First GDPR Facial Recognition Fine For Sweden School

By Charles Rollet, Published on Aug 22, 2019

A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.

IPVM Image

In this post, we examine the fine and its impact, including:

  • First Sweden GDPR fine ever
  • First GPDR facial recognition
  • What happened at the school
  • How the school justified it
  • The role of a data protection impact assessment
  • How the fine was calculated
  • Warning for further use
  • GDPR compliance for facial recognition
  • Negative market impact of such precedent
  • UPDATE: school will appeal

IPVM Image

First ****** **** **** ****

**** ** *** ***** GDPR **** ** ****** ever, ** ****** ** the****** *******:

IPVM Image

First **** ****** *********** **** ****

********* ** ** **** review ** **** *****, including ******* *** *************** *********** *******, **** ** *** first **** * **** fine *** **** ****** for ****** ***********.

What ********

IPVM Image

*********** * ************** ** ********** **** ********** ********* ('Datainspektionen'), ** ******** ** Anderstorp’s ***** ********* ****** in*********å *************** ***** ********** ******** via ****** *********** *** a * **** ***** period ** ****. **** was **** ****** ** a ************ ****** ***** at *** ******** ** a *********; ***** **** no ******* ***** *** camera's ***** ** **** software *** ****.

********* ** *** ********, the ****** ****** *** system *** ** **** time ******** ********, ***** takes ** **** **,*** working ***** *** ****:

** ******** ********** ********* to *** **** ******, a *********** *** ***** 10 ******* *** ****** and ** ***** **** recognition ********** *** ********** control ** *****, ********* to *** ****** *****, save **,*** ***** * year ** *** ******* school.

** ** *** **** how ******** **** **, though *** ****** ******* said ****** ********** *** each ****** ********, *******, whether ** **** ** minutes *** ***** ****** is *******.

Legal ***** *** **********: *******

*** *******' **** ***** for ********** *** *******, as *** ******** ******** had ****** ******* *****. The ****'******** ***** ********** ********** ****** for * *** **********, including "******** *******" **** data ********.

GDPR ******** ** ******* *** *****

******'* *** ***** ******* major **** **********. *******, it ********** **** *** Article * ******* ************* was *** *****, ***** there ** ** ******* balance ** ***** ******* the ****** *** *** students, **** ******* ***** not **"****** *****":

** *******, ** ** clear **** *** ******* is ** * ********* position ** *** ****** in ***** ** ******, funding, *********, *** **** future **** ** ***** opportunities.

Other **** *********: ****************

*** ****'******** ******* **** ******** **** collection ** "********, ******** and ******* ** **** is *********" *** *** purpose ** **********. *******, the *** ****** ***** facial *********** ******* ****** in * "********** ********" ** *** school *** "**************** ** relation ** *** *******" of *** **********, ******:

********** ****** *** ** done ** ***** **** that *** ******* ******* violation *** ********.

No **** ********** ****** **********

*** ***** **** ********* was **** *** **** school, ***** ** ******* out * **** **********, did *** ******* * Data ********** ****** ********** as ********** ******** ** the****'* ******* **.

***** *** ******** **** any ********** "***** *** technologies" **** ******** "********** on * ***** ***** of ******* ********** ** data" [*.*. **********]. ***** must ******* ******** ************ of ********* "***** ** the ****** *** ********" and * "********* *** proportionality" **********.

***********, *******'* ******* ********** **** *********** "******* the *********** *********" ***** to ********** ** *** DPIA ********* ** "***** result ** * **** risk" ******* ********** ********.

*** **** ****** *** not ******* * **** nor ******* **** ******'* DPA, ********* ******** ** and **.

How *** **** *** **********

*** ******* *** ********** the ************* "***********" *********** that "*** ********* *** ******** sensitive ******** **** ********** children *** ***** * ********** ******** in ******** ** *** high ******." ************, ********* Articles * *** * was ********** "**** *******" than ***** **** ********.********** ******* ******** **** only ** ******** **** involved *** *** **** period *** ******* (* weeks).

****, * **** ** 200,000 ******* *****, ** slightly **** **** $**,***, was **********. *** **** school ***** *** ****** the ****.

******* *** ******* ***

***********, *** ****** ******** says **** **** ** continue ** *** **, prompting *** ******* **** Protection ********* ** ******* a *******:

*** **** ****** ***** of *********å ************ *** stated **** **** ****** to ******** *** **** recognition *** ********' ******** control. ***** ********** **** similarly ******* *** ********** of **** ********** **********. Due ** *** **** of ****** ********** ** In ********** **** *** planned **********, * ******* is *** *****

UPDATE */*/**: ****** *********

*** **** *** ******** by *** ****** ** September *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ******** *** ******:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, **** ***** *********, Director ** *** ********** of ************ ** ***.

**** **** ***** **** appeal *** ****** **** it ** *******.

******** ****** ******

******* *** *** ** the ******* ****** ******* for ****** *********** ****** the *****. **** ****** could **** * ******** effect ** ***** ******* that *** ** *********** using ****** *********** *** increases *** ********** *** risks ** ******* ****** to **** ****** *********** to *******.

**** ***********

**** *********** *******:

  • ** ****** *********** ****** on *******, ** **** be "********" *** "****** given" ** ********** ** the ****. ** ***** is * ***** ********** in *** ******* ** power ******* *** ********** and *** **** *******, Data ********** *********** *** not ******** ** *****.
  • ***** *** **** ********* for *** *** ** facial *********** ***** ***** result "** * **** risk ** *** ****** and ******** ** ******* persons". ***** **** ******'* DPA *** ********* **** filming ******** *** ********** constitutes **** * ****, this ***** *** *** can ** ***** ****** reached.
  • ***** ** ****** *********** must ******** ******* **'* proportionate - *** *******, is ***** * ****** way ** ** **** without **** ** ********* technology?
  • ****** *********** **** ***** are ****** ** ** higher **** ***** ****, with *** ******* *** explicitly ****** **** ** fines ******* * (*.*. biometrics) ***** **** *******.

Comments (22)

**** * ******* ****** providing **** ******* ** this ******:

** ****** * ********** upper ********* ******. ************ those **** ** ******* have ********* **** **** attendance. ****** *** ********* between **-** ***** ** age *** * *** less ********* ******** ** students ******** **** *********** and **********/******* *********** ***************. What * ** ****** to *** ** **** attendance ****** ***** ********** be * *********. ********** is **** ********* ** a ******** (********** ** federal ***** ** *** US) ***** ********* ** approx. *** ******* * month. ****’* *** ********** checks *** *********.

******* ***** *** *** class – ** * here? ***/*** ******* ***** say. “***, *** ****** now.” *** **** * doesn’t **** **. ******** that ***** *** **-** students ** * ***** - ** ******* ***** quite **********.

*** ******* ***** ******* interviewing *** ** ******* of *** ******, *** ********:

*** **** ******'* ** strategist ***** ******** ** surprised *** *** **** expecting ****** ******* ** was * ***** ******* project.

- * ** *** understand ***** ********** *****, moreover ** *** **** out ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*** ************ *** *** yet ******* ******* ** will ****** ******* *** authority's ********.

*** ** ** ******** were **, *** ****** did *** ****** *** approval, ******** ***** ********.

*'* ** ******... ******* ********** ** ******** * pretty ****** ***** *** appeal ***...

*** **** ************'* ******** of '********** ** ******* of *****' ** ******** undermined ** *** ***** from **. ******** *****.

#***********

*** ****** *** *** submit *** ********

****, ** *** ****** did *** ****** *** approval, **** *** **** make ** ***** ***** GDPR? ******* ******* ** required *** ********* ********** unless ***** ** ****** interest, ***** **** *** apply ****. ***/**, *******?

* **** ***** ** saying **** *** * students *** *** *** 'opt **' **** *** used ** *** *****....

* ***'* **** **** that *****, *** *'* like ** **** *** explanation *** *** *** 7 **** ********, *** if ** *** **** this ** ** *** case * ***** ** has ****** ******* *** appealing *** *********.

* ***** **** *** pursued ********* ******* ***** ignored *** *****-******** *** guidelines ********* **** ** has ** **** **** before ******** *** *** technology - ***** ** didn't **.

**** ************ ******** *******

* ***** **** **** means ** **** ** out ** ** ******** signed ******* *****, **** the **** ****** ***, i.e. ***** * **** not ******** ********** ** all. ** ***** *** IT *******'* ******** ***** is: '***, ** *** students *** *** ** this, *** **** ***, but ** ***** *** sanctioned'.

*******, **** ******* **** students ***** *** *** no **** ****** ***** the ****. *** **** issue *********** ** *** data ********** ********* ** the ***** ********* ******* students *** *** ****** ("** ** ***** **** the ******* ** ** a ********* ******** [** the ******]"), ******* ******* cannot ** "****** *****." There ** ******* ** the **** ******** **** factor **** ******* **** data ******** ****** ** opt ***. ******* ******:

** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority

***** * **** *** facially ********** ** ***

**, *** **** **** work ************? ** *** camera *** ** ** such * *** **** the ******** *** ***** out *** ********** ***** the **** **** *** facial *********** ****** ** covering?

***** * **** *** opted *** **** *** being ******** ********** ** the ***** **** **** did *** ******* *******/********* that ******* *** ******** to ***** **** *** record ***** **********, ** was **** **** *** other ** ****, *** the ******* *** ******:

*** *********** **** *** been ********** *********** **** ** *** form ** ****** ****** as **** ** ***** and **** *****.

** ***** * **** never ******** ***** **** to ** **** ** the ******. *** ****** was *** * **** controller ** ***** ********** information. **** **** **** not * ***** ** the ****.

*******, ***'** ******* **** if ***** * **** were ************ ***** ****** by * ************ ******, even ** **** ****'* provide ***** **** ********** and **** **** *** being *******, **'* ***** considered ********** ********** **** requires ***** *******, ** we *** **** ****** ** ************ *** *********** ***** states **** **** ******* need ******* **** ******** being ******, *** **** the ****:

*** *** ***** ****'* unclear **** *** ******* DPA's ****** ** ******* there *** * ************ camera ** *** ********* recording *** *** ********, or ** ******-******* **** system **** ********** **** student ************ (*** ******* via * ****** *********** terminal):

** ** *** ** access *******-**** ******, ***** would ** ** **** issue **** ***** * students *** *** *** consent, ** **** ***** easily ***** ***** ****** altogether. *******, ** ***** was * ************ ****** filming *** ***** *********, for ** ** ** fully **** *********, ** would **** ** ***** filming *** ***-********** ******** - ****** ** ******** them **** *** ******'* FoV ** ***** **** kind ** ******* ******.

*'** ******** ** **** the ******* *** ****** what **** ** ****** was ** *** *** will ****** **** ******* upon ********.

"** ***** ** ****** that ******* ** ****** given, ******* ****** *** provide * ***** ***** ground *** *** ********** of ******** **** ** a ******** **** ***** there ** * ***** imbalance ******* *** **** subject *** *** **********, in ********** ***** *** controller ** * ****** authority"

"*** **** ***** *********** by *** **** ********** authority ** *** ***** imbalance ******* ******** *** the ******"

*** *** *** *********** agencies ********* ****** *** EU **** ******* *** facial *********** ***** ***************** * ***** ********* of ***** ** ********?

**** ** * **** question *** *** *** correct **** ***** ** always * **** ********* of ***** ******* ** individual *** * ****** force. *******, ** *********** are **** ***** ** this, ***** ** *** they ***** ***** *** the "*******" ************* **** the ****'******** *- ******* **** *** the "*********** ****** ********" justification, ***** ** ****** separate *** *****:

*** **** **** *** cover *** *** ** personal **** *** *** enforcement ********. ***** ** a ******** ***** ********** that ****** **** ****** the *** *********** *********.

***'** ******* ******, ***** about ** ******* *********** #1. ****** *** ****'******** *('******** *****') ********** ******** law ***********:

****** *********** ************* ******* ******* ********** of ******** **** **** facial ***********, ******* ** is *********

***** ** ******* **** where ******** *********, ******* to *********** ********** *** the ****** *** ******** of *** **** *******

*** ********** **** **** meet *** ** *** three ********* **********:

****** ***, ** **** for ** ****** ** obtain ******* *** ****** recognition.

** * ***...

*** ********** *** ** used ** *** ***********, but *** ****** ****.

**** ****** ****.

***** ** ***** * need ** ** ***** about ******* (******** *****) and ************* **** *** law ***********, **** **** sure **** ****** ******. Transparency **** * **** way ** ******* **** of ***** ******. ** someone *** *** ******** this ********** (**) *** over ** ***** (********* in ******** ** ****), we ******* ***** ******* long ***.

**** **** ** ** are ********* ** ** that ********** *** ****** its ********** ** *** GDPR **** *** ********** Consumer ******* *** ** the ***** ** *** FCC’s *********** ** *** Neutrality **** *** ********* of *** **** **** Internet *****. *’* *** saying ****** ** ***** laws *** *** ‘** all’ ‘*** ***’ ******** toward ******** *** ****** privacy **********, *** ** least **** *** ** and ********** ********** ***** was ** ***** *** both *** ****** **** faith ******* ****** ********** address *** ****** ******* protection.


**** ** ********** ** more ******* ****** ********* Net ********** *** *** current ***’* ******* ** acknowledge, *** ***** *******, the ******’* ****** ********* Internet ******. *** ******* FCC, ***** *** ************ of **** ***, ****** Verizon ******, *** ******* developed * ******* **** of ******* ** ****** the **************, ******* *********, redlining, ********, **********, **** prioritization (“************** *** *** purposes ** ****** *****, not *** ****** ****** or *** *********** ********”), and **** ****-****** — “the ******** ** ********* certain ***** ** ******* from ******** ******* * data *** (***** ***** an ********* ******* *** ISP *** *** ********)” to ******** *** **** Open ******** ***** ***** the ****** *** ************ Tom *******.

***** ** ** **** Face *** ** ****** among ********** ** *** fact **** *** ********* signal, ****** *** ****, is ****** ** ******* 24/7. ** **** ** would ** ********** ** it ****'*.

** *** *** ****** about **** *******? *** iris *** ******, **** protection ***** *****. *** isn't * **** ******* taken *** ********' **********? License? ******** ** ************ all *** ****? **** is *** ***** ** penalties *** *** ************ data ** ******** ** safeguard?

****, ** *** **** place */* *** ********* of *** ********** ***** identified *** ***. **** most ***** ********** ***** is ******* * ***** interaction. **** ***** ** another *** ***** ** could ** **** */* user ******* ** *** taking *****. **** ** why ****** *** ************ about *** ****** ** surveillance *******. *** **** issues ***** ** *** use ** ******** ****, including **********, ** ** just *** **** **** the ** *** **** can **** ********* *********** realities. ** **** **** opt-in ***** **** ****** as ****'* * **** in *** ******* **** assessment.

*** ********* ** **** sure *** ****** **** in*****

******: ** *'** **** added ** *** ****, the **** *** **** appealed ** *** ****** on ********* *,********* ** ** *******************, * ******* ***** for ***** ***** ********, which ****:

*** ******** *********å'* ******** to ******. ** **** be ** *********** ** deepen *** ******* *** Data ************'* ******** *** conclusions. ** ******** ******** and ******* ** *** members' ******* *** ****** development ** * ******* age, ********* *********,******** ** *** ********** of ************ ** ***.

**** **** ***** **** and ****** **** ** is *******.

Read this IPVM report for free.

This article is part of IPVM's 6,594 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

The US Fight Over Facial Recognition Explained on Jul 08, 2020
The controversy around facial recognition has grown significantly in 2020,...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Facial Recognition: Weak Sales, Anti Regulation, No Favorite, Says Security Integrators on Jul 07, 2020
While facial recognition has gained greater prominence, a new IPVM study of...
Herta Facial Recognition Plus Masks Tested on Aug 19, 2020
Masks increase face recognition errors, but facial recognition developer...
U.S. Government Accountability Office Urges Facial Recognition Regulation on Aug 27, 2020
The US Government Accountability Office (GAO) is urging facial recognition...
Microsoft Azure Presents Live Video Analytics on Oct 15, 2020
Microsoft Azure presented its Live Video Analytics offering at the September...
Defendry Presents AI Active Shooter Security System on Jul 14, 2020
Defendry presented its Active Shooter security system at the May 2020 IPVM...
Gait Recognition Examined on Sep 14, 2020
Facial recognition faces increasing ethical and political criticisms while...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
CDW Sells School District 36 Low-Res, No Blackbody Hikvision Fever Cameras With Federal Funds on Oct 01, 2020
Mega IT distributor CDW sold low-resolution Hikvision fever cameras with no...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
Startup Actuate Presents AI Threat Detection on Aug 18, 2020
Actuate presented its AI threat detection offering at the 2020 IPVM Startups...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
UK Court Rules Police Facial Recognition Needs Reform on Sep 01, 2020
A UK court has ruled that the South Wales Police use of facial recognition is...
Startup Monitoreal Presents Home Object Detection AI on Aug 24, 2020
Monitoreal presented its on-premise only object detection AI at the 2020 IPVM...

Recent Reports

VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...