The Swedish Data Protection Authority has fined a municipality 200 000 SEK (approximately 20,000 euros) for flouting a privacy law by using facial recognition technology to keep track of the students’ attendance, the BBC reported.
This is the first fine issued by the Swedish DPA under the General Data Protection Regulation.
The school was charged for tracking 22 students over the period of three weeks and monitoring when each entered a classroom. The school claims the monitoring was based on consent. The Swedish DPA, however doesn’t consider consent a valid legal basis based on the irregularity that exists between the data subject and controller.
The GDPR which came into force last year classifies the use of facial images and other biometric information as being a special category of data, with “added restrictions” to its use.
The Swedish authority opened an investigation about Anderstorp’s High School’s trial after media reports. It discovered during the probe that teachers at the school had employed the manual process of tracking attendance, spending 17,000 hours a year to achieve this. In order to speed up the process, the authority had decided to employ the use of facial-recognition technology.
Facial recognition technology, this month flagged 26 Californian lawmakers as criminals. The faces of the lawmakers were screened against a database of 25000 publicly available booking photos. The software erroneously matched 26 legislators with mug shots. A bill was passed afterwards for its ban. The facial recognition technology has been flagged by many people because of its unreliability. Its errors could cause embarrassments.
The trial happened during Autumn and was considered successful, much that the local authority considered an extension.
Jorgen Malm who oversees the high school told SVT that the technology was safe and argued that they had received consent from the parents of the students. The regulator, however, did not think that consent was not a legally adequate reason to harvest such sensitive information from the students.
It said there were other less intrusive measures to use; it didn’t have to be a surveillance camera to monitor attendance of students in a school. The regulator noted that the students, even though they are still minors have a right to certain level of privacy when entering a classroom.
As a result, the ruling ended in disfavour of the high school. It was concluded that the local authority was guilty of unlawfully processing sensitive biometric data.