Facial recognition technologies from a Swedish data protection perspective
When processing digital images or videos of a physical person, the processing may involve the processing of biometric data which, according to the main rule in the General Data Protection Regulation (GDPR) is forbidden1. The specific provisions and exemptions on the processing of biometric data in the GDPR as well as national legislation must, therefore, be taken into consideration whilst adopting any facial recognition technologies.2
The Swedish Data Protection Authority (DPA) has taken an active role in regulating facial recognition. A case concerning facial recognition technology was the first case to be fined by the Swedish DPA under the GDPR in August 2019. The Swedish DPA fined a municipality of approximately 20 000 Euro for using facial recognition technology to monitor the attendance of students in school. The Swedish DPA concluded that the use of facial recognition via a camera entailed processing of personal data which was more intrusive with regard to personal integrity and more extensive than necessary to fulfill the purpose of monitoring student attendance. The Swedish DPA also concluded that there was no valid exemption from the prohibition on the processing of special categories of personal data.3
In October 2019, the Swedish DPA issued an opinion approving certain use of facial recognition by the Swedish Police Authority for the purposes of carrying out its duty to investigate and prosecute crime. The Swedish DPA based its decision on that facial recognition technology can be significantly more effective for identifying criminals compared to manual analysis.4
In June 2020, the Swedish DPA issued an opinion approving a facial recognition technology to be used in stores for analyzing visitor movement patterns. The image data from the surveillance camera were anonymized and sent to a cloud service for carrying out analysis. As the analysis was carried out based on anonymized data, an exemption from Article 9 of the GDPR was not considered necessary.5 Instead, the legal basis outlined in Article 6.1(f) of the GDPR was considered sufficient for the processing of personal data.6 In order to use this legal basis for processing, it is important that the biometric data is properly anonymized and that the remaining data do not allow the unique identification or authentication of a natural person.
The Swedish Government has also proposed a new legislation to enable the Swedish Migration Agency, Swedish Police Authority and Swedish foreign authorities to process special categories of personal data (including through biometric data and facial recognition technology) within the field of immigration and citizenship for testing purposes which are strictly necessary and in accordance with the Swedish Aliens Data Act.7 The law is proposed to enter into force on 1 December 2020.8
As facial recognition technologies continue to emerge in the market, the Swedish DPA and other DPAs as well as governments throughout Europe are likely to intensify its regulating efforts. For more information on the Swedish position, or evaluation of planned use of facial recognition, please contact Setterwalls Data Privacy and Data Protection team, which is ranked as a Tier 1 team in Sweden in the first edition of Legal500's separate ranking.
1Article 9(1) of the GDPR (Regulation (EU) 2016/679).
2Please note that there are more directions, opinions and special regulations concerning the processing of biometric data for facial recognition that will not be presented herein.
3See the full decision issued by the Swedish Data Protection Authority: www.datainspektionen.se/globalassets/dokument/beslut/facial-recognition-used-to-monitor-the-attendance-of-students.pdf.
4See the full prior consultation: www.datainspektionen.se/globalassets/dokument/ovrigt/2019-10-23-polisen-forhandssamrad.pdf.
5The processing of photographs should not systematically be considered to be processing of special categories of per-sonal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person, according to recital 51 of the GDPR (Regulation (EU) 2016/679).
6Reference number DI-2020-3670.
7See the full Swedish Aliens Act (2005:716): www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/utlanningslag-2005716_sfs-2005-716.
8See the full Swedish government bill: www.regeringen.se/4a66ed/contentassets/9bff0ac16e0149688a80310101a4f4e8/Prop-202021-5.pdf.
Article provided by: Fredrik Roos & Linda Källström (Setterwalls, Sweden)
Dr. Tobias Höllwarth (Managing Director INPLP)