A school in northern Sweden experimented with facial recognition as a system to document student attendance, and the Swedish Data Protection Authority (DPA) fined the municipality 200,000 SEK (about $20,699) for violating the General Data Protection Regulation (GDPR). It’s the first time the country has been fined for violating the digital privacy violation, which began enforcement in May of last year.
The facial recognition pilot had been going on for three weeks and involved 22 students, according to a press release. The high school board claimed that the data was consensually collected, but the Swedish DPA found that it was still unlawful to gather and process the students’ biometric data “given the clear imbalance between the data subject and the controller,” the European Data Protection Board wrote on Thursday.
Ranja Bunni, a lawyer at the Swedish DPA who helped with the review of this violation, said that consent isn’t a valid legal argument since the students depend on the high school board. The agency pointed out in its release that there are alternatives to checking student attendance that aren’t as intimately invasive as a facial recognition system.
The agency determined that the high school board had violated several articles in the GDPR, including processing sensitive student data, a failure to conduct an adequate impact assessment, and a failure to consult with the DPA before deploying such a system.
Authorities in Sweden can be fined up to 10 million SEK (over $1 million) for violating the GDPR, so the high school board certainly got off without a wildly steep penalty. For instance, in France, Google was fined $56.8 million in January for its shady obfuscation of how it processes its users’ data.
The GDPR came into effect in May of last year, and it was enacted in order to better protect the digital privacy and rights of consumers, which is an especially precarious new legislation for massive tech companies famous for exploiting and misusing our data. The fine for the high school in Sweden, though, indicates the breadth of the privacy law, in that it not only serves as a watchdog over the most powerful companies in the world but also any public authority engaging in unethical data collection practices. And when facial recognition systems are being increasingly toyed with, even with students, it’s nice to see a regulation in place that calls out and punishes these unjust power imbalances.