News




No biometric surveillance for Italian students during exams

In September 2021 the Italian Data Protection Authority (DPA) fined Luigi Bocconi University €200 000 for using Respondus, a proctoring software, without sufficiently informing students of the processing of their personal data and, among other violations, for processing their biometric data without a legal basis. Bocconi is a private University based in Milan and during the COVID-19 pandemic introduced Respondus tools to monitor students during remote exams. 


Respondus offers two different modules: Lockdown browser and Respondus Monitor. The former prevents a student from using their computer as usual, meaning that the person for example cannot open other programs. Respondus Monitor checks that the person in front of the screen is the one that should be taking the exam, in order to prevent someone else from replacing the student or passing notes. To do this, the software uses algorithms that analyse the biometric data of the person’s face in order to confirm their presence and it also records keystrokes, mouse movements and the duration of the exam. After processing the data, the software sends the professor a report showing the student’s image for identification purposes and alerts of any anomalies, with details on the reason for the alert. 

The University initially tried to walk back from what they stated in their own privacy policy, claiming that no biometric data was processed given that the only identification happening was the one concerning the initial picture taken by the software and used by an operator (in this case the professor) to confirm the identity of the student. Something that didn’t match the real functioning of the system. In fact, in their decision, the DPA says that Respondus declared that their software creates a biometric template to monitor the presence of the same person in front of the screen throughout the exam. For this reason, the “software performs a specific technical processing of a physical characteristic of the persons,” says the DPA and, currently, in Italy there is no legal provision expressly authorising the processing of biometric data for the purposes of verifying the regularity of exams. The DPA highlights also that, considering that the processing was carried out by the University for the purpose of issuing degrees with legal value and the specific imbalance in the position of students with respect to the University, consent does not constitute the legal basis of the processing nor can it be considered as freely given. 

In addition, the DPA considers the functionalities of the ‘Respondus Monitor’ component as a “partially automated processing operation for the analysis of the behaviour of the data subjects, in relation to the subsequent assessment by the teacher,” and this “gives rise to the ‘profiling’ of the students.”

This processing of personal data, according to the DPA, may have an impact on the emotional and psychological sphere of the persons concerned which “may also derive from the specific functionalities of the supervision system, such as, in this case, facial recognition and behavioural profiling, with possible repercussions on the accuracy of the anomalies detected by the algorithm and therefore, indirectly, also on the overall outcome of the test.” 

Laptop and book, both open

Bocconi is not the only Italian University using proctoring software. In June 2020 in Italy there were at least ten Universities using (or planning to use) similar tools such as Proctorio, ProctorExam, and Safe Exam Browser. This Authority’s decision would prohibit other Italian Universities from using software similar to Respondus that collect and process students’ biometric data.

Despite this push back on student monitoring, this decision also reminds us that biometric surveillance is increasingly expanding into every sphere of our lives and the only solution is to call for a ban on these technologies.

Contribution by: Laura Carrer, Research and Advocacy at Digital Rights Unit, Hermes Center & Riccardo Coluccini, Reclaim Your Face national campaign contributor.



ReclaimYourFace is a movement led by civil society organisations across Europe:

Access Now ARTICLE19 Bits of Freedom CCC Defesa dos Direitos Digitais (D3) Digitalcourage Digitale Gesellschaft CH Digitale Gesellschaft DE Državljan D EDRi Electronic Frontier Finland epicenter.works Hermes Center for Transparency and Digital Human Rights Homo Digitalis IT-Political Association of Denmark IuRe La Quadrature du Net Liberties Metamorphosis Foundation Panoptykon Foundation Privacy International SHARE Foundation
In collaboration with our campaign partners:

AlgorithmWatch AlgorithmWatch/CH All Out Amnesty International Anna Elbe Aquilenet Associazione Luca Coscioni Ban Facial Recognition Europe Big Brother Watch Certi Diritti Chaos Computer Club Lëtzebuerg (C3L) CILD D64 Danes je nov dan Datapanik Digitale Freiheit DPO Innovation Electronic Frontier Norway European Center for Not-for-profit Law (ECNL) European Digital Society Eumans Football Supporters Europe Fundación Secretariado Gitano (FSG) Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung Germanwatch German acm chapter Gesellschaft Fur Informatik (German Informatics Society) GONG Hellenic Association of Data Protection and Privacy Hellenic League for Human Rights info.nodes irish council for civil liberties JEF, Young European Federalists Kameras Stoppen Ligue des droits de L'Homme (FR) Ligue des Droits Humains (BE) LOAD e.V. Ministry of Privacy Privacy first logo Privacy Lx Privacy Network Projetto Winston Smith Reporters United Saplinq Science for Democracy Selbstbestimmt.Digital STRALI Stop Wapenhandel The Good Lobby Italia UNI-Europa Unsurv Vrijbit Wikimedia FR Xnet


Reclaim Your Face is also supported by:

Jusos Piratenpartei DE Pirátská Strana

MEP Patrick Breyer, Germany, Greens/EFA
MEP Marcel Kolaja, Czechia, Greens/EFA
MEP Anne-Sophie Pelletier, France, The Left
MEP Kateřina Konečná, Czechia, The Left



Should your organisation be here, too?
Here's how you can get involved.
If you're an individual rather than an organisation, or your organisation type isn't covered in the partnering document, please get in touch with us directly.