The Swedish Authority for Privacy Protection (IMY) has found that the police have been in breach of the country’s Criminal Data Act when using the facial recognition services provided by Clearview AI to identify individuals. According to the IMY, the police have failed to implement sufficient organisational measures to ensure and demonstrate that the processing of personal data has been carried out in compliance with the law. In its use of Clearview AI, the police have unlawfully processed biometric data for facial recognition and have failed to conduct a data protection impact assessment required for such processing. IMY has imposed an administrative fine of approximately €250 000 on the police and ordered them to conduct further training and education of employees to avoid future processing of personal data in breach of data protection rules and regulations. The police were also ordered to inform the data subjects whose data has been disclosed to Clearview AI (when confidentiality rules allow) and to ensure that personal data transferred to Clearview AI is erased.