mixmagic - stock.adobe.com

Sweden’s first GDPR fine sets regulatory tone

Secondary school fined for breaching General Data Protection Regulation, signalling the attitude of Sweden’s Data Protection Authority

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe: Deutsche Bank creates innovation division

Sweden has seen its first fine issued under the General Data Protection Regulation (GDPR), which was imposed on an upper secondary school, according to the country’s Data Protection Authority (DPA).

Some fear that the fine, of about SEK200,000 (£16,000), could make organisations more cautious about implementing of digital technologies, but there has been support for the DPA’s stance.

The school, Anderstorpsskolan in Skellefteå, used face recognition technology in a time-limited test to identify students attending classes. The school, in northern Sweden, carried out the test for a few weeks, tracking 22 students. The regulator found the school’s board to have violated GDPR law.

The DPA based the size of the fine primarily on the fact that the school comes under a local authority, and that the offence occurred while it was testing the tool for a limited period. Under the legislation, a fine, if appropriate, can be up to SEK10m.

The DPA ruled that biometrics is sensitive personal data, and it was not enough that the students’ parents had given their consent for the exercise.

The school board, comprising politicians from the local authority in Skellefteå, appealed against the fine, with support from the Swedish Association of Local Authorities and Regions (SKL).

The SKL said digitisation technologies need to be tested to find out more about them, including defining their limits, and that a school such as Anderstorpsskolan should not be fined.

But Sofia Edvardsen, partner at law firm Sharp Cookie Advisors, said the DPA’s motivation for its decision was correct. “I believe there are some important points to establish that can have a significant impact beyond the Swedish market,” she said.

The DPA said the school had failed to carry out a sufficient risk assessment before it began the face recognition trial. “It is interesting that the Swedish DPA seems to require that a risk assessment is made, compliant with the requirements of the Data Protection Impact Assessment,” said Edvardsen. “I had not expected such a strict interpretation of the accountability requirement.”

Peter Birgersson, partner at Deloitte, also said it was the right decision to fine the school. “The school cannot use consent as a basis for carrying out this processing of personal data, as the individuals in question have a dependency position as pupils in the school,” he said. “This also includes an aspect of biometric personal data, which is sensitive personal data and processing of it should be limited. We should also bear in mind that this is children’s personal data.”

Read more about GDPR

Birgersson added: “Attendance can be checked in many other ways, still using smart digital technology, but not necessarily based on biometric personal data. Instead, attendance can be registered by using something the student knows, such as a password, or by using a card. These can be changed if the student wants, but biometric data is something that you as a person will carry all your life. Biometric data cannot be changed.”

Birgersson said the DPA’s stance might be thought of as making digital development more difficult for organisations, but he does not agree. “Instead, I believe this helps organisations navigate how to drive digital development and what safeguards need to be taken in this work,” he said. “Digital development should not be hampered by this ruling – it should create a dialogue about how it is done best.”

Sweden’s first GDPR fine is an important landmark, setting the tone for the regulator’s approach to enforcing the legislation.

So far, the implementation of GDPR across Europe has been far from homogeneous – and it would be no surprise if large multinational companies factored in nations’ different stances on GDPR when deciding where to set up their headquarters.

In terms of fines, France has taken the hardest line, with CNIL, the French DPA, fining Google €50m, Bouygues Telecom €250,000, Uber €400,000, Dailymotion €50,000 and Optical Center €250,000.

European countries have demonstrated varying strategies on imposing penalties, and have set up different structures to implement the regulations. In Germany, for example, DPAs are organised on a state level – but there is also a separate DPA at federal level, with jurisdiction over telecom and postal service companies. The result is that Germany has 17 data protection authorities, rather than just one.

European countries also diverge in their interpretation of some of GDPR’s finer points. For example, Austria’s regulator ruled that all a data controller has to do in response to a request for data deletion is to remove individual references to that data.

Read more on Privacy and data protection

Data Center
Data Management