First GDPR Facial Recognition Fine For Sweden School

By Charles Rollet, Published Aug 22, 2019, 08:57am EDT

A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.

IPVM Image

In this post, we examine the fine and its impact, including:

  • First Sweden GDPR fine ever
  • First GPDR facial recognition
  • What happened at the school
  • How the school justified it
  • The role of a data protection impact assessment
  • How the fine was calculated
  • Warning for further use
  • GDPR compliance for facial recognition
  • Negative market impact of such precedent
  • UPDATE: school will appeal

IPVM Image

First ****** **** **** ****

**** ** *** ***** GDPR **** ** ****** ever, ** ****** ** the****** *******:

IPVM Image

First **** ****** *********** **** ****

********* ** ** **** review ** **** *****, including ******* *** *************** *********** *******, **** ** *** first **** * **** fine *** **** ****** for ****** ***********.

What ********

IPVM Image

*********** * ************** ** ********** **** ********** ********* ('Datainspektionen'), ** ******** ** Anderstorp’s ***** ********* ****** in*********å *************** ***** ********** ******** via ****** *********** *** a * **** ***** period ** ****. **** was **** ****** ** a ************ ****** ***** at *** ******** ** a *********; ***** **** no ******* ***** *** camera's ***** ** **** software *** ****.

********* ** *** ********, the ****** ****** *** system *** ** **** time ******** ********, ***** takes ** **** **,*** working ***** *** ****:

** ******** ********** ********* to *** **** ******, a *********** *** ***** 10 ******* *** ****** and ** ***** **** recognition ********** *** ********** control ** *****, ********* to *** ****** *****, save **,*** ***** * year ** *** ******* school.

** ** *** **** how ******** **** **, though *** ****** ******* said ****** ********** *** each ****** ********, *******, whether ** **** ** minutes *** ***** ****** is *******.

Legal ***** *** **********: *******

*** *******' **** ***** for ********** *** *******, as *** ******** ******** had ****** ******* *****. The ****'******** ***** ********** ********** ****** for * *** **********, including "******** *******" **** data ********.

GDPR ******** ** ******* *** *****

******'* *** ***** ******* major **** **********. *******, it ********** **** *** Article * ******* ************* was *** *****, ***** there ** ** ******* balance ** ***** ******* the ****** *** *** students, **** ******* ***** not **"****** *****":

** *******, ** ** clear **** *** ******* is ** * ********* position ** *** ****** in ***** ** ******, funding, *********, *** **** future **** ** ***** opportunities.

Other **** *********: ****************

*** ****'******** ******* **** ******** **** collection ** "********, ******** and ******* ** **** is *********" *** *** purpose ** **********. *******, the *** ****** ***** facial *********** ******* ****** in * "********** ********" ** *** school *** "**************** ** relation ** *** *******" of *** **********, ******:

********** ****** *** ** done ** ***** **** that *** ******* ******* violation *** ********.

No **** ********** ****** **********

*** ***** **** ********* was **** *** **** school, ***** ** ******* out * **** **********, did *** ******* * Data ********** ****** ********** as ********** ******** ** the****'* ******* **.

***** *** ******** **** any ********** "***** *** technologies" **** ******** "********** on * ***** ***** of ******* ********** ** data" [*.*. **********]. ***** must ******* ******** ************ of ********* "***** ** the ****** *** ********" and * "********* *** proportionality" **********.

***********, *******'* ******* ********** **** *********** "******* the *********** *********" ***** to ********** ** *** DPIA ********* ** "***** result ** * **** risk" ******* ********** ********.

*** **** ****** *** not ******* * **** nor ******* **** ******'* DPA, ********* ******** ** and **.

How *** **** *** **********

*** ******* *** ********** the ************* "***********" *********** that "*** ********* *** ******** sensitive ******** **** ********** children *** ***** * ********** ******** in ******** ** *** high ******." ************, ********* Articles * *** * was ********** "**** *******" than ***** **** ********.********** ******* ******** **** only ** ******** **** involved *** *** **** period *** ******* (* weeks).

****, * **** ** 200,000 ******* *****, ** slightly **** **** $**,***, was **********. *** **** school ***** *** ****** the ****.

******* *** ******* ***

***********, *** ****** ******** says **** **** ** continue ** *** **, prompting *** ******* **** Protection ********* ** ******* a *******:

*** **** ****** ***** of *********å ************ *** stated **** **** ****** to ******** *** **** recognition *** ********' ******** control. ***** ********** **** similarly ******* *** ********** of **** ********** **********. Due ** *** **** of ****** ********** ** In ********** **** *** planned **********, * ******* is *** *****

UPDATE */*/**: ****** *********

*** **** *** ******** by *** ****** ** September *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ******** *** ******:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, **** ***** *********, Director ** *** ********** of ************ ** ***.

**** **** ***** **** appeal *** ****** **** it ** *******.

******** ****** ******

******* *** *** ** the ******* ****** ******* for ****** *********** ****** the *****. **** ****** could **** * ******** effect ** ***** ******* that *** ** *********** using ****** *********** *** increases *** ********** *** risks ** ******* ****** to **** ****** *********** to *******.

**** ***********

**** *********** *******:

  • ** ****** *********** ****** on *******, ** **** be "********" *** "****** given" ** ********** ** the ****. ** ***** is * ***** ********** in *** ******* ** power ******* *** ********** and *** **** *******, Data ********** *********** *** not ******** ** *****.
  • ***** *** **** ********* for *** *** ** facial *********** ***** ***** result "** * **** risk ** *** ****** and ******** ** ******* persons". ***** **** ******'* DPA *** ********* **** filming ******** *** ********** constitutes **** * ****, this ***** *** *** can ** ***** ****** reached.
  • ***** ** ****** *********** must ******** ******* **'* proportionate - *** *******, is ***** * ****** way ** ** **** without **** ** ********* technology?
  • ****** *********** **** ***** are ****** ** ** higher **** ***** ****, with *** ******* *** explicitly ****** **** ** fines ******* * (*.*. biometrics) ***** **** *******.

Comments (22)

**** * ******* ****** providing **** ******* ** this ******:

** ****** * ********** upper ********* ******. ************ those **** ** ******* have ********* **** **** attendance. ****** *** ********* between **-** ***** ** age *** * *** less ********* ******** ** students ******** **** *********** and **********/******* *********** ***************. What * ** ****** to *** ** **** attendance ****** ***** ********** be * *********. ********** is **** ********* ** a ******** (********** ** federal ***** ** *** US) ***** ********* ** approx. *** ******* * month. ****’* *** ********** checks *** *********.

******* ***** *** *** class – ** * here? ***/*** ******* ***** say. “***, *** ****** now.” *** **** * doesn’t **** **. ******** that ***** *** **-** students ** * ***** - ** ******* ***** quite **********.

*** ******* ***** ******* interviewing *** ** ******* of *** ******, *** ********:

*** **** ******'* ** strategist ***** ******** ** surprised *** *** **** expecting ****** ******* ** was * ***** ******* project.

- * ** *** understand ***** ********** *****, moreover ** *** **** out ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*** ************ *** *** yet ******* ******* ** will ****** ******* *** authority's ********.

*** ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*'* ** ******... ******* ********** ** ******** * pretty ****** ***** *** appeal ***...

*** **** ************'* ******** of '********** ** ******* of *****' ** ******** undermined ** *** ***** from **. ******** *****.

#***********

*** ****** *** *** submit *** ********

****, ** *** ****** did *** ****** *** approval, **** *** **** make ** ***** ***** GDPR? ******* ******* ** required *** ********* ********** unless ***** ** ****** interest, ***** **** *** apply ****. ***/**, *******?

* **** ***** ** saying **** *** * students *** *** *** 'opt **' **** *** used ** *** *****....

* ***'* **** **** that *****, *** *'* like ** **** *** explanation *** *** *** 7 **** ********, *** if ** *** **** this ** ** *** case * ***** ** has ****** ******* *** appealing *** *********.

* ***** **** *** pursued ********* ******* ***** ignored *** *****-******** *** guidelines ********* **** ** has ** **** **** before ******** *** *** technology - ***** ** didn't **.

**** ************ ******** *******

* ***** **** **** means ** **** ** out ** ** ******** signed ******* *****, **** the **** ****** ***, i.e. ***** * **** not ******** ********** ** all. ** ***** *** IT *******'* ******** ***** is: '***, ** *** students *** *** ** this, *** **** ***, but ** ***** *** sanctioned'.

*******, **** ******* **** students ***** *** *** no **** ****** ***** the ****. *** **** issue *********** ** *** data ********** ********* ** the ***** ********* ******* students *** *** ****** ("** ** ***** **** the ******* ** ** a ********* ******** [** the ******]"), ******* ******* cannot ** "****** *****." There ** ******* ** the **** ******** **** factor **** ******* **** data ******** ****** ** opt ***. ******* ******:

** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority

***** * **** *** facially ********** ** ***

**, *** **** **** work ************? ** *** camera *** ** ** such * *** **** the ******** *** ***** out *** ********** ***** the **** **** *** facial *********** ****** ** covering?

***** * **** *** opted *** **** *** being ******** ********** ** the ***** **** **** did *** ******* *******/********* that ******* *** ******** to ***** **** *** record ***** **********, ** was **** **** *** other ** ****, *** the ******* *** ******:

*** *********** **** *** been ********** *********** **** ** *** form ** ****** ****** as **** ** ***** and **** *****.

** ***** * **** never ******** ***** **** to ** **** ** the ******. *** ****** was *** * **** controller ** ***** ********** information. **** **** **** not * ***** ** the ****.

*******, ***'** ******* **** if ***** * **** were ************ ***** ****** by * ************ ******, even ** **** ****'* provide ***** **** ********** and **** **** *** being *******, **'* ***** considered ********** ********** **** requires ***** *******, ** we *** **** ****** ** ************ *** *********** ***** states **** **** ******* need ******* **** ******** being ******, *** **** the ****:

*** *** ***** ****'* unclear **** *** ******* DPA's ****** ** ******* there *** * ************ camera ** *** ********* recording *** *** ********, or ** ******-******* **** system **** ********** **** student ************ (*** ******* via * ****** *********** terminal):

** ** *** ** access *******-**** ******, ***** would ** ** **** issue **** ***** * students *** *** *** consent, ** **** ***** easily ***** ***** ****** altogether. *******, ** ***** was * ************ ****** filming *** ***** *********, for ** ** ** fully **** *********, ** would **** ** ***** filming *** ***-********** ******** - ****** ** ******** them **** *** ******'* FoV ** ***** **** kind ** ******* ******.

*'** ******** ** **** the ******* *** ****** what **** ** ****** was ** *** *** will ****** **** ******* upon ********.

"** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority"

"*** **** ***** *********** by *** **** ********** authority ** *** ***** imbalance ******* ******** *** the ******"

*** *** *** *********** agencies ********* ****** *** EU **** ******* *** facial *********** ***** ***************** * ***** ********* of ***** ** ********?

**** ** * **** question *** *** *** correct **** ***** ** always * **** ********* of ***** ******* ** individual *** * ****** force. *******, ** *********** are **** ***** ** this, ***** ** *** they ***** ***** *** the "*******" ************* **** the ****'******** *- ******* **** *** the "*********** ****** ********" justification, ***** ** ****** separate *** *****:

*** **** **** *** cover *** *** ** personal **** *** *** enforcement ********. ***** ** a ******** ***** ********** that ****** **** ****** the *** *********** *********.

***'** ******* ******, ***** about ** ******* *********** #1. ****** *** ****'******** *('******** *****') ********** ******** law ***********:

****** *********** ************* ******* ******* ********** of ******** **** **** facial ***********, ******* ** is *********

***** ** ******* **** where ******** *********, ******* to *********** ********** *** the ****** *** ******** of *** **** *******

*** ********** **** **** meet *** ** *** three ********* **********:

****** ***, ** **** for ** ****** ** obtain ******* *** ****** recognition.

** * ***...

*** ********** *** ** used ** *** ***********, but *** ****** ****.

**** ****** ****.

***** ** ***** * need ** ** ***** about ******* (******** *****) and ************* **** *** law ***********, **** **** sure **** ****** ******. Transparency **** * **** way ** ******* **** of ***** ******. ** someone *** *** ******** this ********** (**) *** over ** ***** (********* in ******** ** ****), we ******* ***** ******* long ***.

**** **** ** ** are ********* ** ** that ********** *** ****** its ********** ** *** GDPR **** *** ********** Consumer ******* *** ** the ***** ** *** FCC’s *********** ** *** Neutrality **** *** ********* of *** **** **** Internet *****. *’* *** saying ****** ** ***** laws *** *** ‘** all’ ‘*** ***’ ******** toward ******** *** ****** privacy **********, *** ** least **** *** ** and ********** ********** ***** was ** ***** *** both *** ****** **** faith ******* ****** ********** address *** ****** ******* protection.


**** ** ********** ** more ******* ****** ********* Net ********** *** *** current ***’* ******* ** acknowledge, *** ***** *******, the ******’* ****** ********* Internet ******. *** ******* FCC, ***** *** ************ of **** ***, ****** Verizon ******, *** ******* developed * ******* **** of ******* ** ****** the **************, ******* *********, redlining, ********, **********, **** prioritization (“************** *** *** purposes ** ****** *****, not *** ****** ****** or *** *********** ********”), and **** ****-****** — “the ******** ** ********* certain ***** ** ******* from ******** ******* * data *** (***** ***** an ********* ******* *** ISP *** *** ********)” to ******** *** **** Open ******** ***** ***** the ****** *** ************ Tom *******.

***** ** ** **** Face *** ** ****** among ********** ** *** fact **** *** ********* signal, ****** *** ****, is ****** ** ******* 24/7. ** **** ** would ** ********** ** it ****'*.

** *** *** ****** about **** *******? *** iris *** ******, **** protection ***** *****. *** isn't * **** ******* taken *** ********' **********? License? ******** ** ************ all *** ****? **** is *** ***** ** penalties *** *** ************ data ** ******** ** safeguard?

****, ** *** **** place */* *** ********* of *** ********** ***** identified *** ***. **** most ***** ********** ***** is ******* * ***** interaction. **** ***** ** another *** ***** ** could ** **** */* user ******* ** *** taking *****. **** ** why ****** *** ************ about *** ****** ** surveillance *******. *** **** issues ***** ** *** use ** ******** ****, including **********, ** ** just *** **** **** the ** *** **** can **** ********* *********** realities. ** **** **** opt-in ***** **** ****** as ****'* * **** in *** ******* **** assessment.

*** ********* ** **** sure *** ****** **** in*****

******: ** *'** **** added ** *** ****, the **** *** **** appealed ** *** ****** on ********* *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ****:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, ********* *********,******** ** *** ********** of ************ ** ***.

**** **** ***** **** and ****** **** ** is *******.

Read this IPVM report for free.

This article is part of IPVM's 6,817 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports