First GDPR Facial Recognition Fine For Sweden School
A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.
In this post, we examine the fine and its impact, including:
- First Sweden GDPR fine ever
- First GPDR facial recognition
- What happened at the school
- How the school justified it
- The role of a data protection impact assessment
- How the fine was calculated
- Warning for further use
- GDPR compliance for facial recognition
- Negative market impact of such precedent
- UPDATE: school will appeal
First ****** **** **** ****
**** ** *** ***** **** **** in ****** ****, ** ****** ** the****** *******:
First **** ****** *********** **** ****
********* ** ** **** ****** ** GDPR *****, ********* ******* *** *************** *********** *******, **** ** *** ***** **** a **** **** *** **** ****** for ****** ***********.
What ********
*********** * ************** ** ********** **** ********** ********* ('****************'), ** ******** ** **********’* ***** Secondary ****** ***********å *************** ***** ********** ******** *** ****** recognition *** * * **** ***** period ** ****. **** *** **** thanks ** * ************ ****** ***** at *** ******** ** * *********; there **** ** ******* ***** *** camera's ***** ** **** ******** *** used.
********* ** *** ********, *** ****** behind *** ****** *** ** **** time ******** ********, ***** ***** ** over **,*** ******* ***** *** ****:
** ******** ********** ********* ** *** high ******, * *********** *** ***** 10 ******* *** ****** *** ** using **** *********** ********** *** ********** control ** *****, ********* ** *** school *****, **** **,*** ***** * year ** *** ******* ******.
** ** *** **** *** ******** that **, ****** *** ****** ******* said ****** ********** *** **** ****** occurred, *******, ******* ** **** ** minutes *** ***** ****** ** *******.
Legal ***** *** **********: *******
*** *******' **** ***** *** ********** was *******, ** *** ******** ******** had ****** ******* *****. *** ****'******** ***** ********** ********** ****** *** * few **********, ********* "******** *******" **** data ********.
GDPR ******** ** ******* *** *****
******'* *** ***** ******* ***** **** violations. *******, ** ********** **** *** Article * ******* ************* *** *** valid, ***** ***** ** ** ******* balance ** ***** ******* *** ****** and *** ********, **** ******* ***** not **"****** *****":
** *******, ** ** ***** **** the ******* ** ** * ********* position ** *** ****** ** ***** of ******, *******, *********, *** **** future **** ** ***** *************.
Other **** *********: ****************
*** ****'******** ******* **** ******** **** ********** ** "adequate, ******** *** ******* ** **** is *********" *** *** ******* ** processing. *******, *** *** ****** ***** facial *********** ******* ****** ** * "********** ********" ** *** ****** *** "disproportionate ** ******** ** *** *******" of *** **********, ******:
********** ****** *** ** **** ** other **** **** *** ******* ******* violation *** ********.
No **** ********** ****** **********
*** ***** **** ********* *** **** the **** ******, ***** ** ******* out * **** **********, *** *** conduct * **** ********** ****** ********** as ********** ******** ** *******'* ******* **.
***** *** ******** **** *** ********** "using *** ************" **** ******** "********** on * ***** ***** ** ******* categories ** ****" [*.*. **********]. ***** must ******* ******** ************ ** ********* "risks ** *** ****** *** ********" and * "********* *** ***************" **********.
***********, *******'* ******* ********** **** *********** "******* *** *********** authority" ***** ** ********** ** *** DPIA ********* ** "***** ****** ** a **** ****" ******* ********** ********.
*** **** ****** *** *** ******* a **** *** ******* **** ******'* DPA, ********* ******** ** *** **.
How *** **** *** **********
*** ******* *** ********** *** ************* "aggravating" *********** **** "*** ********* *** ******** ********* ******** data ********** ******** *** ***** * ********** ******** ** ******** to *** **** ******." ************, ********* Articles * *** * *** ********** "more *******" **** ***** **** ********.********** ******* ******** **** **** ** students **** ******** *** *** **** period *** ******* (* *****).
****, * **** ** ***,*** ******* krona, ** ******** **** **** $**,***, was **********. *** **** ****** ***** can ****** *** ****.
******* *** ******* ***
***********, *** ****** ******** **** **** plan ** ******** ** *** **, prompting *** ******* **** ********** ********* to ******* * *******:
*** **** ****** ***** ** *********å Municipality *** ****** **** **** ****** to ******** *** **** *********** *** students' ******** *******. ***** ********** **** similarly ******* *** ********** ** **** protection **********. *** ** *** **** of ****** ********** ** ** ********** with *** ******* **********, * ******* is *** *****
UPDATE */*/**: ****** *********
*** **** *** ******** ** *** school ** ********* *,********* ** ** *******************, * ******* ***** *** ***** civil ********, ***** ******** *** ******:
*** ******** *********å'* ******** ** ******. It **** ** ** *********** ** deepen *** ******* *** **** ************'* analysis *** ***********. ** ******** ******** and ******* ** *** *******' ******* and ****** *********** ** * ******* age, **** ***** *********, ******** ** the ********** ** ************ ** ***.
**** **** ***** **** ****** *** update **** ** ** *******.
******** ****** ******
******* *** *** ** *** ******* target ******* *** ****** *********** ****** the *****. **** ****** ***** **** a ******** ****** ** ***** ******* that *** ** *********** ***** ****** recognition *** ********* *** ********** *** risks ** ******* ****** ** **** facial *********** ** *******.
**** ***********
**** *********** *******:
- ** ****** *********** ****** ** *******, it **** ** "********" *** "****** given" ** ********** ** *** ****. If ***** ** * ***** ********** in *** ******* ** ***** ******* the ********** *** *** **** *******, Data ********** *********** *** *** ******** it *****.
- ***** *** **** ********* *** *** use ** ****** *********** ***** ***** result "** * **** **** ** the ****** *** ******** ** ******* persons". ***** **** ******'* *** *** concluded **** ******* ******** *** ********** constitutes **** * ****, **** ***** the *** *** ** ***** ****** reached.
- ***** ** ****** *********** **** ******** whether **'* ************* - *** *******, is ***** * ****** *** ** do **** ******* **** ** ********* technology?
- ****** *********** **** ***** *** ****** to ** ****** **** ***** ****, with *** ******* *** ********** ****** that ** ***** ******* * (*.*. biometrics) ***** **** *******.
*** ******* ***** ******* ************ *** IT ******* ** *** ******, *** ********:
*** **** ******'* ** ********** ***** Lindmark ** ********* *** *** **** expecting ****** ******* ** *** * small ******* *******.
- * ** *** ********** ***** assessment *****, ******** ** *** **** out ** ** ******** **** **, the ****** *** *** ****** *** approval, ******** ***** ********.
*** ************ *** *** *** ******* whether ** **** ****** ******* *** authority's ********.
*** ** ** ******** **** **, the ****** *** *** ****** *** approval, ******** ***** ********.
*'* ** ******... ******* ********** ** ******** * ****** ****** basis *** ****** ***...
*** **** ************'* ******** ** '********** of ******* ** *****' ** ******** undermined ** *** ***** **** **. Lindmark *****.
#***********
*** ****** *** *** ****** *** approval
****, ** *** ****** *** *** submit *** ********, **** *** **** make ** ***** ***** ****? ******* consent ** ******** *** ********* ********** unless ***** ** ****** ********, ***** does *** ***** ****. ***/**, *******?
* **** ***** ** ****** **** the * ******** *** *** *** 'opt **' **** *** **** ** his *****....
* ***'* **** **** **** *****, and *'* **** ** **** *** explanation *** *** *** * **** excluded, *** ** ** *** **** this ** ** *** **** * think ** *** ****** ******* *** appealing *** *********.
* ***** **** *** ******* ********* because ***** ******* *** *****-******** *** guidelines ********* **** ** *** ** tell **** ****** ******** *** *** technology - ***** ** ****'* **.
* ***** **** **** ***** ** that ** *** ** ** ******** signed ******* *****, **** *** **** opting ***, *.*. ***** * **** not ******** ********** ** ***. ** seems *** ** *******'* ******** ***** is: '***, ** *** ******** *** out ** ****, *** **** ***, but ** ***** *** **********'.
*******, **** ******* **** ******** ***** out *** ** **** ****** ***** the ****. *** **** ***** *********** by *** **** ********** ********* ** the ***** ********* ******* ******** *** the ****** ("** ** ***** **** *** ******* is ** * ********* ******** [** the ******]"), ******* ******* ****** ** "freely *****." ***** ** ******* ** the **** ******** **** ****** **** because **** **** ******** ****** ** opt ***. ******* ******:
** ***** ** ****** **** ******* is ****** *****, ******* ****** *** provide * ***** ***** ****** *** the ********** ** ******** **** ** a ******** **** ***** ***** ** a ***** ********* ******* *** **** subject *** *** **********, ** ********** where *** ********** ** * ****** authority
***** * **** *** ******** ********** at ***
**, *** **** **** **** ************? Is *** ****** *** ** ** such * *** **** *** ******** who ***** *** *** ********** ***** the **** **** *** ****** *********** camera ** ********?
***** * **** *** ***** *** were *** ***** ******** ********** ** the ***** **** **** *** *** provide *******/********* **** ******* *** ******** to ***** **** *** ****** ***** attendance, ** *** **** **** *** other ** ****, *** *** ******* DPA ******:
*** *********** **** *** **** ********** is********* **** ** *** **** ** facial ****** ** **** ** ***** and **** *****.
** ***** * **** ***** ******** their **** ** ** **** ** the ******. *** ****** *** *** a **** ********** ** ***** ********** information. **** **** **** *** * focus ** *** ****.
*******, ***'** ******* **** ** ***** 7 **** **** ************ ***** ****** by * ************ ******, **** ** they ****'* ******* ***** **** ********** and **** **** *** ***** *******, it's ***** ********** ********** ********** **** requires ***** *******, ** ** *** from ****** ** ************ *** *********** ***** ****** **** such ******* **** ******* **** ******** being ******, *** **** *** ****:
*** *** ***** ****'* ******* **** the ******* ***'* ****** ** ******* there *** * ************ ****** ** the ********* ********* *** *** ********, or ** ******-******* **** ****** **** recognized **** ******* ************ (*** ******* via * ****** *********** ********):
** ** *** ** ****** *******-**** system, ***** ***** ** ** **** issue **** ***** * ******** *** did *** *******, ** **** ***** easily ***** ***** ****** **********. *******, if ***** *** * ************ ****** filming *** ***** *********, *** ** to ** ***** **** *********, ** would **** ** ***** ******* *** non-consenting ******** - ****** ** ******** them **** *** ******'* *** ** using **** **** ** ******* ******.
*'** ******** ** **** *** ******* DPA ****** **** **** ** ****** was ** *** *** **** ****** this ******* **** ********.
"** ***** ** ****** **** ******* is ****** *****, ******* ****** *** provide * ***** ***** ****** *** the ********** ** ******** **** ** a ******** **** ***** ***** ** a ***** ********* ******* *** **** subject *** *** **********, ** ********** where *** ********** ** * ****** authority"
"*** **** ***** *********** ** *** data ********** ********* ** *** ***** imbalance ******* ******** *** *** ******"
*** *** *** *********** ******** ********* within *** ** **** ******* *** facial *********** ***** ***************** * ***** ********* ** ***** vs ********?
**** ** * **** ******** *** you *** ******* **** ***** ** always * **** ********* ** ***** between ** ********** *** * ****** force. *******, ** *********** *** **** aware ** ****, ***** ** *** they ***** ***** *** *** "*******" justification **** *** ****'******** *- ******* **** *** *** "*********** public ********" *************, ***** ** ****** separate *** *****:
*** **** **** *** ***** *** use ** ******** **** *** *** enforcement ********. ***** ** * ******** legal ********** **** ****** **** ****** the *** *********** *********.
***'** ******* ******, ***** ***** ** mistake *********** #*. ****** *** ****'******** *('******** *****') ********** ******** *** ***********:
****** *********** ************* ******* ******* ********** ** ******** data **** ****** ***********, ******* ** is *********
***** ** ******* **** ***** ******** necessary, ******* ** *********** ********** *** the ****** *** ******** ** *** data *******
*** ********** **** **** **** *** of *** ***** ********* **********:
****** ***, ** **** *** ** police ** ****** ******* *** ****** recognition.
** * ***...
*** ********** *** ** **** ** law ***********, *** *** ****** ****.
**** ****** ****.
***** ** ***** * **** ** be ***** ***** ******* (******** *****) and ************* **** *** *** ***********, then **** **** **** ****** ******. Transparency **** * **** *** ** address **** ** ***** ******. ** someone *** *** ******** **** ********** (FR) *** **** ** ***** (********* in ******** ** ****), ** ******* these ******* **** ***.
**** **** ** ** *** ********* to ** **** ********** *** ****** its ********** ** *** **** **** its ********** ******** ******* *** ** the ***** ** *** ***’* *********** of *** ********** **** *** ********* of *** **** **** ******** *****. I’m *** ****** ****** ** ***** laws *** *** ‘** ***’ ‘*** all’ ******** ****** ******** *** ****** privacy **********, *** ** ***** **** the ** *** ********** ********** ***** was ** ***** *** **** *** making **** ***** ******* ****** ********** address *** ****** ******* **********.
**** ** ********** ** **** ******* issues ********* *** ********** *** *** current ***’* ******* ** ***********, *** alone *******, *** ******’* ****** ********* Internet ******. *** ******* ***, ***** the ************ ** **** ***, ****** Verizon ******, *** ******* ********* * storied **** ** ******* ** ****** the **************, ******* *********, *********, ********, throttling, **** ************** (“************** *** *** purposes ** ****** *****, *** *** public ****** ** *** *********** ********”), and **** ****-****** — “*** ******** of ********* ******* ***** ** ******* from ******** ******* * **** *** (often ***** ** ********* ******* *** ISP *** *** ********)” ** ******** the **** **** ******** ***** ***** the ****** *** ************ *** *******.
***** ** ** **** **** *** is ****** ***** ********** ** *** fact **** *** ********* ******, ****** the ****, ** ****** ** ******* 24/7. ** **** ** ***** ** suspicious ** ** ****'*.
** *** *** ****** ***** **** privacy? *** **** *** ******, **** protection ***** *****. *** ***'* * face ******* ***** *** ********' **********? License? ******** ** ************ *** *** long? **** ** *** ***** ** penalties *** *** ************ **** ** requires ** *********?
****, ** *** **** ***** */* the ********* ** *** ********** ***** identified *** ***. **** **** ***** biometrics ***** ** ******* * ***** interaction. **** ***** ** ******* *** where ** ***** ** **** */* user ******* ** *** ****** *****. This ** *** ****** *** ************ about *** ****** ** ************ *******. The **** ****** ***** ** *** use ** ******** ****, ********* **********, it ** **** *** **** **** the ** *** **** *** **** different *********** *********. ** **** **** opt-in ***** **** ****** ** ****'* a **** ** *** ******* **** assessment.
*** ********* ** **** **** *** attend **** *******
******: ** *'** **** ***** ** the ****, *** **** *** **** appealed ** *** ****** ** ********* 5,********* ** ** *******************, * ******* ***** *** ***** civil ********, ***** ****:
*** ******** *********å'* ******** ** ******. It **** ** ** *********** ** deepen *** ******* *** **** ************'* analysis *** ***********. ** ******** ******** and ******* ** *** *******' ******* and ****** *********** ** * ******* age, ********* *********,******** ** *** ********** ** ************ at ***.
**** **** ***** **** *** ****** once ** ** *******.
**** * ******* ****** ********* **** context ** **** ******: