The Swedish data protection authority, Datainspektionen, initiated an audit of the public school board of Skellefteå municipality earlier this year after having received media reports that the school board, in a trial project at Anderstorps upper secondary school, had used facial-recognition technology to register student presence during a few weeks.
The school board used facial-recognition software via camera to capture and register 22 students’ participation in class. The board was contemplating implementing this technology as a standard procedure. The purpose had been to further streamline operations and automize taking the class register, a task that would generally take 10 minutes per class. The board claimed that automizing taking the class register would save 17,280 hours of work each year at the school.
Biometric data was captured by cameras in the form of photographs of students' faces and their full names. The information was stored in a local computer without internet connection, which was stored in a locked cabinet. Explicit consent was collected from guardians, and it was possible to refrain from participating in the trial. However, neither a risk assessment nor prior consultation with the Swedish DPA was executed. August 20, the Swedish DPA fined the school SEK 200,000 ($29,000 U.S.), its first fine under the EU General Data Protection Regulation, and issued a warning against further processing.
In its ruling, the Swedish DPA found that the school had violated the GDPR in three ways: violation of the fundamental principles of Article 5 by processing personal data in a more integrity invasive manner than necessary relative to the purpose (attendance), Article 9 by processing sensitive personal data (biometrical data) without legal basis, and Articles 35 and 36 by not fulfilling the requirements of data protection impact assessment and prior consultation.
The violation of Article 5: Purpose limitation and data minimization
Article 5 of the GDPR states that personal data shall be collected for specific, explicitly stated and legitimate purposes and not later used in a manner incompatible with these purposes (purpose limitation). In addition, personal data processed should be adequate, relevant and not too comprehensive in relation to the purposes of to which they are processed (data minimization). Recital 39 of the GDPR follows that personal data may be used only if the purpose of the processing cannot be achieved in a satisfactory way with other methods.
The Swedish DPA found that the processing concerned children who are dependent on the school board and that the processing took place in the children’s everyday environment. Even though the processing was fairly limited — few students were concerned and the time period short — the Swedish DPA stated that the use had posed a great intrusion of the students’ privacy. Further, registering attendance in class can be made in less intrusive ways, meaning that the use of facial recognition was disproportionate to the purpose.
The violation of Article 9: Sensitive data
Article 9 (1) of the GDPR constitutes a processing of biometric personal data to uniquely identify a natural person. The starting point is that it is prohibited to use such sensitive information. To process sensitive personal data, an exception to the prohibition under Article 9(2) of the GDPR must be applicable.
As stated above, the school board confirmed consent from the guardians was given in conjunction with the current processing. But, as previously stated, the Swedish DPA stressed the significant inequality of the relationship between the school board and the students and the fact that attendance records are a one-sided control measure. Hence, the Swedish DPA states that consent cannot be used as a legal basis, as consent cannot be considered voluntary. Consent is therefore not possible to use as an exception from the prohibition to use sensitive personal data in the case at hand. The Swedish DPA also stated that managing attendance records is an action and not necessary in the substantial public interest (if it was, it would be exempted from the said prohibition).
The violation of Articles 35 and 36: Data protection impact assessment and prior consultation
The school board had made some sort of a risk assessment, in which it claimed that the security and legal basis (consent and public interest) it had resulted in a decision that no high risks to the data subjects were at hand. However, no data protection impact assessment had been made. The Swedish DPA found that the school board's risk assessment lacked an assessment of the risks that exist for the data subjects’ rights and freedoms, as well as an account of the proportionality of the processing in relation to its purposes. Thus, the Article 35 requirements were not fulfilled.
It does not come as a surprise to the privacy professional that the case at hand is a school-book example of a situation where a DPIA is required before the initiation of the trial. Here, it should be noted that the capture has been done with camera surveillance, which is a systematic surveillance, including sensitive personal information about children in an environment in which they are dependent. Face recognition is also a new technology.
As of this writing, this case is the first GDPR fine in Sweden, and it truly stresses the fundamental importance of performing risk assessments and having an active stance in mitigating privacy risks.
Another point to reflect on is that this fine is set rather high. A fine of SEK 200,000 ($29,000 U.S.) may not seem strict; however, keep in mind that the maximum level of public sector fines has been limited to SEK 10 million (approx. $1.5 million U.S.). The fine at hand represents 2% of the maximum fine of SEK 10 million, which could imply that had the school been in the private sector, the fine would have amounted to at least SEK 4.3 million (approximately $626,000 U.S.) if the maximum amount had been 20 million euros. Had the Swedish DPA also looked into other potential violations (such as duty to inform or the level of security), the fine would most certainly have been even higher.
If you consider that the fine concerned only 22 students for a very limited period of three weeks and that the recipient is a tax-financed unit, the standard for fines is set quite high by the Swedish DPA for coming enforcement actions.