Data Protection & Privacy 2024

Last Updated February 13, 2024

Sweden

Trends and Developments


Authors



Gernandt & Danielsson offers bespoke advice on data protection regulation, including considerations involving other areas of regulatory compliance, such as the financial regulatory landscape, in order to ensure a holistic approach. The firm acts for domestic and international clients on data protection issues, compliance work and data breaches. It is very strong on large transactional matters and the team provides transactional data protection advice, including data protection due diligence and audits.

Data Protection in Sweden: An Overview

General trends

In recent years, there has been a significant evolution in Sweden’s approach to data protection. The rapid advancement of technology, increased digitalisation across industries, and a growing awareness of the individual’s right to privacy are the main drivers of this development. As Sweden is a member of the European Union (EU), its data protection regime consists of the General Data Protection Regulation (GDPR) and the national laws that supplement it.

This update highlights some of the most prominent trends in Sweden. The first concerns the increased focus on cybersecurity from a data protection perspective and the role of data protection officers in Sweden. The second concerns technical advancements and the interplay between AI and data protection, including examples of ongoing initiatives in Sweden. Thirdly, Swedish developments concerning the processing of personal data relating to criminal convictions and offences are presented.

Cybersecurity From a Data Protection Perspective

Malicious attacks

Sweden is currently experiencing an increased focus on cybersecurity measures, for several reasons. One is the EU data and cyber-regulatory developments expected to enter into force during 2024 and 2025. Beyond that, we have noted that the changed security situation, with the war in Ukraine, Sweden’s application for membership in NATO, the Quran burnings in Sweden, and a terrorist threat level currently set at four out of five (level four denotes a high threat), has led organisations to prioritise and invest in cybersecurity frameworks to safeguard information. As Swedish authorities and news headlines continue to highlight the changed security situation, we have also noted a general increase in awareness of cybersecurity threats among individuals. As recently as January 2024, Swedish authorities and media reported on a major ransomware attack on a large data centre in Sweden, which affected several Swedish authorities and organisations. Although it is too early to analyse the impact of that attack, especially from a personal data perspective, it will likely reinforce the priority organisations give to investment in cybersecurity measures for the foreseeable future.

In 2023, the Swedish Authority for Privacy Protection (IMY) (Integritetsskyddsmyndigheten) issued a national overview of personal data breaches with a specific examination of malicious attacks, as the GDPR defines them. IMY states that it received 5,331 reports of personal data breaches during 2022, of which 341 related to malicious attacks. Interestingly, IMY’s figures show that reported malicious attacks decreased in 2022 compared with the previous year, despite the changed security situation in Sweden. The reasons for the decline may vary; one possibility is under-reporting by affected organisations, while a more optimistic reading is that cybersecurity awareness and resilience have improved. Breach notification statistics measure what is reported, not what occurs, so the decline should be read with that caveat. In any event, the cybersecurity landscape is constantly evolving and organisations must keep pace with ongoing developments. For continued resilience in cybersecurity matters, Data Protection Officers (DPOs) naturally play a crucial role.

The role of DPOs

The GDPR requires certain organisations to appoint a DPO to monitor compliance with the applicable data protection rules. During 2023, IMY evaluated how effective DPOs are in influencing their organisations’ data protection performance. The survey includes responses from DPOs in over 800 organisations, corresponding to approximately two out of ten organisations that have registered a DPO. Despite the low number of respondents, the survey still highlights a general need for Swedish organisations to invest in continuous and systematic data protection work.

The survey identifies challenges faced by DPOs in their daily work. One significant challenge is the general lack of maturity and knowledge about data protection issues within organisations. Another is the general lack of time allocated to data protection matters. It is rather unusual for a DPO to dedicate most of their working time to data protection, and only half of the DPOs report having sufficient allocated time to work effectively with it.

Moreover, DPOs face organisational challenges and a general lack of support within their organisations. While there has been progress in understanding and implementing the GDPR in Swedish organisations, only four out of ten DPOs report that their management prioritises data protection issues. Furthermore, organisations seem to fail to implement continuous and systematic data protection workflows, as only four out of ten DPOs report that their organisation works continuously and systematically with data protection.

To give an illustration, IMY recently issued a decision against the insurance company Trygg-Hansa (previously Moderna Försäkringar) over severe security flaws. The flaws resulted in personal data contained in insurance documents concerning 650,000 customers being accessible over the internet to unauthorised individuals. Given the nature of insurance documents, some contained sensitive personal data, including information about health. IMY imposed an administrative fine of SEK35 million on Trygg-Hansa, concluding that the company had not taken appropriate technical measures to ensure a level of security appropriate to the risks. The flaws were of such a fundamental nature that they should have been detected and addressed before the system went into operation, for instance through security testing as part of the release process. With continuous and systematic data protection workflows, the flaws could have been avoided.

The DPOs’ responses make it apparent that organisations need not only to review the internal support given to the DPO, but also to evaluate whether the organisation as such works effectively with continuous and systematic data protection. In our view, organisations must clearly distinguish the tasks of a DPO from the responsibilities of the controller and processor, which makes this a management and governance matter. A common misconception is that the DPO is responsible for the entire organisation’s data protection compliance; in fact, the DPO’s responsibility extends to monitoring that compliance. A DPO neither determines the purposes and means of processing nor makes management decisions. Therefore, for data protection to be implemented effectively, management needs to take responsibility for implementing privacy frameworks and integrating systematic data protection into the organisation. Failure to carry out systematic and continuous data protection work in practice exposes the organisation to the risk of non-compliance with the GDPR, for instance by failing to maintain an adequate level of security for personal data over time.

This is important not only from a data protection perspective but also from a cybersecurity perspective. Active prioritisation of data protection matters within the organisation is a necessity for good data protection performance and requires management attention. In light of the rapidly developing cybersecurity and regulatory landscape, strengthened data protection governance is fundamental to ensuring an adequate level of protection for personal data and to securing it against cyber threats and data breaches.

AI

AI in general

Sweden is no exception to the increasing global interest in AI. The use and integration of AI in various sectors raises significant data protection concerns, which need to be evaluated case by case. One of the foremost challenges is to understand the impact of the GDPR on AI and vice versa. Close collaboration between technical and legal professionals is crucial to ensuring that new AI technology is deployed in a way that is compliant from a data protection perspective. IMY has been actively addressing the emerging challenges of new AI technology through a regulatory sandbox pilot, which examines the use of AI in relation to the data protection rules and is described further below.

IMY’s regulatory sandbox pilot

The main objective of IMY’s regulatory sandbox initiative is to enable collaboration between innovators and regulators. Together, they interpret how the rules can work in practice with innovative products and services. The purpose of the sandbox is for IMY to provide guidance through workshops and thereafter make the results public. The first regulatory sandbox pilot (the “Pilot”) involved two healthcare providers aiming to evaluate the possibilities of jointly training and exchanging machine learning models. AI Sweden, the Swedish national centre for applied AI, also supported the work.

The published results of the Pilot include IMY’s reasoning on the appropriate legal basis for such processing activities, the data processing roles of the parties, and other matters relevant from an AI and data protection perspective, together with IMY’s reflections on how AI and other new technologies can be used while ensuring compliance with the GDPR. IMY highlights the particular need for cross-functional collaboration when it comes to the use of AI. Both the regulatory and the technical aspects are highly complex, especially when put into practice, and close collaboration between technical and legal professionals is crucial for success. In the same way that technical staff need to educate legal professionals on how the technology functions, legal professionals need to develop good pedagogical skills to explain the fundamental principles of data protection and how they should be applied. Further regulatory sandbox projects are expected during 2024.

Personal Data Relating to Criminal Convictions and Offences

Article 10 in general

Article 10 of the GDPR concerns the processing of personal data relating to criminal convictions and offences. In Sweden, the general rule is that such personal data may only be processed by public authorities. The legal bases for organisations other than public authorities to process personal data of this nature are limited to cases where processing is permitted under the Swedish constitution or by lex specialis, or where it is necessary to establish legal claims or fulfil legal obligations. In addition, IMY has the authority to grant organisations permission to process personal data relating to criminal offences. In this section, we highlight two important developments led by IMY that are relevant to personal data relating to criminal convictions and offences in Sweden.

Interpretation of Article 10

The first development is IMY’s regulatory statement clarifying its interpretation of Article 10 of the GDPR. According to IMY, Article 10 applies to information that discloses whether a person is or has been the subject of a police report, preliminary investigation, prosecution or proceedings in a criminal case. This includes acquittals, that is, cases where a person has been cleared of the charges. IMY’s statement further clarifies that information indicating that a natural person has been, or may have been, suspected of a specific crime can fall within the scope of Article 10, regardless of whether legal proceedings have been initiated. However, this does not extend to any and all information: there is a threshold of specificity that must be met. IMY also clarifies that observations or passive recordings of events in which the objective criteria for a crime may be met are normally not considered processing of personal data relating to criminal convictions and offences. Put simply, if a surveillance camera captures a robbery through the passive recording of an area, this is generally not processing under Article 10 of the GDPR. If, on the other hand, the sequence of events is later extracted for the purpose of legal action, it falls within the scope of Article 10.

Checks against sanction lists

The second development is IMY’s newly proposed regulation aimed at facilitating the processing of personal data relating to criminal convictions and offences by certain sectors. Organisations in the financial sector and the defence industry frequently need to screen against various international sanction lists, for example those issued by OFAC, OFSI and the EU, for compliance reasons. IMY has received a large number of applications for permission to process such personal data, both from organisations seeking to comply with anti-money laundering and terrorist financing obligations and from organisations involved in the export of dual-use goods or military equipment seeking to adhere to international export restrictions.

The processing of personal data relating to criminal convictions and offences is to some extent permissible under the Swedish Money Laundering and Terrorist Financing (Prevention) Act (Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism), to the extent necessary to assess and manage the risks associated with a customer relationship. However, that Act provides no explicit legal basis for screening against sanction lists. As a consequence, unless such screening is authorised by other applicable law, for example an EU regulation, organisations in Sweden have had to seek specific permission from IMY in order to screen against sanction lists, since those lists may contain information about criminal offences.

The proposed regulation will provide a legal basis for certain organisations that provide financial services and are subject to anti-money laundering and terrorist financing rules, and for certain organisations involved in the export of dual-use goods or military equipment, to process personal data for sanction list screening under certain conditions. These conditions include that the sanction list must be democratically established and publicly available on official websites, and that the organisation must implement protective measures to distinguish genuine matches from false ones. The scope of the processing is limited to specified categories of individuals associated with the organisation.

The proposed regulation aims to remove the need for an individual application process for these organisations and thereby reduce the administrative burden on both applicants and IMY.

Gernandt & Danielsson

Hamngatan 2
111 47 Stockholm
Sweden

+46 8 670 66 00

+46 8 662 61 01

info@gda.se
www.gda.se
