*This report updates a report from 2012
Since 2012 Sweden has made a number of changes to its privacy regulation and interpretations. Most of these changes have been in response to European Union measures, such as the 2014 decision by the European Court of Justice (ECJ) invalidating the Data Retention Directive, the “right to be forgotten” case from 2014, and upcoming legislation in relation to the EU’s General Data Protection Regulation, which will apply directly in all EU countries starting on May 25, 2018. There have also been a number of precedent cases in which the Swedish Supreme Court has determined how personal data should be protected online. In 2016, the ECJ found that the Swedish data retention rules violate EU law.
I. Introduction
There have been a number of developments in privacy law in Sweden since 2012. The biggest change is yet to come, however, as the European Union’s General Data Protection Regulation (GDPR) will apply directly in Sweden and the remaining EU Member States beginning on May 25, 2018.[1] For instance, the Personal Data Act (Personuppgiftslagen, PUL)—the centerpiece of Swedish privacy legislation—will be replaced by this EU regulation, which has caused a number of add-on amendments to be introduced. This report focuses on changes in force as of December 2017 and only briefly mentions the likely effects of the GDPR on Swedish legislation. Ongoing work to comply with GDPR and the EU Law Enforcement Directive[2] can be found on the Swedish government and Swedish Parliament websites.[3]
II. Legislative Changes
A. Implementation of the Data Retention Directive
As mentioned in the Law Library of Congress’s 2012 report,[4] the Swedish Parliament passed a bill to implement the EU Data Retention Directive, including its crime-fighting provisions, in May 2012.[5]
B. Adoption of Secret Surveillance Measures
In 2014 the Swedish Parliament adopted rules that allowed for an increase in secret surveillance measures, making temporary tools permanent.[6] For example, the new rules include allowing secret surveillance of electronic communications involving spousal relationships when investigating terrorism-related crimes or crimes that carry a minimum two-year prison sentence.[7]
Finding a balance between security and personal integrity continues to be subject to debate within the Swedish Parliament. Members of Parliament are currently discussing new privacy protections during signal surveillance for defense purposes.[8]
C. Personal Data Act
There have been no amendments to Sweden’s principal Personal Data Act, the PUL, since 2010.[9] However, the law is set to be repealed in May 2018 when the GDPR will apply directly.[10] One of the more notable changes that will take place is that the frequently used section 5a PUL exception (commonly referred to as missbruksregeln, or the “abuse rule”[11]) will no longer be valid, as the GDPR does not allow for such an exception.[12] This exception currently allows for the use of personal data in texts, such as references on a blog or in an email, without triggering the procedural requirements in the PUL, as long as the use does not violate the integrity of the subject.[13]
D. New Rules on Sharing Personal Information Within the EU
Sweden implemented Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[14] in May of 2013, effective June 1, 2013.[15] This will be replaced by implementation of the EU Law Enforcement Directive in May of 2018.
E. Changes in Electronic Communications
Since 2012 there have been ten amendments to the Swedish Electronic Communications Act (Lag om elektronisk kommunikation, LEK)—the law that contains the data retention provisions.[16] None of them pertain to privacy protections for online data or data retention, however.
III. ECJ Limits Swedish Data Retention Provisions
The Swedish data retention provisions found in the LEK legislation implement EU Directive Nos. 2006/24/EC and 2002/58/EC, of which the 2006/24/EC Directive was struck down by the European Court of Justice (ECJ) in 2014 in the Digital Rights Ireland case.[17] The Swedish authorities, over the objection of several internet service providers (ISPs), continued to mandate retention of user data for six months, with reference to the domestic LEK legislation (as based on EU Directive 2002/58/EC).[18] ISP Tele2 refused to follow these rules, citing the ECJ ruling,[19] resulting in litigation in the Swedish courts.[20]
In December of 2016, a preliminary ruling was delivered by the ECJ in which it determined that the Swedish rules for data retention were too general and indiscriminate, as it called for the retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communications.[21] In March 2017, the Administrative Court of Appeals that had referred the question to the ECJ concluded that Swedish ISPs need not retain data on their customers for investigative reasons.[22] The Swedish Justice Department has prepared a committee report with the purpose of determining how the data retention provisions can be amended to harmonize and comply with the EU legislation.[23] The government report (the next step in the legislative process) is currently on referral (remissyttrande) with stakeholders.[24] Responses must be received by January 30, 2018.[25] Work is also being done at the EU level to replace provisions of Directive 2006/24/EC.[26]
IV. Domestic Case Law
In 2015 the Administrative Supreme Court ruled on the limits of the section 5a missbruksregel in the PUL, determining that a list of personal information was covered by the rule, thus not making it a violation of how personal information may be handled.[27] The court found that the fact that the list was used when doing background checks on people was not material to whether the exception applied.[28]
In NJA 2013 s. 1046 the Swedish Supreme Court found that publishing a copy of a judgment in a civil case online when the judgment contained the losing party’s name and address violated the private data protections found in PUL.[29]
V. Guidance
Datainspektionen (the Swedish enforcement authority for PUL violations) has published GDPR guidance for personnel who work with personal data.[30]
VI. Information Held by the Government
A. Transfer of Private Information
In 2017 a government scandal pertaining to sensitive personal data was unveiled. Both the Transportation Authority (Transportstyrelsen) and the National Police (Rikspolisen) had transferred personal information from Sweden to be handled by private companies based in foreign countries.[31] A wave of criticism followed.[32] This incident also resulted in several members of Parliament reporting both the current and former governments to the Konstitutionsutskottet, the Constitutional Committee that scrutinizes the work of the government and decides whether a minister should be prosecuted, for how they handled the matter.[33]
B. Government Sale of Personal Information
In 2013 there was public criticism of Swedish government agencies for selling personal information.[34] Examples of government agencies that sold information included the tax authority, CSN (student loan agency), and Transportation Authority, with the latter making some SEK 30 million (approximately US$3.6 million) annually off of these sales.[35]
VII. Right to Be Forgotten
Swedes, based on Sweden being an EU Member State, are protected by the “right to be forgotten” as established in the ECJ Google Spain case from 2014.[36] This means that Swedes may ask Google and other search engines to remove content concerning them under certain circumstances.[37] According to reports, more than 11,000 claims had been lodged with Google by Swedish citizens as of May 2016.[38] For example, Google has so far removed content for a woman who wished to have her name and address removed.[39] Others have not found the same success. For example, a CEO who was linked to Hells Angels in an online article unsuccessfully brought suit the Svea Appeals Court to have that information removed from Google’s top search results on him, as the court determined that the public interest outweighed the man’s desire for the information to be forgotten.[40]
Swedish Datainspektionen has made a finding that Google may also have to remove content from its search results on searches made outside of the EU when the resulting information has connections to Sweden either because it is presented in the Swedish language, is stored on a Swedish website, or concerns a Swedish person.[41]
VIII. Outlook: The Swedish Constitution and GDPR
It is unclear what effects the GDPR will have on rights under the Swedish Constitution. The Constitution protects the right to privacy,[42] the right to free speech,[43] freedom of information,[44] and public access.[45] Any provision in the current PUL legislation is secondary to the Constitution,—i.e., any inconsistencies/discrepancies between the two and the protections found in two components of the Swedish Constitution, namely Tryckfrihetsförordningen (TF) (the Freedom of the Press Act) and Yttrandefrihetsgrundlagen (YGL) (the Fundamental Law on Freedom of Expression), will supersede protections in the PUL.[46] The GDPR, which is to replace the PUL, on the other hand, supersedes national legislation, including incompatible constitutional provisions. However, the Swedish government has interpreted the national discretion found in articles 85 and 86 of the GDPR regarding freedom of expression and freedom of information as allowing for Swedish constitutional protections in the YGL and TF in their current form to trump the GDPR,[47] arguing that the GDPR allows for a “national regulation of the relationship between protections for personal data on the one hand, and free speech, freedom of information and the right of public access on the other.”[48] Whether that interpretation is correct is for the ECJ to determine.
Prepared by Elin Hofverberg
Foreign Law Research Consultant
December 2017
[1] See EU survey for details.
[2] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (EU Law Enforcement Directive), 2016 O.J. (L 119) 89, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016. 119.01.0089.01.ENG, archived at https://perma.cc/SEK4-VSKN.
[3] Statens Offentliga Urtredningar [SOU] 2017:39 Ny dataskyddslag - Kompletterande bestämmelser till EU:s dataskyddsförordning, http://www.regeringen.se/49a184/contentassets/e98119b4c08d4d60a0a2d0878990d5ec/ny-dataskyddslag-sou-201739, archived at https://perma.cc/7D9P-6CS4. For example, Datainspektionen (the Swedish Data Protection Authority) has critiqued the government committees for not recognizing the difference between a directive and a regulation, noting that Swedish legislators are trying to keep much of Sweden’s personal data legislation in place by arguing that the laws in force correspond to the GDPR. Datainspektionen, Remissvar, Remittering av betänkandet SOU 2017:66 Dataskydd inom Socialdepartementets verksamhetsområde – en anpassning till EU:s dataskyddsförordning 1–2 (Nov. 1, 2017), http://www.datainspektionen.se/Documents/ remissvar/2017-11-13-yttrande-socialdataskyddsutredningen.pdf, archived at https://perma.cc/MZ8K-VXTD; Datainspektionen, Datainspektionen pekar på vikten att lagförslag ger tillräckligt rättsligt stöd (Nov. 13, 2017), https://www.datainspektionen.se/press/nyheter/2017/datainspektionen-pekar-pa-vikten-att-lagforslag-ger-tillrackligt-rattsligt-stod/, archived at https://perma.cc/FJ9N-QLBQ.
[4] Elin Hofverberg & Edith Palmer, Online Privacy Law: Sweden (Law Library of Congress, June 2012), https://www.loc.gov/law/help/online-privacy-law/2012/sweden.php.
[5] Lag om inhämtning av uppgifter om elektronisk kommunikation i de brottsbekämpande myndigheternas underrättelseverksamhet [Act on Collection of Data Information on Electronic Communications for the Crime Prevention Authority’s Surveillance Activity] (SFS 2012:278), http://www.notisum.se/rnp/sls/lag/20120278.htm, archived at https://perma.cc/QA57-ZU5Q.
[6] Proposition [Prop.] 2013/14:237 Hemliga tvångsmedel, http://www.regeringen.se/49bb7b/contentassets/ cc6ff48d963b40cea1eebed07ba09644/hemliga-tvangsmedel-mot-allvarliga-brott-prop.-201314237, archived at https://perma.cc/9AB9-8LJ4.
[7] 27 kap. 2§ 2st 1-8 Rättegångsbalken [RB], http://www.notisum.se/rnp/sls/lag/19420740.htm, archived at https://perma.cc/7YNA-N9UT.
[8] Skrivelse[Skr.] 2016/17:70 Signal spaning Integritetsskydd vid signalspaning i försvarsunderrättelseverksamhet, http://www.riksdagen.se/sv/dokument-lagar/dokument/skrivelse/integritetsskydd-vid-signalspaning-i_H40370, archived at https://perma.cc/5KVW-TE6S; Försvarsutskottets betänkande[Bet.] 2016/17:FöU5 - Integritetsskydd vid signalspaning i försvarsunderrättelseverksamhet, http://www.riksdagen.se/sv/dokument-lagar/arende/ betankande/integritetsskydd-vid-signalspaning-i_H401FöU5, archived at https://perma.cc/PWF2-BT5Q.
[9] Personuppgiftslag [PUL] [Personal Data Act] (SFS 1998:204), http://www.notisum.se/rnp/sls/fakta/ a9980204.htm, archived at https://perma.cc/87ZA-Z7V2.
[10] See EU survey.
[11] 5a§ PUL.
[12] Missbruksregeln upphör, Datainspektionen, Feb. 23, 2017, https://www.datainspektionen.se/dataskydds reformen/dataskyddsforordningen/missbruksregeln-upphor/, archived at https://perma.cc/4BDS-UTDL.
[13] Id.
[14] Council Framework Decision 2008/977/JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, 2008 O.J. (L 350) 60, http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32008F0977, archived at https://perma.cc/5NWY-KWX8.
[15] Lag med vissa bestämmelser om skydd för personuppgifter vid polissamarbete och straffrättsligt samarbete inom Europeiska unionen (SFS 2013:329), http://www.riksdagen.se/sv/dokument-lagar/ dokument/svensk-forfattningssamling/lag-2013329-med-vissa-bestammelser-om-skydd_sfs-2013-329, archived at https://perma.cc/QM2K-LV5K.
[16] See list of amendments available, Lag (2003:389) om elektronisk kommunikation, Notisum, http://www.notisum. se/rnp/sls/fakta/a0030389.htm, archived at https://perma.cc/7GCQ-42GH; Lag om elektronisk kommunikation [lek][Act on Electronic Communications](SFS 2003:389), Notisum, http://www.notisum.se/rnp/ sls/lag/20030389.htm, archived at https://perma.cc/7HSR-86V9.
[17] Joined Cases C-293/12 and C-594/12, Dig. Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources, ECLI:EU:C:2014:238, http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0293&lang 1=en&type=TXT&ancre, archived at http://perma.cc/XZK2-Y7D5; see also EU survey.
[18] Kammarrätten i Stockholm [Administrative Appeals Court Stockholm], 7380-14 p. 2, http://www.kammar rattenistockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/2017%20jan-juni/Dom_7380-14.pdf, archived at https://perma.cc/3Q48-6NQD.
[19] Id.
[20] Id.
[21] Joined Cases C-203/15, Tele2 Sverige AB v. Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v. Tom Watson, paras. 75–81, ECLI:EU:C:2016:970, http://eur-lex.europa.eu/legal-content/EN/TXT/? uri=CELEX%3A 62015CJ0203, archived at http://perma.cc/PT73-PD2J, summarized in Elin Hofverberg, European Court of Justice/Sweden: Invalidation of Data Retention Obligations, Global Legal Monitor (Jan. 19, 2017), https://www.loc.gov/law/foreign-news/article/european-court-of-justicesweden-invalidation-of-data-retention-obligations/, archived at https://perma.cc/6P7S-HRCP.
[22] Kammarrätten i Stockholm [Administrative Appeals Court Stockholm], 7380-14, http://www.kammarratteni stockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/2017%20jan-juni/Dom_7380-14.pdf, archived at https://perma.cc/EEZ2-4UKU; Press Release, Kammarrätten i Stockholm, Post- och telestyrelsen (PTS) har inte haft rätt att förelägga Tele2 att lagra trafikuppgifter m.m. för brottsbekämpande ändamål, s.k. datalagring (Mar. 7, 2017), http://www.kammarrattenistockholm.domstol.se/Om-kammarratten-/Nyheter-och-pressmeddelanden/Post--och-telestyrelsen-PTS-har-inte-haft-ratt-att-forelagga-Tele2-att-lagra-trafikuppgifter-mm-for-brottsbekampande-andamal-sk-datalagring, archived at https://perma.cc/6NDT-TPYU.
[23] Dir. 2017:16 Datalagring och EU-rätten, http://www.regeringen.se/491d4e/contentassets/423c9145c0354e7aa7a8bf4657631dfe/datalagring-och-eu-ratten-dir.-201716, archived at https://perma.cc/CDW8-HT93; SOU 2017:75 Datalagring – brottsbekämpning och integritet, http://www.regeringen.se/4a8d12/contentassets/b635202b96fc4e4490886e0ef8601e66/datalagring--brottsbekampning-och-integritet-sou-201775, archived at https://perma.cc/EZ6V-VDAW.
[24] Remiss Ju2017/07896/Å, Regeringskansliet (Oct. 30, 2017), http://www.regeringen.se/4ab456/contentassets/ a3e8bb4742c64e99baf0bc71c65dae9d/remisslista-sou-201775-datalagring--brottsbekampning-och-integritet, archived at https://perma.cc/X2WB-5SGY.
[25] Id. at 4.
[26] Communication from the Commission to the European Parliament, the European Council and the Council, Fourth Progress Report Towards an Effective and Genuine Security Union, COM (2017) 41 final (Jan. 25, 2017), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0041&from=EN, archived at https://perma.cc/Q7SK-93DS.
[27] Högsta förvaltningsdomstolen [HFD] [Administrative Supreme Court Reporter] 2015 ref. 3, http://www.hogsta forvaltningsdomstolen.se/Domstolar/regeringsratten/R%C%A4ttsfall/HFD%202015%20ref.%203.pdf, archived at https://perma.cc/Y933-EVGT.
[28] Id.
[29] Nytt Juridiskt Arkiv [NJA][Supreme Court Reporter] 2013 s. 1046.
[30] Datainspektionen, Förberedelser inför EU:s dataskyddsförordning Vägledning till personuppgiftsansvariga, http://www.datainspektionen.se/Documents/vagledning-forberedelser-pua.pdf (last visited Dec. 11, 2017), archived at https://perma.cc/5SMB-2PZ8. Datainspektionen devotes an entire section of its website to the GDPR. Dataskyddsförordningen, Datainspektionen, http://www.datainspektionen.se/dataskyddsreformen/data skyddsforordningen/ (last updated Oct. 23, 2017), archived at https://perma.cc/LS94-U2BH.
[31] Tidslinje: IT-skandalen på Transportstyrelsen, Sveriges Radio (Aug. 28, 2017), http://sverigesradio. se/sida/artikel.aspx?programid=83&artikel=6745040, archived at https://perma.cc/PRH4-MF8Y; Adrian Sadikovic, Daniel Öhman & Alexander Gagliano, Rikspolischefen frångick säkerhetsskyddsförordningen, Svergies Radio (Sept. 5, 2017), http://sverigesradio.se/sida/artikel.aspx?artikel=6770725, archived at https://perma.cc/8P4E-G4WR.
[32] E.g., Ulrica Olsson, “Läckta personuppgifter kan handla om liv eller död,” SVT (July 19, 2017), https://www.svt.se/nyheter/inrikes/lackta-personuppgifter-kan-handla-om-liv-eller-dod, archived at https://perma.cc/PF9Y-JACM.
[33] For a list, see search results at Riksdagen, https://www.riksdagen.se/sv/dokument-lagar/?doktyp=ku-anm&q=Transportstyrelsen&p=1&st=2 (last visited Nov. 29, 2017), archived at https://perma.cc/6KEZ-LYSF.
[34] Kritik mot att myndigheter säljer personuppgifter, Sveriges Radio (Aug. 4, 2013), http://sverigesradio.se/ sida/artikel.aspx?programid=83&artikel=5608445, archived at https://perma.cc/HF9R-4MC8; Myndigheters försäljning av personuppgifter, Skriftlig fråga 2015/16:277, Riksdagen, https://www.riksdagen.se/sv/dokument-lagar/dokument/skriftlig-fraga/myndigheters-forsaljning-av-personuppgifter_H311277 (last visited Dec. 11, 2017), archived at https://perma.cc/K7ER-4UL2.
[35] Kritik mot att myndigheter säljer personuppgifter, Sveriges Radio, supra note 33.
[36] See EU survey.
[37] Id.
[38] Erik Wisterberg, Så många svenskar kämpar för att bli bortglömda av Google [These Many Swedes Fight to Be Forgotten by Google], BREAKIT (May 11, 2016), https://www.breakit.se/artikel/3667/sa-manga-svenskar-kampar-for-att-bli-bortglomda-av-google, archived at https://perma.cc/TA8R-5KCM.
[39] Transparency Report, Google, https://transparencyreport.google.com/eu-privacy/overview?privacy_ requests=country:SE&lu=privacy_requests (last visited Nov. 21, 2017), archived at https://perma.cc/X25C-HP4U.
[40] Hanna Lundquist, Granskad företagare får inte bli bortglömd [Scrutinized Businessman Not Allowed to Be Forgotten], Journalisten (May 8, 2017), https://www.journalisten.se/nyheter/granskad-foretagare-far-inte-bli-bortglomd, archived at https://perma.cc/X2LD-P7PS.
[41] Press Release, Datainspektionen, The Right to Be Forgotten May Apply All Over the World (May 4, 2017), https://www.datainspektionen.se/press/nyheter/the-right-to-be-forgotten-may-apply-all-over-the-world/, archived at https://perma.cc/NT8D-42Z3.
[42] 2 kap. 6§ Regeringsformen [RF] [Instrument of Government] [Constitution] (SFS 1974:152), http://www.notisum.se/rnp/sls/lag/19740152.htm, archived at https://perma.cc/Z47Y-5DSS.
[43] 2 kap. 1§ 1p. RF; 1 kap. 1 § Yttrandefrihetsgrundlag [YGL] [Constitution] (SFS 1991:1469), http://www.notisum.se/rnp/sls/lag/19911469.HTM, archived at https://perma.cc/5N5V-PPR3; 1 kap. 1 § Tryckfrihetsförordning [TF] [Constitution] (SFS 1949:105), http://www.notisum.se/rnp/sls/lag/194 90105.htm, archived at https://perma.cc/LYL6-HPYB.
[44] 2 kap. 1 § 2p. RF.
[45] 2 kap. 1 § TF.
[46] 1 kap. 7§ PUL.
[47] Kommittédirektiv [Dir. 2016:15] Dataskyddsförordningen, at 21f, https://www.regeringen.se/493ace/ contentassets/b16563d102144523a1af80fb44321c43/dir.-201615-dataskyddsforordningen, archived at https://perma.cc/CGK8-FERJ.
[48] Id.
Last Updated: 12/30/2020