vectorfusionart - stock.adobe.co

Sweden and GDPR – four years on

Swedish data protection coordinator talks to Computer Weekly four years into the General Data Protection Regulation

This article can also be found in the Premium Editorial Download: CW EMEA: CW Nordics: Norway struggles to keep up with demand for tech specialists

Sweden has a long history of data privacy. In fact, it was the first country in the world to adopt data privacy legislation, with the 1973 Data Act.

Swedish data protection legislation has evolved ever since, and now includes laws that supplement the General Data Protection Regulation (GDPR) – a set of provisions and ordinances that regulate the way public authorities process personal data, the way credit information is processed, and how camera surveillance is done. 

When the GDPR came into force in May 2018, there was a lot of publicity in Sweden around the new rules and a lot of discussion on how companies could live up to the requirements of the new legislation. The positive effect of all this attention was that data protection and the basic requirements were on the minds of companies and individuals.  

“A year into it, in 2019, we observed that organisations in general had procedures and routines in place to comply with the GDPR,” said Elisabeth Jilderyd, international legal adviser and coordinator for the Swedish Authority for Privacy Protection (IMY). “However, we could also see some deficiencies, in particular within smaller companies, and we noted the need for more training, guidance and awareness-raising around the new rules.

“Now, four years on, there are still situations where the GDPR is not entirely clear and where we need further interpretation and case law. In 2021, we received 5,767 data breach notifications and more than 2,600 complaints from individuals. The issues raised in the complaints helped us to develop a set of recommendations to both public and private sector data controllers.”

Some of the latest recommendations from the IMY are simply reminders of what is already laid out in the GDPR. Organisations must provide clear information on what personal data they process and for what purpose. They must have procedures in place to ensure individuals’ rights with regard to data protection, and they must have procedures for dealing with personal data that is processed in email.

Organisations that use direct marketing must also have procedures to stop distribution of such marketing that the recipients do not want to receive. When camera surveillance is used, clear signs must be in place to inform people about it. 

In 2021, the IMY issued fines in eight cases, for a total of SEK32.5m (€3m). These fines went out to a variety of public and private sector organisations. The year before, the IMY issued fines in 15 cases, for a total of SEK150m. This included a SEK75m fine imposed on Google regarding the deletion of search results in its search engine. This case was later appealed, and the fine was reduced to SEK50m. 

Increasing importance of data protection 

Jilderyd told Computer Weekly: “The GDPR is an important step forward in providing harmonised rules within the EU and the EEA [European Economic Area], and efficient data protection with the possibility for DPAs [data protection authorities] to issue administrative fines in case of non-compliance. Another important feature of the GDPR is the clear accountability for controllers – that they are responsible for ensuring compliance.”

But Jilderyd said many of the GDPR provisions are still not entirely understood by all parties involved and need further clarification. This will have to be done under the supervision of the EU and EEA data protection authorities and the Court of Justice of the European Union (CJEU) case law – and it will take time.  

One of the big things that needs clarification is the issue of data transfers to countries outside the EU and EEA. The GDPR does not clearly define the concept of these transfers, which makes the situation complicated for both data controllers and data subjects.

“A clear definition in the law would be preferable,” said Jilderyd. “Also, the rules on cooperation between DPAs in cross-border processing situations might have to be reviewed in order to ensure that this cooperation is as efficient as possible.”

Data protection will become increasingly important as the world becomes more digitised and as new technology makes it easier to collect and analyse data. Rules on data protection will also have to be closely linked as new EU legislation that affects personal data processing is drafted. Examples of new regulation include the proposed AI Act, the Data Governance Act and the Data Act. 

As is the case with all other European countries, transferring data outside the EU is still a concern for Sweden. It is important for the IMY to have clear rules that are easily understood by controllers. The biggest concern is for data being shared with the US, the country with the biggest cloud providers. 

Read more about GDPR

There is currently no EU Commission decision on adequate level of protection for data in the US. This means that data can only be transferred to the US if there is a contract between the EU exporter and the US importer, and as long as this contract can provide the protection that EU law requires. The European Data Protection Board (EDPB) has issued recommendations, based on the CJEU decisions – and the possibilities to transfer data to the US today remain quite limited.  

“Hopefully, both from the controllers’ and the data subjects’ perspective, we will have a new agreement between the EU and the US on adequate guarantees for data protection in the US, so that a new adequacy decision can be adopted,” said Jilderyd. 

“As for the US, the Trans-Atlantic Data Privacy Framework [which is being negotiated between the EU and the US] will be an important step forward, provided that the guarantees made in that framework live up to the level of protection pointed out by the CJEU. Many of the companies that we interact with from the EU are based in the US and it is important that this framework provides a strong level of data protection for EU and EEA data subjects.

“Of particular concern is the extent to which US authorities may have access to data and the possibilities for EU data subjects to exercise their rights in the US.”

Read more on Privacy and data protection