Swedish school fined over ‘roll call’ facial recognition, but consent was the cause

A municipality in the north of Sweden has been fined over its use of facial recognition technology to monitor student attendance. But the fine illustrates a part of Europe’s new privacy laws regarding the power of an organization gaining consent from the user.  

The municipality of Skellefteå, a town located about 700km north of Sweden’s capital, Stockholm, was last week fined over a facial recognition test involving 22 students at the Anderstorps high school over three weeks in December 2018.

Skellefteå’s school board had gained consent of the students to participate in the biometrics ‘roll call’ trial as well the consent of the students’ parents. But how the test was carried out still fell afoul of Europe’s General Data Protection Regulation (GDPR) in the view of Sweden’s Data Protection Authority (DPA), as reported by IDG Sweden.   

Despite the school gaining student consent, the DPA issued a fine of 200,000 Swedish Kronor (AUD$30,300) — the first penalty it’s issued under Europe’s GDPR, which came into effect in May 2018. The maximum fine the municipality could have faced under GDPR is 10 million SEK or about 1 million euros.  

In the US, facial recognition has been trialled at schools in the context of mass shootings to detect individuals who have been banned from a school.  

In Sweden, it's about paperwork. As with the recently halted facial recognition 'roll call' tests in Victorian schools, the Swedish municipality was assessing whether the technology could help cut administrative costs and alleviate teachers of paperwork related to checking student attendance. 

Skellefteå municipality claims that school staff spend more than 17,000 hours annually on checking attendance that could be better spent on educating students. It wanted to reduce roll call costs by using tags, phone apps and facial recognition. 

But Sweden’s DPA said the high school board in Skellefteå violated “several” GDPR rules, noting that biometric data needs extra protection because of its sensitive nature. 

Biometrics itself was not the key problem, but rather that the GDPR rules around validly gaining consent for sensitive information like biometrics. 

The watchdog explained that the school board can’t use a student’s consent in this case because there is an imbalance of power between the student and the school board. This impacts the legal grounds organizations can claim for processing user data after gaining consent.

As per the UK’s DPA, GDPR aims to ensure consent is freely given with the rule that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller.”     

The DPA decided the school’s use of facial recognition software actually meant camera surveillance of students in their everyday environment and that there were other ways to check student attendance that don’t violate students’ privacy as much.   

Skellefteå municipality said it was “humbled” by the DPA’s decision and highlighted how it protected student biometric data. For example, it claims it stored student biometric data on a computer that was not connected to any network and that anonymized data was only ever transferred from a USB flash drive inserted tp that computer by one of the project’s participants.