Sweden

Privacy Culture

Sweden was one of the first countries in the world to enact comprehensive regulation on the protection of personal data, doing so in 1973. Back then, the main concern was the relationship between the government and citizens rather than the relationship between the private sector and citizens. This is reflected in the initial Swedish legislation, which primarily regulated the processing of personal data by the government, possibly because only a handful of companies possessed computers at the time. According to the Eurobarometer Survey on Data Protection issued by the European Commission, 31% of Swedish citizens feel they have no control at all over the information they provide online, which is in line with the European average.

Legal History

The first Swedish legislation regulating data protection (the Data Act) was enacted in 1973. In 1998 Sweden transposed into its legal framework the EU Data Protection Directive 95/46/EC with the Personal Data Act (Personuppgiftslagen or 'PDA').

Other notable acts regulating data privacy & protection:

Constitution of Sweden (1974) - guarantees the right to protection of personal data. 2010 amendments to the Constitution ensure that every individual is protected against intrusions by public authorities on his or her personal integrity where the individual has not consented to such intrusion and it involves surveillance or monitoring of the individual. In general, such protection applies to both Swedish citizens and foreigners.
Electronic Communications Act (2003) (Lag om elektronisk kommunikation or 'ECA') - partially transposed EU Directive 2002/58 and constitutes lex specialis to the PDA.
Debt Recovery Act (Inkassolagen (1974:182)) - stipulates that anyone who collects debts on behalf of another, or who has purchased debts for collection, must, with a few exceptions, have a permit from the Data Inspection Board.
Credit Information Act (Kreditupplysningslagen (1973:1173)) - its primary purpose is to protect individuals' privacy with respect to credit information. The Act stipulates that credit information concerning an individual can only be disclosed if there is a legitimate reason for disclosure.
Patients' Personal Data Act (Patientdatalag (2008:355)) - regulates the processing of personal data in the healthcare sector.
The Camera Surveillance Act (Kameraövervakningslag (2013:460)) - applies to video surveillance of public areas.
The Marketing Act (Marknadsföringslag (SFS 2008:486)) - applies to marketing activities by legal entities, including unsolicited electronic commercial communications (for example, spam).

Enforcement and Court Action

Sweden has two main data protection agencies. Under the PDA, the Data Inspection Board (Datainspektionen or 'DIB') is the supervisory authority responsible for enforcement of the PDA. The Swedish Post and Telecom Authority (Post- och telestyrelsen or 'SPTA') is responsible for compliance with the ECA.

The DIB monitors compliance and issues administrative sanctions to ensure enforcement of the PDA. It has the power to conduct its own investigations and to respond to complaints. In order to fulfil its statutory duties, the DIB has the authority to access the personal data processed, information about the processor and the documentation of the processing. In addition, the DIB can enter premises that are connected to the processing of data. The DIB also issues non-binding general guidance on the PDA, for example on what constitutes a violation of a person's personal integrity. Nevertheless, the DIB is not entitled to demand that information contravening the PDA be erased; it only has the power to submit a request to an administrative court to issue a decision ordering the removal of such information. When the DIB is not able to readily determine whether the information is used in a lawful manner, it can require the information holder to retain and store the information and can issue injunctions. Decisions by the DIB are sanctioned with an administrative fine. Again, the DIB has no authority to enforce the administrative fine itself and has to seek a court order requiring its payment.

The SPTA processes complaints, conducts inspections, and monitors compliance with the ECA. However, the SPTA deals more frequently with issues of free competition, pricing, and access to the Internet, rather than matters relating to Internet security and privacy. 

Criminal offences under the PDA can be prosecuted only by the Prosecution Authority. Depending on the severity of the crime, the PDA provides for sanctions ranging from a fine up to two years of imprisonment. The Swedish Penal Code sets out fines of up to a hundred Euros. In addition, a violation of personal integrity caused by the processing of personal data may require the data controller to pay damages to the registered person.

Corporate Risk

Although the DIB has the power to impose penalties, in 2014 no fines were issued. Moreover, there were no court sentences that resulted in fines, imprisonment or damages. In most cases the DIB issued remarks and injunctions.

However, there is no official limit set in relation to fines beyond the guidance that they need to be proportionate and objective with regard to the intent of the offender. The maximum potential conditional fine that the DIB is empowered to impose by virtue of the PDA and the Swedish Penal Code may be up to 15,000 EUR.

Future Outlook

In 2015, Swedish authorities focused on the healthcare sector and cloud services. In particular, the DIB encourages companies and organisations to carry out privacy impact assessments when taking significant business decisions. This approach is triggered by considerable growth in online health and fitness services, which can lead to increased sharing and storing of users' health information and to the use of open source code in apps and services.

The DIB encourages authorities, companies and organisations to build data protection and privacy into the design of their data processing systems and to update their existing policy documents so that they aid compliance with data protection and privacy law. Under the current law it is only recommended, not mandatory, to appoint a Personal Data Representative ('PDR'), a role similar to a Data Protection Officer. According to the DIB there are currently only 4,400 PDRs appointed by 7,100 businesses in Sweden. In order to assist entities with this process, the DIB has recently published a checklist for IT projects and guidance notes on privacy by design.

As a member of the European Union, Sweden will be bound by the General Data Protection Regulation (GDPR) from 25 May 2018 onwards, when the GDPR becomes applicable. The introduction of a more stringent regime under the GDPR is likely to cause friction in Sweden, where the DIB has historically taken a more light-handed approach. But on the same day the GDPR documents were published in the EU Official Journal, the DIB, which has a reputation for being a pragmatic data protection authority, issued a set of documents which aim to clarify any conflict between national laws and regulations and the GDPR. The key GDPR issues mentioned in the documents are:
The removal of the exception for personal data processed in an unstructured form;
The introduction of a mandatory DPO; and
The provisions around breach notification.


Sources

1. PricewaterhouseCoopers Legal LLP, Privacy and Security Enforcement Tracker, March 2015, http://pwc.blogs.com/data_protection/2015/03/enforcement-tracker-download-here.html

2. Mattias Lindberg, The International Comparative Legal Guide to Data Protection 2015, Sweden - Data Protection 2015, 13/05/2015, http://www.iclg.co.uk/practice-areas/data-protection/data-protection-2015/sweden

3. European Commission, Eurobarometer Survey on Data Protection, 28/02/2015 - 09/03/2015, http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_se_en.pdf

4. Practical Law, Data protection in Sweden: overview, http://uk.practicallaw.com/8-502-0348

5. DataGuidance, Global Privacy Enforcement Report 2015, Cecile Park Publishing Ltd.

6. DAC Beachcroft, Sweden - Swedish DPA issues guidance for GDPR compliance, http://www.lexology.com/library/detail.aspx?g=2ba59faa-8c7d-4655-9c74-9399fb3d6c11



Data Privacy Recruitment Ltd.

All rights reserved. All opinions expressed are to be treated strictly as guidance and not as legal advice.

September 2016
London, United Kingdom