Sweden issues first fine under GDPR for the use of facial recognition technology in a school

Previously on this blog, we discussed the UK Information Commissioner’s Office (ICO) investigation into the planned rollout of facial recognition software for a large site around King’s Cross in London. This investigation has renewed scrutiny of the technology among data protection observers, particularly in its relation to privacy rights.

Facial recognition technology for use in schools and on campuses has taken off in the United States and elsewhere, and there are even tech companies dedicated specifically to this section of the security industry. Amid understandable concerns about security at schools in the US, companies offer fairly comprehensive ‘biometric security platforms’ for schools, colleges and universities. Such services claim to identify unauthorised visitors, alert school personnel and secure campus events.

Despite the industry’s seemingly unstoppable uptake, Sweden’s Data Protection Authority (DPA) has issued its first monetary punitive measure to date for the use of this technology in a school. The DPA found a local authority to be in breach of the EU’s General Data Protection Regulation (GDPR), which the Swedish Riksdag adopted as the Data Protection Act in April last year.

The local authority, the Skellefteå municipality in the north, was trialling facial recognition on secondary school students for the purpose of tracking attendance. Pupils’ faces would be scanned and registered remotely as they entered the classroom. Consent from the parents of the twenty-two students who participated in the trial in autumn 2018 had been sought, but this was not deemed sufficient reason to collect the special category (biometric) data: the DPA saw no adequate reason for the municipality to process and control this sensitive and potentially risky data. They took into consideration the students’ privacy expectations, as well as the fact that there are many less intrusive means of automating or economising on attendance tracking. As stated clearly by GDPR, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’

In February, the local authority had told SVT Nyheter, the state broadcaster, that teachers were spending 17,000 hours a year reporting attendance, which is how facial recognition came to the table as a time- and cost-effective replacement for human labour, as is so often the case with new tech.