(Apr. 6, 2021) On February 10, 2021, the Swedish Authority for Privacy Protection (IMY, Integrationsmyndigheten, formerly Datainspektionen) issued a decision whereby it fined the Swedish Police Authority 2.5 million Swedish kronor (about US$296,000) for violating the Crime Data Act (Brottsdatalagen) by using the facial recognition application Clearview AI.
The artificial intelligence application was used intermittently from the fall of 2019 until March 3, 2020, by employees at the Swedish Police to locate victims and perpetrators of crimes, including child sex crimes, by using facial recognition.
The IMY found that this novel use of artificial intelligence in data processing violated several provisions in the Crime Data Act. (Crime Data Act 2 ch. 12 §; 3 ch. 2 §; 3 ch. 7 § 1 para.) The act specifically states that “[b]iometric information and genetic information may be processed only if they are specifically used for and absolutely necessary for the purpose of processing them.” (2 ch. 12 §.) The authority must also “through necessary technical and organizational measures ensure, and be able to prove, that the processing of the personal information is legal and that the registered person’s rights are protected.” (3 ch. 2 §.)
The use of new technology to process personal data is subject to additional safeguard requirements. According to the Crime Data Act, changes in how personal data is treated, including the use of new types of processes, require that the data processor investigate the consequences of the use on the protection of personal information. Moreover, if there are increased risks of infringement of the registered person’s protected rights, the authority using the information must first consult the IMY before the new process may be adopted. The IMY found that the legality of the use of Clearview AI had not been sufficiently addressed by the Police Authority before the application was used and that the IMY had not been consulted as required. In its decision, the IMY further argued that the use of artificial intelligence in this case was unlikely to meet the necessity requirement under the law. (3 ch. 7 §.)
In addition to sanctioning the Police Authority with a monetary fine, the IMY also required the authority to educate its employees, by September 15, 2021, on how personal data may be processed and to provide the IMY with proof that the authority has a system for treating personal data that complies with current law. The Police Authority must also inform persons whose data have been provided to Clearview AI and ensure that Clearview AI deletes any information acquired from the Swedish Police stored on the app.