I. Legal framework
Constitutional Privacy and Data Protection Framework
Sweden's Constitution 1 consists of four fundamental laws: the Instrument of Government, the Act of Succession, the Freedom of the Press Act, and the Fundamental Law on Freedom of Expression. These laws serve as a basis for Swedish political decision-making and contain several provisions relevant to data protection and citizens' freedoms and rights. For example, Section 2 of the Instrument of Government Act of 1974 2 provides for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument also states that freedom of expression and information – which are constitutionally protected pursuant to the Freedom of the Press Act of 1949 3 – can be limited with respect to the "sanctity of private life." Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity (privacy) in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. The European Convention on Human Rights (ECHR) was incorporated into Swedish law in 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.
In April 2004, the Swedish government decided to set up a Committee (Integritetsskyddskommitten, Committee on the protection of privacy) composed of experts and members of the Riksdag (The Swedish Parliament) to analyze legislation in Sweden concerning privacy and create a survey related to this issue.4 In spring 2007, the Committee presented an extensive report which contained the survey and analysis.5 "The committee describes in relative depth how legislation in different areas of society has developed, what kind of information the government and the Riksdag have had to base their decisions on and also how the balance has been struck between the interest of protecting privacy and other interests."6 The last report of the Committee was presented in January 2008, and in this report the Committee presented an analysis of how the constitutional protection of privacy should be regulated and what other measures are necessary.7 On 2 June 2010, the Swedish parliament voted in favour of a proposition that includes some of the Committee's proposals, though less far-reaching than in the original proposal. A new clause will be added to the Government Bill 2009/10:80 "A Reformed Constitution," which proposes extensive amendments to the Constitution and gives both citizens and non-citizens protection against "significant privacy intrusions that occur without consent and result in surveillance or mapping of the personal life of the individual."8 The amendments to the Constitution must be confirmed during the coming legislature and will come into force in 2011, with a transition period until 2015.9 The amendments to the constitutional framework in Sweden must be considered to be significant but the issue of a more detailed regulation, as proposed by the Committee, still remains open.
The Swedish Personal Data Act (PDA) or personuppgiftslagen (PUL) was enacted in 1998 to bring Swedish law into conformity with the requirements of the European Union (EU) Data Protection Directive 1995/46/EC.10 The PDA essentially incorporates the EU Data Protection Directive into Swedish law. It regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. The Act replaced the Data Act of 1973, which was the first comprehensive national act on privacy in the world.11 The 1973 Act continued to apply until October 2001 with respect to processing of personal data initiated prior to 24 October 1998. An amendment of Section 33 of the Act entered into force in January 2000 in order to align even closer to the EU Data Protection Directive standards on the transfer of personal data to third countries.
In years past both the PDA and the EU Data Protection Directive, on which it is based, were criticised for being too restrictive. On 11 May 2006, the Swedish Parliament voted to amend the PDA to make it more focused on preventing the misuse of personal data.12 The most significant change to the PDA is to exempt processing of "unstructured materials," such as scrolling texts, sounds and images, and email from the great majority of handling provisions in the PDA. The excluded material will be regulated by a simple rule -- processing of personal data is not permitted if it constitutes a violation of the registered person's personal integrity. Guidelines in the legislation mandate that the data processor cannot process data for improper purposes such as harassment or defamation, or collect large amounts of information about a person without good cause. Data processors are required to correct personal data that is wrong or misleading and to observe secrecy and non-disclosure regulations. However, the amendment also decriminalises breaches committed by mere negligence; gross negligence is now required before a breach can be prosecuted under the PDA. The amendments came into force on 1 January 2007.
The PDA provides liberal exemptions for freedom of expression. It specifically states that in case of a conflict, the existing protections for freedom of the press (Freedom of the Press Act)13 and freedom of speech (Freedom of Expression Act)14 will prevail. The majority of the provisions in the PDA are also exempted in regard to processing that is carried out exclusively for journalistic purposes, or artistic or literary expression. In 2001, the Swedish Supreme Court ruled that the operator of a Web site dedicated to the criticism of several Swedish banks and bank officials did not violate the PDA, as he was protected by the exemptions for journalistic purposes.15 In another case, where a church volunteer had published information about church employees on the Internet without their consent, the Göta Court of Appeal decided in 2004 that this was not a matter of processing for journalistic purposes, or artistic or literary expression.16 The Court found that, in this case, the right to privacy outweighed the freedom of expression and the processing conflicted with several provisions in the PDA. However, due to the circumstances in this case, it was not seen as a serious offence, and the church volunteer was not convicted.17
Besides the PDA, there is also specific legislation regarding processing of personal data in different, specified sectors. Some examples include the Health Care Register Act of 1998,18 the Police Data Act of 1998,19 the Land Register Act of 2000,20 the Schengen Information System Act of 2000,21 and the Act on processing of personal data within Social Services of 2001.22 Other statutes with provisions relating to data protection include the Secrecy Act of 1980,23 the Credit Information Act of 1973,24 the Debt Recovery Act of 1974,25 and the Administrative Procedure Act of 1986.26 In sectors that fall within the scope of the EU Data Protection Directive, the specific legislation takes into account the Directive's rules.27 The EU Directive 2002/58/EC on privacy and electronic communications was essentially implemented in July 2003 by the entry into force of the Electronic Communications Act (ECA).28
In 2002, the Parliament adopted new rules on voluntary publishing licences.29 The rules on freedom of the press and freedom of expression apply to printed publications, radio and television, films, etc., and do not -- in principle -- apply to the Internet.30 With the new rules, anyone may apply for and obtain such a licence, and thereby extend the rules on freedom of the press and expression to their Web site. This means that the keeper of a Web site who has obtained a publishing licence will be able to process personal data without having to comply with the provisions of the PDA.31 Specific privacy problems have occurred in this context regarding publication of credit information and phone directories on the Internet. Following remarks from the data protection authority, a specific inquiry has been set up within the Ministry of Justice to analyse whether the new legislation conflicts with provisions that aim at protecting privacy.32 A resulting government bill resolving some of these issues was approved by the Swedish Parliament in June 2010.33 From 1 January 2011, any processing of personal credit information will have to be based on legitimate need. Such a need would be, for example, a landlord checking potential tenants' financial status. The data subject will receive a copy of the document and the chance to correct faulty information. While not uncontroversial, especially by international comparison, the bill means real improvement from the previous situation, where ubiquitous peer-to-peer information gathering was possible almost without any limitation.34
Data protection authority
Compliance with the PDA is monitored by the Data Inspection Board (DIB or Datainspektionen), a central government agency that carries out its functions independently. The DIB has 40 employees35 who handle complaints from individuals concerning the processing of personal data. In 2009, the DIB handled 233 complaints about personal data processing.36 The DIB has discretion to decide which complaints to pursue, but complainants always receive a response as to whether an investigation is initiated, and the outcome of any investigation.37
The PDA requires that automated processing of personal data be notified to the DIB.38 Several exemptions from the notification duty apply, for example if an entity appoints a personal data representative. The number of representatives has increased to 3,678 in 2009 from 3,562 in 2008.39 Some processing operations that are likely to pose particular risks of improper intrusion of privacy must be notified for prior checking.40
Initiatives have also been taken to use biometric data outside the government authority sector. In 2004 and 2005, the DIB handled several requests from schools regarding the use of fingerprint recognition devices to allow access to school canteens. The DIB said that processing of biometric data for this purpose was not compatible with the principles of necessity and proportionality prescribed by the PDA and the EU Data Protection Directive. The fact that consent would be obtained from the students or their parents did not change this view. Despite this warning, biometrics, in the form of finger scans, are being used in the Kvarnby School in Stockholm to log in to school computers.41
The DIB published a report in 2005 about store bonus cards and found many privacy concerns.42 The report found that the cards contained detailed information about customers and their purchases. The DIB suggested that the companies gain consent from consumers before using the data for targeted advertising and improve the information given to new bonus customers so they could make an informed decision regarding their private data. The DIB also suggested the companies keep the data for as short a time as possible and restrict the information that is registered. In addition to the report, the DIB also issued supervisory decisions, including the three decisions of the DIB which have now been upheld by the County Administrative Court.
On 22 June 2006 the DIB issued a decision that SafeSite, a computer system that exchanges information and warnings between hotels and stores, did not violate the PDA because the warnings and descriptions examined by the Board were so vaguely formulated that they could not be considered personal data as it is defined in the PDA. SafeSite allows the warnings to be transferred to a document in order to make a police report.43
The role of the Swedish DPA has been an issue of debate since the above-mentioned Committee on the protection of privacy proposed that the agency's mission should be expanded to a more general responsibility for privacy issues. The Committee rightly identified the absence of an institution with overall responsibility for privacy-related issues and suggested that this task should fall on an entirely new agency; or, at least that the DPA should get broader competences. These suggestions were too radical, however, and the conservative/liberal coalition government instead created a "Commission on Security and Integrity Protection" (SÄKINT), which is designed to monitor and control the use of covert surveillance by the police and secret services.44 The SÄKINT's first chairman was a former secret service General Director, but he resigned one year after his installation in 2008, his action supposedly related to the debate on the FRA wiretapping.45 The DPA, however, has neither received increased budgetary means, nor a broadened area of responsibility.46
Major privacy and data protection case law
A case concerning biometric data in schools was presented, referring to a decision of the Data Inspection Board from 2004 regarding the collection and processing of students' fingerprints for the purpose of checking access to the school canteen.47 "Regardless of the fact that consent was obtained, the decision was that the processing was not adequate or relevant and that such checks could be made in a less privacy-intrusive manner."48 The Data Inspection Board's decision was appealed to the County Administrative Court, which then upheld the decision.49
In June 2007, the Administrative Court of Appeal in Stockholm passed its judgment in the Anti-Piracy Bureau case.50
There was a debate in Sweden over whether police can access Internet records to fine file-sharers. A Swedish court of appeals upheld the country's first conviction for file-sharing.51
In 2009 the Swedish Parliament agreed to the implementation of Directive 2004/48/EC, commonly named the Intellectual Property Rights Enforcement Directive (IPRED). The Swedish implementing act (IPRED Act) has been widely debated as it was introduced in the wake of the above-mentioned FRA debate. It is intended to protect property rights and has been used by the Swedish Anti-Piracy Bureau to access copyrighted material and proceed against the server administrators. Since then, a number of cases have been brought to court by the music and publishing industries.52
One of the most important and internationally known legal cases in Sweden occurred in 2008-2009 and concerned one of the world's biggest torrent trackers, The Pirate Bay.53
- 1. Swedish Constitution, English version available at http://www.servat.unibe.ch/icl/sw00000_.html
- 2. Regeringsformen, SFS 1974:152, available at http://www.riksdagen.se/templates/R_Page____6307.aspx.
- 3. Tryckfrihetsförordningen, SFS 1949:105, available at http://www.riksdagen.se/templates/R_Page____6313.aspx.
- 4. 11th Annual Report of the Article 29 Data Protection Working Party (2007), 24 June 2008, at 105, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/11th_annua...
- 5. Id.
- 6. Id.
- 7. Id.
- 8. Constitutional Board of the Swedish Parliament, Betänkande 2009/10:KU19, "Vissa fri- och rättigheter m.m." (Report 2009/10:KU19, "Certain Rights and Liberties etc."), at http://www.riksdagen.se/webbnav/?nid=3322&rm=2009/10&bet=KU19. Author's translation; the original reads "skydd mot betydande intrång i den personliga integriteten om det sker utan samtycke och innebär övervakning eller kartläggning av den enskildes personliga förhållanden."
- 9. Id.
- 10. Personuppgiftslagen, SFS 1998:204, English version available at http://www.datainspektionen.se/in-english/legislation/the-personal-data-....
- 11. Datalagen, SFS 1973:289.
- 12. Swedish PDA Amendments of 2007, SFS 2006:398.
- 13. SFS 1949:105, available at http://www.riksdagen.se/templates/R_Page____6313.aspx
- 14. SFS 1991:1469 and 2002:209, available at http://www.riksdagen.se/templates/R_Page____6316.aspx.
- 15. Supreme Court, 12 June 2001, see Nytt Juridiskt Arkiv (NJA) 2001 at 409, available in Swedish at http://www.rattsinfosok.dom.se/lagrummet/index.jsp.
- 16. Göta Court of Appeal, case B 747-00, 7 April 2004.
- 17. EC Court of Justice, case C-101/01 6 November 2003, Bodil Lindqvist, OJ C 7, 10 January 2004, at 3, linked from http://ec.europa.eu/justice/policies/privacy/law/index_en.htm
- 18. SFS 1998:544.
- 19. SFS 1998:622.
- 20. SFS 2000:224.
- 21. SFS 2000:344.
- 22. SFS 2001:454.
- 23. SFS 1980:100.
- 24. SFS 1973:1173.
- 25. SFS 1974:182.
- 26. SFS 1986:223.
- 27. See for example the Health Care Register Act of 1998 and the Credit Information Act of 1973.
- 28. SFS 2003:389.
- 29. Chapter 1, section 9 of The Fundamental Law on Freedom of Expression, SFS 1991:1469 and 2002:209, available at http://www.riksdagen.se/templates/R_PageExtended____6317.aspx
- 30. See Section "Comprehensive law," supra in this report.
- 31. The Swedish Radio and TV Authority, at http://www.rtvv.se.
- 32. Ministry of Justice (JU) No. 2003:04, see terms of reference 2003:58.
- 33. Parliament protocol 2009/10:139 from 17 June 2010, at http://www.riksdagen.se/webbnav/index.aspx?nid=101&bet=2009/10:139. See Government Bill 2009/10:151 (Swedish only).
- 34. This issue has engaged the Data Protection Agency considerably. See their press release on the new bill, 18 June 2010, in Swedish at http://www.datainspektionen.se/press/nyheter/ja-till-starkare-integritet....
- 35. Official Web site, available in English at http://www.datainspektionen.se/in-english/about-us/ (accessed September 2010).
- 36. Earlier years: 279 in 2008, 233 in 2007, 307 in 2006, and 405 in 2005. Data Inspection Board's Annual Reports, available in Swedish at http://www2.datainspektionen.se/bt/ladda-ner-a-bestaell?page=shop.browse....
- 37. Id.
- 38. SFS 1998:204, § 36.
- 39. Data Inspection Board's 2009 Annual Report, at 10.
- 40. SFS 1998:204, § 41.
- 41. City of Stockholm Schools, "Precise Biometrics simplifies login procedures at the Kvarnby School."
- 42. The Data Inspection Board, Report on Bonus Cards and the Personal Data Act, 2005:3, English summary available at http://www.datainspektionen.se/Documents/rapport-bonus-cards.pdf.
- 43. See SafeSite's webpage, in Swedish at http://www.safesite.se. Decision of the DIB of 20 June 2006.
- 44. Förordning 2007:1141 med instruktion för Säkerhets- och integritetsskyddsnämnden (Ordinance (2007:1141) Containing Instructions for the Swedish Commission on Security and Integrity Protection), at http://www.sakint.se/dokument/english/ordinance_instruction_scsip.pdf. The Commission actually replaced the earlier "Registry Board", which had similar tasks.
- 45. "Statlig säkerhetsnämnd spricker," ("Government Security Commission Cracks") SvD, 9 December 2009, at http://www.svd.se/nyheter/inrikes/statlig-sakerhetsnamnd-spricker_379027.... See also Section "Wiretapping, access to, and interception of communications," infra in this report.
- 46. The DPA in fact receives about the same budgetary means in 2010 as it did in 1991 (figure adjusted to consumer price index) although its tasks have multiplied. Figures available in: Betänkande 1991/92:KU26 Anslag till datainspektionen (Statement of the Constitutional Board Regarding Funding of the Data Protection Agency), in Swedish at http://www.riksdagen.se; Regleringsbrev för budgetåret 2007 avseende Datainspektionen (Regeringsbeslut Fi2006/7202) (2007 Instructions to the Data Protection Agency), in Swedish at http://www.esv.se.
- 47. 11th Annual Report of the Article 29 Data Protection Working Party, supra. See also Section "Data Protection Authority," supra in this Report.
- 48. Id.
- 49. Id.
- 50. See Section "Cybercrime," infra in this Report.
- 51. Id.
- 52. Id.
- 53. Id.