Law Library Stacks

*A 2017 updated version of this report is available

Sweden was the first country to enact a comprehensive statute regulating privacy online. Swedish legislation focuses primarily on protecting integrity and regulating the use of personal data by the government or private users without consent, rather than on private companies to which the individual has provided personal information. Even if consent is given for the use of personal information, this consent may be revoked at any time. Unsolicited advertisements are permissible provided that the recipient has not expressly stated that he or she does not want this form of advertisement.

I. Legal Framework

Sweden was the first country in the world to enact a comprehensive statute to protect the privacy of personal data on computers when it adopted the Data Act in 1973.[1]

Certain personal freedoms, including the right to protection of personal data, are also found in the Swedish Constitution. The Swedish Constitution consists of four parts, Regeringsformen (RF) (Instrument of Government), Tryckfrihetsförordningen (TF) (Freedom of the Press Act), Yttrandefrihetslagen (YGL) (Freedom of Expression Act), and Successionsordningen (SO) (Act of Succession). Following changes to the RF in 2010, which entered into force on January 1, 2011, chapter 2, article 6 now states that every individual is protected from the public against intrusions in his or her personal integrity, if such an intrusion takes place without the approval of the individual and consists of surveillance or monitoring of the individual.[2] Prior to these amendments, it was expressly stated in the Constitution that “every citizen shall be protected to the extent specified in law, against any violation of personal integrity resulting from the registration of personal information by automatic data processing.”[3] However, when revising the Constitution, the government found this regulation superfluous since it did not provide any right beyond what was already provided by statute.[4] The regulation was interpreted to mean only that the legislature had to keep any form of personal right regarding the private integrity for automatic data processing as part of current law.[5] The Article was removed because such protection can be found in the Personuppgiftslag [Personal Data Act] (PUL).[6]

As a general rule, the same protection applies to both Swedish citizens and foreigners, pursuant to RF chapter 2, section 25.

Subsequent to the 1973 enactment of the Data Act, Sweden joined the EU in 1995 and became bound by its legislation, including Directive 95/46 and Directive 2002/58. Directive 95/46 was transposed by amending the PUL in 1998. The PUL is the general legislation for protection of personal information such as personal identification numbers, health records, and the like. By amending the Personal Data Act to more clearly include personal data online, the parliament also decided to replace the Data Act that was then in place. The new legislation was quickly found to be inadequate by the parliament, as it was too restrictive on private individuals with private blogs, and upon motions from several parliament members an investigation was initiated in 1999.[7] These efforts included lobbying for a new EU Directive.[8]

Sweden has transposed EU Directive 2002/58 in two pieces of legislation. The main piece of legislation is the lag om elektronisk kommunikation (SFS 2003:389) (Electronic Communications Act), which entered into force in 2003. In addition, the Swedish legislature has amended the PUL to make it conform with Directive 2002/58. The Electronic Communications Act is lex specialis to the PUL, which means that where there is a conflict, the Electronic Communications Act should apply, but where the Electronic Communications Act is inapplicable, the more general terms of the PUL govern.[9]

An important distinction exists between privacy laws and the Swedish approach of protecting the personal integrity of its citizens.[10] Swedish privacy legislation focuses on the use by others of personal and sensitive information online, and not on the individual’s right to privacy when he or she acts online, i.e., the right to be anonymous online.[11]

II. Current Law

When Sweden implemented the first EU Directive (95/46), almost all use of personal data became a violation, including what in current legislation is referred to as harmless information.

It was sufficient that someone (with great effort) could find out the identity of a person mentioned in an online publication (i.e., blogpost, public chatroom, newsletter, webpage, etc.). One example is that Carl Bildt (now the foreign minister of Sweden) reported his own newsletter’s violations to the Data Inspection Board because he named people without their express consent.[12] Today the legislation allows for the use of common knowledge information, and permits private citizens to disclose information about others if it is not considered sensitive in nature.[13]

A. Personal Data Act (PUL)

The general principle for publication and use of any personal data is that the user must first obtain the express consent from the person mentioned.[14] However, there are certain situations where such consent is not required. Consent is not required when processing information is necessary to fulfill an agreement between the data subject and the publisher, to complete an undertaking the data subject requested, to fulfill a legal requirement, to ensure that vital interests of the data subject shall be protected, to fulfill the public interest, or to complete a government action. It is also not required when a recognized interest of the publisher of the information outweighs the interest of the data subject in protection against personal integrity violations.[15] Certain sensitive information may not be published unless it falls within an explicit exception, i.e., consent or publication by the data subject, necessity, use by non-profit organizations in their internal operations only, use by health providers, or use for research and statistical purposes only.[16]

Consent

Consent to any use of personal data that requires express consent may be revoked at any time.[17] However, if use is expressly permitted despite lack of consent, the data subject cannot demand that the information be withdrawn.[18]

Unsolicited Advertisement

If the person whose information is being registered has, in writing, asked to be excluded from any direct advertisement, his or her information may not be used for that purpose.[19] Conversely, if no such objection has been filed, it is permissible to use personal data for personally directed (targeted) advertisements.

The Data Inspection Board, Sweden’s enforcement agency for privacy rights, has attempted to specify when unsolicited advertisements are permissible without the express consent of the recipient.[20] Unsolicited advertisement is also governed by Marknadsföringslagen (the Marketing Act)[21] and through self-regulation by the Swedish advertising industry, whose trade association, SWEDMA, has published guidelines on the use of personal data in direct marketing.

Protection of Minors

The protection of minors is not specifically mentioned in the PUL. However, the Data Inspection Board has found that the use of personal information of children under the age of 13 requires consent from the parent of the child.[22] It is thus not sufficient that a child under 13 consents to the treatment of his or her personal information.

Security Measures

Section 31 of the PUL states that

[a] person or corporation that harbors personal information must take appropriate technical and organizational precautions to protect the personal data which is processed. These measures shall ensure a security level that is appropriate considering:

  a) The technical measures available
  b) The cost of the measures
  c) The specific risks involved in the processing of the personal data.

In addition, section 31 provides that the individual or corporation supplying a data subject’s personal information has the responsibility to ensure that the processor of the personal information treats the information in a satisfactory manner.

B. Electronic Communications Act (LEK)

The Electronic Communications Act is mostly concerned with access to the Internet via Internet providers, fair use, competition and pricing.[23] However, chapter 6 deals with traffic information and integrity protection.[24] It includes provisions concerning security measures, information requirements and storage of traffic information.

LEK chapter 6, section 3 requires that a service provider that processes personal data ensure that such data is protected.[25] The level of technical and organizational security is required to be proportional to the risk to the personal data.[26]

Traffic information or information regarding a user may not be kept longer than necessary to provide access to the service.[27] As soon as it is no longer needed all identification information should be stripped.[28] Information required to be kept under data retention provisions in crime prevention legislation may be kept longer.[29] Information may not be monitored by the service provider.[30] The service provider must inform the user what traffic information it retains, for what purpose and for what period of time.[31]

Limits on Geographical Data

Chapter 6, section 9 of the Electronic Communications Act (LEK) provides that only geographical data that is necessary for the function of an agreed service or otherwise specifically consented to by the user may be used by the service provider. The information may not be stored by the service provider longer than is necessary to provide the service to the user.[32] This regulation is primarily focused on GPS functions.

Safeguards Against Data Collection by Smartphone Applications

The same provisions regarding personal data collection apply to smartphone applications, i.e., they must comply with the PUL and the LEK.

C. Cookies

One of the new provisions that came into force with implementation of EU Directive 2002/58 was a requirement to inform users and receive their permission for the use of cookies on a website. Cookies are used to transfer information between the website and the user, allowing for a more efficient use of the website. LEK chapter 6, section 18 provides that no information may be stored or withdrawn from a user’s computer without his or her express consent. This means that all Swedish websites must provide information regarding the use of cookies, its purposes, and the duration cookies are saved on the user’s computer.[33] This specific provision entered into force on July 1, 2011, and has been heavily debated. It has been argued that to ask whether the user accepts cookies requires a website to save a cookie on the user’s computer, possibly resulting in the website breaking the law by attempting to follow it.[34]

D. Data Protection Agencies

There are two main data protection agencies in Sweden. The government delegates the division of responsibility between the two agencies. The statutory mandates for the enforcement agencies are found in the relevant legislation, i.e., the Electronic Communications Act (chapter 1, section 3) and the Personal Data Act (PUL sections 20, 21, 35, 36 and 50). For more detail please see section III below.

E. Remedies & Sanctions

Personal Data Act

PUL section 48 regulates when and how an injured party may obtain monetary damages from a company or person that has used and published personal information in a manner inconsistent with the PUL.[35] To receive compensation there must have been damage to the data subject and a violation of his or her personal integrity.[36] The amount of damages can be reduced if the respondent can show that the violation was not his or her fault.[37] The data subject also has a right to demand that the respondents cease using the personal information.

The PUL provides for a variety of sanctions ranging from a fine to two years’ imprisonment, depending on the severity of the crime.[38] These crimes include providing false information to the enforcement agency, misusing personal information, transferring personal information to a third country, and failure to report automatic processing of personal data. The provisions of the PUL that are sanctioned are listed in section 49; the sole sanction for any provision not mentioned in PUL section 49 is damages in accordance with PUL section 48. In cases of minor violations of the provisions in PUL section 49, no sanctions are awarded.[39]

Electronic Communications Act

LEK chapter 6, section 2 provides that the same sanctions for personal information violations apply under the LEK as under the PUL.[40]

F. International Jurisdiction

The PUL and the LEK only apply to companies that are based or established in Sweden. However, the general criminal jurisdiction is broader. In accordance with the territorial principle of Penal Code chapter 2, section 1, crimes that are conducted in or can be presumed to be conducted in Sweden shall be governed in accordance with Swedish law. Even if the crime is conducted abroad, it shall be governed by Swedish law when it is carried out by a Swedish citizen or resident. However, Swedish legislation does not hold Internet service providers responsible for violations on websites, but rather holds the person publishing the personal information responsible.

III. Role of Data Protection Agencies

As noted above, Sweden has separate data protection agencies that ensure the implementation and enforcement of the LEK and compliance with the PUL. The main agencies are Datainspektionen, which is responsible for compliance with the PUL, and Post- och telestyrelsen (PTS), which is responsible for compliance with the LEK.[41]

A. Datainspektionen (Data Inspection Board)

The Datainspektionen (Data Inspection Board) was first established in 1973 pursuant to the Data Act. It is an independent government agency which both issues permits and oversees the enforcement of relevant provisions.[42] As the regulation of personal data has changed, so has the authority of the Data Inspection Board, and following 2001 this authority has expanded.[43] Its overarching mandate is to “protect the individual's privacy in the information society without unnecessarily preventing or complicating the use of new technology.”[44] The Board oversees compliance with four large pieces of legislation: the PUL, the Debt Recovery Act,[45] the Credit Information Act,[46] and the Patient Data Act.[47] Of these, only the PUL is covered in this report.

In addition, the Data Inspection Board also issues general guidance that is not binding on the user but that suggests means to comply with the binding regulations of the PUL.[48] The Data Inspection Board has also issued its own regulations.[49] In order to ensure the enforcement of the PUL the Board monitors compliance and issues administrative sanctions. This includes both responding to complaints and conducting its own investigations.[50]

The legislative history of amendments to the PUL from 2006 also provides that the Data Inspection Board should provide guidance on what constitutes a violation of the personal integrity of a person (i.e., if a publication violates a person’s integrity and thus violates PUL section 13).[51]

The Data Inspection Board may not by itself demand that information that violates the PUL be erased but may request an administrative court to issue a decision that such information be removed.[52] The Agency may, however, when it cannot determine whether a use is legal or not, require that the information holder only retain and store the information and issue an injunction coupled with damages if the information is transmitted by the information holder.[53]

B. Post- och telestyrelsen (Swedish Post and Telecom Authority)

Post- och telestyrelsen (PTS) (the Swedish Post and Telecom Authority) was established in 1992 and is a government agency guarding electronic communication and mail in Sweden. It has four overarching goals: working for long-term consumer benefit, long-term sustainable competition, an effective use of resources, and safe communication.[54]

PTS assists data subjects in the pursuit of their rights by making sure market participants follow the integrity rules under the LEK. PTS does this by processing complaints, conducting inspections, and monitoring to ensure compliance with determined requirements.[55]

Most of the decisions by the PTS have concerned free competition among Internet providers, pricing, and Internet access, rather than Internet security or Internet privacy.[56]

C. Enforcement Agencies’ Relationship with Facebook and Google

The Data Inspection Board does not have jurisdiction over Facebook and Google, as the PUL only extends to private companies based in Sweden. However, the Data Inspection Board does have indirect jurisdiction over content on Facebook and Google insofar as Swedish companies or municipalities provide them with information that is covered by the PUL. That is, the Swedish Data Inspection Board does not regulate these services directly but regulates their users. For example, the Data Inspection Board has undertaken enforcement efforts against Swedish municipalities that use Google’s cloud server to store personal data. In these efforts the Data Inspection Board has found that these municipalities have violated their responsibilities to data subjects. To legally use cloud services the municipalities must establish personuppgiftsbiträdesavtal (data collector agreements) not only with Google but also with all of its subsidiaries that may use and store personal data in order to guarantee that the information is stored securely and in accordance with the PUL.[57] PTS has also joined the Norwegian data inspection board in a letter addressing several questions to Facebook, including what they do with the information they obtain and how long they store personal data information.[58] Facebook has responded to these questions in a letter.[59] It is unclear at present how the Data Inspection Board intends to respond.[60]

Swedish legislation is much less concerned with its citizens’ voluntary use and submission of their own personal data online. It is sufficient that the Internet user is given the option not to use the service, which is why cookies are heavily regulated. A user must consent to the use of cookies either each time he or she visits a homepage or from a site provider indefinitely under the precondition that this consent may at any time be revoked (see section II, above).

IV. Court Decisions

Because the enforcement of data protection is placed with two governmental agencies, the Data Inspection Board and the PTS, a number of authoritative decisions have been issued by these agencies, but not by the courts. Following the implementation of the 2002/58 Directive there have been very few court decisions, but some agency decisions, that address the permissible use of personal data online.

Bodil Case

As a case involving the Swedish implementation of the EU Directive 95/46, the Bodil case[61] is noteworthy in that it made its way to the European Court of Justice. However, because the applicable Swedish law has been amended following the decision, it is of less importance today.

In Bodil, a communion teacher, for the benefit of her students, published some information about her co-workers on her church’s web page. She wrote the presentations herself, but made it appear that they had been written by the co-workers themselves in the first person. Among the information published was information regarding the health of a janitor who was on sick leave with a sprained ankle. The district court found that the teacher had violated the PUL (1) for not having applied for a permit with the Data Inspection Board before publishing the information, (2) for processing sensitive personal information (i.e., the sprained ankle) without prior approval, and (3) for transferring personal information to third countries (because it was published online).

The case was appealed to the court of appeals. The court of appeals posed seven questions to the European Court of Justice concerning the interpretation of European law on data privacy. While the European Court of Justice found that no data had been transferred to a third country (which triggers certain requirements under the EU Directive) simply because it had been published online, it also stated that it was up to the national courts to make certain that a correct balance was achieved in the case between rights and obligations of the community. (Bodil published the information in Swedish, on a Swedish site using a Swedish Internet connection.) Once the case was finally decided by the court of appeals, it found that, while the teacher had published personal data online without authorization, and thus breached the PUL, the infringements were petty offenses which should not be subject to any sanction.

Ramsbro Case

PUL section 7 provides for the use of personal data for freedom of the press purposes without having to follow the otherwise stringent PUL provisions. In the Ramsbro case,[62] the Supreme Court of Sweden was faced with defining the press freedom exception. The court ruled that the exception permitted publication of information that was of interest for the public, intended to be used to initiate or continue a public debate, and the like, even if it was done in a manner that violated the personal integrity of the person mentioned. However, it said that information that is purely private does not normally have such a journalistic purpose and is of little interest to the public at large.

Lundsberg Case

The Supreme Court ruled in the 2005 Lundsberg case[63] that publication by a school principal of an employee’s medical condition on the school’s website was a violation of PUL section 13 that resulted in a fine for the principal.[64]

Katrineholm Municipality Decision

The Data Inspection Board had occasion to rule on legal use of social media by government agencies in the Katrineholm municipality decision.[65] The municipality of Katrineholm was found to be responsible for the processing of personal information found on the municipality’s Facebook page, on its blog page and on its Twitter account. The Data Inspection Board found that the municipality’s legal responsibility for personal information found on Facebook and on the blog included both personal information published by the municipality and personal information posted by the users. On the municipality’s Twitter account, the responsibility of the municipality only extended to the personal information the municipality itself had published, due to its lack of control over other persons’ Twitter accounts.

Reco.se Decision

In a matter concerning Reco.se,[66] a website where the visitor can leave comments and grade companies, the Data Inspection Board in 2010 found that the company was responsible for ensuring all the information posted on the website by visitors complied with legal requirements. The company provided the service and had every opportunity to remove, edit, alter or block personal information data. Thus, both the individual publisher and the company which provided the forum had a responsibility to make sure that the comments were consistent with PUL.

Hitta.se Decision

In the Hitta.se case,[67] the Data Inspection Board received several complaints from the public over a Swedish service (Hitta.se) which was similar to Google Maps (a website that displays pictures of apartment buildings and landmarks, but not individual houses), requesting a response to whether it is illegal to display pictures of buildings that also include the registration numbers of cars outside buildings and individual persons. The Data Inspection Board found that it was not illegal under the PUL as the service provider had a publication certificate and because they were covered by the Press Freedom exception in PUL section 7. The Data Inspection Board therefore ruled it had no means of regulating how the personal data was used on the website.

Jurisdictional Cases Decided by the Data Inspection Board

In accordance with EU law, as implemented by Sweden, jurisdiction over PUL violators requires that the person or organization is established in Sweden with “an effective and real operation with the help of a stable structure.”[68] The legislation in itself gives no further definition. The Data Inspection Board has ruled that an organization will be found to be established in Sweden for purposes of its jurisdiction when the website is in Swedish, the domain name suffix is .se, the audience is Swedish-speaking Internet users, and the personal information pertains to Swedish nationals.[69] The Data Inspection Board has found that it is not a precondition that the responsible parties for the website are based in Sweden for these conditions to apply.[70] On the contrary, even when a Swedish citizen publishes information on foreign sites he or she may be held responsible in accordance with the PUL.[71]

Relationship Between Enforcement of IPR Infringements and Protecting Integrity

In a recent decision, Bonnier Audio AB and Others v. Perfect Communication Sweden AB (C461/10),[72] the European Court of Justice found that it was possible for Member States to demand that Internet service providers disclose personal data to identify intellectual property infringements.[73] The European Court of Justice left the determination whether a disclosure was necessary in this specific case to the Swedish courts.[74]

V. Public and Scholarly Opinion

Public opinion (and outrage) in regard to Internet protection has focused mainly on wiretapping legislation known as the FRA Law that expands the government’s power to combat crime on the Internet by surveillance of personal data and electronic communication.[75] Although not part of this report, these changes have overshadowed discussion of Google and Facebook’s use of information that they have obtained from their users.

The implementation of the first EU Directive 95/46, as mentioned in section II above, was heavily criticized for being inefficient. Today’s criticism has focused mostly on the expansion of the government’s power of surveillance and the general lack of regulation of private companies’ use of information that they have obtained by consent from their users.

Swedish public opinion reflects that legislation in Sweden has focused more on the protection of personal integrity (i.e., information about individuals) and less on the right to privacy. Swedish legislators have also focused more on the relationship between government and citizens than the relationship between citizens and private companies. The government-citizen relationship continues to be more controversial to the general public than the relationship between consumers and sellers. This is particularly the case as Sweden’s enforcement agencies have recently stepped up their enforcement of intellectual property infringements. This in turn has led to a growing number of Swedes using anonymous services that hide their true identity.[76] The increase in the use of these services may be related to a desire to protect one’s privacy online, regardless of whether such use is lawful or not.

VI. Pending Reforms

A. Implementation of the Data Retention Directive

Sweden decided in 2011 to postpone its implementation of the EU Data Retention Directive (Directive 2006/24), despite threats of impending fines.[77] The proposed legislation received sharp criticism not only prior to but also after the most recent proposal won a majority in the parliament.[78] The current version of the bill proposes that additional surveillance powers be extended to the Säkerhetspolisen (Swedish Security Service) and Rikskriminalpolisen (National Bureau of Investigations).[79] The government finally won support for its bill in the Swedish parliament in May 2012.[80]

B. Secret Surveillance Measures

On June 28, 2012, the Justice Department suggested that secret surveillance measures that have temporarily been available be made permanent.[81] This would allow police to use wiretapping and camera surveillance more often than under previous legislation.[82]

C. Integrity Committee

In 2011 the government and the opposition agreed on the creation of a commission to investigate how and when personal integrity is violated online.[83] The proposed details on the Integrity Committee can be accessed on the Government website.[84]

On June 25, 2012, Morgan Johansson, member of the Social Democrats (the leading opposition party), wrote an op-ed in the daily paper Svenska Dagbladet (SVD) calling for additional scrutiny of the use of personal information by private companies such as Google and Facebook.[85]

Prepared by Elin Hofverberg, Foreign Law Consultant,
under the supervision of Edith Palmer, Chief,
Comparative and International Law Division II
June 2012


[1] DATALAG (Svensk författningssamling [SFS] 1973:289); Peter Siepel, Sweden, in NORDIC DATA PROTECTION LAW 115, 116 (Peter Blume ed., 2001).

[2] REGERINGSFORMEN [RF] [CONSTITUTION] 2:6.

[3] RF 2:3 (SFS 1994:1468), as amended 2010.

[4] Proposition [Prop.] 2009/10:80 En reformerad grundlag [A Reformed Constitution] [Government Bill] at 256–57.

[5] Id.

[6] PERSONUPPGIFTSLAGEN [PERSONAL DATA ACT] (SFS 2003:389).

[7] Konstitutionsutskottet 1998/99:KU15, Personuppgiftslagen [Personal Data Act], http://www.riksdagen.se/sv/Dokument-Lagar/Utskottens-dokument/Betankanden/Personuppgiftslagen_GM01KU15/.

[8] Id.

[9] See 2 § PERSONUPPGIFTSLAGEN [PUL] [PERSONAL DATA ACT] (SFS 1998:204), available at http://www.riksdagen.se/sv/Dokument-Lagar/Lagar/Svenskforfattningssamling/Personuppgiftslag-1998204_sfs-1998-204/?bet=1998:204 (including all amendments to date).

[10] This distinction is mentioned in Siepel, supra note 1, at 119.

[11] See THOMAS CARLÉN-WENDELS, NÄTJURIDIK - LAG OCH RÄTT PÅ INTERNET 95–98 (3rd ed. 2000).

[12] Id.

[13] PUL 10 §.

[14] PUL 10 §.

[15] PUL 10 a–f §§.

[16] PUL 13, 15–19 §§.

[17] PUL 12 §.

[18] Id.

[19] PUL 11 §.

[20] DI 280-1999; summary in THOMAS CARLÉN-WENDELS, supra note 11, at 95–96.

[21] (SFS 2008:486).

[22] Personnummer som spärr mot småbarn på chattsajt [Personal Identification Numbers as a Barrier Against Small Children’s Access to Chat-Site], DATAINSPEKTIONEN (Dec. 2002), http://www.datainspektionen.se/personuppgiftsombud/samradsyttranden/registrering-av-personuppgifter-fran-barn-/.

[24] LEK ch. 6.

[25] LEK ch. 6:3 §.

[26] Id.

[27] LEK ch. 6:5 §.

[28] Id.

[29] Id.

[30] LEK ch. 6:17 §.

[31] LEK ch. 6:6 §.

[32] LEK ch. 6:9 §.

[34] Emanuel Karlsson, Härmed anmäler jag Riksdagen för brott mot lagen [I Hereby Report the Swedish Parliament for Breaching the Law], EMANUELS RADANMÄRKNINGAR (July 1, 2012), http://emanuelkarlsten.se/07/harmed-anmaler-jag-riksdagen-for-brott-mot-lagen/.

[35] PUL 48 §.

[36] PUL 49 §.

[37] Id.

[38] Id.

[39] Id.

[40] LEK ch. 6:2 §.

[41] Datainspektionen, Datainspektionen eller PTS – vem ska du vända dig till? [Data Inspection Board or the PTS – Who Should You Turn To?], http://www.datainspektionen.se/om-oss/det-har-gor-vi-inte/lagen-om-elektronisk-kommunikation/ (last visited July 5, 2012); PTS, https://www.pts.se (last visited July 5, 2012).

[42] Datainspektionen 1973–2008 [Data Inspection Board 1973–2008], DATAINSPEKTIONEN, http://www.datainspektionen.se/om-oss/historik/ (last visited July 5, 2012).

[43] Id.

[44] About Us, DATAINSPEKTIONEN, http://www.datainspektionen.se/in-english/about-us/ (last visited July 5, 2012).

[45] INKASSOLAGEN (SFS 1974:182).

[46] KREDITUPPLYSNINGSLAGEN (SFS 1973:1173).

[47] PATIENTDATALAGEN (SFS 2008:355).

[48] See, e.g., Datainspektionen, Säkerhet för personuppgifter [Securing Personal Data], http://www.datainspektionen.se/Documents/faktabroschyr-allmannarad-sakerhet.pdf (rev’d Nov. 2008).

[49] For a list in English, see Datainspektionens föreskrifter [DIFS] [Data Inspection Board’s Regulations], DATAINSPEKTIONEN, http://www.datainspektionen.se/lagar-och-regler/datainspektionens-foreskrifter/ (last visited July 5, 2012) (scroll to bottom of page).

[50] Så arbetar Datainspektionen [How the Data Inspection Board Works], DATAINSPEKTIONEN, http://www.datainspektionen.se/om-oss/arbetssatt/ (last visited July 5, 2012).

[51] Prop. 2005/2006:173 Översyn av personuppgiftslagen [Review of the Personal Data Act] [Government Bill], 20 (Mar. 16, 2006), http://www.regeringen.se/content/1/c6/06/08/09/2c0a24ce.pdf.

[52] PUL 47 §.

[53] PUL 44 §.

[54] Om PTS [About PTS], PTS, http://www.pts.se/sv/OmPTS/ (last visited July 5, 2012).

[55] Säker kommunikation [Secure Communication], PTS, http://www.pts.se/sv/OmPTS/Verksamhet/Saker-kommunikation/ (last visited July 5, 2012).

[56] See Post och Telestyrelsen, https://www.pts.se (last visited July 5, 2012).

[57] Monica Kleja, Datainspektionen slår ner på molntjänster [Data Inspection Board Cracks Down on Cloud Services], NYTEKNIK.SE (Oct. 3, 2010), http://www.nyteknik.se/nyheter/it_telekom/internet/article3281165.ece (translation by author).

[58] Facebook svarar de nordiska länderna, DATAINSPEKTIONEN (Sept. 20, 2011), http://www.datainspektionen.se/press/nyheter/2011/facebook-svarar-de-nordiska-landerna/.

[59] Letter from Richard Allan, Director of Policy for Europe, Africa, and Middle East, Facebook, to Bjorn-Erik Thon, Director, Data Inspectorate of Norway (Sept. 2011), available at http://www.datatilsynet.no/Global/english/Facebook_questions_answere2011.pdf.

[60] See DATAINSPEKTIONEN, supra note 58.

[61] Rättsfall från Hovrätterna [RH] [Court of Appeals] 2004-04-07 p. 51, available at https://lagen.nu/dom/rh/2004:51.

[62] Nytt Juridiskt Arkiv [NJA] [Supreme Court] 2001 p. 409; summary in Vad är straffbart enligt personuppgiftslagen, en vägledning från datainspektionen för polis och åklagare [What is Sanctioned Under the Personal Data Act: A Guide from the Data Inspection Board for Police and Prosecutor], DATAINSPEKTIONEN, at 15 (Jan. 2011), http://www.datainspektionen.se/Documents/vagledning-aklagare.pdf.

[63] NJA 2005-05-26 p. 361.

[64] Summary in DATAINSPEKTIONEN, supra note 62, at 18–19.

[65] Decision DNR 684-201 (July 12, 2010), available at http://www.datainspektionen.se/Documents/beslut/2010-07-05-katrineholm.pdf.

[66] Datainspektionen, Diarienr 1288-2009, Tillsyn enligt personuppgiftslagen (1998:204) – ang. omdömen i en interaktiv tjänst på Internet, Jan. 11, 2010, http://www.datainspektionen.se/Documents/beslut/2010-01-12-rejtingsajt.pdf.

[67] Dnr 274-2001, summary in DATAINSPEKTIONEN, supra note 62, at 14.

[68] DATAINSPEKTIONEN, supra note 62, at 10.

[69] See id. (referencing Decision Nos. 1658-2008 and 265-2009).

[70] Id.

[71] Id. at 10–11.

[72] Available online at http://curia.europa.eu/juris/liste.jsf?language=en&num=C-461/10 (last visited July 16, 2012).

[73] See summary in Stefan Widmark & Evelina Anttila, ECJ Hands Down Preliminary ePhone Ruling - International Report, INTELLECTUAL ASSESMENT MANAGEMENT (IAM) (June 13, 2012), http://www.iam-magazine.com/reports/Detail.aspx?g=29765a88-ded7-47ec-9601-c391c513ee89.

[74] Id.

[75] See, e.g., Ungdomsförbunden kritiska mot integritetspolitik [Youth Parties Critical of Integrity Policies], SVD.SE, (June 29, 2009; updated July 28, 2009), http://www.svd.se/nyheter/inrikes/politik/valet2010/ungdomsforbunden-kritiska-mot-integritetspolitik_3137721.svd.

[76] Allt fler svenska anonyma på internet [Increasing Number of Swedes Anonymous Online], SVD.SE (May 1, 2012), http://www.svd.se/nyheter/inrikes/allt-fler-svenskar-anonyma-pa-natet_7125265.svd (translation by author).

[77] Sweden Postpones EU Data Retention Directive, Faces Court, Fines, THE REGISTER (Mar. 18, 2011), http://www.theregister.co.uk/2011/03/18/sweden_postpones_eu_data_retention_directive/.

[78] See Op-ed, Erik Bengtzboe, Justitieministern sviker löfte om integritet [Minister of Justice Breaks Promise on Integrity], SVD.SE (June 19, 2012; updated June 20, 2012), http://www.svd.se/opinion/brannpunkt/justitieministern-sviker-lofte-om-integritet_7289849.svd; see also Op-ed, Camilla Lindberg & Carl Johan Rehbinder, Våga vägra datalagringsdirektivet [Dare to Refuse the Data Retention Directive], SVD.SE (Sept. 3, 2010), http://www.svd.se/opinion/brannpunkt/vaga-vagra-datalagringsdirektivet_5242087.svd.

[79] For full text of the proposal in Swedish, see Prop. 2011/12:55 De brottsbekämpande myndigheternas tillgång till uppgifter om elektronisk kommunikation [Crime Prevention Government Agencies’ Access to Information on Electronic Communication] [Government Bill] (Feb. 10, 2012), available at http://www.regeringen.se/sb/d/108/a/186055.

[80] Sweden Extends Police Eavesdropping Powers, THELOCAL.SE (May 11, 2012), http://www.thelocal.se/40784/20120511/.

[81] Den framtida regleringen av hemliga tvångsmedel mot allvarliga brott [Future Regulation of Secret Surveillance Measures Against Serious Crimes], REGERINGEN.SE (June 28, 2012), http://www.regeringen.se/sb/d/119/a/195993.

[82] Id.

[83] Regeringen och Socialdemokraterna överens om signalspaning [Swedish Government and Social Democrats Agree on Communication Intelligence], REGERINGEN.SE (Dec. 15, 2011), http://regeringen.se/sb/d/15434/a/182763.

[84] Ramöverenskommelse mellan regeringen och Socialdemokraterna om Polisens tillgång till signalspaning [Frame Agreement Between the Government and the Social Democrats Concerning Police Access to Intelligence], REGERINGEN.SE (Dec. 15, 2011), http://regeringen.se/content/1/c6/18/27/63/71e7da2c.pdf.

[85] Op-ed, Morgan Johansson, Nätföretagens makt bör regleras [The Power of Online Corporations Should be Regulated], SVD.SE (June 25, 2012), http://www.svd.se/opinion/brannpunkt/natforetagens-makt-bor-regleras_7299699.svd.


Last Updated: 12/30/2020