First GDPR Facial Recognition Fine For Sweden School

By Charles Rollet, Published Aug 22, 2019, 08:57am EDT

A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.


In this post, we examine the fine and its impact, including:

  • First Sweden GDPR fine ever
  • First GDPR facial recognition
  • What happened at the school
  • How the school justified it
  • The role of a data protection impact assessment
  • How the fine was calculated
  • Warning for further use
  • GDPR compliance for facial recognition
  • Negative market impact of such precedent
  • UPDATE: school will appeal


First ****** **** **** ****

**** ** *** ***** GDPR **** ** ****** ever, ** ****** ** the****** *******:


First **** ****** *********** **** ****

********* ** ** **** review ** **** *****, including ******* *** *************** *********** *******, **** ** *** first **** * **** fine *** **** ****** for ****** ***********.

What ********


*********** * ************** ** ********** **** ********** ********* ('Datainspektionen'), ** ******** ** Anderstorp’s ***** ********* ****** in*********å *************** ***** ********** ******** via ****** *********** *** a * **** ***** period ** ****. **** was **** ****** ** a ************ ****** ***** at *** ******** ** a *********; ***** **** no ******* ***** *** camera's ***** ** **** software *** ****.

********* ** *** ********, the ****** ****** *** system *** ** **** time ******** ********, ***** takes ** **** **,*** working ***** *** ****:

** ******** ********** ********* to *** **** ******, a *********** *** ***** 10 ******* *** ****** and ** ***** **** recognition ********** *** ********** control ** *****, ********* to *** ****** *****, save **,*** ***** * year ** *** ******* school.

** ** *** **** how ******** **** **, though *** ****** ******* said ****** ********** *** each ****** ********, *******, whether ** **** ** minutes *** ***** ****** is *******.

Legal ***** *** **********: *******

*** *******' **** ***** for ********** *** *******, as *** ******** ******** had ****** ******* *****. The ****'******** ***** ********** ********** ****** for * *** **********, including "******** *******" **** data ********.

GDPR ******** ** ******* *** *****

******'* *** ***** ******* major **** **********. *******, it ********** **** *** Article * ******* ************* was *** *****, ***** there ** ** ******* balance ** ***** ******* the ****** *** *** students, **** ******* ***** not **"****** *****":

** *******, ** ** clear **** *** ******* is ** * ********* position ** *** ****** in ***** ** ******, funding, *********, *** **** future **** ** ***** opportunities.

Other **** *********: ****************

*** ****'******** ******* **** ******** **** collection ** "********, ******** and ******* ** **** is *********" *** *** purpose ** **********. *******, the *** ****** ***** facial *********** ******* ****** in * "********** ********" ** *** school *** "**************** ** relation ** *** *******" of *** **********, ******:

********** ****** *** ** done ** ***** **** that *** ******* ******* violation *** ********.

No **** ********** ****** **********

*** ***** **** ********* was **** *** **** school, ***** ** ******* out * **** **********, did *** ******* * Data ********** ****** ********** as ********** ******** ** the****'* ******* **.

***** *** ******** **** any ********** "***** *** technologies" **** ******** "********** on * ***** ***** of ******* ********** ** data" [*.*. **********]. ***** must ******* ******** ************ of ********* "***** ** the ****** *** ********" and * "********* *** proportionality" **********.

***********, *******'* ******* ********** **** *********** "******* the *********** *********" ***** to ********** ** *** DPIA ********* ** "***** result ** * **** risk" ******* ********** ********.

*** **** ****** *** not ******* * **** nor ******* **** ******'* DPA, ********* ******** ** and **.

How *** **** *** **********

*** ******* *** ********** the ************* "***********" *********** that "*** ********* *** ******** sensitive ******** **** ********** children *** ***** * ********** ******** in ******** ** *** high ******." ************, ********* Articles * *** * was ********** "**** *******" than ***** **** ********.********** ******* ******** **** only ** ******** **** involved *** *** **** period *** ******* (* weeks).

****, * **** ** 200,000 ******* *****, ** slightly **** **** $**,***, was **********. *** **** school ***** *** ****** the ****.

******* *** ******* ***

***********, *** ****** ******** says **** **** ** continue ** *** **, prompting *** ******* **** Protection ********* ** ******* a *******:

*** **** ****** ***** of *********å ************ *** stated **** **** ****** to ******** *** **** recognition *** ********' ******** control. ***** ********** **** similarly ******* *** ********** of **** ********** **********. Due ** *** **** of ****** ********** ** In ********** **** *** planned **********, * ******* is *** *****

UPDATE */*/**: ****** *********

*** **** *** ******** by *** ****** ** September *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ******** *** ******:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, **** ***** *********, Director ** *** ********** of ************ ** ***.

**** **** ***** **** appeal *** ****** **** it ** *******.

******** ****** ******

******* *** *** ** the ******* ****** ******* for ****** *********** ****** the *****. **** ****** could **** * ******** effect ** ***** ******* that *** ** *********** using ****** *********** *** increases *** ********** *** risks ** ******* ****** to **** ****** *********** to *******.

**** ***********

**** *********** *******:

  • ** ****** *********** ****** on *******, ** **** be "********" *** "****** given" ** ********** ** the ****. ** ***** is * ***** ********** in *** ******* ** power ******* *** ********** and *** **** *******, Data ********** *********** *** not ******** ** *****.
  • ***** *** **** ********* for *** *** ** facial *********** ***** ***** result "** * **** risk ** *** ****** and ******** ** ******* persons". ***** **** ******'* DPA *** ********* **** filming ******** *** ********** constitutes **** * ****, this ***** *** *** can ** ***** ****** reached.
  • ***** ** ****** *********** must ******** ******* **'* proportionate - *** *******, is ***** * ****** way ** ** **** without **** ** ********* technology?
  • ****** *********** **** ***** are ****** ** ** higher **** ***** ****, with *** ******* *** explicitly ****** **** ** fines ******* * (*.*. biometrics) ***** **** *******.

Comments (22)

From a Swedish source providing some context on this school:

It is mostly a vocational upper secondary school. Historically those types of schools have struggled more with attendance. Pupils are typically between 16-19 years of age and a bit less motivated compared to students studying more theoretical and university/college preparatory specializations. What I am trying to say is that attendance issues could definitely be a challenge. Attendance is also connected to a national (equivalent to federal level in the US) study allowance of approx. 130 dollars a month. That’s why attendance checks are important.

Teacher might ask the class – is A here? His/her buddies might say. “Yes, any minute now.” and then A doesn’t show up. Assuming that there are 20-25 students in a class - 10 minutes seems quite reasonable.

Agree: 2 | Informative: 6

New Swedish Radio episode interviewing the IT manager of the school, key excerpts:

The high school's IT strategist Tommy Lindmark is surprised and had been expecting praise because it was a small limited project.

- I do not understand their assessment there, moreover it was that out of 29 students were 22, the others did not submit any approval, explains Tommy Lindmark.

The municipality has not yet decided whether it will appeal against the authority's decision.

Informative: 1

out of 29 students were 22, the others did not submit any approval, explains Tommy Lindmark.

i'm no lawyer... but this alone seems to indicate a pretty strong basis for appeal imo...

the Data Inspectorate's position of 'inequality of balance of power' is severely undermined by the quote from Mr. Lindmark above.

#ImWithTommy

Agree: 2

the others did not submit any approval

Wait, if the others did not submit any approval, does not this make it worse under GDPR? Because consent is required for biometric processing unless there is public interest, which does not apply here. Yes/no, Charles?

Agree: 1

I read Tommy as saying that the 7 students who did not 'opt in' were not used in his trial....

I don't know what that means, and I'd like to hear his explanation for how the 7 were excluded, but if he can show this to be the case I think he has strong grounds for appealing the sanctions.

Agree: 1 | Informative: 1

I think this was pursued primarily because Tommy ignored the newly-anointed AHJ guidelines mandating that he has to tell them before trialing any new technology - which he didn't do.


Data Inspectorate channels Cartman

Funny: 2

I think what this means is that 22 out of 29 students signed consent forms, with the rest opting out, i.e. those 7 were not facially recognized at all. It seems the IT manager's implicit point is: 'hey, we let students opt out of this, and some did, but we still got sanctioned'.

However, just because some students opted out has no real weight under the GDPR. The core issue highlighted by the data protection authority is the power imbalance between students and the school ("it is clear that the student is in a dependent position [to the school]"), meaning consent cannot be "freely given." There is nowhere in the GDPR negating this factor just because some data subjects decide to opt out. The GDPR states:

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority

Informative: 1

those 7 were not facially recognized at all

Ok, how does that work logistically? Is the camera set up in such a way that the students who opted out can physically avoid the area that the facial recognition camera is covering?


Those 7 kids who opted out were not being facially recognized in the sense that they did not provide selfies/portraits that allowed the software to match them and record their attendance, as was done with the other 22 kids, per the Swedish DPA report:

The information that has been registered is biometric data in the form of facial images as well as first and last names.

So those 7 kids never provided their info to be part of the system. The school was not a data controller of their biometrics information. They were thus not a focus of the case.

However, you're correct that if those 7 kids were nevertheless being filmed by a surveillance camera, even if they didn't provide their info beforehand and they were not being matched, it's still considered biometrics processing that requires their consent, as we saw from the new EU guidelines on VIP recognition which states that such systems need consent from everyone being filmed, not just the VIPs:

But one thing that's unclear from the Swedish DPA's report is whether there was a surveillance camera in the classroom recording all the students, or an access-control type system that recognized each student individually (for example via a facial recognition terminal):

If it was an access control-type system, there would be no GDPR issue with those 7 students who did not consent, as they could easily avoid being filmed altogether. However, if there was a surveillance camera filming the whole classroom, for it to be fully GDPR compliant, it would need to avoid filming the non-consenting students - either by omitting them from the camera's FoV or using some kind of privacy filter.

I've followed up with the Swedish DPA asking what kind of system was in use and will update this comment upon response.

Informative: 1

"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority"

"The core issue highlighted by the data protection authority is the power imbalance between students and the school"

How can law enforcement agencies operating within the EU ever legally use facial recognition since they always possess a clear imbalance of power vs citizens?

Informative: 3

That is a good question and you are correct that there is always a huge imbalance of power between an individual and a police force. However, EU authorities are well aware of this, which is why they would never use the "consent" justification from the GDPR's Article 9 - instead they use the "substantial public interest" justification, which is wholly separate and reads:


The GDPR does not cover the use of personal data for law enforcement purposes. There is a separate legal instrument that covers this called the Law Enforcement Directive.


You're correct Robert, sorry about my mistake Undisclosed #1. Indeed the GDPR's Article 2 ('material scope') explicitly excludes law enforcement:

The Law Enforcement Directive does address special categories of personal data like facial recognition, stating it is lawful but

shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject

The processing must also meet any of the three following conditions:

Either way, no need for EU police to obtain consent for facial recognition.


oh I see...

the technology can be used by law enforcement, but not anyone else.

that sounds fair.


There is still a need to be clear about purpose (redlined above) and justification even for law enforcement, then make sure that notice exists. Transparency goes a long way to address most of these issues. As someone who has deployed this technology (FR) for over 30 years (initially in Heathrow in 1986), we learned these lessons long ago.


What many of us are oblivious to is that California has passed its equivalent to the GDPR with its California Consumer Privacy Act on the heels of the FCC’s dismantling of Net Neutrality with its reversing of the 2015 Open Internet order. I’m not saying either of these laws are the ‘be all’ ‘end all’ solution toward ensuring our online privacy protection, but at least both the EU and California recognized there was an issue and both are making good faith efforts toward addressing our online privacy protection.


This is emblematic of more serious issues involving Net Neutrality and the current FCC’s refusal to acknowledge, let alone protect, the public’s rights regarding Internet access. Our current FCC, under the chairmanship of Ajit Pai, former Verizon lawyer, has already developed a storied past of actions to enable the monopolization, digital exclusion, redlining, blocking, throttling, paid prioritization (“prioritization for the purposes of making money, not for public safety or for specialized services”), and even zero-rating — “the practice of exempting certain types of traffic from counting against a data cap (often under an agreement between the ISP and web platform)” to overcome the 2015 Open Internet Order under the former FCC Commissioner Tom Wheeler.

Agree: 1 | Informative: 1

Seems to me that Face Rec is unique among biometrics in the fact that the biometric signal, namely the face, is openly on display 24/7. In fact it would be suspicious if it wasn't.

So why the uproar about data privacy? For iris and finger, data protection makes sense. But isn't a face picture taken for students' enrollment? License? Captured on surveillance all day long? What is the point of penalties for not safeguarding data that requires no safeguard?

Agree: 2

Skip, FR can take place w/o the knowledge of the individual being identified for one. With most other biometrics there is usually a clear interaction. Gait would be another one where it could be done w/o user knowing it was taking place. This is why notice and transparency about the nature of surveillance matters. The same issues apply to any use of personal data, including biometrics, it is just the case that the FR use case can have different operational realities. In this case opt-in would have helped as that's a flag in any privacy risk assessment.


And meanwhile to make sure you attend yoga in India


UPDATE: As I've just added to the post, the fine has been appealed by the school on September 5, according to an announcement from SKL, a Swedish union for local civil servants, which said:

SKL supports Skellefteå's decision to appeal. It will be an opportunity to deepen and clarify the Data Inspectorate's analysis and conclusions. It provides guidance and support in our members' ongoing and future development in a digital age, says Jenny Birkestad, Director of the Department of Digitization at SKL.

IPVM will track this and update once it is decided.

Informative: 1