Swedish DPA: Police unlawfully used facial recognition app

Feb 11, 2021

Source: European Data Protection Board

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals.

Upon news in the media of the Swedish Police Authority using the application Clearview AI for facial recognition the Swedish Authority for Privacy Protection (IMY) initiated an investigation against the Police.

The investigation concludes that Cleaview AI has been used by the Police on a number of occasions. According to the Police a few employees have used the application without any prior authorisation.

IMY concludes that the Police has not fulfilled its obligations as a data controller on a number of accounts with regards to the use of Clearview AI. The Police has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act. When using Clearview AI the Police has unlawfully processed biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require.

There are clearly defined rules and regulations on how the Police Authority may process personal data, especially for law enforcement purposes. It is the responsibility of the Police to ensure that employees are aware of those rules, says Elena Mazzotti Pallard, legal advisor at IMY.

IMY imposes an administrative fine of SEK 2,500,000 (approximately EUR 250,000) on the Police Authority for infringements of the Criminal Data Act. IMY also orders the Police to conduct further training and education of its employees in order to avoid any future processing of personal data in breach of data protection rules and regulations.

In addition, the Police are ordered to inform the data subjects, whose data has been disclosed to Clearview AI, when confidentiality rules so allows. Finally, the Police are ordered to ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.

To read IMY’s decision (in Swedish), click here.

For further information, please contact:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

CSC elects 2nd Deputy Coordinator

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from...

read more