Contributed By Time Danowsky Advokatbyrå AB
There is no general legislation in Sweden specifically targeting cloud computing or cloud computing transactions. There are, however, a number of sector-specific laws and regulations, as well as legislation of a general nature in Sweden, that may need to be taken into consideration when entrusting processes or data to the cloud or providing cloud computing services.
Sector-specific laws and regulations may apply if cloud computing activities are carried out by financial institutions, or in relation to services crucial to Swedish society, pursuant to EU Directive 2016/1148 on security of network and information systems (NIS Directive), or in relation to services that are subject to the Swedish Protective Security Act (Säkerhetsskyddslag (2018:585)).
The most important legislation of general application to take into consideration in relation to cloud computing services is the General Data Protection Regulation 2016/679 (GDPR), which is the main piece of legislation in Sweden in relation to processing of personal data. Also, the Public Access to Information and Secrecy Act (Lag (2009:400) om offentlighet och sekretess) that restricts public entities’ rights to lawfully reveal certain information to third parties (eg, suppliers of cloud computing services) is of significant relevance.
The NIS Directive and the Swedish Protective Security Act
The NIS Directive has been implemented through the Swedish Act on Information Security Regarding Providers of Critical Infrastructure and Digital Services (Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster). The legislation is supplemented by regulations issued by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, or MSB). The legislation and regulations are hereafter referred to as the “NIS legislation”.
The purpose of the NIS legislation is to increase the level of security in digital networks and information systems as well as in certain services crucial to society (eg, energy, transportation, banking, healthcare and digital infrastructure) and digital services. Based on this, entities subject to the NIS legislation are subject to a number of obligations which may be of relevance in relation to cloud computing services. In particular, entities providing services crucial to society need to observe obligations pursuant to the NIS legislation when using, or considering the use of, cloud computing services as a part of the provision of such services. These obligations include carrying out structured and risk-based information security activities, also with regard to networks and information systems that are outsourced to an external cloud computing supplier. Prior to any outsourcing, risks entailed in that outsourcing must be identified and handled, and security measures taken must be regulated in the contract. Recommendations issued by the MSB include further details on how contracted information security activities shall be followed up and how information pertaining to the entity shall be handled in connection to any incidents that occur.
The Swedish Protective Security Act, and regulations issued under the Act (hereafter together referred to as the “Protective Security legislation”), aim to protect Sweden against sabotage, terrorism, espionage and other crimes that may threaten activities covered by the legislation. The legislation applies to any entity that carries out activities of importance for the security of Sweden. Hacking and other data security breaches against such entities are considered serious threats. Based on this, entities subject to the Protective Security legislation are under extensive obligations to secure sensitive information handled by the entities and to secure IT systems or services that process such information. These obligations also extend to any suppliers, including cloud computing suppliers, to such entities. Prior to outsourcing, a separate agreement regarding protective security must be entered into between the supplier and the entity, and the supplier must fulfil a number of requirements and carry out a number of activities set out in the Protective Security legislation prior to and during the service delivery. Depending on the sensitivity of the information to which the supplier may gain access, it may not be possible to lawfully appoint a foreign cloud computing supplier.
The Financial Sector
Cloud computing is not prohibited within the Swedish financial sector. The Swedish Financial Supervisory Authority (Finansinspektionen), which supervises the sector, has declared that it does not see any reasons in principle why entities in the financial sector should not be allowed to use cloud computing services. The use of cloud computing services is, however, subject to both national rules regarding bank and insurance secrecy and EU frameworks, which must be taken into consideration and which may make outsourcing to the cloud contractually complicated and, in certain situations (in particular with regard to foreign cloud computing suppliers), questionable.
With regard to local legislation, the Banking and Financing Business Act (Lag (2004:297) om bank- och finansieringsrörelse) states that an individual's relation to a credit/financial institution may not be disclosed without authorisation. It is currently uncertain if an entity required to uphold bank secrecy may legally appoint a cloud computing supplier that, in certain situations, may be obliged to disclose information to foreign authorities, or if the mere appointment of that supplier could amount to a breach of obligations to uphold bank secrecy and thereby be prohibited.
Furthermore, both banks and insurance institutions are subject to a number of local and EU regulations and rules in relation to the outsourcing of activities such as cloud computing services. Such rules concern both actions to be taken prior to the decision to outsource (such as risk evaluation) and mandatory requirements on terms and conditions to be included in the contract with the cloud computing provider. The requirements on terms and conditions depend on how important the outsourced functions or processes are considered to be for the outsourcing entity’s business activities.
Fundamental and detailed rules for banks to be observed in relation to outsourcing are found in the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements, which are applicable in Sweden. Fundamental and detailed rules for insurance companies are found in Commission Delegated Regulation 2015/35 supplementing Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
The Public Sector
To what extent it is legally permitted for the public sector in Sweden to use cloud computing services has long been a subject of debate. The background to this controversy is the provisions in the Public Access to Information and Secrecy Act (Lag (2009:400) om offentlighet och sekretess, or OSL) which prohibit public authorities from unlawfully disclosing to third parties information that is subject to secrecy. Some practitioners have argued that the mere use of a cloud computing service (eg, for storage of information subject to secrecy) amounts to unlawful disclosure. eSam, which is a co-operation programme between a number of Swedish public authorities and municipalities, has recently issued an opinion that, in the event that information subject to secrecy under the OSL is outsourced to a cloud computing supplier which may be forced by foreign legislation to disclose information it processes, the mere use of that cloud computing service should be considered unlawful disclosure pursuant to the OSL. This applies irrespective of whether the service contract contains provisions that prohibit the supplier from disclosing information.
The uncertainty regarding lawful use of cloud computing services in the public sector has caused challenges for both public authorities and cloud computing suppliers and has led to a public inquiry (the Swedish Government Official Report SOU 2018:25). As a result of the Official Report, a new law came into force on 1 January 2021 (Lag (2020:914) om tystnadsplikt vid utkontraktering av teknisk bearbetning eller lagring av uppgifter). The new law entails that a service provider shall be subject to confidentiality by law when a public authority (or a body or activity equated with a public authority) instructs that service provider to technically process or store information. The purpose of the new legislation is to ensure that information handled by the service provider is subject to confidentiality protection equivalent to that which applies when the public authority handles the information itself. Additionally, the Swedish Government has suggested restricting the right to disclose information for the purpose of public interest, as stipulated in the Freedom of Expression Act and the Freedom of the Press Act, for persons within the scope of the new legislation.
In addition to the above, the Swedish government has identified a need to clarify the legislative framework in relation to the outsourcing of IT services to private service providers. As a result, the Swedish government published an Official Report in January 2021 (SOU 2021:1) proposing a new provision supplementing the OSL. The proposed provision would override secrecy so that public authorities are able to use service providers for the tasks of technical processing or storage. Public authorities shall, however, before outsourcing their data, weigh the interest in outsourcing against the interest the secrecy is intended to protect. In this weighing of interests, authorities should also consider factors such as the character of the data and its scope. The proposed provision is expected to enter into force on 1 January 2022.
Processing of Personal Data
Processing of personal data in the course of cloud computing services is subject to the GDPR. The GDPR entails, inter alia, that the data controller must have a legal basis for the processing of personal data, including the transfer of the data to the service provider, as well as for any transfer of data to countries outside the EU/EEA.
The main principles relevant for cloud computing are found under Chapter 5 of the GDPR, which governs transfer of personal data to third countries. Furthermore, the GDPR contains provisions for ensuring the safety and integrity of the personal data processed – eg, by the technical and organisational security measures referred to in Article 32 of the GDPR. Both the data controller and the data processor are obliged to implement appropriate technical and organisational security measures to ensure a sufficient level of security in relation to the processing of data. Appropriate measures may include encryption, the ability to restore the availability of and access to personal data, and internal processes for regularly testing, assessing and evaluating the effectiveness of the measures.
As a result of the recent judgment by the European Court of Justice in case C-311/18 (Schrems II), which invalidated the Privacy Shield agreement between the EU and the USA and means that the EU standard contractual clauses (SCC) are no longer on their own sufficient to rely on for transfers of personal data to countries outside the EU/EEA, the lawful use of cloud services is being analysed in both the public and the private sector. At the very least, it should be noted that the use of US cloud computing suppliers, or of cloud computing suppliers transferring personal data to the USA, currently involves substantial challenges.
Blockchain technologies are characterised as decentralised networks, consisting of transactions that are anonymous since the information added to the chain is encrypted. Each transaction is transmitted to everyone in the network and the process may involve a large number of computers. Various types of data can be logged to the network, such as transaction information, photos/videos or documents. The technology is often used by cryptocurrencies.
Blockchains can be used to conclude contractual agreements between parties, called “smart contracts”. Smart contracts allow automatic execution of activities based on approved inputs from the parties to the contract. A smart contract includes a digital checklist of conditions that must be matched for the transaction to be approved. It also excludes intermediaries and allows for a less costly process.
Risk and Liability
There is no general Swedish legislation specifically targeting blockchain technology. However, specific rules and regulations may apply depending on the specific solution, and regulations regarding, inter alia, tax, accounting and general contracts may be applicable. Given the limited legislation in the area, it is important to carefully assess the risk and regulate liability and other terms in commercial relationships.
The user anonymity of cryptocurrencies means that there is a risk that they will be used for criminal purposes – eg, for money laundering. Businesses offering the purchase of bitcoins or other cryptocurrencies and digital currencies that are used as means of payment are classified as “other financial operations” according to the Certain Financial Operations Act (Lag (1996:1006) om valutaväxling och annan finansiell verksamhet). Consequently, these businesses have an obligation to register with the Financial Supervisory Authority. The Financial Supervisory Authority has the authority to conduct supervision and to supervise compliance with anti-money laundering and terrorist financing regulations.
According to the World Intellectual Property Organization (WIPO), blockchain technology can be beneficial for intellectual property rights in registering and providing evidence, and thereby be used to protect IP rights. There is an initiative in Sweden to create a copyright platform for the European Blockchain Services Infrastructure. The purpose is to create a natural point of co-ordination for those that need to access information on the legal status of copyright work. The result is expected to demonstrate how blockchains can be used to enable a more effective and efficient copyright management solution.
Processing of personal data is governed by the GDPR. According to the European Parliament, personal data in a blockchain is normally not anonymised and accordingly processing of personal data in the blockchain falls under the scope of the GDPR.
Determining the roles, responsibilities and liabilities can be difficult in a blockchain context. In the case of public blockchains, there is no party with more power or responsibility than any other. This makes it difficult to determine the responsibilities, including who shall be deemed the data controller for the purposes of the GDPR.
The problem with identifying the data controller, especially when the users are anonymous, may lead to difficulties in determining responsibilities regarding, inter alia, the obligation to provide information to data subjects under Articles 13 and 14 of the GDPR. Where two or more parties will be considered joint controllers according to Article 26 of the GDPR for a blockchain, it may likewise be difficult to determine the parties’ respective responsibilities.
Furthermore, blockchain also creates challenges in relation to Article 17 of the GDPR on the data subject’s right to erasure. This right of erasure causes issues with the blockchain technology due to the impossibility of deleting transactions on the chain.
Considering the cross-border nature of blockchain technology, jurisdictional issues are bound to arise. According to the Brussels I Regulation, jurisdiction may be established based on, inter alia, the domicile of the defendant or the place of performance of a contract, or – in matters relating to tort, delict or quasi-delict – in the courts of the place where the harmful event occurred or may occur. In the case of public blockchains such as Bitcoin, transactions take place across many countries, which means that potentially multiple member states could have jurisdiction over the matter.
Starting and managing a project involving big data, machine learning and/or AI, may require various legal considerations. Big data, machine learning and AI are widely used in Sweden, in particular in the IT industry, banks and financial services, the insurance sector and other industries which involve the processing of huge data volumes and automatic decision making.
The AI model will need to be trained on actual or fictive data. Such data may have to be collected from various sources, and may be freely available (in the public domain) or subject to different licence restrictions. Examples of such restrictions are open data licences, such as Creative Commons, or licences from third-party rights-holders (eg, geodata licensed from the Swedish Mapping, Cadastral and Land Registration Authority (Lantmäteriet)). Where licence restrictions apply, they may differ between commercial and non-commercial use of the dataset, or set up other limitations and restrictions. Creation and use of datasets may require legal assessments regarding ownership and exclusive use rights under copyright law, sui generis database protection, and other intellectual property law aspects. Copyright and other intellectual property law aspects, including trade secret legislation, may also be relevant for other aspects of the AI model, such as the algorithms. For use of datasets which include personal data, the GDPR and other data protection legislation will apply to the data processing.
Application of the developed AI model to, for example, automatic decision making, may require further legal considerations on, inter alia, liability for decisions and liability for any harm or damage caused.
In general, there is no protection of information or data as such under Swedish Copyright law. Information or data which is of a confidential nature may be protected under the Swedish Protection of Trade Secrets Act (Lag (2018:558) om Företagshemligheter), or under contract law if disclosed under obligations of secrecy.
A collection of data (big data) may be protectable as a copyrighted work of art, where the compilation of the data is considered to be the result of an intellectual effort (an original selection and arrangement of data); however, this is rare.
Swedish copyright law, however, also offers protection of databases as a so-called neighbouring right, partly based on the sui generis right of the EU Directive 96/9/EC on the legal protection of databases (the Database Directive). Swedish copyright law has included a right of protection for so-called catalogues for a long time, and when the EU Database Directive was implemented in Swedish law, this was done based on the earlier “catalogue protection right”. It can be noted that it is generally considered that Swedish copyright law does not implement the EU Database Directive completely in all aspects.
Nevertheless, Chapter 5, Section 49 of the Swedish Copyright Act stipulates that anyone who has produced a catalogue, a table or a similar work, in which a large amount of information has been collected or which is the result of a significant investment, has an exclusive right to produce copies of the work and make it available to the public. The protection is, however, limited, as it only protects the database/compilation as such and not individual pieces of information. In the case of unauthorised use, establishment of an infringement will be based on the EU Database Directive’s principles (extraction or reutilisation of the whole or a substantial part of the database, or repeated and systematic extraction or reutilisation of insubstantial parts of the contents of the database).
The text and data mining exception in Directive 2019/790 on Copyright in the Digital Single Market, enabling limited use of copyrighted works for text and data mining purposes, will be included in Swedish law when the directive is implemented into Swedish copyright law; such implementing legislation is currently being prepared.
Where the dataset includes personal data, the GDPR and other applicable data protection laws and regulations (including the Swedish Data Protection Act (2018:218), which supplements the GDPR with certain local Swedish regulations) must be followed. This includes ensuring that valid consents from data subjects have been procured or that another valid legal ground for the data processing exists, that the personal data is not processed for a purpose incompatible with the purpose for which it was collected, that the personal data is pseudonymised or anonymised where appropriate, and that other relevant and appropriate security measures are undertaken.
Training the AI model on datasets (machine learning) will imply the use of the data from an intellectual property perspective and, where relevant, processing of personal data from a GDPR perspective, as referred to under Big Data above. Furthermore, the machine learning process itself may give rise to legal considerations from, for example, an IP rights perspective, such as copyright protection (which is generally available for the actual software code but not for the specific algorithm) or trade secret protection (where it is possible to limit reverse engineering and impose confidentiality on service users). The output of the AI model will likely not be protectable under Swedish copyright law, which requires that the work be made by a human and does not recognise works which are entirely computer made.
Sweden, as member of the EU, is taking part in EU initiatives on AI such as the 2020 White Paper on Artificial Intelligence. Sweden has, for example, accepted the Communication from the Commission on Artificial Intelligence for Europe (Com/2018/237). The Swedish agenda is to develop regulations, standards, norms, and ethical principles for the purpose of guiding ethical and sustainable use of AI. The main challenge identified is to create a safe sandbox for innovation, which means creating a regulatory framework that proactively minimises the risks when using AI.
Examples of legal issues, which will require future legislation and judicial case law in relation to AI, include:
Currently these issues are only at the discussion stage and no legislative proposals have yet been put forward.
The internet of things (IoT) is a term that describes the technology through which devices or everyday objects are connected to the internet. The devices/objects may be interior objects, such as refrigerators and lamps, or wearable units, such as smart watches. Another relevant example of the IoT technology is connected vehicles (ie, smart cars).
Under Swedish legislation, there are no general regulations in relation to the use of IoT. The Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, or MSB) has published general recommendations on public actors’ use of the IoT, fact sheets on IoT risks and advice on how to secure the IoT addressed to system users. These documents identify, inter alia, privacy and security as risks in connection with the IoT.
The IoT is closely connected with information and cybersecurity risks. With the IoT technology, devices may communicate with each other and transfer data between themselves. A possible attack may target, for example, entire logistic chains or hospital devices. Due to the large quantities of data processed within IoT products/devices, attacks may have severe consequences.
An attack against IoT products may be used as a gateway in order to access other systems or to collect information. Organisations are advised to reduce the vulnerability of any IoT systems they use and to mitigate the possible consequences of an attack.
When personal data is processed within the scope of the IoT, the technology raises several data protection challenges. Processing of personal data is governed by the GDPR and the controller of the data shall fulfil the requirements in the GDPR in order for the processing to be compliant. These requirements include establishing a legal basis and informing data subjects of the processing (including any profiling of users performed by the product). As IoT products usually collect a large amount of data, compliance with the general principles of the GDPR should be emphasised. This includes not collecting more data than necessary for the purpose of processing (data minimisation) and not processing data in a manner incompatible with the initial purposes of processing (purpose limitation). Lastly, when developing products including IoT features, privacy by design, as per Article 25 of the GDPR, should be considered at an early stage of the project.
There is no legislation in Sweden specifically targeting IT service agreements. Due to the lack of specific legislation, the most important general laws to consider in relation to IT service agreements are the Swedish Contracts Act (Lag (1915:218) om avtal och andra rättshandlingar på förmögenhetsrättens område) and the Swedish Sale of Goods Act (Köplag (1990:931)). The Contracts Act contains, inter alia, the definition of a contract, how a contract is concluded and rules regarding breach of contract. The Sale of Goods Act contains detailed rules relating to the obligations of suppliers and customers in relation to the sale of goods, notification of defects and remedies in the event of breach of contract. Although the Sale of Goods Act is limited to the sale of goods (and not services), where an IT service agreement lacks detailed terms and conditions (the Act is dispositive to contracted terms and conditions), the principles following from the Act will, to a considerable extent, apply analogously when interpreting an IT service contract. Based on the above, when considering entering into an IT service agreement with a Swedish local organisation, a basic understanding of the fundamentals of the laws above will be helpful.
In addition to the above, a number of laws and regulations will be, or may be, applicable to an IT service agreement. Of major importance is the Swedish Copyright Act (Lag (1960:729) om upphovsrätt till litterära och konstnärliga verk), which will apply to grant of rights to, for example, software and documentation, as well as the GDPR, which will be applicable to any processing of personal data as a consequence of the service delivery. In addition, sector-specific laws and regulations may be applicable depending on the circumstances.
The Swedish Copyright Act
The provision of IT services generally includes a customer’s right to dispose of deliverables included in, or as a result of, services provided. To the extent that such deliverables or results amount to copyright protected works pursuant to the Swedish Copyright Act, such works will be subject to the provisions of the Act. Works that are usually subject to the Act are software and documentation. The Swedish Copyright Act and general principles of law developed under the Act, contain rules that may be of paramount importance when drafting and entering into an IT service agreement. In particular, disputes often arise in relation to questions of whether or not a customer may be entitled to make amendments to, and/or sublicense software and documentation based on the terms and conditions of, IT service agreements entered into. The Swedish Copyright Act includes certain mandatory provisions (based on the EU Software Directive 2009/24/EC), including the right for someone who has been granted a right to use a particular piece of software to (subject to certain conditions) make back-up copies of that software if this is necessary for the use of that software, as well as a right to investigate the software to understand the ideas and principles behind it.
In the event that an IT service agreement includes the service provider’s processing of personal data, the GDPR will apply. If the service provider is processing data on behalf of the customer, a data processing agreement will need to be entered into pursuant to the provisions of the GDPR and both parties will need to ensure that the provisions of the GDPR are upheld in the service delivery.
Depending on the business sector or environment in which the entity procuring IT services is active, different laws and regulations may apply which a supplier targeting the market will need to be aware of.
IT service providers targeting the financial sector need to be aware of and, if applicable, observe local and EU laws and regulations governing the sector. Fundamental rules for IT service contracts in the banking sector that may (or may not) need to be observed are found in the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements. Fundamental rules in relation to the insurance sector that may (or may not) need to be observed are found in Commission Delegated Regulation 2015/35 supplementing Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
Furthermore, in the event that IT services are to be provided to an entity providing services crucial to Swedish society, the regulations of the Swedish Act on Information Security Regarding Providers of Critical Infrastructure and Digital Services (Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster) will need to be observed. This will mean that a supplier of IT services will be subject to a number of activities prior to entering into a contract and that the contract must include a set of agreed security measures. Similar (but even more burdensome) challenges may face an IT service provider who is targeting Swedish entities subject to the Swedish Protective Security Act (Säkerhetsskyddslag (2018:585)), which applies to entities that carry out activities of importance for the security of Sweden. Prior to entering into a contract, it may be necessary to enter into a separate agreement relating to protective security, and the supplier may need to fulfil a number of requirements and carry out a number of activities set out in the Protective Security legislation prior to and during the service delivery.
A supplier considering targeting the Swedish public sector should be aware that a significant part of IT service agreements entered into with public authorities are channelled through the Swedish Legal, Financial and Administrative Services Agency (Kammarkollegiet). The Agency carries out public procurement for IT framework service agreements in a vast number of areas, from which public authorities are able to (and to a large extent should) make call-offs. An entity considering targeting the Swedish public sector market will therefore need to acquaint itself with Swedish public procurement law, the activities of the Agency and the terms and conditions requested by the Agency in IT service agreements. For regions and municipalities, SKL Kommentus (a central purchasing body owned by the regions and municipalities) likewise makes central IT procurements, including software and cloud services.
Main Laws and Regulations Relating to Processing of Personal Data
The core rules in Sweden relating to the processing of personal data are found in the GDPR. In addition to the GDPR, Sweden has adopted a national general complementary law; the Swedish Data Protection Act (Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning). Other relevant legislation governing data protection include, inter alia, the Patient Data Act (Patientdatalagen (2008:355)), the Criminal Data Act (Brottsdatalagen (2018:1177)) and the Electronic Communications Act (Lag (2003:389) om elektronisk kommunikation).
General Rules Regarding Processing of Personal Data
The processing of individuals’ personal data is governed by the GDPR, and organisations are obliged to comply with its requirements, such as the general data protection principles, the need for a legal basis, information to data subjects and the implementation of appropriate technical and organisational security measures.
Sweden has implemented the Data Protection Act as national supplementary legislation to the GDPR. The Swedish additions to the GDPR include the following.
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, previously known as Datainspektionen) is the supervisory authority in Sweden. At the time of writing, the authority has issued 17 administrative fines for breaches of the GDPR, directed against private entities as well as public authorities.
Cookies are governed by the Privacy and Electronic Communications Directive 2002/58 and nationally in Sweden by the Electronic Communications Act (Lag (2003:389) om elektronisk kommunikation).
To the extent that data collected through cookies constitutes personal data within the meaning of the GDPR, the rules of the GDPR also apply to that processing.
Non-personal Identifiable Information
Sweden lacks general laws and regulations relating to the processing of non-personal identifiable information, such as data concerning companies. The main laws and regulations that may be of relevance are set out below.
Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union has applied since May 2019. The regulation covers the flow of non-personal data within the Union and mainly obliges member states to abolish data localisation requirements that prevent the free flow of non-personal data, meaning, inter alia, that organisations should be able to store and process such data anywhere in the Union. Non-personal data is data not covered by the GDPR, eg, business invoices or data generated by industrial devices.
In addition, organisations’ business data and other types of non-personal data that fall outside the protection of the GDPR may instead be protected by the general rules of the Swedish Trade Secrets Act (Lag (2018:558) om företagshemligheter). According to Section 2 of the Trade Secrets Act, a trade secret is information on business or operational conditions in a trader’s business that is neither generally known nor readily accessible, that the holder has taken reasonable measures to keep secret, and the disclosure of which is likely to cause harm to the holder in terms of competition. The Trade Secrets Act only applies to unlawful attacks on an organisation’s trade secrets. It should, however, be noted that the Act does not prevent the disclosure of a trade secret in order to reveal suspected criminal conduct or other serious misconduct, or otherwise for the protection of the public interest. For the public sector, the rules on public access and confidentiality in the Public Access to Information and Secrecy Act (Lag (2009:400) om offentlighet och sekretess, or OSL) apply.
In general, there is no specific legislation in Sweden governing employers’ monitoring or restriction of employees’ use of technical equipment (eg, computers, phones or other devices). As a starting point, the employer has wide-ranging powers under Swedish law, and the general principle of the employer’s right to direct and allocate work is fundamental. Computers, phones and other devices provided by the employer are regarded as work-related equipment, and the employer may decide if and how its employees shall use them. This includes the possibility of monitoring the equipment and limiting its use. According to case law, however, measures that restrict privacy and integrity must be proportionate and not too intrusive. It should also be noted that collective agreements may include limitations on employers’ monitoring and on restrictions on the use of equipment.
The GDPR applies when an employer processes employees’ personal data in the course of monitoring technical equipment. The employer is therefore obliged to comply with the regulation, for example by establishing a legal basis for the processing and informing the employees of the monitoring. According to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten), an employer is only allowed to examine its employees’ private email where there is a serious suspicion of disloyal or illegal behaviour.
General and Scope
Telecommunications are regulated by the Electronic Communications Act (Lag (2003:389) om elektronisk kommunikation). The Act implements, inter alia, EU Directive 2002/58 on privacy and electronic communications. The purpose of the Act is, inter alia, to ensure that individuals and authorities have access to secure and efficient electronic communications (Chapter 1, Section 1). The requirement of secure communications covers both security of operations and protection of privacy.
The Act covers electronic communications networks and electronic communications services, including associated facilities and services, as well as the use of radio (Chapter 1, Section 4). The Act is thus applicable to, inter alia, telephony, radio, television and the internet.
The definition of electronic communications networks covers systems for the transmission of signals and, in some cases, specific equipment and other resources that allow transmission, whether by radio waves, fibre or cable. The definition of electronic communications services covers services which mainly consist of the transmission of signals and which are provided to another party, such as end users, normally for payment. Over-the-top services (OTT services), such as applications, are usually not considered electronic communications services as long as the service does not itself include the transmission of signals. Services that merely constitute communication over already existing electronic communications are not covered by the definition; the service provider must have control over the transmission of the signals. IP telephony where the service provider controls the transmission of the signals may therefore constitute an electronic communications service.
Certain services may only be provided after the Post and Telecom Authority (Post- och telestyrelsen, or PTS), which is the supervisory authority, has been notified. The operations shall be reported to PTS; however, no approval from the authority is necessary. The notification requirement applies to entities that provide publicly available electronic communications services, or public electronic communications networks that are mainly used for providing publicly available electronic communications services, and that are usually provided for payment (Chapter 2, Section 1). The requirement of public availability means that the service or network must be available on the market and not only to a limited group; internet access provided at a hotel or an internal property network may, for example, not be considered publicly available. The requirement that the service or network is offered for payment is interpreted broadly: payment may consist of valuable user information or of access to services that require the viewing of adverts.
Furthermore, the use of radio transmitters requires a permit from PTS (Chapter 3, Section 1). However, PTS has issued exemptions from the permit requirement. According to Chapter 3, Section 37 of the regulations issued by PTS, RFID (radio frequency identification) equipment is exempt from this requirement under Swedish legislation.
Procedure and Costs
Notifications and permit applications shall be made prior to the start of the business, using forms available on the PTS website. Entities that are subject to the notification requirement, as well as those requiring a permit, are obliged to pay annual fees. The amounts are determined annually by PTS. The notification fee is based on the turnover of each entity, whereas the permit fee is, in general, determined for each specific radio transmitter or permit.
The Swedish requirements for audio-visual services are regulated in the Freedom of Expression Act (Yttrandefrihetsgrundlagen (1991:1469)) and the Radio and TV Act (Radio- och tv-lagen (2010:696)).
The general rule is that audio-visual services (TV, radio etc) may be offered freely without permission from the Swedish Press and Broadcasting Authority (Myndigheten för press, radio och tv). Terrestrial broadcasting services are excepted from this rule and require a broadcasting licence in accordance with Chapter 4, Section 2 of the Radio and TV Act.
According to Chapter 4, Section 1 of the Freedom of Expression Act, a service that falls within the scope of the Act must appoint and report a responsible editor who is liable for the content. Chapter 3 of the Freedom of Expression Act guarantees the right to transmit programmes through wires, whereas Chapter 3, Section 3 allows broadcasting other than through wires (ie, terrestrial broadcasting using radio frequencies) to be made subject to licensing; this is regulated further in the Radio and TV Act. Violations of these rules are subject to sanctions in accordance with Chapter 3, Section 18 of the Freedom of Expression Act.
Services considered as TV on demand shall, according to Chapter 2, Section 2 of the Radio and TV Act, be notified to the Swedish Press and Broadcasting Authority.
Businesses that only transmit signals through wires for the purpose of public broadcasting of programmes, as defined in Chapter 1, Section 3, Subsection 3 of the Freedom of Expression Act (eg, broadcasting of radio or television from databases), are not required to notify the Swedish Post and Telecom Authority. So-called webinars, for example, fall within this scope.
Regarding online video channels, the general rule is that no licence is needed, since they are not terrestrial broadcasting services. Video sharing platforms are characterised by the absence of editorial control over the content and are therefore not protected by the Freedom of Expression Act, so the notification rules of that Act do not apply to them.
Sweden has, however, implemented the revised EU Audiovisual Media Services Directive 2010/13 (as amended by Directive (EU) 2018/1808) in Chapter 9a of the Radio and TV Act, and video sharing platforms (eg, YouTube) now fall within the scope of that Act. As a consequence, such platforms, if established in Sweden, shall be notified for registration with the Swedish Press and Broadcasting Authority. Currently, only a few video sharing platforms are under Swedish jurisdiction.
There are no general laws in Sweden regulating the use of encryption technology. Furthermore, there is no Swedish legislation on mandatory disclosure of encryption keys to law enforcement. However, encryption is an important technical security measure for information security purposes, and there are several sector-specific guidelines and recommendations in place in relation to the use of encryption technology.
According to Article 32 of the GDPR, controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk when processing personal data. Encryption of personal data is explicitly mentioned in Article 32 as an example of such a measure. It is for the controller or processor to decide whether encryption is appropriate in the individual case, taking into account, inter alia, the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Security measures are particularly important when processing special categories of personal data.
National Encryption Requirements
The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) recommends that organisations use encryption in certain situations. The Authority has, for example, stated that salary statements, which may contain information on health or trade union membership and hence constitute special categories of personal data under the GDPR, should be handled with special security measures such as encryption. Furthermore, healthcare providers shall in certain circumstances encrypt data on patients’ identity, in accordance with Chapter 4, Section 6 of the Swedish Patient Data Act. According to the National Board of Health and Welfare’s regulations and general advice on record-keeping and processing of personal data in healthcare, patient data transferred via email shall be encrypted.
According to the Swedish Post and Telecom Authority’s regulations (PTSFS 2014:1) on safeguards for processed data, which apply to providers of electronic communications services, data transferred over the internet shall be encrypted using a widely recognised method of encryption. This does, however, not apply to transfers to users who have consented to a transfer without encryption.
In relation to electronic signatures, companies regarded as qualified trust service providers must use technical measures providing a high level of security. Electronic signatures are governed by Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) and nationally by the Act with Supplementary Rules to the EU Regulation on Electronic Identification (Lag (2016:561) med kompletterande bestämmelser till EU:s förordning om elektronisk identifiering). Qualified electronic signatures have the same legal effect as a handwritten signature. Advanced and qualified electronic signatures require high levels of security and cryptographic protection in order to be reliable. For example, BankID, a frequently used electronic identification tool in Sweden, qualifies as an advanced electronic signature.
Sweden has adopted a variety of emergency legislation in response to COVID-19; however, no piece of legislation has specifically targeted the TMT sector. Following discussion on a temporary pandemic law allowing rules to be issued that override existing laws and regulations, such an act was adopted in January 2021: the Act (2021:4) on Special Limitations in order to Prevent the Spread of the Disease COVID-19 (Lag (2021:4) om särskilda begränsningar för att förhindra spridning av sjukdomen covid-19), which gives the authorities far-reaching powers.
The European Commission has praised the positive effects of contact tracing apps in combating the COVID-19 pandemic, and many member states have developed such apps. The Commission has recommended that member states develop tracing apps and has provided support to those wishing to develop digital solutions complementing manual contact tracing.
Tracing apps are subject to the GDPR. According to Article 9 of the GDPR, health data is a special category of personal data, meaning that it may only be processed under strict conditions. Against this background, the Commission has published Recommendation (EU) 2020/518 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis. The toolbox contains guiding principles based on the GDPR. The guiding principles are the following:
According to the Commission, aggregated statistical data on the use of contact tracing apps that does not enable identification of the natural persons concerned is not personal data, and the GDPR therefore does not apply to it.
In October 2020, the Commission set up an EU-wide system to ensure interoperability by connecting the national tracing apps through a so-called gateway. The gateway makes it possible for national apps to communicate across EU member states’ borders. The participating member states are joint controllers of the processing of data in the gateway.
According to the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten), there have not been any applications from market players regarding tracing or warning apps. However, at the initiative of Swedish researchers, a Swedish version of the UK app COVID Symptom Tracker has been launched in Sweden. The Swedish Government has not expressly supported the use of the app, and it is unclear whether the information collected by the app is used by the healthcare service in Sweden.