TOPICS: Data Protection, Children's Privacy, Facial Recognition, GDPR, Sweden
The Swedish Data Protection Authority ("Swedish DPA") has decided to fine a school in northern Sweden for using facial recognition technologies in order to keep track of students' attendance at school.
The Skelleftea high school launched a pilot program at the end of 2018 to track the attendance of its students using facial recognition technology. The pilot included 22 students over a period of three weeks and aimed to detect when each student had entered and left the classroom. The information was stored on a local computer without an internet connection, kept in a locked cabinet.
Prior to the pilot's deployment, the school obtained consent from its students and their parents, but the Swedish DPA considered such consent to be invalid. Given that there is a clear imbalance between the students and the school staff, and that students are afforded a certain expectation of privacy when they enter the classroom, consent cannot be used as an exception to the prohibition on using sensitive personal data in this case.
The Swedish DPA also pointed out that, despite the school's claims that this procedure would save 17,280 hours of work each year, there are less intrusive ways for the school to detect attendance, without involving camera surveillance. Finally, the Swedish DPA found that no Data Protection Impact Assessment ("DPIA") had been made, which means that the school board's risk assessment process lacked the required assessment of the risks
proportionality of the processing in relation to its purposes.
In this scenario, the Swedish DPA found that the school had violated the GDPR in three ways: (i) violation of the fundamental principles of Article 5 by processing personal data in a manner which was more invasive than necessary relative to the purpose; (ii) violation of Article 9 by processing sensitive personal data (biometric data) without a valid legal basis; and (iii) violation of Articles 35 and 36 by not fulfilling the requirements of data protection impact assessment and prior consultation (in this context, you may find our practical DPIA guide to be of assistance).
Similarly, the Chinese government also announced this month that it plans to curb and regulate the use of facial recognition technology and other apps in schools, following a similar Chinese pilot project to monitor the attendance and behavior of students in class. The topic of facial recognition has been widely discussed in China this month, on account of the controversy caused by Zao, a face-swapping app that could be used to defraud facial recognition technologies. In our previous newsletter, we reported that San Francisco recently banned local
This update was published as part of our Technology & Regulation monthly client update.