The data protection authority of Sweden, Datainspektionen, issued a fine under the GDPR against a school that implemented a facial recognition system to monitor the presence of students in classrooms.
This article is based on a post previously published by our Tommaso Ricci. It pertains to a hot topic under data protection law, namely the usage of biometric data as part of facial recognition systems, analyzed in a particular context: the recognition of students attending lessons.
The GDPR fine for unlawful processing of biometric data through a facial recognition system in Sweden
The GDPR was integrated in Sweden by the Data Protection Act (2018:218). The Act introduces special safeguards and obligations for data controllers who process biometric data used for facial recognition, including, for example, the obligation to appoint a Data Protection Officer and to carry out a data protection impact assessment.
The rationale of a stricter regime is that facial recognition technologies using biometric data are invasive since biometric data under the GDPR are “unique” identifiers of a specific natural person.
In this context, the Swedish data protection authority challenged the conduct of a high school in Skellefteå that used a facial recognition system to monitor students’ attendance at lessons. The trial lasted three weeks and involved 22 students. The Datainspektionen examined the use of the system and concluded that the high school board of the school in Sweden processed sensitive personal data in violation of the GDPR. As a consequence, it issued a fine of 200,000 SEK, which is approximately € 20,000.
In its decision, the DPA deemed that facial recognition led to the video surveillance of students in their everyday environment, that this practice was an intrusion on their integrity, and that attendance control can be achieved through other, less intrusive, means.
The high school board held that it had obtained the students’ consent to the usage of the facial recognition system for attendance control. However, the high school board cannot rely on consent in this case: students are in a position of dependence on the board, and therefore their consent cannot be deemed valid under the GDPR since it was not freely given.
The fine is moderate since Skellefteå is a public entity, and the maximum fines for public entities in Sweden are 10,000,000 SEK.
Our recommendations on the usage of biometric data and facial recognition
This fine confirms the EU-wide trend among data protection authorities of treating the processing of biometric data as invasive. The trend might change in the future when “smart” technologies are all around us, but until such a cultural shift occurs, a strict regime applies to them.
Here are our recommendations for when a company decides to use a facial recognition system or, more generally, biometric data:
- Before implementing a facial recognition system, all the available alternatives shall be considered, and it shall be assessed whether the system needs to “uniquely” identify individuals. Not every processing of an image amounts to the processing of biometric data; it does so only when the processing can uniquely identify an individual;
- If there is no viable alternative to the processing of biometric data, the processing shall respect the data minimization principle. As little data as possible shall be collected, and data shall be retained only for the period strictly necessary to carry out the analysis. For instance, in some cases the matching of data with an individual could be performed on the device itself, as happens with our smartphones, without anyone accessing the biometric data;
- When the processing of biometric data occurs, enhanced security measures shall be adopted to guarantee the safety and protection of such precious information;
- Before seeking data subjects’ consent, you shall consider whether consent is a valid legal basis for the processing at all in the specific circumstances. The uncertainty arose here for consent given by students, but more frequently we deal with this issue for consent provided by employees.
What is your view on the decision above? On the same topic, you may find the articles “Are your customers’ images biometric data under the GDPR?” and “How privacy consent changes with the GDPR?” interesting.