26th August 2019 | by: Admin | Categories: News

£17,000 Fine Issued by Swedish Supervisory Authority for Processing Students’ Facial Recognition Data

The supervisory authority in Sweden, Datainspektionen, issued its 20-page written decision on 20 August 2019 regarding the unlawful processing of biometric data of 22 students over a period of three weeks. This is the first decision by the Swedish supervisory authority for a breach of GDPR. An administrative fine of 200,000 SEK was imposed, and the school also received a warning.
 
Datainspektionen found that the school had used facial recognition to monitor the attendance of students at a school in Skelleftea, in contradiction of GDPR, namely by breaching:
 
– article 5, by treating students’ personal data in a more invasive way, and by using more personal data than was necessary for the stated purposes, namely the monitoring of attendance;
– article 9, by treating special category personal data (namely biometric data) without having a lawful exception to the prohibition on processing special category personal data; and
– articles 35-36, by not completing a data protection impact assessment and failing to undertake prior consultation with the supervisory authority.
 
The supervisory authority therefore imposed an administrative fine on the school in the Skelleftea Council in accordance with articles 58 and 83 of GDPR, in the amount of 200,000 SEK (approx. £17,000). The school was also given a warning, in accordance with article 58.2, that the intended processing operations were likely to infringe the provisions of GDPR.
 
The matter was brought to the attention of Datainspektionen through local media, who reported that trials were being conducted at the school to use facial recognition in order to monitor the attendance of the 22 students of one of the classes at the school for a period of three weeks. The purpose of the investigation was to determine whether the processing of personal data through the use of facial recognition for the purpose of monitoring attendance was in accordance with the provisions of GDPR. The school was of the opinion that it would be an easier and more effective way to monitor the attendance of students at classes at the school and that this method, according to estimates, would save 17,280 hours of work per year for the school as a whole. The students were filmed by a camera as they entered their classrooms. The pictures were then compared with the pre-recorded images of the students’ faces, together with their first names and surnames. These details had been stored on a local database at the school, which was kept in a locked cupboard. Explicit consent had been obtained from the students’ guardians, and it was made clear that there was an option to refuse to provide the personal data and biometric data.
 
In its decision, Datainspektionen pointed to recital 43 which states that “[i]n order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of a specific situation”.
 
Datainspektionen went on to state that this meant that whether consent had been given freely would be determined not only by whether consent had been given, but also by the relationship between the data subject and the data controller. It noted that the scope for voluntary consent between a public authority and a data subject was limited. It went on to state that in the context of a student and a school, which would be making decisions on, for example, grades and therefore the future of the student with regard to further studies and work, students (and/or their guardians) were not able to provide such free consent. It also highlighted that this was a case involving children and that each individual circumstance would be different, depending on the school and the age of the child. For example, it accepted that in principle a guardian could give consent for school photographs to be taken, but that this was distinguishable from this type of processing.
 
The school further argued that the processing was in accordance with article 6.1(e), namely that it was necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds that it had to report on absences to the Central studiemedelsnamnden (which can be translated as the central study board). There are various Swedish statutory provisions requiring schools to report on students’ unauthorised absences from school. Whilst Datainspektionen accepted that there was a legal obligation to collect this data regarding attendance at school, it did not accept that this authorised the school to process special category personal data, as in this case.
 
Datainspektionen also considered whether the exemption under Article 9(2)(g) applied, namely that “…processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”, but found that it did not.
 
With regards to the justification of the fine, Datainspektionen gave consideration to the circumstances of the breach when deciding the amount, in accordance with article 83. Particular consideration was given to:
 
– article 83.2(a) – the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
 
– article 83.2(b) – the intentional or negligent character of the infringement;
 
– article 83.2(g) – the categories of personal data affected by the infringement;
 
– article 83.2(h) – the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; and
 
– article 83.2(k) – any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
 
Datainspektionen was of the opinion that a number of articles had been breached and considered this serious, justifying a higher fine. Further consideration was given to the fact that the breach concerned children and special category personal data, both of which were aggravating features. It was also noted that Datainspektionen only became aware of the matter through the media, rather than from the school itself.
 
The school has been advised that it can appeal against the decision in writing within three weeks from the date of the decision.
 
It will be interesting to see what happens regarding the lawfulness – or otherwise – of the processing of facial recognition data, such as recently reported in the media regarding Kings Cross, given the much wider scale of that processing in terms of both duration and quantity.
 
This article has been written based on the written decision of Datainspektionen, which is available in Swedish, at https://www.datainspektionen.se/globalassets/dokument/beslut/beslut-ansiktsigenkanning-for-narvarokontroll-av-elever-dnr-di-2019-2221.pdf. It does not necessarily reflect the views and opinions of Ordered Co Ltd.