Sweden’s First GDPR Fine Goes to a High School

Slowly but surely all of the EU member states introduced their first GDPR fines. The next one in line is Sweden.

The case took place in the northern part of Sweden, where a school introduced an experimental system using facial recognition to document student attendance. As a result, the Swedish Data Protection Authority (DPA) fined the municipality 200,000 SEK (about £16,800) for violating the General Data Protection Regulation (GDPR).

This is the first fine issued in the country since the introduction of the GDPR last May.

According to a press release, the facial recognition pilot had been going on for three weeks and involved 22 students. The high school board claimed that the data was consensually collected, but the Swedish DPA found that it was still unlawful to gather and process the students’ biometric data “given the clear imbalance between the data subject and the controller,” the European Data Protection Board wrote last Thursday.

At the same time, the position of the Swedish DPA was that consent isn’t a valid legal argument since the students depend on the high school board. The agency pointed out in its release that there are alternatives to checking student attendance that aren’t as intimately invasive as a facial recognition system.

The agency determined that the high school board had violated several articles in the GDPR, including processing sensitive student data, a failure to conduct an adequate impact assessment, and a failure to consult with the DPA before deploying such a system.

Authorities in Sweden can be fined up to 10 million SEK (£839,000) for violating the GDPR, so the high school board certainly got off without a wildly steep penalty. For instance, in France, Google was fined $56.8 million (£47 million) in January for its shady obfuscation of how it processes its users’ data.