Sweden belongs to the civil law tradition, which – in contrast to common law – is codified. The primary constitutional law is The Instrument of Government (1974:152), which contains a guarantee that everyone shall be protected in their relations with government institutions against significant invasions of their personal privacy, if these occur without their consent and involve the surveillance or systematic monitoring of the individual’s personal circumstances.
The central piece of legislation for the protection of personal data since 25 May 2018 has been the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR). On the same date, the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (the Data Protection Act, hereinafter the DPA), supplemented by an Ordinance (2018:219) (Data Protection Ordinance), came into force.
EU and Swedish law use the term "personal data". Personal data is defined by the GDPR as "any information relating to an identified or identifiable natural person".
A great many further acts and ordinances contain regulations regarding personal data registries and other processing of personal data. This body of law is known, collectively, as the Registry Acts. The Registry Acts cover areas such as law enforcement, financial activities, healthcare and much more. There is no authoritative list of the Registry Acts. Relevant legislation outside of the Registry Acts includes the Camera Surveillance Act (2018:1200) and the Electronic Communications Act (2003:389), implementing the e-Privacy Directive 2002/58/EC.
The text of the European Convention on Human Rights has been incorporated into law in the ECHR Act (1994:1219).
Chapter 8 of the GDPR regulates remedies, liability and penalties with regard to data protection. Article 58 of the GDPR grants many varied powers to the Data Protection Authority. The DPA explicitly authorises the national Data Protection Authority (Datainspektionen) or Data Inspection Board (DIB) to exercise the powers set out in Article 58.1–58.3. The DIB is restricted under the DPA to imposing administrative sanctions for the breaches of the GDPR listed in Article 83 and for breaches of Article 10. The DIB is authorised to decide administrative sanctions against public authorities should one breach the GDPR.
The penalty fee for a public authority shall be determined up to a maximum of SEK5 million in the case of infringements referred to in Article 83(4) of the EU Data Protection Regulation, and up to a maximum of SEK10 million in the case of infringements referred to in Article 83(5) and (6) of the Regulation. Breaches of the GDPR or the DPA cannot lead to criminal penalties in Sweden, with the exception of a breach of secrecy or confidentiality by a data protection officer concerning the performance of his or her tasks.
Under the Swedish Criminal Code (Chapter 4, Section 9C), a person who unlawfully obtains access to information intended for automatic processing, or unlawfully alters, erases, blocks or, in a register, inserts such information, is guilty of breach of data security and is sentenced to a fine or imprisonment for at most two years. The same applies to a person who seriously disturbs or impedes the use of such information in an unlawful way through some other, similar measure. If the offence is gross, the person is guilty of gross breach of data security and is sentenced to imprisonment for at least six months and at most six years. When assessing whether the offence is gross, particular consideration is given to whether the act caused serious damage, or related to a large quantity of information, or was otherwise of a particularly dangerous nature.
The supervisory authority regarding data protection is the Swedish Data Inspection Board (DIB). The mission of the DIB is, according to the Ordinance (2007:975) instructing the DIB, "to work to ensure that fundamental human rights are protected in connection with the processing of personal data, to facilitate the free flow of personal data within the European Union and to ensure that good practices are observed in credit and debt collection operations".
The DIB is a public authority reporting to the Ministry of Justice. It has long been a comparatively small organisation, comprising 91 employees at the end of 2019 with an operating budget for 2019 of approximately SEK94.4 million. The DIB is also the supervisory authority for the Debt Recovery Act of 1974 (1974:182), the Credit Information Act of 1973 (1973:1173) and the Camera Surveillance Act of 2018 (2018:1200).
The DIB may initiate investigations as a result of complaints filed with the authority or widely reported allegations of infringement. It also conducts annual supervisory audits of different sectors of society according to a supervisory plan that is revised annually. The DIB’s Annual Report for 2019 relates that the DIB initiated 51 new ongoing inspection matters during 2019 concerning the GDPR.
The DIB has the power to request access to personal data that is being processed by someone in its jurisdiction, including access to the premises of the processing. It may request information and documentation regarding the processing and regarding any security measures applied to the processing. The DIB may order that certain security measures shall be applied to the processing, and may prohibit a controller from processing personal data in any other manner than by storing it.
The administrative process before the DIB is governed by the Data Protection Act and the general provisions of The Administrative Procedure Act (2017:900). Decisions regarding orders or sanctions can, in accordance with DIB internal procedural rules, be taken by the case officer in charge, the head of department or by the director-general, depending on the gravity or importance of the decision. There is no requirement to submit a draft decision to the receiving party for comment prior to adopting it, but this has been known to happen in a small number of cases. Administrative fines may not be imposed unless the respondent has been given an opportunity to file its opposition within five years of the alleged breach. The data processor must be served any decision imposing an administrative fee.
The DIB’s decisions according to the GDPR and national provisions for administrative fees may be appealed to the Administrative Court. The process before the Administrative Court is almost exclusively a written procedure. The Administrative Court’s decision may also be appealed to The Administrative Court of Appeal, but this requires a review permit.
Sweden applies the principles of free sifting of evidence and free assessment of evidence. The administrative process is generally less stringent and typically adapted to the type of matter, as opposed to the legal standards applied in General Court proceedings. As a general rule however, in matters regarding administrative fees, the DIB and the courts will apply the legal standard of “proven” (styrkt).
Processing of personal data is primarily regulated through the GDPR, which is legislation of the supranational authority of the European Union (see 1.1 Laws). The GDPR is directly applicable before Swedish courts upon being promulgated by the EU legislature, without any further national adoption or procedure.
Sweden is a signatory to the European Convention on Human Rights (ECHR). As set out in 1.1 Laws, the ECHR has been incorporated into national legislation through the ECHR Act and may be invoked directly before Swedish courts.
The legislature has given the government the authority to issue ordinances supplementing the national law supplementing the GDPR. Under this ordinance, the Government has given the DIB the competence to issue regulations. With this competence, the DIB has issued a regulation regarding the processing of personal data having to do with criminal offences (DIFS 2018:2).
The GDPR gives data subjects the right to mandate certain kinds of duly constituted not-for-profit organisations to lodge complaints on their behalf. Furthermore, data subjects may also mandate such not-for-profit organisations to receive compensation on their behalf. While the GDPR authorises member states to adopt legislation that allows not-for-profit organisations to act without the data subjects’ mandate, Sweden has elected not to adopt such legislation.
The DIB has, so far, not published any approved codes of conduct pursuant to Article 40 GDPR. However, the DIB did approve several codes of conduct under the previous Data Protection Act for sectors such as municipalities and landlords. To the extent such codes have not been superseded, they may at least serve to provide guidance in their respective sectors.
Given the strict nature and general applicability of the GDPR, industry self-regulatory organisations play no decisive role in Sweden.
The rules on data protection in Sweden primarily consist of directly applicable EU legislation and are highly developed. The DIB has traditionally not demonstrated an aggressive approach to enforcement of data protection laws. As in most EU member states, however, the adoption of the GDPR created expectations that enforcement activities would become more aggressive. The investigative activities of the DIB have increased, but, as of February 2020, have not risen to the aggressive level initially expected.
The Swedish Data Protection Authority, the DIB, fined a municipality approximately EUR20,000 for its unlawful use of facial recognition technology to monitor the attendance of students in a municipally run school. The DIB concluded that using facial recognition technology to monitor student attendance violated several articles of the GDPR. Under the Data Protection Act, Swedish public authorities can receive a maximum fine of approximately EUR1 million. The school had based the processing on consent, but the DIB considered that consent was not a valid legal basis given the clear power imbalance between the data subjects and the controller.
The DIB issued an administrative fine against a website that published personal data of all Swedes above the age of 16 for infringement of the Credit Information Act and the GDPR. The administrative fine against the website was EUR35,000. The decision addressed the interplay between the legislative frameworks for credit information activity, data protection and the constitutional protection of freedom of expression. The website had also published information about records of criminal convictions. Such information is regulated by the GDPR and may not be published under the Credit Information Act without prior authorisation from the DIB.
The DIB revoked the authorisation for a company to conduct credit information activities. The reason was that the company provided information to the above-mentioned website in violation of the Credit Information Act.
One hot topic in Sweden currently concerns public authorities’ use of cloud services for storing information that is classified as secret under the Public Access to Information and Secrecy Act (2009:400). While the Act only applies to Swedish authorities and certain public entities, service providers to such authorities and entities may be indirectly affected through missed business opportunities. This topic is also related to the transfer of personal data to third countries under the mechanisms provided for by the GDPR (see below).
The DPA applies to those controllers of personal data that are established in Sweden. The DPA also applies to the processing of personal data performed by controllers or processors established only in countries outside the EU/EEA, if the processing concerns data subjects located in Sweden and is related to the offering of goods or services to those data subjects, or to the monitoring of their behaviour in Sweden.
The GDPR applies to the processing of personal data wholly or partly undertaken by automated means and to the processing, other than by automated means, of personal data which forms part of a filing system or is intended to form part of a filing system.
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a data controller or data processor within the EU, regardless of whether the processing takes place within the EU or not.
Data Protection Officers
In accordance with Article 37 of the GDPR, controllers and processors are required to appoint a data protection officer (DPO) where the processing is carried out by a public authority or other public body, or where the core activities of the controller or the processor consist of processing operations which – by virtue of their nature, their scope or their purposes – require regular and systematic monitoring of data subjects on a large scale, or finally, where the core activities of the controller or the processor consist of large-scale processing of sensitive personal data as categorised in Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
While the GDPR elaborates on the position and tasks of the data protection officer, the only explicit legal responsibility is to maintain the confidentiality requirement set out in the DPA. There is an ongoing debate in Sweden as to whether, and under what circumstances, a DPO can incur personal liability for his or her actions in the role. The possibility of personal liability has not been authoritatively ruled out.
Lawful Basis and Fundamental Principles for Processing
Under the GDPR, personal data may be processed only if a legal basis set out in Article 6 applies.
The DPA specifies that the GDPR does not apply if it contravenes the constitutional Freedom of the Press Act and the Fundamental Law on Freedom of Expression.
Personal data may be processed on the basis of Article 6(1)(c) or (e) of the GDPR if the processing is necessary for the personal data controller to comply with a legal obligation arising from a law or other regulation, collective labour market agreements or decisions issued under a law or other regulation, or as part of the data protection officer’s exercise of authority by a law or other constitution.
Personal data may also be processed on the basis of Article 6(1)(e) of the GDPR if the processing is necessary to perform a task of public interest arising from a law or other regulation, collective agreements or decisions issued pursuant to law or other constitution, or as part of the personal data officer’s exercise of authority by a law or other regulation.
The GDPR makes a distinction for the processing of special categories of personal data, labelled sensitive data under the DPA.
Special categories of personal data include those that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Sensitive personal data in the field of employment and social security and social protection law may be processed pursuant to Article 9(2)(b) of the GDPR if the processing is necessary for the data controller or the registrant to fulfil his or her obligations and exercise his or her special rights in the field of labour law and in social security and social protection.
Personal data thus processed may be disclosed to third parties only if there is an obligation for the data controller to do so or, in the field of social security and social protection, where the data subject has explicitly agreed to the disclosure.
Processing by a public authority of sensitive personal data that is necessary for reasons of substantial public interest is permitted if the information has been submitted to the authority and the processing is required by law, where the processing is necessary for the handling of a case, or otherwise, if processing is necessary in view of an important public interest and does not constitute an improper infringement of the personal privacy of the data subject. Chapter 3 of the DPA elaborates the circumstances under which special categories of personal data may be processed.
Privacy by Design and Privacy by Default
The European Data Protection Board has published draft Guidelines 4/2019 on Article 25 Data Protection by Design and by Default. The consultation closed on 16 January 2020 and the Guidelines are expected to be finalised during 2020. There has been no Swedish national guidance at this point, though DIB encourages the use of encryption for email of any sensitivity.
Privacy Impact Analyses
Data processors are required to perform privacy impact analyses where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons under Article 35 of the GDPR. This applies especially where the processing concerns a systematic and extensive evaluation of personal aspects of persons through automated decision-making producing legal effects, large-scale processing of sensitive data and large-scale monitoring of public places.
The DIB has published a list of cases in which an impact assessment is required. The list is available in English at https://www.datainspektionen.se/globalassets/dokument/beslut/list-regarding-data-protection-impact-assessments.pdf
There is no explicit national requirement, as such, to adopt internal or external privacy policies. The GDPR however integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and are able to demonstrate, on request, what they have done in this area and its effectiveness.
Data Subject Rights
Under Article 15 of the GDPR, the data subject has the right to obtain, from the controller, confirmation as to whether or not personal data concerning him or her is being processed, and, where this is the case, access to that personal data. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. The information shall be provided without undue delay and, in any event, within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
While the information shall, as a general rule, under Article 12, be provided free of charge, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs of providing the information or refusing to act on the request.
Information does not need, under the DPA, to be provided with regard to personal data in running text that had not been given its final wording when the request was made, or that comprises an aide-mémoire or similar. However, this does not apply if the data has been disclosed to a third party, if the data was only processed for historical, statistical or scientific purposes or, as regards running text that has not been given its final wording, if the data has been processed for a period longer than one year.
To the extent that it is specifically prescribed by a statute or other enactment, or by a decision that has been issued under an enactment that information may not be disclosed to the data subject, the right to information is curtailed. A controller of personal data that is not a public authority may, in a corresponding case as referred to in the Public Information and Secrecy Act (2009:400), refuse to provide information to the data subject.
Individuals have, under certain circumstances, under Articles 15 to 22 of the GDPR, the right to object to processing and to require rectification, blocking or erasure (as applicable) of personal data. The controller must also notify any third party to whom the data has been disclosed about the measure, unless this proves impossible or would involve a disproportionate effort.
The data subject is entitled, at any time, to revoke consent that has been given in those cases where the processing of personal data is only permitted on the basis of consent.
Anonymisation, De-identification and Pseudonymisation
Under Article 25 of the GDPR, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. Under Article 35 of the GDPR, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.
Data subjects are entitled to be informed of the occurrence of any automated decision-making. As a general rule, data subjects have the right not to be subject to automated decision-making, including profiling, if this can have legal consequences. However, there are exceptions for when such actions are necessary for the performance of a contract, are allowed by EU or member state law or where the data subject has given his or her consent.
Injury or Harm
The concepts of “injury” and “harm” are relevant for data protection laws before Swedish courts in that the data subject should be put in the same position as though no violation of the GDPR had occurred. Due to the difficulties in proving to what extent harm or injury was suffered, Swedish courts have adopted standard amounts. This practice was previously adopted for compensation to victims of crimes: in addition to compensation for loss of income, bodily harm, hospital fees etc., victims are also awarded standardised amounts for the violation in and of itself.
Some personal data is, by its nature, sensitive and hence needs stronger protection. Processing of sensitive personal data is forbidden but there are certain exceptions. Before processing sensitive personal data, the data processors must fully understand what lawful grounds they have for the processing. Sensitive personal data is data about racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, a person's sex life or sexual orientation, genetic data and biometric data that is used to uniquely identify a person.
Whether or not financial data is recognised as sensitive depends on the view of the data subject. Financial data is, by its nature, commonly regarded as sensitive and hence in need of stronger protection. Processing of financial data is therefore forbidden, but there are certain exceptions.
Financial data processed by financial institutions under the supervision of the Swedish Financial Supervisory Authority (SFSA) may be processed under the rule of lex specialis. Financial companies under the supervision of the SFSA have the right to process sensitive personal data, since special laws take precedence over the GDPR. The personal data of management personnel and employees is processed in order to determine whether these persons are suitable to provide advice to private individuals.
Personal data concerning health includes all data concerning the health status of a data subject which reveals information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify that natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test. The National Board of Health and Welfare (Socialstyrelsen) has adopted regulation HSLF-FS 2016:40 on keeping medical records and data protection in health care, together with extensive Guidelines to the regulation.
Privacy in the sector of electronic communications is governed by the Electronic Communications Act (2003:389), or ECA, implementing the e-Privacy Directive 2002/58/EC. The ECA applies to processing data in connection with the provision of publicly available electronic communications services in public communications networks. Providers must safeguard the security of their services. Traffic data must only be processed for billing, marketing of services and administration by third parties. Traffic data must be erased when no longer needed. Contents of voice calls or messages must not be accessed or monitored. However, courts, law enforcement and service providers preventing network abuse may access traffic data or contents of calls or messages in certain cases and for specific purposes.
Children have a higher level of protection with regard to their personal data, as they are less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of the personal data of children for the purposes of marketing or creating personality or user profiles, and to the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Internet, Streaming and Video Issues
Sweden passed the 2010 amendments to the EU electronic communications regulatory regime into law by an Act of the Riksdag on 17 May 2011. The new regulations came into force on 1 July 2011. Among the changes to the Electronic Communications Act (2003:389) was the updated "cookie regulation".
Chapter 6, Section 18 of the Electronic Communications Act states that information may be stored in or retrieved from a subscriber’s or user’s terminal equipment only if subscribers or users are provided with access to information on the purpose of the processing and consent to the processing. This does not apply to the storage or retrieval necessary for the transmission of an electronic message over an electronic communications network, or for the provision of a service explicitly requested by the subscriber or user.
The preparatory work to the new legislation emphasises that internet users should not be inconvenienced through cumbersome routines relating to the use of legitimate tools such as cookies. This work suggests that consent to cookies may be expressed through web browser settings, but stops short of explicitly stating that browser settings are sufficient.
The supervisory authority for the Electronic Communications Act, the Swedish Post and Telecom Authority (PTS), initiated an investigation in February 2014 into how cookies are used, writing to 16 organisations with popular websites (banks, media companies and public authorities) asking questions on cookie law compliance. Following extensive consultations with the concerned sites, the PTS, on 27 June 2016, closed the investigation without bringing any charges or imposing any sanctions. Guidance in the form of “soft law” has since been published by the PTS together with the Agency for Digital Government (DIGG) in the form of a dedicated website, https://webbriktlinjer.se/. DIGG has been responsible for the website since 1 January 2019.
The GDPR also applies to the use of cloud computing services; there is no regulation specific to such services. The DIB has issued guidance on the subject, a four-page pamphlet titled "Cloud services and the Personal Data Act" (also published in English). The guidance emphasises that whoever appoints a cloud provider is still a controller of personal data and that the controller must carry out a risk and impact assessment with regard to engaging the provider. The DIB reminds cloud service users that when processing sensitive personal data (eg, information about health), information about legal offences and secrecy-protected information, the DIB requires that strong authentication be used when transferring data in an open network and that the data shall be protected by encryption. When such information is processed, the requirement for access checks often means that the controller of personal data shall not only carry out checks for particular reasons but also regularly and systematically follow up who has had access to which information. The DIB also stresses the importance of entering into an adequate processor agreement that complies with DPA requirements. The DIB has previously raised objections to processor agreements used by Microsoft Azure and Google Apps services.
The Marketing Act (2008:486) has regulations on marketing by email, fax or telephone.
Under the Marketing Act, a trader may, in the course of marketing to a natural person, use email, a telefax or automatic calling device or any other similar automatic system for individual communication that is not operated by an individual, only if the natural person has consented to this in advance.
Where a trader has obtained details of a natural person’s email address in the context of a sale of a product to that person, the consent requirement shall not apply, provided that:
In marketing via email, the communication shall at all times contain a valid address to which the recipient can send a request that the marketing cease. This also applies to marketing to a legal person.
A trader may use methods for individual distance communication other than those referred to above, unless the natural person has clearly objected to the use of such methods.
Employers must research and identify legal grounds for the processing of personal data of their employees, for example the fulfilment of the employment agreement or compliance with legal obligations such as the need to submit information to the Tax Authority.
Laws and Considerations
Workplace privacy is not subject to any specific laws in Sweden. The processing of personal data in the workplace is governed by the general provisions of the GDPR. Two separate proposals for legislation on privacy in the workplace have been presented in government-commissioned reports since 2002, but have not, to date, led to legislation.
Monitoring Workplace Considerations
Employers are typically interested in collecting information regarding their employees to monitor performance, presence and compliance with policies, as well as to protect corporate security and guard against corporate espionage. The GDPR generally allows monitoring for such purposes where employers have a legitimate interest. However, employers must ensure that their legitimate interests are not overridden by the interests or fundamental rights of the employees.
Monitoring activities may include camera surveillance, reading employees’ emails, reviewing logs, etc.
Role of Labour Organisations
Swedish labour organisations enjoy a strong position in the workplace and the Swedish labour market is characterised by few labour disputes. Labour organisations therefore play an important role in asserting workers’ rights in general. However, Swedish data protection legislation does not give labour organisations any formal role.
Whistle-Blower Hotlines and Anonymous Reporting
Sweden has a long tradition of whistle-blower protection for persons giving information to publishers who enjoy constitutional protection under the Freedom of The Press Act. Public officials who investigate the identities of sources may face criminal liability and imprisonment. Reprisals against public servants for their giving of information to protected publishers are also criminal offences.
Whistle-blowers’ protection against actions from public authorities is not absolute, however. The Freedom of The Press Act contains an exclusive catalogue of criminal offences for which whistle-blowers may be held liable. This catalogue includes unlawful threat, defamation, incitement, agitation against an ethnic or national group, treason, espionage, incitement to war and unlawful possession of secret information. The Chancellor of Justice is the sole prosecutor for any acts committed where the Freedom of The Press Act applies.
In 2017, Sweden also adopted the Act (2016:749) on Reprisals Against Employees Who Raise The Alarm Against Grave Ills, which ensures employees and consultants in private companies protection when raising the alarm against actions in their employer’s business for which persons may face at least two years’ imprisonment. Employers may not carry out any reprisals against employees or consultants who raise the alarm internally, with a labour organisation or publicly. Employers may be liable for compensation to employees or consultants for any reprisals. Agreements waiving the whistle-blower law are void.
The Swedish government has commissioned a report to draft a proposal for the implementation of the EU Whistle-Blowing Directive (2019/1937), which is to be in force by 17 December 2021.
Swedish procedural law typically does not include a discovery process. The Procedural Code provides means for litigants to request and obtain documents from the other party, or third parties, if said documents may be of evidentiary value. However, the duty of disclosure is typically not invoked in most proceedings.
Sweden applies the principles of free sifting of evidence and free assessment of evidence. DIB enforcement activities are governed by administrative law. Claims for damages are tried by general courts. The administrative process is generally less stringent and typically adapted to the type of matter, as opposed to the legal standards applied in general court proceedings. As a general rule however, in matters regarding administrative fees the DIB and the courts will apply the legal standard of proven (styrkt).
The penalty fee for a public authority shall be determined up to a maximum of SEK5 million in the case of infringements referred to in Article 83(4) of the EU Data Protection Regulation, and up to a maximum of SEK10 million in the case of infringements referred to in Article 83(5) and 83(6) of the Regulation. Breaches of the GDPR or the DPA cannot lead to criminal penalties in Sweden, with the exception of a breach of secrecy or confidentiality by a data protection officer concerning the performance of his or her tasks.
Enforcement Cases and Major Cases
The Stockholm Administrative Court, in cases 8483-19, 8487-19 and 8489-19, which concerned Swedish Customs’ use of cameras to monitor cars rolling off ferries at three different ports, granted Swedish Customs’ appeal to allow it to process data captured by the cameras at a remote facility, rather than in the cameras themselves, which had been a condition of the DIB’s original permit. The appeal was granted because there was sufficient technical protection against unauthorised access and a strong interest in having the harbours monitored.
The laws applicable to law enforcement access to data for serious crimes are the Code of Judicial Procedure (1942:740), the Act on Measures to Prevent Serious Crimes (2007:979), the Act on Collection of Information Regarding Electronic Communications in The Law Enforcement Authorities’ Intelligence Activities (2012:718) and the Electronic Communications Act (2003:389). While not a law enforcement activity, the Swedish Armed Forces may collect data under the Act on Signals Intelligence in The Intelligence Activities of the Swedish Armed Forces (2008:717).
Secret Interception and Surveillance of Telecommunications
In the course of preliminary investigations, public prosecutors may apply for court authorisation to undertake secret interception of electronic communications (contents) or secret surveillance of electronic communications (metadata, geolocation, units present in a given area).
Interception and surveillance may concern the suspect’s phone number as well as the phone numbers of persons the suspect is highly likely to contact. Permits are granted when the suspicion rises to the level of reasonable grounds and it is of exceptional importance for the investigation of a serious crime.
Swedish Police, Security Services and Customs may intercept or monitor electronic communications in the course of their intelligence activities according to the Act on Collection of Information Regarding Electronic Communications in The Law Enforcement Authorities’ Intelligence Activities (2012:718).
The communications in question must concern serious crimes and the interception or monitoring must be of particular importance for the prosecution of such crimes. The intercepting or monitoring authorities were previously authorised to initiate such activities independently, but must, as of 1 October 2019, apply for a permit with the Prosecution Authority. The Security and Integrity Committee must be notified of the decision within one month of ceasing the activities.
The National Defence Radio Establishment intercepts and monitors electronic communications as signals intelligence under its specific charter, the Act on Signals Intelligence in Defence Intelligence Activities (2008:717). It operates according to its charter upon being given authorisation from the government or government offices, the armed forces, the Security Service and the National Operations Offices of the Police. Activities may only concern foreign threats such as military attacks, international terrorism, the development of weapons of mass destruction, serious threats against utilities, etc.
Wired collection may only take place for signals passing the borders of Sweden and in the networks of operators of public communications networks. Furthermore, only signals between parties outside of Sweden may be intercepted. The authority must seek authorisation from the Defence Intelligence Court before initiating interception and monitoring. Such authorisation is only given if formal requirements are met, no less intrusive measures are available, the intrusion is justified by the value of the sought-after information and the authorisation does not concern only one specific natural person.
Private entities processing personal data under the GDPR may not invoke requests from foreign governments as a legitimate interest for processing and transferring personal data. Private entities may rely on a specific legal basis for processing which is necessity to comply with a legal obligation. The legal obligation however must be laid down by EU law or member state law to which the entity is subject.
Public authorities processing personal data under the GDPR cannot rely on legitimate interests as a legal basis. Outside of the application of the GDPR, public authorities with responsibility for intelligence and law enforcement may rely on their statutory basis for collecting and transferring personal data.
Sweden does not participate in a Cloud Act agreement with the USA.
The law authorising the National Defence Radio Establishment received widespread criticism at the time of its adoption in 2009.
A European Union Directive (2018/1972) will authorise member states to enact legislation that extends the duty from operators of electronic communications networks to also concern providers of messaging apps such as Messenger, WhatsApp and Telegram. The current Swedish proposed legislation for transposing the EU Directive into national law does not extend the duty to such service providers. This has spawned a public debate regarding government access to private data and communications.
The GDPR provides a general prohibition against transferring personal data outside of the EU or the European Economic Area or EEA (so-called third countries). From this general prohibition the GDPR provides a set of exceptions (see 4.2 Mechanisms That Apply to International Data Transfers).
Sweden has adopted special national exceptions from the rules relating to, inter alia, restrictions on international transfers of personal data using the competence granted to member states in Articles 85 and 86 of the GDPR. The rules on international transfers of personal data therefore do not apply to the Freedom of The Press Act and the Fundamental Law on Freedom of Expression as well as processing of personal data in the field of journalism and in the course of academic, artistic or literary activities.
The GDPR offers a set of mechanisms to transfer personal data to third countries.
The GDPR offers a general authorisation of transfers of personal data to third countries or international organisations where the European Commission has decided that a third country, a territory or one or more specified sectors within that third country, or the organisation in question ensures an adequate level of protection. On 12 July 2016 the European Commission adopted an adequacy decision for transfers of personal data to the USA for commercial purposes ((EU) 2016/1250).
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to the Privacy Shield framework) as providing adequate protection. The European Commission has announced that adequacy talks are ongoing with South Korea.
It is currently debated, however, whether the European Union Court of Justice (CJEU) may invalidate the Privacy Shield as it did with its predecessor, Safe Harbour.
Where there is no adequacy decision, personal data may still be transferred to a third country or an international organisation when the transferring party has provided appropriate safeguards and there are enforceable data subject rights and effective legal remedies available to data subjects.
The GDPR considers appropriate safeguards to include legally binding instruments between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by the Commission, an approved code of conduct, and an approved certification mechanism.
Groups of undertakings or groups of enterprises engaged in economic activity with establishments in third countries may seek the approval for binding corporate rules to allow the transfer of personal data between their establishments.
As with the European Commission adequacy decisions, there are also ongoing discussions regarding the validity of the standard contractual clauses. There is a case pending before the CJEU regarding the validity of such clauses.
Derogations for Specific Situations
In the absence of adequacy decisions or appropriate safeguards, transfers to third countries may be allowed if the data subject has consented after having been informed of the possible risks and if the transfer is necessary for, eg, conclusion or performance of certain contracts or making legal claims.
Swedish law does not require any government notifications for transferring data internationally.
The general rule under the GDPR is that data must be localised to the EU/EEA, unless transfers to third countries are permitted as set out in 4.2 Mechanisms That Apply to International Data Transfers. Within the EU/EEA, the GDPR ensures the free flow of data. There are no Swedish rules concerning the localisation of data. There is however an ongoing public debate regarding whether storing classified data with entities under the jurisdiction of the United States may be contrary to national secrecy laws.
Swedish law does not require any sharing of code, algorithms or similar technical details with the government.
The limitations and considerations that apply to organisations in connection with foreign data requests, foreign litigation and internal investigations carried out partially outside of the EU/EEA are the same as set out in 4.2 Mechanisms That Apply to International Data Transfers.
In the case of an internal investigation carried out exclusively inside the EU/EEA, such an investigation is primarily limited by the question of whether there is a legal basis for processing. An internal investigation would conceivably rest on either the need to defend or assert legal rights or claims, or finding a legitimate interest that overrides the interests of the data subjects in question.
Sweden has transposed the so-called Copyright Directive or Information Society Directive (InfoSoc) through the Copyright Act (1960:729). The Copyright Directive, and thus the Copyright Act, contains exceptions for transient reproductions of copyrighted works without independent economic value that occur on a network between third parties. However, rights-holders may secure injunctions against intermediaries (ie, internet service providers (ISPs)) if their services are used by a third party to infringe on copyrights or related rights. Most famously, rights-holders have secured injunctions against several Swedish ISPs forbidding their continued complicity in the Pirate Bay’s ongoing infringement. In practice, such injunctions against ISPs constitute blocking orders.
The EU has adopted a blocking statute regarding the extra-territorial application of certain third country laws to protect EU operators engaged in lawful international trade, movement of capital and related commercial activities (Council regulation (EC) 2271/96). Operators may rely on the blocking statute to nullify the legal effects of blocked laws and recover damages caused by the application of such laws. Currently, the only third countries covered by the blocking statute are Cuba and Iran (Commission delegated regulation (EU) 2018/1100).
The Union for Professionals (Akademikerförbundet SSR) has lodged a complaint with the Parliamentary Ombudsmen (Justitieombudsmannen) regarding the municipality of Trelleborg’s use of automated decision-making for applications for welfare assistance. Several municipalities use such systems to support decision-making, but according to the complaint Trelleborg actually has the system take the decision to allow or reject the application.
The DIB has fined a municipality approximately EUR20,000 for the use of facial recognition technology to monitor the attendance of students in school. The DIB concluded that the use of facial recognition technology to monitor attendance of students in school violated several articles of the GDPR. In Sweden public authorities can receive a maximum fine of approximately EUR1 million. The school had based the processing on consent, but the DIB considered that consent was not a valid legal basis given the clear power imbalance between the data subjects and the controller. For more information, see 1.7 Key Developments.
The Swedish Supreme Administrative Court found, in a 2016 ruling, that the use of camera-carrying drones was equivalent to CCTV-surveillance, which under the then-relevant legislation required a permit with regard to places to which the general public had access. Under the GDPR and present camera surveillance regulation, private-sector users no longer require a permit to fly a drone that carries a camera, but must ensure that any ensuing data processing complies with the GDPR. Public authorities and organisations whose operations are in the service of a public interest (such as healthcare, education, public transport) require a permit to carry out camera surveillance.
Protocols for digital governance or fair data practice review boards or committees are uncommon in Sweden.
Please see 1.7 Key Developments, 2.5 Enforcement and Litigation and 5.1 Addressing Current Issues in Law.
The due diligence process of reviewing information typically involves the processing of personal data. There is no Swedish regulation concerning due diligence in corporate transactions as such. While the onus of the process falls on the prospective purchaser, it is not a legal requirement of the kind that would provide a legal basis under the GDPR for the processing. Any legal basis will therefore need to rely on the balancing of interests under Article 6.1 (f) of the GDPR. The outcome of such balancing will benefit from privacy-supporting measures such as limiting the amount of personal data processed, pseudonymisation and anonymisation of personal data where feasible, in conjunction with stringent non-disclosure commitments. Any transfer of personal data outside the EU is subject to the special restrictions on international transfers. Meeting the information and transparency requirements with regard to the data subjects whose data is processed in the context of a due diligence is a challenge which may be mitigated through the data protection policies of the corporate entities concerned.
The SFSA's guidelines (FFFS 2018:5) on reporting of events of material significance suggest undertakings should immediately report events that could lead to significant financial loss for a large number of customers and events that could lead to a considerable loss of reputation for the undertaking.
The events in question may include, for example, that
Providers of payment services are required to report serious operational incidents and security incidents to the Authority under the Guidelines (FFS 2018:4).
The Swedish Civil Contingencies Agency (MSB) has reporting requirements regarding information security incidents under regulation (MSBFS 2018:7) for providers of services of critical importance to society.
The DIB published a report in January 2020 detailing its investigation into the large number of complaints filed with the DIB regarding sites providing information on personal data regarding many or most residents in Sweden. These sites publish data such as names, detailed addresses and other contact information, date of birth, gender, estimated value of residence, previous addresses, whether other persons live at the same address, if the person is a registered board member of a company, motor vehicle ownership, etc.
The sites who disclose this personal data have typically applied for a Certificate of Publication from the Swedish Press and Broadcasting Authority. The publishing certificate provides the same constitutional protection of freedom of expression as mass media companies have for their online publications. Through the Certificate, online information services are exempted from the GDPR.
Less than a year after the GDPR entered into force, the DIB had received some 750 complaints from the public regarding the processing of personal data by the sites thus protected. A government commission has been tasked with reviewing whether there is a need to restrict the constitutional protection presently afforded to these information sites.