Sweden's Constitution, which consists of several different legal documents, contains several provisions that are relevant to data protection. Section 2 of the Instrument of Government Act of 1974[2523] provides for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument also states that freedom of expression and information - which are constitutionally protected pursuant to the Freedom of the Press Act of 1949[2524] - can be limited with respect to the "sanctity of private life." Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. The European Convention on Human Rights (ECHR) has been incorporated into Swedish law in 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.
Sweden enacted the Personal Data Act (PDA) of 1998 to bring Swedish law into conformity with the requirements of the European Union (EU) Data Protection Directive (95/46/EC).[2525] The PDA essentially incorporates the EU Data Protection Directive into Swedish law. It regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. The Act replaced the Data Act of 1973, which was the first comprehensive national act on privacy in the world.[2526] The 1973 Act continued to apply until October 2001 with respect to processing of personal data initiated prior to October 24, 1998. An extended transition period, up to 2007, is allowed for pre-existing manual files. Section 33 of the Act was amended in 1999 to adopt the EU Data Protection Directive standards on the transfer of personal data to third countries. According to the Data Inspection Board, the amendment will facilitate transfer of data through international communication networks, such as the Internet. Depending on other circumstances, there may be situations where a third country - despite not having any data protection rules at all - still can be considered having an adequate level of protection. It is also possible that the level of protection in a third country may be assessed as adequate in some areas but not in others. The amendment entered into force in January 2000.
The Ministry of Justice has recently critiqued the PDA, and the EU Data Protection Directive it is based on, as being too restrictive. For instance, the PDA currently includes within its definition of "data processing" applications such as word processing, web publishing, and e-mail. Sweden thus submitted a proposal to the EU on amending the Directive to adopt a "misuse model." This model separates data processing into two categories: one comprising applications not structured to facilitate retrieval of personal data (such as word processing and e-mail); and one comprising databases and other data structures created for easy retrieval of data. Processing of information within the first category would only be punished if it resulted in harm to the data subject. Processing of information in the second category would be subject to the current protections.[2527] Sweden has also appointed a special investigator to determine how the misuse model could be applied to the PDA within the requirements of the EU Data Protection Directive.[2528]
The Data Inspection Board (Datainspektionen or DIB) is an independent board that oversees the enforcement of the PDA.[2529] As of June 2003, the DIB has forty employees, consisting mostly of lawyers, along with three IT specialists. The Board is divided into four units: the Director General's Office, the Supervisory Unit, the Information Unit, and the Legal Unit. The Director General's Office is in charge of administration; the Supervisory Unit handles investigations and complaints; the Information Unit manages the DIB website, various printed publications, lectures and seminars. The Legal Unit is responsible for the regulatory activities of the Board, issues opinions on legislative proposals on data protection, and coordinates international work. The Financial Unit was recently eliminated and its tasks distributed among the other units.[2530]
In 2002, the DIB received 406 complaints about the processing of personal data. The majority of these complaints concerned the unauthorized publishing of personal information on the Internet and direct marketing to consumers who have objected to it. The DIB also received 81 complaints regarding credit information activity and 224 complaints about debt recovery activities. The DIB conducted 250 investigations in 2002, dealing with personal data processing in compulsory schools, in genetic and other research activity, and in the workplace. In addition, the DIB conducted 99 more limited inquiries via telephone and mail. In the same year, the DIB's Information unit received 3,000 e-mails and 9,000 phone calls asking for information about the PDA.[2531]
Individuals submit complaints to the DIB, which decides on its own discretion which to pursue. Complainants always receive a response as to whether or not an investigation is initiated, and the outcome of the investigation.[2532]
The PDA requires that automated processing of personal data be reported to the DIB.[2533] The DIB received 332 such notifications in 2002, bringing the number of data processing operations in their register to 2,161. However, there are several exceptions to the notification requirement. One such exception exempts an entity from notification if it appoints a personal data representative. In 2002, the DIB was notified of 888 such representatives. As of the end of 2002, there are 2,918 personal data representatives registered with the DIB. One representative, however, may represent several data controllers. 174 processing operations involving sensitive personal data were reported to the DIB for preliminary inspection. Most of these notices dealt with the processing of personal data in genetic research and in police activity.[2534]
The PDA provides liberal exemptions for freedom of expression. It specifically states that in the case of a conflict the existing protections for freedom of the press (Freedom of the Press Act 1949) and freedom of speech (Freedom of Speech Act) will prevail. In July 2001, the Swedish Supreme Court ruled that the operator of a web site dedicated to the criticism of several Swedish banks and bank officials did not violate the DPA as he was protected by the free expression exemptions. The Supreme Court thereby reversed the decision of the court of appeals that had imposed criminal fines on the web site operator for permitting the transfer of personal information outside the country without the approval of the DIB.[2535] Several other cases on the freedom of expression exemptions have been decided by the DIB itself, often in favor of the speaker.[2536] The DIB has also proposed an amendment to the Act to cover "harmless data."[2537]
There are several so-called 'register laws' in Sweden that supplement the PDA rules on files containing personal data. Some examples include the Health Care Register Act of 1998,[2538] the Police Data Act of 1998,[2539] the Land Register Act of 2000,[2540] and the Schengen Information System Act of 2000.[2541] Other statutes with provisions relating to data protection include the Secrecy Act of 1980,[2542] the Credit Information Act of 1973,[2543] the Debt Recovery Act of 1974,[2544] and the Administrative Procedure Act of 1986.[2545] In 2001, additional laws were adopted to cover the processing of personal data for taxation purposes and social services.[2546] A bill to amend the Credit Reporting Act and bring it into line with the EU Data Protection Directive and the Swedish PDA was approved by the Finance Committee in April 2001.[2547]
National identification numbers have been in use in Sweden for years. During the 1990s the 1973 Data Act was amended to introduce restrictions on their use. These restrictions were reproduced in the new PDA. Under Section 22 of the PDA information about personal identity, numbers or classification numbers may only be processed without consent if the processing is clearly justified having regard to the purpose of the processing, the importance of secure identification, or some other substantial reason.[2548]
In 1999 the Swedish government established a Committee to study workplace privacy issues. The Committee is chaired by former Justice Minister Reidunn Lauren and includes a member of the Data Inspection Board. In March 2002, the Committee issued a proposal recommending specific legislation to protect the personal information of current employees, former employees and employment applicants in both the private and public sectors.[2549]
In November 2000 the Parliament passed the Act on Electronic Signatures.[2550] This came into effect on January 1, 2001.
The 1998 Law on Secret Camera Surveillance restricts the use of video surveillance. Permits must be obtained, and clearly visible notices posted, for video surveillance of public places. Post offices, banks and stores, however, need only register by mail in order to set up cameras to film entrances, exits and cash points if the intention is crime prevention.[2551] Penalties for breach of the law include fines and one-year imprisonment. In April 2002 charges were brought against a man for installing a video camera, without a permit, on his balcony to watch the street below.[2552]
A court order is required to obtain a wiretap.[2553] The law was amended in 1996 to facilitate surveillance of new technologies.[2554] The Prosecutor General's Office submits a report to Parliament every year with details of all of electronic surveillance conducted. The Swedish Helsinki Committee has concluded that the state interference in the private lives of its citizens lacked in legal rights and transparency. They have recommended better oversight by Parliament of these surveillance techniques as well as an independent assessment of their necessity and effectiveness[2555] In 2000 the Minister of Justice proposed an amendment to expand the use of police wiretapping and other surveillance techniques.[2556] This proposal has not gone through and is still being reworked due to strong resistance from NGOs.
Internal security is the responsibility of the Security Police, an independent agency under the overall control of the National Police Board. Oversight is conducted by the Register Board, which was established in 1996.[2557] The consolidated Act on Special Monitoring of Foreigners (1991) grants the security police the authority to conduct "exploratory" phone tapping.[2558] The Register Board released a report in December 1998 revealing that Sweden's police and security services carried out, over a long period, covert surveillance of thousands of Swedish citizens, mostly politically leftists, often on highly tenuous or trivial grounds from 1969 until 1996. The intelligence agency also used their files to attempt to prevent journalists critical of them from being hired by the national television and radio networks. The surveillance had been repeatedly denied to exist by high government officials such as the Justice Chancellor, who at the same time wrote secret reports about the investigations.[2559] The Lund/McDonald commission was set up in early 1999 in order to investigate these surveillance practices, which were demanded by the United States as a condition to receiving military technology. In April 1999 a new law on Police Data was introduced and specifically prohibits security police filing of individuals solely on the grounds of "ethnical background, political opinion, religious or philosophical conviction, trade union membership, health details, or sexual preferences."[2560]
Previously, it was also discovered that the Swedish statistical agency, Statistika, was monitoring 15,000 Stockholm residents born in 1953 in intimate detail. The information included statistics on drinking habits, religious beliefs, and sexual orientation. The DIB subsequently ordered the destruction of the master tape containing the data.[2561]
In May 2002 the Swedish Parliament approved two anti-terrorism laws. One implements the United Nations Convention on the Suppression of the Financing of Terrorism and entered into force on July 1, 2002. The second one adopts the Framework Decision of the European Union Council on Combatting Terrorism that was issued in late 2001. In January 2002 Sweden and Latvia signed a joint agreement on cooperation in areas relating to justice and interior affairs. The agreement will stay in place until December 2003 and will involve cooperation on several issues including judicial training, information sharing and data protection, crime prevention and probation services.[2562]
Sweden is a country that has traditionally adhered to the Nordic tradition of open access to government files. The world's first freedom of information act was the Riksdag's (Swedish Parliament) Freedom of the Press Act of 1766. The Act required that official documents should "upon request immediately be made available to anyone making a request" at no charge. The Freedom of the Press Act is now part of the Constitution and provides that "every Swedish citizen shall have free access to official documents." Decisions by public authorities to deny access to official documents may be appealed to general administrative courts and ultimately, to the Supreme Administrative Court. The Parliamentary Ombudsman has some oversight functions for freedom of information.
Sweden is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[2563] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2564] In November 2001 Sweden signed, but has not ratified, the Council of Europe Convention on Cybercrime (ETS No. 185).[2565] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.