This post is also available in: Español

Under the General Data Protection Regulation (GDPR), on August 20, 2019 the Swedish data protection authority imposed the first fine in Europe for the use of facial recognition technology, understood as a type of biometric identification that uses physiological traits to verify the identity of individuals.

Specifically, the Swedish authority imposed a fine for 200,000 Swedish Krona (almost 20,000 euros) on a secondary school for using a facial recognition software to control attendance of 22 students for three weeks. The use of the software was part of a pilot project that would allow the school to save many hours of work thanks to the automatic tracking of attendance.

The face of an individual is biometric data that allows unequivocal identification, but whose processing is prohibited under the literal wording of article 9 of the GDPR, barring the existence of any of the exceptions it provides. Although in this case the school had obtained the explicit consent of the students’ legal guardians and allowed those who did not wish to participate in the trial to refrain, the Swedish authority considered that the use of this technology had breached the GDPR in three different ways.

  • In the first place, it confirmed that the measure implemented in the school entailed a major encroachment on student privacy and, specifically, that the use of a facial recognition system was disproportionate in terms of the objective sought, which was none other than controlling class attendance.
  • In the second place, the Swedish authority considered that the processing of biometric data lacked legal basis. It upheld that (i) the consent obtained could not be considered voluntary because of the unequal position between the school and the students, and that (ii) the improved management of attendance records could not be considered a measure necessary for fundamental public interest, so it was not a sufficiently legitimate basis to justify this processing.
  • Lastly, the Swedish authority emphasized that the school had failed to make any impact assessment relative to data protection, and it had not consulted the corresponding data protection authority in advance.

The fine under analysis is a pioneer in this area in the European territory, although there are already several related investigations by other authorities on record.

Will the fine from the Swedish authority open the door to subsequent proceedings based on the improper use of a technology whose use is already globally widespread? Without the need to delve any further, in countries like Spain, this technology already allows withdrawing cash from several ATMs without having to enter a PIN number, opening bank accounts, attending events and concerts and monitoring the flow of people in airports and bus stations.

In any event, the fine imposed in Sweden places emphasis not just on the importance of performing impact assessments, but also on the need to mitigate, to the greatest extent possible, any risks to privacy that may arise from the use of disruptive technologies.

This post is also available in: Español


483 artículos

Blog de Cuatrecasas, uno de los referentes en la abogacía de negocios en España y Portugal. Representamos a algunas de las principales empresas cotizadas de ambos países y asesoramos a nuestros clientes en operaciones estratégicas, así como a inversores extranjeros interesados en el mercado ibérico