The Swedish Authority for Privacy Protection (IMY) has found that the Swedish Police Authority processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals. An IMY investigation concluded that
Cleaview AI has been used by the Police on a number of occasions without any prior authorisation. IMY concluded that the Police didn't fulfil its obligations as a data controller on a number of accounts with regards to the use of Clearview AI. The
Police has failed to implement sufficient organisational measures to ensure and be able to demonstrate that the processing of personal data in this case has been carried out in compliance with the Criminal Data Act. When using Clearview AI the Police has
unlawfully processed biometric data for facial recognition as well as having failed to conduct a data protection impact assessment which this case of processing would require. IMY fined the police SEK 2,500,000 (approximately euro 250,000). IMY also
ordered the Police to conduct further training and education of its employees in order to avoid any future processing of personal data in breach of data protection rules and regulations. In addition the Police were ordered to inform the data subjects,
whose data has been disclosed to Clearview AI, when confidentiality rules so allows. Finally the Police are ordered to ensure, to the extent possible, that any personal data transferred to Clearview AI is erased. |