momius -

GDPR harmonised with local laws in Nordic EU states

Sweden provides an interesting challenge for the European Union’s data protection regulation due to its laws around freedom of press and free speech

The European Union’s (EU) much lauded General Data Protection Regulation (GDPR) on personal information protection has been introduced, in largely absolute terms, into the national laws of Nordic EU member states Finland, Sweden and Denmark.

The GDPR came into force across EU states on 25 May.

The single exception to the GDPR’s “absolute” legal status is Sweden, where new amendments and changes to the country’s constitution will be required to harmonise existing laws with the full scope of the GDPR’s personal data protective reach.  

Such an outcome was inevitable in Sweden, which has the most liberal freedom of press, expression and data protection laws of all the Nordic countries.

Addressing GDPR exemptions

In Sweden, the GDPR, nor the country’s own Data Protection Act, may not be applied if elements do not conform with the provisions of the Freedom of the Press Act or conflict with the Fundamental Law on Freedom of Expression.

As a result, while the GDPR will affect the vast majority of Swedish enterprises, some database operators will remain, in the short-term at least, exempt from complying with the totality of the new rules that are embedded in the new EU legislation.

Among the companies on the GDPR exemption list are Eniro, Ratsit and Hitta, three of Sweden’s leading database operators and online publishers. To bring all database operators under the umbrella of the GDPR, the Ministry of Justice (MoJ) has established an expert group to draft new legislation that will seek to impose stricter limitations on how personal data collected by these companies can be collected, stored and distributed. The final legislative solution will aim to close loopholes in current laws that give database operators a broad freedom to gather and release personal data.

“Certain uses of personal data are allowed under existing laws in Sweden. These laws protect traditional freedoms, such as expression and the press. Companies like Hitta, Ratsit and Eniro, at this point in time, are not required to comply with GDPR even though they publish a range of personal data, such as telephone numbers, addresses, dates of birth and information on income. Such portals are considered part of the open information system in Sweden,” said Sara Malmgren, a senior associate and head of IT and ethics law at Stockholm-based law firm Foyen Advokatfirma.

“Certain uses of personal data are allowed under existing laws in Sweden. These laws protect traditional freedoms, such as expression and the press”
Sara Malmgren, Foyen Advokatfirma

As part of the impending changes in support of the GDPR, the MoJ-appointed expert committee will need to re-examine the legal entitlements granted under Sweden’s Publishing Certificate system. It is under this system that database operators such as Eniro, Hitta and Ratsit are free to collect and distribute personal information from a broad range of sources, including the national tax office, Skatteverket.

The final legislative solution, still to be reached, will need to achieve a compromise between personal data rights as set out under the GDPR, while respecting the general integrity and liberal scope of existing freedom of the press and freedom of expression acts. The MoJ plans to present draft legislative bills to the national parliament, the Riksdag, in the final quarter of 2018. It is expected that the relevant laws will be amended in the first half of 2019.

“These publishing certificates give constitutional protection and right to publish to certain database operators. These protections are similar to the right to free speech. Database operators are authorised to publish under the Freedom of the Press Act. Operators having this authorisation are excluded from complying with all aspects of the GDPR at present. They can basically publish what they want,” said Malmgren.

Right to erasure

Although database operators holding publishing certificates are not bound by the full constraints of GDPR, or the legal requirement to delete personal information, all companies have a system and process in place to “delete on request”.

As a rule, private citizens and companies can present a request, using a downloadable online form or by snail-mail in letter format to the operator in question, to have personal information removed from databases operated by Eniro, Hitta and Ratsit. In the case of Eniro and Hitta, this process can generally take between four to 10 working days for the company to fully comply with a right to erasure request. By contrast, the right to be forgotten process operated by Ratsit can take up to 30 days to fulfil.

“Companies with a publishing certificate do not need to comply with all aspects of GDPR. Nevertheless they cannot publish personal information such as IP addresses, user names or passwords”
Per Lövgren, Datainspektionen

Database operators holding publishing certificates do not generally question the justification for right to erasure requests, even though they are not legally obliged to delete personal data, said Per Lövgren, the head of communications at the Swedish Data Protection Authority (Datainspektionen).

“Companies with a publishing certificate do not need to comply with all aspects of GDPR. Nevertheless they cannot publish personal information such as IP addresses, user names or passwords. This is the type of information database operators obtain when users sign up to their services and open a new account. This makes them different from other database operators, like retailers H&M or ICA, which are bound by all legal elements of GDPR,” said Lövgren.

Counting the cost of GDPR compliance

An assessment conducted by Intrum, the Stockholm-headquartered management services company, estimated the average cost for implementing GDPR among SMEs in the EU zone at €8,000. The figure is reckoned to be €65,000 for large corporations. According to Intrum, the total estimated implementation cost, based on 26 million businesses across the EU, is €198bn. The conversion sum for Swedish companies with under 250 employees is expected to amount to €10,300, a cost that is higher than the EU or Nordic average.

The harmonisation of GDPR within Finland’s data protection and press freedom legislative structures has added a new weapon to the arsenal of the country’s Data Protection Ombudsman (DPO).

The DPO has opened an investigation, based on suspected breaches of the GDPR, in a tracking app developed by the Finnish sports activity firm Polar. The company’s Flow app has been found to reveal users’ sensitive location data. It is the first recorded case in Finland, or the Nordic region, where the GDPR is being applied to an investigation into a commercial application that is suspected to have data security shortcomings.

Meanwhile, the integration of GDPR into Danish law proved to be a relatively uncomplicated process.

The legal harmonisation dimension of the task was aided by the enactment of the National Data Protection Act by the Danish Parliament, the Folketing. The new legislation replaced the Personal Data Processing Act. The National Data Protection Act conveyed updated powers of authority to the Danish Data Protection Agency. This included funding and legal provisions for the agency’s current organisation and structure, which incorporates a Council and a Secretariat.

Read more about the General Data Protection Regulation

Read more on Privacy and data protection

Data Center
Data Management