Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Sweden implements the EU Data Protection Directive [1998] PLBIRp 35; (1998) 46 Privacy Laws and Business International Report 7

Sweden’s new law places emphasis on consent

SWEDEN’S NEW DATA PROTECTION LAW, implementing the EU Data Protection Directive, entered into force on 24th October. The new law, which replaces the

25-year old Data Protection Act, shifts the emphasis from registers to the processing of data and individual consent.

The old, 1973 law (Datalag 1973:289), is the world’s first national data pro- tection law. Only the German region of Hessen had legislated before that. Although the Swedish law was amended in 1982, it is now clearly in need of updating. Drafting the new law to follow the directive’s provisions posed some challenges due to Sweden’s strong tra- dition of open government. The 1998 Board for the processing of that data. The board informed the municipality that, according to the 1973 data pro- tection law, permission was required because the minutes were stored in a database which formed a register of personal data. The board also remind- ed the municipality that the right of access to official documents held by public authorities applies only to information released on paper been appointed until the end of

March 1999, will take.

CUTTING BUREAUCRACY BY SIMPLIFYING NOTIFICATION

The law’s scope includes processing of personal data which is “partly or wholly automatised.” In addition, the law applies to manual records that form part of a structured register which can be searched by certain cri-

law (Personuppgifslag 1998:204) published on 29th April, does not teria. Processing for purely personal use, for example, storing e-mai

undermine individuals’ constitutional access rights to official documents, or the freedom of the press. These constitutional rights take precedence if conflicts arise.

DEBATE ABOUT THE INTERNET The relationship between freedom of information and data protection has recently faced new dilemmas because of the Internet. The Data Inspection Board has asked whether public authorities be allowed to publish offi- cial documents on the Internet if they include personal data. A heated dis- cussion on the matter started when a Swedish municipality released meeting minutes containing personal information on its website at the beginning of the year. The informa- tion included names, addresses and even personal identification numbers

(PINS). The municipality had taken the view that a citizens’ right of access to public information prevailed over the protection of personal data, and, therefore, it was not necessary to seek permission from the Data Inspection

According to a narrow interpretation of the law, discussion groups on the Internet would be unlawful...

The Government is now consider- ing updating the rules on access to public information so that they also specifically apply to the Internet. At the same time, the Government recognises that personal data needs to be protected.

In the meantime, the debate on the protection of personal data on the Internet continues. According to a narrow interpretation of the law, discussion groups on the Internet would be unlawful, as they gather lists of names and e-mail addresses. It remains to be seen what position the acting Data Protection Commissioner of Sweden, Ulf Widebä ck, who has

addresses for private rather than pro- fessonal use, is not included.

The emphasis of the 1998 law is now clearly on processing of personal data rather than on registers as in the

1973 law. The old law required that anyone who intended to process personal data had to obtain a licence from the Data Inspection Board. This requirement is now replaced with an obligation to notify (register).

However, there are exemptions. Notification is not required from companies and organisations that have appointed an internal data pro- tection supervisor. The appointment of these officials has occurred as a result of the EU Data Protection Directive (95/46/EC). The system has been developed in Germany, where internal data protection supervisors in many companies oversee their data processing practices to ensure that they comply with the law.

In October, the Data Inspection Board introduced another exemption from notification. The exemption applies to situations where a data controller has obtained an individual’s consent, or where the data is a club or society membership register kept by the data controller.

SPECIAL RULES ON ID-NUMBERS Because of the wide use of the per- sonal identification number, there are special rules governing its processing. As with the previous law, use of a PIN is only allowed if it is necessary for the purpose of processing, for reli- able identification or another significant reason. The use of personal data for direct marketing is forbidden if the data subject has objected in writing. Other rules on processing include restrictions on sensitive data, such as trade union membership or ethnic origin. Sensitive data may be processed, however, with the consent of the data subject.

ACCESS FREE OF CHARGE

The data controllers are obliged to provide access to data free of charge, once a year. The information must be provided within a month. The con- trollers also need to inform data subjects at their own initiative about the use of their data, in particular, when the data is collected directly from the data subject. There are heavy penalties for not complying with the law, the maximum penalty

being up to two years imprisonment in serious cases. More generally, data controllers are obliged to pay com- pensation if individuals have suffered damage as a result of not complying with the law.

DATA FLOWS STILL POSSIBLE TO CONVENTION 108 COUNTRIES Sweden has a special detail in the new provisions on transborder data flows to countries outside the European Economic Area (EEA – EU countries

+ Norway, Iceland and Liechtenstein). The law states that transfers of data are allowed to coun- tries that have ratified the Council of Europe Convention 108. This rule, which is also being considered by the EU Data Protection Working Party assessing requirements for adequacy, is stated in the 1973 law.

The fact that the rule stays is good news for countries where Convention

108 is already in force, such as Hungary and Slovenia, and is perhaps a small incentive for other East European countries to ratify it. However, the Swedish model should not create a loophole. Data from Sweden is allowed to be processed only in the destination countries, and cannot be further transferred without adequate protections. In order to transfer data to third countries, contracts can be used.

TRANSITIONAL PERIOD FOR CURRENT PROCESSING

The law came into force on 24th October, but any processing already under way will benefit from a transi- tional period until 30th September

2001. New provisions on the process- ing of manual data started before

24th October 1998, apply from 1st October 2007 onwards. The new law is a framework that still needs more precise rules. The Government and the Data Inspection Board will prepare more detailed rules, for example, on information to be sub- mitted to data subjects as a result of a subject access request, and on the processing of personal identification numbers.

The Personal Data Act

(1998:204)

is available on the Internet

(in Swedish) at

http://rixlex.riksdagen.se.