A high school in Sweden has become the first organization to be issued a General Data Protection Regulation fine by Sweden’s Data Protection Authority (DPA).
The school in Skellefteå, in the north-east of Sweden, was fined 200,000 SEK (€19,000/$21,000) for using facial recognition technology in classrooms for three weeks in early 2018. The study, run in conjunction with IT company Tieto, saw the school use CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school.
The school wished to test whether the facial recognition technology could be used in place of standard roll calls in classes. Swedish law requires schools to take attendance at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students.
According to Tieto, the school was losing 17,280 hours a year by designating several minutes at the beginning of each class to take attendance. That equates to 10 full-time jobs and therefore has significant financial consequences for the school.
According to the school and Tieto, the pilot study was conducted with the ‘best of intentions’ and was a genuine attempt at improving efficiency. However, following an investigation into the use of the technology, Sweden’s DPA determined the school violated several articles of GDPR.
The DPA determined the school unlawfully processed the biometric data of its students and failed to conduct a proper impact assessment. Facial recognition data is treated as sensitive information and requires greater protection than other, less-sensitive data types.
The school also failed to properly inform the DPA that the study was being run and that it was collecting and processing student biometric information.
The school maintained it had obtained consent from all students involved in the pilot, but the DPA determined the consent to be invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”
The financial penalty could have been much more severe. The GDPR penalty structure permitted a maximum fine of €1 million ($1.1 million) for the violations.
GDPR was introduced in May 2018. In the year since, several organizations have fallen foul of the regulations and have incurred significant fines. GDPR is a complex piece of legislation, and it is expected that, while organizations are still adjusting their policies and procedures to comply with its stringent rules, DPAs will investigate a large number of organizations and issue fines as appropriate.