Some people are gloating over the “First Fine under GDPR in Sweden” where a school has been fined 200,000 euros for testing Face recognition technology for attendance monitoring.
This move deserves unequivocal condemnation and probably is an example of how regulators should not function. It actually appears like the Swedish DPA having scored its first victim who was a soft target just to show that it has the power.
According to one expert,
“The school cannot use consent as a basis for carrying out this processing of personal data, as the individuals in question have a dependency position as pupils in the school,”
While the legal point of ” Undue influence” is well recognized, this also extends to many other situations including employers taking consent from employees.
This decision is a landmark no doubt on how GDPR is used to harass uses of technology.
Even if the authority was unhappy that the school did not consult them with a DPIA before “Testing” the software, it would have been reasonable if the School had been warned and given a nominal fine of One Euro.
Then public would have appreciated the gesture and the intention of warning others.
It is possible that the school may be rich enough to bear the fine but the principle of treating an educational institution with a heavy fine for testing technology is unacceptable. If this becomes a precedence, every organization needs to take prior legal opinion before any operational decision on implementation of technology. Many technology implementation projects would hit a roadblock. This is not good for the future of technology.
I wish this order is over turned as excessive application of regulatory power.