A school in Sweden has been fined $20,000 for using facial recognition to keep attendance in what is Sweden's first GDPR fine. Notably, the fine is also the EU's first GDPR fine for facial recognition, adding some clarity to use of the technology in the GDPR era.
In this post, we examine the fine and its impact, including:
From a Swedish source providing some context on this school:
It mostly a vocational upper secondary school. Historically those type of schools have struggled more with attendance. Pupils are typically between 16-19 years of age and a bit less motivated compared to students studying more theoretical and university/college preparatory specializations. What I am trying to say is that attendance issues could definitely be a challenge. Attendance is also connected to a national (equivalent to federal level in the US) study allowance of approx. 130 dollars a month. That’s why attendance checks are important.
Teacher might ask the class – is A here? His/her buddies might say. “Yes, any minute now.” and then A doesn’t show up. Assuming that there are 20-25 students in a class - 10 minutes seems quite reasonable.
The high school's IT strategist Tommy Lindmark is surprised and had been expecting praise because it was a small limited project.
- I do not understand their assessment there, moreover it was that out of 29 students were 22, the others did not submit any approval, explains Tommy Lindmark.
The municipality has not yet decided whether it will appeal against the authority's decision.
Wait, if the others did not submit any approval, does not this make it worse under GDPR? Because consent is required for biometric processing unless there is public interest, which does not apply here. Yes/no, Charles?
I read Tommy as saying that the 7 students who did not 'opt in' were not used in his trial....
I don't know what that means, and I'd like to hear his explanation for how the 7 were excluded, but if he can show this to be the case I think he has strong grounds for appealing the sanctions.
I think this was pursued primarily because Tommy ignored the newly-anointed AHJ guidelines mandating that he has to tell them before trialing any new technology - which he didn't do.
I think what this means is that 22 out of 29 students signed consent forms, with the rest opting out, i.e. those 7 were not facially recognized at all. It seems the IT manager's implicit point is: 'hey, we let students opt out of this, and some did, but we still got sanctioned'.
However, just because some students opted out has no real weight under the GDPR. The core issue highlighted by the data protection authority is the power imbalance between students and the school ("it is clear that the student is in a dependent position [to the school]"), meaning consent cannot be "freely given." There is nowhere in the GDPR negating this factor just because some data subjects decide to opt out. The GDPR states:
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority
Ok, how does that work logistically? Is the camera set up in such a way that the students who opted out can physically avoid the area that the facial recognition camera is covering?
Those 7 kids who opted out were not being facially recognized in the sense that they did not provide selfies/portraits that allowed the software to match them and record their attendance, as was done with the other 22 kids, per the Swedish DPA report:
The information that has been registered is biometric data in the form of facial images as well as first and last names.
So those 7 kids never provided their info to be part of the system. The school was not a data controller of their biometrics information. They were thus not a focus of the case.
However, you're correct that if those 7 kids were nevertheless being filmed by a surveillance camera, even if they didn't provide their info beforehand and they were not being matched, it's still considered biometrics processing that requires their consent, as we saw from the new EU guidelines on VIP recognition which states that such systems need consent from everyone being filmed, not just the VIPs:
But one thing that's unclear from the Swedish DPA's report is whether there was a surveillance camera in the classroom recording all the students, or an access-control type system that recognized each student individually (for example via a facial recognition terminal):
If it was an access control-type system, there would be no GDPR issue with those 7 students who did not consent, as they could easily avoid being filmed altogether. However, if there was a surveillance camera filming the whole classroom, for it to be fully GDPR compliant, it would need to avoid filming the non-consenting students - either by omitting them from the camera's FoV or using some kind of privacy filter.
I've followed up with the Swedish DPA asking what kind of system was in use and will update this comment upon response.
"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority"
"The core issue highlighted by the data protection authority is the power imbalance between students and the school"
How can law enforcement agencies operating within the EU ever legally use facial recognition since they always possess a clear imbalance of power vs citizens?
That is a good question and you are correct that there is always a huge imbalance of power between an individual and a police force. However, EU authorities are well aware of this, which is why they would never use the "consent" justification from the GDPR's Article 9 - instead they use the "substantial public interest" justification, which is wholly separate and reads:
The GDPR does not cover the use of personal data for law enforcement purposes. There is a separate legal instrument that covers this called the Law Enforcement Directive.
There is still a need to be clear about purpose (redlined above) and justification even for law enforcement, then make sure that notice exists. Transparency goes a long way to address most of these issues. As someone who has deployed this technology (FR) for over 30 years (initially in Heathrow in 1986), we learned these lessons long ago.
What many of us are oblivious to is that California has passed its equivalent to the GDPR with its California Consumer Privacy Act on the heels of the FCC’s dismantling of Net Neutrality with its reversing of the 2015 Open Internet order. I’m not saying either of these laws are the ‘be all’ ‘end all’ solution toward ensuring our online privacy protection, but at least both the EU and California recognized there was an issue and both are making good faith efforts toward addressing address our online privacy protection.
This is emblematic of more serious issues involving Net Neutrality and the current FCC’s refusal to acknowledge, let alone protect, the public’s rights regarding Internet access. Our current FCC, under the chairmanship of Ajit Pai, former Verizon lawyer, has already developed a storied past of actions to enable the monopolization, digital exclusion, redlining, blocking, throttling, paid prioritization (“prioritization for the purposes of making money, not for public safety or for specialized services”), and even zero-rating — “the practice of exempting certain types of traffic from counting against a data cap (often under an agreement between the ISP and web platform)” to overcome the 2015 Open Internet Order under the former FCC Commissioner Tom Wheeler.
Seems to me that Face Rec is unique among biometrics in the fact that the biometric signal, namely the face, is openly on display 24/7. In fact it would be suspicious if it wasn't.
So why the uproar about data privacy? For iris and finger, data protection makes sense. But isn't a face picture taken for students' enrollment? License? Captured on surveillance all day long? What is the point of penalties for not safeguarding data is requires no safeguard?
Skip, FR can take place w/o the knowledge of the individual being identified for one. With most other biometrics there is usually a clear interaction. Gait would be another one where it could be done w/o user knowing it was taking place. This is why notice and transparency about the nature of surveillance matters. The same issues apply to any use of personal data, including biometrics, it is just the case that the FR use case can have different operational realities. In this case opt-in would have helped as that's a flag in any privacy risk assessment.
UPDATE: As I've just added to the post, the fine has been appealed by the school on September 5, according to an announcement from SKL, a Swedish union for local civil servants, which said:
SKL supports Skellefteå's decision to appeal. It will be an opportunity to deepen and clarify the Data Inspectorate's analysis and conclusions. It provides guidance and support in our members' ongoing and future development in a digital age, says Jenny Birkestad, Director of the Department of Digitization at SKL.
IPVM will track this and update once it is decided.
Agree
Disagree
Informative: 1
Unhelpful
Funny
Create New Topic
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Comments (22)
John Honovich
From a Swedish source providing some context on this school:
Create New Topic
John Honovich
New Swedish Radio episode interviewing the IT manager of the school, key excerpts:
Create New Topic
Daniel McKimm
What many of us are oblivious to is that California has passed its equivalent to the GDPR with its California Consumer Privacy Act on the heels of the FCC’s dismantling of Net Neutrality with its reversing of the 2015 Open Internet order. I’m not saying either of these laws are the ‘be all’ ‘end all’ solution toward ensuring our online privacy protection, but at least both the EU and California recognized there was an issue and both are making good faith efforts toward addressing address our online privacy protection.
This is emblematic of more serious issues involving Net Neutrality and the current FCC’s refusal to acknowledge, let alone protect, the public’s rights regarding Internet access. Our current FCC, under the chairmanship of Ajit Pai, former Verizon lawyer, has already developed a storied past of actions to enable the monopolization, digital exclusion, redlining, blocking, throttling, paid prioritization (“prioritization for the purposes of making money, not for public safety or for specialized services”), and even zero-rating — “the practice of exempting certain types of traffic from counting against a data cap (often under an agreement between the ISP and web platform)” to overcome the 2015 Open Internet Order under the former FCC Commissioner Tom Wheeler.
Create New Topic
Skip Cusack
Seems to me that Face Rec is unique among biometrics in the fact that the biometric signal, namely the face, is openly on display 24/7. In fact it would be suspicious if it wasn't.
So why the uproar about data privacy? For iris and finger, data protection makes sense. But isn't a face picture taken for students' enrollment? License? Captured on surveillance all day long? What is the point of penalties for not safeguarding data is requires no safeguard?
Create New Topic
Salvatore D'Agostino
Skip, FR can take place w/o the knowledge of the individual being identified for one. With most other biometrics there is usually a clear interaction. Gait would be another one where it could be done w/o user knowing it was taking place. This is why notice and transparency about the nature of surveillance matters. The same issues apply to any use of personal data, including biometrics, it is just the case that the FR use case can have different operational realities. In this case opt-in would have helped as that's a flag in any privacy risk assessment.
Create New Topic
Salvatore D'Agostino
And meanwhile to make sure you attend yoga in India
Create New Topic
Charles Rollet
UPDATE: As I've just added to the post, the fine has been appealed by the school on September 5, according to an announcement from SKL, a Swedish union for local civil servants, which said:
IPVM will track this and update once it is decided.
Create New Topic