The ruling is in Swedish, but to summarise the school was using facial recognition on its students. Facial recognition is biometric data, hence sensitive (special categories of data in the GDPR). They used consent as the legal basis but this was considered as unlawful due to the imbalance of relationship between the controller (school) and the data subject (student of 16+ yrs). Basically the student had no choice.
But there is more. The Swedish data protection authority based their decision on the following:
Art 5 – personal data collected was intrusive and more was collected that was needed for the purpose
Art 9 – the school did not have a legal exception to handle sensitive data. It is forbidden to collect sensitive data unless this is the case.
Art 35-36 – seems that a DPIA was not done.
What does this mean to other schools or even any public or private entity looking to use intrusive biometrics? Do a data protection impact assessment (DPIA), from here you will be able to get a clean picture on the potential risk of harm to the rights and freedoms of the data subject.
For me personally and professionally, I’m just happy that China’s big brother approach has been nipped in the bud here in Sweden 🙂
And you have a chance to do something to stop the indiscriminate surveillance practices used by the U.S. government agencies. It seems that the Act that was created in a single month has one part that is being abused and this is section 215. To find out more check here.
Stop 215 (video)
Even if you are not living in the United States, or you are not American, you can still do something. You know that government intelligent agencies all over the world are sharing your personal information with NSA. We are all a part of this mass surveillance program. I sent out some pre-defined Twitters from my virtual shadows handle. Find the ones I used here.
Seems that the email service that Edward Snowden recommended as actually protecting your privacy in the US is being forced to share all data and subsequently shut down! The owner and operator of the service, Ladar Levison, has been gagged. Reading between the lines, it looks like he will move his services outside of the US.
His advice is don’t share any of your data on US servers! Read more in infosecurity.
Interesting TEDx talk from 2012 on surveillance (thanks Dave Eddey down under ;-)). What Christopher Soghoian basically says is that you are being watched. Internet companies hang on to our personal information for as long as is practicable. When they receive a request from government requesting information on users, they have no choice but to comply. There is a couple of the Internet companies that have tried to inform users of these orders, one of these was Twitter. Want more info? Then grab a coffee and take 5 😀
I thought given the wire-tapping excitement going on now, that I’d post some of the practices going on world-wide that maybe you are not aware of, all excepts from Virtual Shadows (2009), so there could be some updates since, I haven’t checked. If there are updates it will surely include social media as per USA with PRISM.
Many of the international laws on wiretapping date back to a series of seminars hosted by the FBI in the United States in 1993 at its research facility in Quantico, Virginia, called the International Law Enforcement Telecommunications Seminar (ILETS) together with representatives from Canada, Hong Kong, Australia and the EU. The product of these meetings was the adoption of an international standard called the International Requirements for Interception that possessed similar characteristics to CALEA from the United States. In 1995 the Council of the European Union approved a secret resolution adopting the ILETS. Following its adoption and without revealing the role of the FBI in developing the standard, many countries have adopted laws to this effect. Following adoption of the standard the European Union and the United States offered a Memorandum of Understanding (MoU) for other countries to sign to commit to the standards. All participating countries were encouraged to adopt the standards so it was natural that international standards organisations, such as the International Telecommunications Union (ITU) and the European Telecommunication Standardization Institute (ETSI), would adopt the standards.
Adoption of wire-tapping laws
Australia was one of the first countries to sign the MoU along with Canada. In Australia the Telecommunications Act expects the telecommunications operators to proactively assist law enforcement by providing an interception capability.
In the UK RIPA requires that telecommunications operators maintain a ‘reasonable interception capability’ in their systems and be able to provide on notice certain ‘traffic data’.
In the Netherlands all ISPs have to have the capability to intercept all traffic with a court order and maintain users’ logs for three months.
In New Zealand the Telecommunications (Interception Capabilities) Act 2004 obliges telecommunications companies and ISPs to intercept phone calls and emails on the request of the police and security services.
In Switzerland ISPs are required to take all necessary measures to allow for the interception of mail and telecommunications.
In June 2008 Sweden’s parliament approved controversial new laws (FRA-lagen) allowing authorities to spy on cross-border email and telephone traffic. The Swedish press claim that this will make Sweden the most surveyed country in Europe. This wiretapping law enables the intelligence authorities to ‘listen’ to all traffic, Hotmail, MSN, SMS etc., across Sweden’s borders. The law becomes effective at the end of 2009. Given Sweden’s stance on human rights the passing of this law is quite remarkable. It was following some pretty heated dis- cussions in parliament that the law was passed on a very fine majority (47 against and 52 for). The argument for tapping of international lines is ‘terrorism’. Of course any ‘terrorists’ will encrypt their communications and there is nothing that the Swedish authorities can do about this. Of course one can always monitor ‘traffic patterns’ on identified suspect com- munication which can be as revealing as the communications’ contents themselves in certain situations. However the use of the contents of such communications in a court of law will be impossible without the decryption key and they cannot obtain this unless there is a law enacted similar to the RIPA in the UK, which forces the key-holder to give the encryption or decryption key to the authorities on request and if they refuse they can be convicted for concealing evidence.
There was also a telecommunications driven incentive in 2008 called Phorm. I have not checked out the present status in 2013.
Neither Microsoft or Facebook support this bill. Imagine that everything you post on FB to be available for government authorities? Fine if you trust them I suppose, but I don’t.
Why is not crowdsourcing used more in the fight against terrorism? Transparency and the power of the people, of whom most want a safe society could provide an all encompassing safetynet. Crowdsourcing for example is starting to be used to locate missing persons and children, it is very powerful. There are so many people out there that can make a positive difference to this broken world we live in.