The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the administrative fine in the amount of EUR 250 000 applied by Swedish Authority for Privacy Protection to Police Authority, for unlawfully use of application Clearview AI for facial recognition in order to identify people.
The investigation carried out by Swedish Authority for Privacy Protection concluded that Clearview AI has been used by a few employees without any prior authorisation. The Police Authority has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act, unlawfully processing biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require. There are clearly defined rules and regulations on how the Police Authority may process personal data and it is the responsibility of the Police Authority to ensure that employees are aware of those rules.
Furthermore, to the fine mentioned above, Police Authority will conduct further training and education of its employees in order to avoid any future unlawfully processing of personal data. In addition, will inform the data subjects, whose data has been disclosed to Clearview AI, when confidentiality rules so allows. Finally, the Police Authority will ensure, to the extent possible, that any personal data transferred to Clearview AI is erased.
The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.