Facial Recognition Technology Creates a Fine Mess in Sweden
Student attendance is an issue in Sweden. A 2015 report by the Organisation for Economic Co-operation and Development (OECD) found Sweden to have “one of the largest proportions of students who arrive late for school among OECD countries.”
Schools in the nation’s capital have struggled to get students to show up at all. A 2016 study of 58 schools in Stockholm, found a third of students (33.5%) admitted to playing truant for at least one day during the current academic year.
A new attendance problem came to light this week when a school in the northern municipality of Skellefteå was fined by the Swedish Data Protection Authority (DPA) for trialing facial recognition technology on its students without valid consent.
In a project dubbed Future Classroom, Anderstorp High School teamed up with Nordic software and services company Tieto to test automatic student registration using tags, smartphone apps and facial recognition technology over a three-week period in the last quarter of 2018.
The aim of the project, which involved 22 students, was to give back to teachers at the high school the 17,280 hours they spend each year registering students in lessons.
The Swedish DPA issued Skellefteå municipality with the country’s first GDPR violation fine after concluding that the project violated articles 5, 9, 35 and 36. The amount was set at 200,000 SKr (approximately $20,000) out of a maximum 10,000,000 SKr that can be imposed on public authorities under Swedish law.
Consent was obtained from students who participated in the project, however the Swedish DPA found that a consensual agreement could not have a valid legal basis “given the clear imbalance between the data subject and the controller.”
Tommy Lindmark, IT strategist for Skellefteå municipality, told Infosecurity Magazine: “I was surprised by the [DPA’s] decision and think that our work has been very well done. But the issue is sensitive in Sweden and legislation and technological development are not keeping pace.
“I hope that we can get law and technology to work together so that we can make the public sector more efficient.”
The fact that the DPA only learned about the Future Classroom project after it was covered by Swedish national TV was a deciding factor in determining how steep the fine should be.
Jenny Bård, legal advisor to the Swedish DPA, told Infosecurity Magazine that working in the school’s favor was the fact that the test had only involved 22 pupils for a short time.
“On the other end,” said Bård, “there has been a disproportionate registration lacking legal ground, and the municipality (controller of the public school) has not enough considered the high risks related to the test.
“Children have been registered with special categories of data. And the information has reached the DPA only through media. The amount has in this case been considered to be effective, proportionate and dissuasive.”
The DPA fine has not quashed efforts to introduce automatic student registration into Skellefteå’s schools.
Lindmark said: “We have a clear consent and right now we are thinking about how to proceed. The question is what does consent mean? To be continued.”
Tieto project manager Fredrika Ling said: “Tieto is now analyzing this situation together with the municipality. It is important to create a good environment with clear frameworks for this type of projects for the future to enable innovation and use of latest technologies for better services.”