Sweden DPA Issues First GDPR Fine Against Facial Recognition in School
The Swedish Data Protection Authority (DPA) has issued its first GDPR fine against a municipality that tracked 22 students with facial recognition for three weeks. The DPA said that the size of the fine reflected the short duration of the pilot trial.
The goal of the municipality’s test was to reduce the 17,000 hours a year that teachers spend taking attendance. According to a media report, the Swedish DPA decided to investigate after reading about the test in the media. The Swedish DPA identified several problems with the test under GDPR:
The consent collected was not valid due to the clear power imbalance between the controller and the data subject. The school captured consent from the parents, but the DPA invalidated it. Under GDPR Recital 32, consent should be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous” indication of agreement.
The high school board failed to minimize data privacy concerns by using a less intrusive mechanism to track attendance without camera surveillance. Under GDPR Article 6, five of the six lawful bases for processing require that the “processing is necessary”. The United Kingdom ICO guidance on the subject of necessity states that the “lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.”
The board also failed to complete an adequate impact assessment by not consulting the DPA and gaining prior approval. Article 36(1) requires a controller to consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk absent measures taken to mitigate the risk.
For businesses, the fine is a lesson that data privacy needs to be taken into account at all levels of new project implementation, including test projects. The GDPR requirements need to be taken seriously, and all of the consent requirements need to be carefully thought through before consent is relied upon as the lawful basis.
Consent was also the subject of a recent decision by the Greek DPA, which invalidated the lawfulness of processing by PwC of its employees’ personal data on the basis of consent. These are issues that the DPAs are closely examining, and as a result businesses need to carefully think through the complexities of their decisions around privacy and consent as well.