
Sweden Issues GDPR Fine to School for Unlawful Use of Facial Recognition Technology

The Swedish Data Protection Authority (DPA) has issued its first ever financial penalty for a violation of the EU’s General Data Protection Regulation (GDPR).

The 200,000 SEK fine (€19,000/$21,000) was issued to a high school in Skellefteå which conducted a pilot study that used facial recognition technology to monitor student attendance. Assisted by IT company Tieto, the school used CCTV cameras and facial recognition technology to monitor the attendance of 22 students at school. The trial ran for three weeks in late 2018.

The aim of the trial was to determine whether facial recognition technology could be used in place of standard roll calls in classes. Under Swedish law, schools are required to conduct a roll call at the start of each lesson, which places a considerable administrative burden on teachers and reduces the time spent teaching students.

According to Tieto, the school was losing 17,280 hours a year simply marking attendance, which equates to 10 full-time jobs.

The pilot was conducted with the best intentions but the DPA determined the school violated several articles of GDPR. GDPR was introduced to protect the privacy of EU citizens and give them much greater control over the use of their personal data.

The DPA determined the school unlawfully processed the biometric data of its students and failed to conduct a proper impact assessment. Facial recognition data is treated as sensitive information and requires greater protection than other, less-sensitive data types. The school also failed to notify the DPA about the pilot.

The school maintained it had obtained consent from all students involved in the pilot, but the DPA determined the consent to be invalid as there was “a clear imbalance between the data subject [student] and the controller [municipality].”

The financial penalty could have been much more severe. The GDPR penalty structure permitted a maximum fine of €1 million ($1.1 million) for the violations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.