Why Sweden's First GDPR Fine Should Not Put Organisations Off Facial Recognition
It was recently announced that the Swedish Data Protection Agency (DPA) has issued its first ever fine under GDPR. The fine, which is the equivalent of almost £17,000, was given to Skelleftea local authority for trialling facial recognition as a way to monitor high-school attendance.
Teachers in Sweden spend around 17,000 hours a year keeping track of student attendance at school. Unsurprisingly therefore local government was keen to see whether new technology could assist with the onerous task freeing up more teacher time for education and pastoral care.
The trial by Skelleftea Municiplality tracked 22 students at Anderstorp’s High School over a three week period and recorded when each pupil entered a classroom. The trial was so successful that it published the results in the local media and fully expected to extend the programme. However, although the school secured parents’ consent to monitor the students, the regulator did not feel that it was a legally adequate reason to collect such sensitive personal data.
The regulator noted that although some parts of the school could be deemed to be “public”, students had a certain expectation of privacy when they entered a classroom.
It said there were less intrusive ways that their attendance could have been detected without involving camera surveillance.
As a result, the DPA found that Skelleftea’s local authority had unlawfully processed sensitive biometric data, as well as failing to complete an adequate impact assessment, which would have included consulting the regulator and gaining prior approval before starting the trial.
GDPR has been implemented for good reason and its purpose is to protect the personal information of the public. Here it could be reasoned that the facial recognition was an invasion of privacy in that it is being used for monitoring purposes and the DPA was right to implement a fine. However, it is unfortunate that the authority did not consult with the DPA as innovation is being penalised. Facial recognition is an incredibly powerful tool that is already being proven to significantly enhance the customer experience, when used lawfully. For instance the use of biometrics in airports is speeding up immigration by around 50 per cent. The use of the technology in self service restaurants is a big hit in China and certainly iPhoneX owners enjoy the ease of interacting with their apps by simply looking at the camera.
What is clear is that like any emerging technology, facial recognition has its pitfalls. But this does not mean that organisations should shy away from it – quite the opposite. However, as this case shows it is crucial to work with data experts and consult with relevant data protection authorities to ensure that the activity is considered GDPR compliant.