Facial recognition technologies from a Swedish data protection perspective

Technologies for facial recognition – capable of identifying and/or verifying a physical person automatically from a digital image or video – are developing at a fast pace and continue to emerge in the markets. Facial recognition technologies are normally based on the identifica-tion of certain facial features from an image and comparing it with images of faces collected in a database. The technologies available for facial recognition are many and the ways in which the technology can be used are countless.

When processing digital images or videos of a physical person, the processing may involve the processing of biometric data which, according to the main rule in the General Data Pro-tection Regulation (GDPR) is forbidden.  The specific provisions and exemptions on the pro-cessing of biometric data in the GDPR as well as national legislation must, therefore, be tak-en into consideration whilst adopting any facial recognition technologies. 

The Swedish Authority for Privacy Protection (IMY) has taken an active role in regulating facial recognition. A case concerning facial recognition technology was the first case to be fined by the Swedish IMY under the GDPR in August 2019. The Swedish IMY fined a munici-pality of approximately 20 000 Euro for using facial recognition technology to monitor the attendance of students in school. The Swedish IMY concluded that the use of facial recogni-tion via a camera entailed processing of personal data which was more intrusive with regard to personal integrity and more extensive than necessary to fulfill the purpose of monitoring student attendance. The Swedish IMY also concluded that there was no valid exemption from the prohibition on the processing of special categories of personal data. 

In October 2019, the Swedish IMY issued an opinion approving certain use of facial recogni-tion by the Swedish Police Authority for the purposes of carrying out its duty to investigate and prosecute crime. The Swedish IMY based its decision on that facial recognition technol-ogy can be significantly more effective for identifying criminals compared to manual analy-sis.

In June 2020, the Swedish IMY issued an opinion approving a facial recognition technology to be used in stores for analyzing visitor movement patterns. The image data from the sur-veillance camera were alleged by the company to have been anonymized and sent to a cloud service for carrying out analysis. The Swedish IMY has clarified that they do not com-ment on whether the technology described achieved an actual anonymization of data, but considered based on an overall assessment taking all the specific integrity-enhancing measures in the specific case in consideration, including that the accuracy of identifying a returning customer was as low as 50%, that an exemption from Article 9 of the GDPR was not considered necessary.  Instead, the legal basis outlined in Article 6.1(f) of the GDPR was considered sufficient for the processing of personal data.  In order to use this legal basis for processing, it is im-portant that the biometric data is properly anonymized and that the remaining data do not allow the unique identification or authentication of a natural person.

In December 2020, the Swedish Government legislated an amendment to the Swedish Al-iens Data Act to enable the Swedish Migration Agency, Swedish Police Authority and Swe-dish foreign authorities to process special categories of personal data (including through biometric data and facial recognition technology) within the field of immigration and citizen-ship for testing purposes which are strictly necessary and in accordance with the Swedish Aliens Data Act.  

As facial recognition technologies continue to emerge in the market, the Swedish IMY and other data protection authorities as well as governments throughout Europe are likely to intensify its regulating efforts. For more information on the Swedish position, or evaluation of planned use of facial recognition, please contact Setterwalls Data Privacy and Data Pro-tection team, which is ranked as a Tier 1 team in Sweden in the first edition of Legal500’s separate ranking.

^1. Article 9(1) of the GDPR (Regulation (EU) 2016/679).
^2. Please note that there are more directions, opinions and special regulations concerning the processing of biometric data for facial recognition that will not be presented herein.
^3. See the full decision issued by the Swedish Authority for Privacy Protection: https://www.imy.se/globalassets/dokument/beslut/beslut-ansiktsigenkannin….
^4. See the full prior consultation: https://www.imy.se/globalassets/dokument/ovrigt/2019-10-23-polisen-forha….
^5. The processing of photographs should not systematically be considered to be processing of special cate-gories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person, according to recital 51 of the GDPR (Regulation (EU) 2016/679).
^6. Reference number DI-2020-3670.
^7. See the full Swedish Aliens Data Act (2016:27): https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningss….
^8. See the full Swedish government bill: https://www.regeringen.se/4a66ed/contentassets/9bff0ac16e0149688a8031010….