Tag Archives: GDPR fine

Sweden issues first fine under GDPR for the use of facial recognition technology in a school

Previously on this blog, we discussed the UK Information Commissioner’s Office (ICO) investigation into the planned rollout of facial recognition software for a large site around King’s Cross in London. This investigation has renewed scrutiny of the technology among data protection observers, particularly in its relation to privacy rights.

Facial recognition technology for use in schools and on campuses has taken off in the United States and elsewhere, and there are even tech companies dedicated specifically to this section of the security industry. Amid understandable concerns of security at schools in the US, companies offer fairly comprehensive ‘biometric security platforms’ for schools, colleges and universities. Such services claim to identify unauthorised visitors, alert school personnel and secure campus events.

Despite the industry’s seemingly unstoppable uptake, Sweden’s Data Protection Authority (DPA) has issued its first monetary punitive measure to date for the use of this technology in a school. The DPA found a local authority to be in breach of the EU’s General Data Protection Regulation (GDPR), which the Swedish Riksdag adopted as the Data Protection Act in April last year.

The local authority, the Skellefteå municipality in the north, was trialling facial recognition on secondary school students for the purpose of tracking attendance. Pupils’ faces would be scanned and registered remotely as they entered the classroom. Consent from the parents of the twenty-two students who participated in the trial in autumn 2018 had been sought, but this was not deemed sufficient reason to collect the special category (biometric) data: the DPA saw no adequate reason for the municipality to process and control this sensitive and potentially risky data. The DPA took into consideration the students’ privacy expectations, as well as the fact that there are many less intrusive means of automating or economising on attendance tracking. As stated clearly by GDPR, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’

In February, the local authority had told SVT Nyheter, the state broadcaster, that teachers were spending 17,000 hours a year reporting attendance. That is how facial recognition came to the table as a time- and cost-effective replacement for human labour, as is so often the case with new technology.

Two high-profile GDPR fines for British Airways and Marriott International, Inc

The Information Commissioner’s Office (ICO) has released two statements this week declaring its intention to fine British Airways and Marriott International, Inc £183.39m and £99m respectively for breaches of the General Data Protection Regulation (GDPR). In both cases, which affect data subjects from countries across the world, the ICO was the lead supervisory authority acting on behalf of other EU Member State data protection authorities.

These punitive measures are provided for under the GDPR, and are the largest fines issued by the ICO to date. Both fines therefore break the former record, the £500,000 fine issued to Facebook last year for the social media giant’s role in the Cambridge Analytica scandal (which was in fact the maximum fine possible under the previous, much more lenient legislation, since much of the conduct had taken place prior to GDPR’s implementation).

These two warning shots are fines amounting to 1.5% of the respective company’s global turnover, out of a possible 4% provided for by GDPR. This leniency reflects the companies’ willingness to cooperate with the authority and make immediate improvements where possible. However, it is expected that the companies will appeal the decision.

Failure to protect their customers’ data due to negligent digital security was at the heart of the decisions. The ICO discovered that from June to September 2018, users of BA’s website were being diverted to a fraudulent site used to harvest data. Roughly 500,000 customers had their personal information compromised in this way. Arguably on an even greater scale, the hotel giant Marriott was found to be presiding over a system exposing 339 million guest records to the internet.

Due diligence is the central aspect of these decisions, linked to the principle of ‘accountability’ defined in the GDPR. In the case of BA, poor security arrangements on the website were responsible for the cyber attackers being able to harvest personal data relating to log-in details, payment cards, travel bookings, names and addresses. Similarly, Marriott had failed to pursue due diligence when the company acquired Starwood (a hotel chain), which had a vulnerability in its guest reservation database dating back to 2014.

Marriott’s CEO has emphasised the fact that their subsidiary was the victim of a cyberattack; indeed, the company itself notified data protection authorities of the breach. But as the Information Commissioner Elizabeth Denham has stated, “the GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

These decisions set a strong precedent, and will hopefully encourage companies to take greater responsibility for the personal data they hold. Being the victim of a cyberattack is not in itself an excuse: companies and organisations must demonstrate that they have attempted to take appropriate and robust security measures. The accountability principle as explained in the GDPR is very clear on this.

Harry Smithson, July 2019