The Swedish Data Protection Authority (DPA) has imposed a fine on the municipality of a school for using facial recognition technology to monitor the attendance of students.
The high school in Skellefteå conducted a pilot program, which took place in autumn 2018, to monitor 22 students' attendance over a period of three weeks with the help of facial recognition technology, instead of the usual roll call.
This did not sit well with the DPA, which found that the program violated several GDPR articles.
"The High School Board in Skellefteå has violated several of the provisions of the Data Protection Regulation in a way that we now issue a penalty fee," said Lena Lindgren Schelin, the Director General of the Data Inspectorate.
Because the school violated the European Union's data protection rules and failed to consult the DPA before launching its program, it was fined almost €19,000 (200,000 SEK).

According to the DPA, this is considered a serious offence, as the school unlawfully processed sensitive biometric data on its students. But the school was let off relatively lightly, considering that the maximum fine could amount to almost €1 million.
In its defense, the school said that it had its students’ consent, but the DPA found there was no valid legal basis for this, as there’s a “clear imbalance between the data subject and the controller.”
According to Ranja Bunni, a lawyer at the Data Inspectorate who participated in the review: "The high school board cannot use consent in this case because the students are in a position of dependence on the board."
"Facial recognition technology is in its infancy, but development is fast. We therefore see a great need to create clarity about what applies to all actors," said Lena Lindgren Schelin.
Biometric data, used in face recognition, is considered sensitive personal data. This is why it needs extra protection and why explicit exceptions are required to handle it.
In its decision, the Data Inspectorate said that facial recognition meant to monitor students in their everyday environment was an intrusion on their integrity, and that control can be done in other ways that are less privacy-violating than facial recognition.
While the Swedish DPA’s fine is not big compared to other GDPR fines, it’s clear that GDPR enforcement is starting to gain traction across the continent.
It’s also an example of Europe fighting back to regain its citizens' privacy, in the wake of widely used facial recognition technology and other tracking devices.
In the meantime, the EU is also reportedly looking into ways to impose stricter limits on the technology's usage than those already in place under GDPR.