First GDPR Fine in Sweden Over Facial Recognition Use

A high school received the first GDPR fine in Sweden after using facial recognition technology on students.

Eliza Crawford · September 6, 2019

A school in northern Sweden has been fined 200,000 SEK (about $20,000) after experimenting with facial recognition as a system to document student attendance. The Swedish Data Protection Authority (DPA) fined the school for violating three articles under the General Data Protection Regulation (GDPR):

  • Article 5(1)(C): The use of facial recognition was intrusive in monitoring the attendance of students which lays down the ‘data minimization’ principle.
  • Article 9: Facial recognition data comprises ‘special categories of data’, which may only be processed to a legal basis. Processing facial recognition data is allowed with the data subject’s explicit consent. The school argued that all the students and their parents had given consent. However, the Swedish regulator held that the permission given by students was not a voluntarily given and freely chosen because of the school’s powerful position.
  • Article 35: Under this article, there is a requirement to conduct a documented Data Protection Impact Assessment (DPIA) before processing data that entails elevated data protection risks, such as facial recognition monitoring.

This is the first time the country has been fined for violating the digital privacy violation. The facial recognition pilot had been going on for three weeks last fall and involved 22 students.

Ranja Bunni, a lawyer at the Swedish DPA who helped with the review of this violation, said that consent isn’t a valid legal argument since the students depend on the high school board. The agency pointed out in its release that there are alternatives to checking student attendance that aren’t as intimately invasive as a facial recognition system.

While the Swedish DPA’s ruling is not big compared to other GDPR fines, it’s a clear marker that GDPR enforcement is picking up around the globe. The Sweden High School case indicates the extent of GDPR is not just limited to giant corporations such as British Airways, but also smaller public and private entities.

Visit here to learn how CookiePro helps comply with the GDPR.