Skellefteå School Penalized by DPA for Using Facial Recognition Technology

The first financial penalty for a violation of the General Data Protection Regulation (GDPR) in Sweden was issued by the Swedish Data Protection Authority (DPA) to a high school in Skellefteå. The fine of 200,000 SEK (about €19,000/$21,000) was imposed for a pilot study in which facial recognition technology was used to monitor student attendance. With the help of the IT company Tieto, the school installed CCTV cameras and used facial recognition to track the attendance of 22 students. The monitoring took place in the latter part of 2018 and lasted three weeks.

The goal of the pilot study was to find out whether the traditional roll call in class could be replaced with facial recognition technology. Swedish law requires a roll call at the start of each class, and this administrative task takes time away from teaching.

According to Tieto, marking class attendance costs teachers 17,280 hours per year, the equivalent of 10 full-time positions.

The school conducted the study with good intentions, but the DPA ruled against it and found that it violated several GDPR articles. The GDPR is intended to protect the privacy of EU residents by giving them far more control over how their personal data is used and shared.

The DPA concluded that the school had processed the students' biometric data unlawfully and had failed to carry out an adequate data protection impact assessment. Facial recognition data is biometric data, which the GDPR treats as a special category of personal data requiring stronger protection than ordinary personal data. The school also did not consult the DPA before starting the pilot study.

Although the school claims to have obtained the students' consent before the pilot study, the DPA held that this consent was not valid, given the clear imbalance of power between the data subject (the student) and the controller (the municipality).

The DPA could have issued a considerably larger fine: under the Swedish rules implementing the GDPR, a public authority can be fined up to 10 million SEK (about €1 million/$1.1 million). The GDPR's general ceiling for private organisations is higher still.