Swedish GDPR Fine Highlights Legal Challenges in Use of Biometrics

A small fine of $20,000 in Sweden highlights a potential problem for the use of biometrics in security throughout Europe, including at American firms with offices in Europe.


In late August 2019, the Swedish data protection regulator issued its first-ever fine under the General Data Protection Regulation (GDPR). The fine was for 200,000 Swedish krona, which is just over $20,700.


The action was brought against the Skelleftea municipality, where a local school had run a trial facial biometric recognition system to track 22 students for a period of three weeks. The school had obtained the consent of both the students and their parents, and the trial was intended to improve school administration. The trial was a success, and the school had planned to expand the trial before the regulator stepped in and blocked it.


The regulator's decision was that the consent obtained did not satisfy GDPR consent requirements. According to the European Data Protection Board's commentary on the incident, "consent was not a valid legal basis given the clear imbalance between the data subject [the students] and the controller [the school]." The wider question for business and security is whether this same 'imbalance' also exists between employee and employer. 


It appears that it does, which makes the required use of biometrics for authentication and access potentially problematic throughout Europe: biometric data is defined as personal data and, in fact, as a 'special category' of personal data. This would also apply to the European offices of American companies.


"The data protection authorities in various EU countries," explains David Flint, a commercial law consultant at the Inksters law firm, "including the UK, have determined that the use of consent as a basis for lawful processing of personal data will not be sufficient in an employment situation (or indeed i ..
