TMT 2019 Comparisons

Last Updated June 13, 2019

Law and Practice

Author



Affärsadvokaterna i Sverige AB is a modern firm focused on commercial law and offers advice on strategic agreements, IT law, dispute resolutions, procurements and privacy law issues. Its clients are found in a variety of industry sectors, including medical/healthcare, transportation and logistics, IT, security and safety, the car industry and staffing. Affärsadvokaterna has extensive experience of the TMT sector and provides ongoing advice in national and international projects, mainly with regard to the outsourcing and digitalisation of business processes, IT, artificial intelligence and robotics, contact centres, payroll and invoicing processes, facility management, financial services, purchasing and third-party logistics. In addition, the firm advises clients on a range of outsourcing and IT-related disputes. In recent years Affärsadvokaterna has handled arguably the most legally complicated IT projects in Sweden and some of the most innovative digitalisation projects within the healthcare sector (such as apps and web-based programs for leading private healthcare providers in Sweden).

In general, there are no specific laws or regulations in relation to cloud services. The use of cloud services is mainly regulated by standard contracts. However, cloud services, and the use thereof, falls within the scope of the general legal framework.

There is often an international aspect to the use of cloud services, since the cloud service providers may be established in another country than the user. This might entail jurisdictional issues, which may have unanticipated consequences for the careless user. Because of these uncertainties regarding jurisdiction, cloud service agreements regularly entail a clause defining the applicable law.

The principle of openness (offentlighetsprincipen) is a fundamental in Sweden and this right has great impact upon the use of cloud services. Hence, the use of cloud services from outside Sweden by government bodies is therefore very much in focus with the main question being if there is a possibility of using cloud services that are geographically located outside Sweden. The principle of openness and the rules set out in the Public Access to Information and Secrecy Act may therefore restrict or prevent government bodies from using cloud services from outside Sweden. In the aftermath of the Swedish scandal with Transportstyrelsen (see 5 Challenges with IT Service Agreements, below) the discussions have been many as to the answer to the question of the lawfulness of government bodies using cloud services that are geographically located outside Sweden. It is often argued that it is possible for a government body to use services outside that are geographically located outside Sweden if the information is treated with confidentiality and with secrecy within the service provider. However, it is important for the government body to make an early assessment by legal expertise on a case-by-case basis.

It is noteworthy that even if it is the Parliamentary Ombudsmen (JO), that are appointed to ensure that public authorities and their staff comply with the laws and other statutes governing their actions, the Parliamentary Ombudsmen have only rendered one decision that can provide guidance. The decision concerned a medtech company and hence sensitive patient information but the principles may be applied to other industries (such as Fintech or Insurtech). In the decision from the Parliamentary Ombudsmen it was vital that the confidentiality undertakings of the employees of the service provider was general and not personal undertakings. It is therefore of outmost importance that the whole process and data flow is analysed and that all legal documents are reviewed by experts in the field.

There are no specific regulations in regards to the use of cloud services within certain industries. However, some regulated industries have higher requirements regarding information security and/or specific rules and requirements regarding outsourcing (eg, the finance- and the healthcare industry). As described above and since it can be argued that the legislation in some aspects is unclear, a debate is going on as to whether public authorities and other public entities, that are subject to strict rules regarding confidentiality, may use cloud services, since the use of cloud services may imply a breach of confidentiality.

There are three main challenges when it comes to processing of personal data in cloud services. All three can be ascribed to the controller’s control over the processing activities.

The first is that it can be difficult to know where the processing actually takes place – ie, where the server on which the personal data is stored is located geographically as well as from which places the cloud service provider – but also to some extent the controller can access the personal data using remote connection. This is important because both storage and access are defined as processing activities in the General Data Protection Regulation ((EU) 2016/679) (the GDPR) and the rule of thumb in the GDPR is that personal data should be processed within the European Union or the European Economic Area.

Second, the GDPR prescribes that the controller shall implement appropriate technical and organisational security measures to ensure, for example, confidentiality, accessibility and resilience in the treatment systems. Since cloud service providers regularly do not allow their users to provide specific instructions and/or requirements on how the information security of the service should be built up, the controller have to trust the cloud service provider in this regard.

The third challenge is that the controller must make sure that only authorised employees can access the personal data. Since all access to personal data, that is stored in cloud services, is done via remote connection, it can be difficult to control who has access to the personal data.

Currently, there are no Swedish legislation initiatives relating to direct blockchain technology. It is considered that the existing laws and general principles are sufficient, which in some aspects creates uncertainty. In addition, such an uncertainty creates a clear advantage to the new entrepreneurs and businesses having counsels that have experience in the field.

In 2016 Sweden was one of the first countries in the world to launch a project on developing the national land registry on blockchain and there are currently many exciting block chain projects developing in Sweden. Especially in the financial sector, and especially within Fintech, Swedish entrepreneurs and businesses are at the forefront in using the blockchain technology. Hence, financial institutes are now showing specific interests in blockchain technology since the usage of blockchain technology in the banking industry will most probably make the industry more competitive since blockchain can be used to bring transparency and effectiveness to the financial markets. As a result, most of the major banks are engaged in different projects involving the new blockchain technology.

The risk to all participants in a blockchain trade in case of a systemic issue with a blockchain could be material if, for example, trades are not settled or are settled incorrectly. For example, the risk to customers of a systemic issue with trading-related infrastructure such as blockchain could be material if trades are not settled or are settled incorrectly. Hence, the allocation and attribution of risk and liability in regards to a blockchain service that is defect must be given careful consideration. These considerations must include considerations at all levels, and for all the participants. Hence, the terms and conditions (T&Cs) for all participants must be given careful thought.

Blockchain poses various risks as a consequence of the technology and manner of operations. However, the legal considerations, even if they are complex, are handled within the same legal framework as they have been done historically. Hence, considerations must be taken in the T&Cs of the fact that it is not possible to control and stop a public blockchain. A private blockchain may have that possibility and it is therefore likely, even if it has not yet been tested in court, that it will be considered that this will be sufficient to trigger a liability of the company managing the platform.

At a very early stage in the projects involving blockchain technology, the blockchain vendor must determine its strategy in regards intellectual property rights. This applies not only to the intellectual property of the blockchain technology itself but also to the underlying data provided by the users.

The same considerations apply as other development projects. Hence, the general trend is that open source is becoming more and more common since Swedish entrepreneurs and businesses, especially within Fintech, tend to realise that technology will have to be shared in order for value to be gained. 

In blockchain technology data that is stored cannot, as the main rule, be altered. As a consequence, if the blockchain and the data include personal data (or even patient information) this will have clear data privacy implications. Hence, the developers of the blockchain are in considering the privacy of design, weighing the personal integrity versus transparency. This is especially the case within the financial and healthcare sectors which in Sweden have special legal requirements in regard to the handling of personal data and patient information and therefore there are many complex associated compliance issues. In practice, it is therefore complicated to validate both the security as well as the data privacy and not many Swedish compliance practitioners are used to working with the data privacy- related questions that arise in blockchain projects.

At the moment a service provider is very risk-aversive. The balance of performance risk is therefore very much present at the moment. The service levels of the service provider are of course dependent upon the service delivery model of the service provider but depending on the reward, the risk is set accordingly. Hence, the services are provided with very limited service levels and excluding warranties regarding performance of the services. However, for users who are utilising the service as part of their business, this is not sufficient resulting in lengthy negotiations with regards to the balance of performance risk.

Since the core of the blockchain technology is that the nodes on a blockchain may be located anywhere in the world, a number of complex jurisdictional issues arise. It may also be difficult to determine where a breach or failure occurred. The two main issues are what law shall be applied and which courts will handle a dispute.

In consideration thereof, it is therefore of upmost importance to include an exclusive governing law and jurisdiction clause in the T&Cs.

Smart technology has been one of the key elements in the development of the digitalisation trend and is changing the respective industry for many businesses. For example, the usage of smart technology, such as big data, machine learning and AI, is becoming more common, especially within the healthcare sector and within the financial industry.

Within the healthcare industry the leading companies are entering into strategic agreements providing for machine learning and AI. The strategic agreements and the use of big health data are normally supporting clinical decision-making and actions as well as making it possible to prioritising administrative tasks. This trend further reinforces the need for flexible and dynamic agreements where all parties have the opportunity to continually increase their business benefit and their competitiveness. The new strategic agreements in regard to machine learning and AI are therefore highly flexible agreements with a focus on mutual benefit and transparency taking into account the rapid developments within the industry.

As a result of not only the high focus and attention that privacy law issues have had and the implementation of GDPR but also the general digitalisation trend (including the use of machine learning and AI), a number of procurement legal issues have been in focus early in the procurement process. Among these issues has been how and where the personal data will be processed. The privacy issues in the strategic agreements are therefore currently in much focus. Even under a public procurement a contracting entity has the possibility to raise more demanding requirements than what is set out under, for example, GDPR as long as the requirements do not contradict general legal principles. Hence, the contracting entity is faced with challenges in regards to how its internal privacy law policies and privacy documentation shall be drafted and implemented and documented in order for the entity to follow the procurement principles of proportionality and non-discrimination. It is therefore, for example, important to carefully assess and draft the reasoning and purpose behind the terms for the processing of the personal data and IT security. 

This trend of having a need to early in the procurement process detect procurement legal issues in relation to the processing of personal data and IT security will continue and the public contracting entities that have not identified these legal issues within public procurements are likely to be subject to procurement review and possibly lengthy litigations following.

There is currently no legislation in Sweden specifically targeting AI, which means the legal challenges relating to liability, insurance and intellectual property will have to be resolved within the existing legal frameworks and on a contractual basis. There is however consensus among most political parties that some sort of specific regulation of the area of AI should be adopted. Sweden will follow closely initiatives regarding AI put forward on a European Union level.

When contemplating a project with connected devices there are quite a few restrictions that will affect an Internet of things (IoT) project’s scope. The digitalisation trend is ongoing and with the large amount of data collected through IoT systems a provider will get access to a large amount of information in regard to individuals and organisations. Hence, the two main restrictions are related to security and privacy risks and challenges.

These risks and challenges are present in IoT projects since, in an IoT setting, devices are located everywhere and hence exposed to theft, malicious damage and intrusion. An IoT project with connected devices must therefore take into account that malicious hackers can use the increased physical accessibility of devices to find more vulnerabilities in IoT systems.

In a traditional IT project, servers and workstations will be protected in server rooms and offices. Hence, cyberattacks have therefore up until now mainly threatened information systems, computer networks and personal computers. However, in an IoT project, the security risks must be escalated to an even higher standard.

In addition, since an IoT project can have a number of connected devices, the amount of gathered and accumulated information will normally be very large. Some of that information will be sensitive personal data or even patient information. Even if sensitive personal data might be removed or protected by anonymisation when the data is dispersed, a huge combination of seemingly non-sensitive data and information from different devices can create a unique identifier which may result in privacy breaches. Furthermore, one additional challenge of data privacy in IoT projects is that the data collection process is more passive, which results in that a user of a device is less aware of whether and when the user is being tracked. As a result of the development some providers will have access to an increasing amount of personal data and are therefore able to depict a more complete picture of an individual’s activities (eg, geodata, visited websites, purchased products, etc). The information may sometimes be combined with other personal data to create a more comprehensive profile and the information is often used within e-commerce and targeted advertising. Hence, an IoT project must in an early stage see how the risks may be reduced and how the provider may be transparent in how the information will be used. As a consequence, an IoT project must be aware and take into account legal expertise that have experience in privacy by design in sensitive IoT projects. An additional legal challenge of IoT is the fact that it often defies the traditional controller-processor relationship leading to situations of joint controllerships and questions of who has what rights to the data.

The following principles are therefore recommended to be acknowledged at an early stage in an IoT project:

  • Data minimisation: Prevent privacy risks in a proactive manner by systematically minimising the amount of collected and processed data.
  • Informed consent: Terms are presented in an understandable, relevant and transparent way, which gives the user the ability to choose not to share certain information.
  • Transparency: Provide users with insight into how their data is treated and used.
  • Verifiable preventive protection: Prevent threats by security measures whose effectiveness are verifiable.
  • Possibility to withdraw consent: Offer the users the possibility to conveniently withdraw their consent and remove the shared information.

Projects within IoT have been promoted in Sweden during the past years. 'IoT Sweden' is a national initiative to make Sweden a leading force in the usage of Internet of Things and a strategic programme funded by Swedish government agencies Vinnova, Swedish Energy Agency and Formas. The programme finances innovative projects within IoT, and cooperates with companies and academia.

Even if there are no general legal regulations entering into an IT service agreement with a Swedish entity there are quite a few main challenges encountered by organisations entering into an IT service agreement with a Swedish entity.

Transactions in the public sector are subject to mandatory public procurement legislation; namely, the Public Procurement Act (Lagen om offentlig upphandling) and the Public Procurement Act within the Supply Sectors (Lagen om upphandling inom försörjningssektorerna). The Swedish Competition Authority (Konkurrensverket) is the supervisory authority of these sectors and the regulator on public procurement. Violation of the public procurement rules can turn out to be very expensive for the public procurer, with lengthy litigations following.

There are regulatory restrictions in Sweden regarding information sensitive for the nation’s security. Such security-classed information should not be part of cross-border transactions, where such information risks ending up with foreign powers. Violations of these restrictions may lead to criminal charges for responsible people.

An example of such a violation in Sweden, which turned into a national scandal, was when the Swedish Transport Agency (Transportstyrelsen) in 2015 outsourced its IT functions to IBM. IBM decided to run the outsourced IT functions in the Eastern European countries. The Swedish Transport Agency manages information on every vehicle in Sweden including police vehicles, military vehicles, corporate vehicles and private individuals’ vehicles. Security-classed information - in particular, personal data regarding individuals with a driver’s licence, such as Swedish military defence pilots, agents of the Swedish security service, etc - was transferred to IBM under the outsourcing agreement. When the violation became publicly known during the summer of 2017, the director general of the Swedish Transport Agency was dismissed from her job and got severely fined.

Regulatory restrictions regarding information security are also provided by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap). However, these regulations are to be interpreted as recommendations rather than regulations. According to the regulation it is recommended that the customer is given ample opportunity to examine how the service provider manages data security in the IT service agreement.

One not so obvious regulatory restriction that should be addressed is the regulation regarding unfair competition. The purpose of this is to ensure that IT service agreements that may give rise to anti-competitive effects are examined under the rules prohibiting anti-competitive agreements.

An IT service agreement must also comply with the rules regulating risk of abuse regarding dominant position. However, abuse of dominant position can only be applicable if the supplier occupies a dominant position and after negotiations attaches conditions to the agreement that are considered abusive. In no case can the conclusion of an IT service agreement be considered an abuse of a dominant position in itself.

According to Swedish law the parties may negotiate and decide the governing law in the IT service agreement. However, some Swedish industries may have sector-specific regulations that may interfere with a contractual dispute clause, if the parties have decided to not take note of such regulations.

Hence, unless there is specific national interest in regards to certain State-owned companies or authorities, personal data may be transferred freely within EU/EEA countries without restrictions. Since there are no general rules that provide corresponding guarantees outside the EU/EEA, it has been considered that transfers to such countries must be limited. Personal data may therefore only be transferred outside the EU/EEA if there is an adequate level of protection in the recipient country or if there are special safeguards protecting the personal data and the rights of the data subjects.

Personal data may therefore be transferred to a third country, for example when:

  • there is an adequate level of protection in the recipient country;
  • when the data subject has given his/her consent to the transfer;
  • in certain specific situations enumerated in the Data Protection Act; and
  • if it is permitted in some other way according to regulations or specific decisions by the Government or Data Inspection Board with reference to that there are adequate safeguards with respect to the protection of the rights of the data subjects.

Such safeguards may result from standard contractual clauses approved by the EU Commission or Binding Corporate Rules (BCR).

The Swedish rules governing employee transfers from one employer to another are far reaching and regulated both at EU level by Directive 2001/23/EEG on the safeguards of employees’ rights in the events of transfer of undertaking, businesses or parts of undertakings or businesses (the 'Acquired Rights Directive' or ARD) and at national level in § 6b in the Swedish Act on Protection of Employees’ Rights (Lagen om anställningsskydd).

The Acquired Rights Directive states that a transfer occurs “where there is a transfer of economic entity which retains its identity, meaning an organised grouping which has the objective of pursuing an economic activity, whether or not that activity is central or ancillary”. The Acquired Rights Directive stipulates the minimum protection; therefore, the laws in the Swedish Act on Protection of Employees’ Rights give in some instances a higher protection for employees than the ARD – for example, in § 6b in the Swedish Act on Protection of Employees’ Rights applicable to all public business.

From an employment perspective a transfer of business is at hand when there is a change of employer. However, there are a number of sub-criteria that will determine whether or not a transfer of business is at hand or not. In a business transfer the new employer automatically takes over the responsibility for the contractual conditions that the previous employer had. Although, it is not rare that the new employer and the transferred employee agree to new conditions. The new employer also takes over the responsibility for obligations that have arisen prior to the transfer; hence, it is important for the new employer to perform proper due diligence on outstanding financial obligations prior to entering into a transfer agreement and/or claim warranties.

The regulations on employee transfers are applicable to personal employment agreements as well as collective agreements. If the transferor and the transferee are bound by the same collective agreement, such agreement will be valid against the transferee. Should the transferor, but not the transferee, be bound by a collective agreement, the transferee will also be bound by the collective agreement in applicable parts. If the transferor and transferee are bound by different collective agreements, the collective agreement that the transferee is bound by prevails. However, the transferee must comply with the rules of the transferor’s previous collective agreement for one year.

The employee has the right to oppose that the employment with the current conditions are transferred to a new employer. The employee shall within a reasonable period of time after being notified about the transfer state whether he or she prefers to stay with the transferor. If an employee chooses to stay with the transferor, the employment will remain unchanged. However, the employee runs a high risk of being made redundant.

Even if the criteria set out in Swedish Act on Protection of Employees’ Rights are not satisfied or where there is uncertainty as to whether employee transfers will take place automatically, it is not uncommon that customers require the supplier to contractually commit to act as if ARD/the Swedish Act on Protection of Employees’ Rights applied, whether or not it does so by law. It is very important that the customer and the supplier agree who will be responsible for employment-related costs or liabilities. Hence, the terms in regards to commitment to hire/employee transfers are often subject to lengthy negotiations and the wording should be carefully considered.

The data protection legislation within the European Union is undergoing extensive revision. The data protection reform seeks to harmonise the data protection legislation throughout the European Union. The purpose of the reform is primarily to strengthen the individual’s rights in regards to their personal data.

The General Data Protection Regulation ((EU) 2016/679) (the GDPR) is the first step in the data protection reform and is, since it came into force on 25 May 2018, the principal data protection legislation across the European Union, hence also in Sweden. The GDPR harmonises data protection legislation throughout the European Union, though not entirely. The GDPR opens up for national legislation in specific areas. As a result hereof, a new Data Protection Act (DPA) was adopted in Sweden.

The EU Commission has proposed yet another regulation within the data protection reform; the ePrivacy Regulation (the ePR). The ePR covers privacy and electronic communications and will apply to telecom and Internet operators. If adopted, the ePR will replace the current ePrivacy Directive 2002/58/EC (ePD). At this stage, the ePR is still undergoing negotiations and it is uncertain when a final version will be presented, what it will contain and when it will enter into force. While waiting for the ePR to enter into force, the ePD is still in force. Since the ePD is an EU directive it is implemented into Swedish legislation through national laws, the most important being the Electronic Communications Act.

Furthermore, the European Convention on Human Rights (the ECHR) has been incorporated into Swedish law. The ECHR has an impact on some Swedish data protection principles; namely, the Swedish principle of openness (offentlighetsprincipen) and freedom of the press and freedom of speech (tryck- och yttrandefriheten).

The Swedish Marketing act states that it is not permitted to send electronic marketing (spam) to persons who has not given their consent. The Swedish Marketing Act establishes that marketers are required, according to good marketing practice – before a call is made to a consumer in sales, marketing or fund-raising purposes – to control if the consumer’s phone number is in the blocking registry (NIX-Telefoni). A recently adopted legislation is requiring all distance sales (with a few exceptions) to consumers to be written. This has caused the call centres and customer communication industry to review and revise their respective internal and external processes relying even more on AI in the customer communication (eg, customer service, call centre, support and telephone sales). The Swedish Callcenter Organisation has a strong and leading standing in Sweden and it is recommended that all relevant companies shall follow its rules (including the ethical standards) and that these rules have been adhered to in all procurements.

The data protection legislation distinguishes data regarding individuals from data regarding companies. The GDPR regulates the processing of personal data, which means any information relating to an identified or identifiable natural person. Data regarding companies falls outside of the scope of the GDPR. However, data regarding companies and the processing hereof is covered by other legislation that regulates the right to use such data and protects the data from unduly processing if the data is confidential.

As mentioned, general processing of data – namely, data regarding companies or data regarding unidentifiable natural persons – falls outside the scope of the GDPR. Nevertheless, in the data-driven economy and because of the use of new technologies, such data is still of the upmost importance for the controllers. Being a significant part of the controllers’ assets, it is important for the controllers to manage their data in the most effective way, in regards to both business processes and what the data is used for. Even though general processing of data falls outside the scope of the GDPR, such processing of personal data is covered by other laws and legal principles.

In Sweden, there is an extreme focus on integrity in general and processing of personal data in particular. The trend partly derives from the data protection reform and partly due to a large scandal, regarding the government’s use of personal data and data protection, which emerged during the summer of 2017. Processing of personal data falls under the scope of the GDPR. For the processing of personal data to be lawful under the GDPR, the data controllers have to abide by a set of rules that, as in principle, falls back on six fundamental principles. The fundamental principles of the GDPR seek to strengthen the individual’s rights in regards to their personal data and force the controllers to be transparent in regards to their processing of personal data.

In Sweden, it is common for employers to allow their employees to use the company’s e-mail for private matters or surf the web privately. Furthermore, a lot of employers, especially in the private sector, let employees use the company’s IT equipment, such as mobile phones and computers, privately.

If the employer does not tolerate that the employees do certain things with the company’s IT equipment or if the employer intends to monitor the use of the IT equipment, the employees must be informed about it and what consequences any misuse will bring. One practical measure is to develop an IT policy that makes clear what restrictions apply to the employee’s use of IT equipment, e-mail and the Internet and that employee monitoring occurs.

Employee monitoring falls under the material scope of the General Data Protection Regulation ((EU) 2016/679) (the GDPR) and is therefore subject to the general requirements of the GDPR. This means, among other things, that the employer must have a legal basis for employee monitoring. However, employers cannot rely on consent from employees, since employees often find themselves in a position of dependence upon their employers and are therefore unable to give the voluntary consent required by the GDPR. As a result, hereof, employers need to perform a balance of interests that shows that the company’s need for monitoring weighs heavier than the employee’s right not to be supervised. When performing the balance of interests the opinion of the relevant trade union is weighted heavily. If the employer wants to perform some type of employee monitoring, the employer should therefore negotiate with the relevant trade union. If the employee monitoring is already regulated in the collective agreement, the negotiation with the trade union is not necessary.

To be able to meet the fact that products and services in the area of telecommunications are becoming more and more advanced and increasingly platform independent, the Swedish legislation regarding telecommunications, the Electronic Communications Act, is drafted as a uniform and technology-neutral law. The Electronic Communications Act applies to all electronic communication networks and communication services, and thereto associated installations and services, as well as other use of radio communication. However, the law does not apply to the content that is transmitted in electronic communication networks using electronic communication services.

Requirements prior to bringing a product/service to the market. Is there is a local requirement for an approval by the regulator prior to offering any product or service that offers such technology (as well as a description of the procedure in question and related cost).

According to the Electronic Communications Act, all commercial suppliers of public communication networks and publicly available electronic communication services are obligated to notify the Swedish Post and Telecom Authority (Post- och telestyrelsen, the PTS) before the operation commences and pay a processing fee of SEK1,000. Furthermore, entities that conduct activities requiring notification to the PTS are obliged to pay a yearly fee. The fee is based on the turnover of the activity subject to notification. For businesses with an annual turnover exceeding SEK5,000,000, the annual fee is 0.147% of the turnover.

For the use of radio transmitters to be lawful, it is necessary to get a permit from the PTS. To get the permit the entity is obligated to pay a processing fee of SEK1,000 and thereto a yearly fee based on a number of different factors.

The requirements for being allowed to broadcast audiovisual services depend on a number of things. The Swedish Radio and Television Act prescribes that some broadcasts require a licence and others only need to be registered with the Swedish Broadcasting Authority (Myndigheteten för press, radio och tv) (the SBA). Broadcasting licences for public service broadcasters are issued by the government, since they are funded by the state.

A TV broadcasting licence is required to be allowed to broadcast in the terrestrial network. Broadcast via satellite, cable and the Internet only need to be registered with the SBA. All radio broadcasts, except web-radio, need a broadcasting licence.

Online broadcasts intended for the public need to be registered if they are live streaming or playback at times decided by the broadcaster. All other online broadcasts do not require registration. However, on-demand TV falls under the scope of the Swedish Radio and Television Act and calls for registration.

The Swedish government has appointed a State Public Report with the purpose to propose amendments to the Radio and Television Act, in order to implement the consolidated version of Directive 2010/13/EU. The content of the State Public Report is still unknown, but it will probably propose that the provisions in the Swedish Radio and Television Act should also include online video channels. 

Online broadcasts intended for the public need to be registered if they are live streaming or playback at times decided by the broadcaster. All other online broadcasts do not require registration. However, on-demand TV falls under the scope of the Swedish Radio and Television Act and calls for registration.

The Swedish government has appointed a State Public Report with the purpose to propose amendments to the Radio and Television Act, in order to implement the consolidated version of Directive 2010/13/EU. The content of the State Public Report is still unknown, but it will probably propose that the provisions in the Swedish Radio and Television Act should also include online video channels. 

If an organisation uses encryption, there are some exemptions from certain rules. For example, a controller does not need to inform the data subject about an occurred data breach if the personal data was encrypted. Furthermore, there is an exemption from the prohibition of e-mailing sensitive patient data within the healthcare sector if the healthcare provider encrypts the e-mail in such a way that only the intended recipient can access the information in the e-mail.

Affärsadvokaterna i Sverige AB

Västra Trädgårdsgatan 15
SE-111 53 Stockholm
Sweden

+46 (0) 8-25 45 04

N/A

info@affarsadvokaternasverige.se www.affarsadvokaternasverige.se
Author Business Card

Law and Practice

Author



Affärsadvokaterna i Sverige AB is a modern firm focused on commercial law and offers advice on strategic agreements, IT law, dispute resolutions, procurements and privacy law issues. Its clients are found in a variety of industry sectors, including medical/healthcare, transportation and logistics, IT, security and safety, the car industry and staffing. Affärsadvokaterna has extensive experience of the TMT sector and provides ongoing advice in national and international projects, mainly with regard to the outsourcing and digitalisation of business processes, IT, artificial intelligence and robotics, contact centres, payroll and invoicing processes, facility management, financial services, purchasing and third-party logistics. In addition, the firm advises clients on a range of outsourcing and IT-related disputes. In recent years Affärsadvokaterna has handled arguably the most legally complicated IT projects in Sweden and some of the most innovative digitalisation projects within the healthcare sector (such as apps and web-based programs for leading private healthcare providers in Sweden).

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.