Swedish DPA: Police unlawfully used facial recognition app

Feb 11, 2021

Source: European Data Protection Board

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals.

Upon news in the media of the Swedish Police Authority using the application Clearview AI for facial recognition the Swedish Authority for Privacy Protection (IMY) initiated an investigation against the Police.

The investigation concludes that Cleaview AI has been used by the Police on a number of occasions. According to the Police a few employees have used the application without any prior authorisation.

IMY concludes that the Police has not fulfilled its obligations as a data controller on a number of accounts with regards to the use of Clearview AI. The Police has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act. When using Clearview AI the Police has unlawfully processed biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require.

There are clearly defined rules and regulations on how the Police Authority may process personal data, especially for law enforcement purposes. It is the responsibility of the Police to ensure that employees are aware of those rules, says Elena Mazzotti Pallard, legal advisor at IMY.

IMY imposes an administrative fine of SEK 2,500,000 (approximately EUR 250,000) on the Police Authority for infringements of the Criminal Data Act. IMY also orders the Police to conduct further training and education of its employees in order to avoid any future processing of personal data in breach of data protection rules and regulations.

In addition, the Police are ordered to inform the data subjects, whose data has been disclosed to Clearview AI, when confidentiality rules so allows. Finally, the Police are ordered to ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.

To read IMY’s decision (in Swedish), click here.

For further information, please contact:

Legal Advisor Elena Mazzotti Pallard : +46-8-657 61 72
Press Office: +46-8-515 15 415

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

← Norwegian DPA issues fine to Gveik AS Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A., →

Recent news

EDPB Annual Report 2023: Safeguarding individuals’ digital rights

Apr 22, 2024

The EDPB has launched its 2023 Annual Report. The report provides an overview of the work carried out by the EDPB in the previous year and reflects on important milestones, such as the election of Anu Talus as EDPB Chair; the adoption of two binding decisions and one...

EDPB sets out priorities for 2024-2027 and clarifies implementation DPF redress mechanisms

Apr 18, 2024

Brussels, 18 April - During its latest plenary, the EDPB adopted its strategy for 2024-2027. The strategy sets out the EDPB’s priorities, grouped around four pillars, as well as key actions per pillar to help achieve these objectives. These four pillars are: Pillar 1...

EDPB: ‘Consent or Pay’ models should offer real choice

Apr 17, 2024

Brussels, 17 April - During its latest plenary, the EDPB adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA). The Opinion addresses the validity of consent to process personal data for the...