Polismyndigheten – €220,000 Fine (Sweden, 2021)

Through information in the media the Swedish DPA became aware that the Swedish Police Authority were using the controversial app Clearview AI for law enforcement and investigation purposes. Clearview AI is an app in which the user can upload images and through facial recognition find out if the person depicted on the image exists in other images in Clearview AI's extensive database, which is made up of three billion images scraped from social media sites and webpages. Following the news, the DPA initiated an investigation against the Police. The investigation concludes that Cleaview AI has been used by the Police on a number of occasions. According to the Police a few employees have used the application without any prior authorisation. The DPA highlights that the Police: *Failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data was carried out in compliance with the Criminal Data Act *Unlawfully processed biometric data for facial recognition *Failed to conduct a data protection impact assessment (DPIA) which this case of processing would require Did the Swedish Police Authority violate the Criminal Data Act when using the Clearview AI app? The DPA found that the Swedish Police Authority had not fulfilled it’s obligations with regards to the appropriate technical and organisational measures that should be fulfilled to ensure compliance with the Criminal Data Act (CDA). Even though the employees had used the app without an explicit recommendation from the employer, the employer is still considered responsible for the use of the app and as being the data controller. Since the data that was processed in Clearview AI was biometric data, i.e. sensitive, and also regulated by the public access and secrecy act the breach is to be considered severe. The DPA held that the Police must: *Pay a fine of SEK 2 500 000 *Implement sufficient training and organisational measures as per Chapter 3 § 2 CDA *