The Swedish Data Protection Authority (DPA) issued its first financial penalty for a General Data Protection Regulation (GDPR) violation.
A high school in Skellefteå was issued a 200,000 SEK fine (€19,000/$21,000) for conducting a pilot study that used facial recognition technology to keep track of student attendance. Aided by the IT firm Tieto, the school used facial recognition technology and CCTV cameras to track the attendance of 22 students. This was done for three weeks in the latter part of 2018.
The purpose of the study was to find out whether facial recognition technology could be used to replace the usual roll calls in class. Swedish law requires schools to take a roll call at the beginning of every lesson, which places a substantial administrative burden on teachers and cuts into the time spent teaching students.
According to Tieto, the school loses 17,280 hours per year because teachers have to mark attendance, the equivalent of 10 full-time positions.
The study was done with good intentions; however, the DPA considered it a violation of several GDPR articles. The GDPR was meant to safeguard EU citizens' privacy and give them more control over the use and disclosure of their personal information.
The DPA concluded that the school unlawfully processed the students' biometric data and failed to carry out an appropriate impact assessment. Facial recognition data is regarded as sensitive data and calls for stronger protection than other, less sensitive types of data. The school also failed to notify the DPA about the pilot study.
The school stated that it had obtained the students' consent for the pilot study; however, the DPA said that the consent was invalid, since there was an obvious imbalance between the controller [municipality] and the data subject [student].
The DPA could have issued a more severe financial penalty, as the GDPR penalty structure allowed a maximum penalty of €1 million ($1.1 million) for this violation.