mind—and the fine was minuscule compared with those levied against tech giants like Google or Facebook. A recent fine against British Airways totaled £183.4 million. But the move does show that regulators are willing to use the laws against public authorities as well.

Photo by © Cody Logan / Wikimedia Commons / Security camera, September 2018