Facial Recognition Use Triggers GDPR Fine
Sweden Issues Penalty After School Tests the Technology
Sweden's Data Protection Authority has issued its first fine for violations of the European Union’s General Data Protection Regulation after a school launched a facial recognition pilot program to track students' attendance without proper consent.
The country's privacy authority issued a fine of 200,000 Swedish Krona ($20,700) to the municipality where the unnamed school is located for violating several of the privacy and biometrics provisions of GDPR, according to the European Data Protection Board. The municipality could have faced a €1 million ($1.1 million) penalty under GDPR, according to the privacy board.
The unidentified high school in Skellefteå, a northern region in Sweden, tested the facial recognition and artificial intelligence system on 22 students between September and December of 201 for three weeks in an attempt to track the students' attendance, Computer Sweden reports.
The school’s facial recognition system violated parts of GDPR that outline various privacy protections for European citizens, according to the European Data Protection Board. The school’s use of the technology was an unlawful processing of sensitive biometric data under GDPR. Another violation was the failure of the municipality to properly notify Sweden's Data Protection Authority about the pilot program, the board says.
"The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA," the board notes.
An Issue of Consent
Although municipal officials argued that the pilot program at the school was started with the students' consent, a spokesperson for the Swedish Data Protection Authority tells Information Security Media Group that the consent was not legally valid because "there is a clear imbalance between the data subject (the pupil) and the controller (the municipality)."
The spokesperson added that the authority is waiting to hear if the municipality will appeal the fine.
GDPR categorizes facial recognition data as sensitive personal data that requires additional protection. The European Union also says the law restricts the processing of biometric data without proper legal clearances and consent from European residents.
Facial Recognition as a Privacy Issue
The GDPR fine in Sweden comes at a time when the use of facial recognition technology, as well as the use of artificial intelligence, is raising privacy concerns worldwide.
One of the biggest threats associated with facial recognition data is identity theft, which is a direct violation of GDPR. Some of the other challenges include data harvesting, unauthorized tracking and misuse of data for credential stealing by threat actors (see: Facial Recognition: Big Trouble With Big Data Biometrics).
The U.K.'s Information Commissioner's Office recently launched an investigation of a British company that’s using facial recognition technology to scan pedestrians' faces near a train station in London (see: Use of Facial Recognition Stirs Controversy).
Last year, Microsoft President Brad Smith wrote a blog post calling for the U.S. Congress to regulate facial recognition technology.
"Facial recognition will require the public and private sectors alike to step up - and to act," Smith wrote. "We believe Congress should create a bipartisan expert commission to assess the best way to regulate the use of facial recognition technology in the United States."
Recently, Vermont Sen. Bernie Sanders, a candidate for president, called for a ban on the use of facial recognition technology by law enforcement agencies. Meanwhile, local governments in Oakland and San Francisco have stopped local police from using the technology.
Tracking GDPR Fines
Among other recent GDPR fines, in July, the U.K.'s ICO levied a fine of £164 million ($125 million) against hotel giant Marriott for its failure to properly disclose a data breach (see: Marriott Faces $125 Million GDPR Fine Over Mega-Breach).
In another case, British privacy authorities issued a "notice of intent" to fine British Airways £184 million ($230 million) for inadequate security checks after a breach that affected nearly 500,000 customers (see: British Airways Faces Record-Setting $230 Million GDPR Fine).