Sweden’s data protection (IMY) has fined the local police authority €250,000 (more than $300,000) for the unlawful use of Clearview AI, a controversial facial recognition software. The use of the software is in breach of the country’s Criminal Data Act.
As part of the enforcement, the police were ordered to conduct training and education sessions of the staff to avoid anything like this in the future. The processing of personal data needs to be handled a certain way, to stay within the rules and regulations.
The authority has also been ordered to inform people whose personal data was sent to Clearview AI.
IMY’s investigation found that the police had used the facial recognition service on several occasions and that several employees had deployed it without authorization. Earlier this month, Canadian privacy authorities discovered that Clearview had breached local laws.
The company collected photos of people to feed into its database, without getting the proper consent from the owners of the photos.
IMY concluded that the police did not fulfill its obligations as a data controller on several accounts and especially in the use of Clearview AI. The police failed to implement measures to demonstrate that personal data processing complied with the Criminal Data Act.
Some questions linger
The IMY said that there are clearly defined rules and regulations in how the Police Authority is supposed to process personal data, especially for law enforcement functions.
The fine was decided on, based on an overall assessment. The decision was made at the discretion of the IMY. The maximum fine for the violation the Police is accused of committing would be €1,000,000.
It is not clear why the police avoided the bigger fine but the watchdog has closed the matter.