On August 21, the Swedish Data Protection Authority (Datainspektionen, or SDPA) announced that it had fined a high school in Skellefteå, Sweden 200 000 kronor (US$18,600) for violating the General Data Protection Regulation (GDPR) by using a facial-recognition system to record student attendance. The SDPA stated that this is the first fine that it has levied for a GDPR violation.
The SDPA reported that the school, on a trial basis, had used facial recognition via camera “to test students’ attendance at their lessons.” (All translations are unofficial.) After examining the school’s use of the system, which affected 22 students, it found that the facial-recognition camera surveillance of the students “in their everyday environment was an intrusion on their integrity and that their presence control can be done in other ways that are less violative of privacy than facial recognition.”
The high school board had sought to justify the use of the system for attendance control on the basis that the students had consented to that use. The SDPA responded that the board could not use consent as a justification “because the students are in a position of dependence on the board.” Accordingly, the SDPA concluded, in the words of SDPA Director General Lena Lindgren Schelin, that the Skellefteå high school board “violated several of the provisions of the Data Protection Regulation in a way” that prompted issuance of the SEK 200,000 penalty.
According to the European Data Protection Board, under Swedish law the fine for a GDPR violation could be as high as SEK 10 million. In this case, the SDPA explained that the size of the penalty was influenced, among other things, by the fact that it involved a public authority and a use of the facial-recognition system “for a limited period.”
Note: This case is an important precedent for GDPR enforcement that compliance officers in companies and government agencies — including educational systems — need to bring to the attention of C-level officials in their organizations. Article 4(14) of the GDPR clearly defines “biometric data” in a manner that indicates that facial-recognition systems must be built and operated in a manner that complies with the GDPR. The SDPA decision in this case is likely to be only the first of many decisions that will affect entities that install facial-recognition systems without considering the GDPR ramifications of doing so.