A local education authority in Skellefteå, a city in northern Sweden, has been fined over $20,560 (SEK 200,000) by the Swedish Data Protection Authority after it was caught trialling facial recognition technology to monitor the attendance of high-school students.
In its pilot program, Anderstorp High School in Skellefteå tracked 22 students over the course of three weeks, recording every time they entered a classroom.
Before embarking on the test mission, it admittedly obtained the permission of the students themselves, as well as their parents. However, the Swedish Data Protection Authority (DPA) concluded that the program still violated several articles of the General Data Protection Regulation (GDPR), an EU privacy regulation, imposing a fine on the municipality for the illegal collection of data.
“The High School Board in Skellefteå has violated several of the provisions of the Data Protection Regulation, which is why we're now issuing a penalty fee,” DPA Director General Lena Lindgren Schelin said in a statement.
The agency concluded that facial recognition technology interfered with the integrity and privacy of the students, and stressed that there are less intrusive ways to monitor attendance, including those that do not involve camera surveillance.
“Facial recognition technology is in its infancy, but development is fast. We therefore see a great need to create clarity about what applies to all actors,” Lena Lindgren Schelin explained.
Felicia Lundmark of the High School Board at Skellefteå municipality emphasised that the idea was to evaluate the future of artificial intelligence for attendance control, not only in Skellefteå, but the whole of Sweden.
Jörgen Malm, the headmaster of Anderstorp High School, voiced his surprise at the fine.
“The outcome is not good. Also, it's an interesting decision because it's a big question how we should handle information and how IT shall be developed in a school environment,” Malm told national broadcaster SVT, assuring that the school has been “incredibly accurate” in handling the students' data, which was later deleted.
Harry, one of the students involved in the experiment, said that the fines were “unjust”.
The size of the fine was set at SEK 200,000, influenced, among other things, by the fact that the perceived violation occurred for a limited period of time only. Authorities can receive a maximum of SEK 10 million ($1,03 million) in fees for failing to comply with the regulation.
This is the first time that Sweden has ever issued a fine under the GDPR, which came into effect last year in a bid to strengthen personal data and privacy protection for private individuals, including facial images.