
Sweden and GDPR – four years on


Sweden has a long history of data privacy. In fact, it was the first country in the world to adopt data privacy legislation, with the 1973 Data Act.

Swedish data protection legislation has evolved ever since, and now includes laws that supplement the General Data Protection Regulation (GDPR) – a set of provisions and ordinances that regulate the way public authorities process personal data, the way credit information is processed, and how camera surveillance is carried out.

When the GDPR came into force in May 2018, there was a lot of publicity in Sweden around the new rules and a lot of discussion on how companies could live up to the requirements of the new legislation. The positive effect of all this attention was that data protection and the basic requirements were on the minds of companies and individuals.

“A year into it, in 2019, we saw that organisations in general had procedures and routines in place to comply with the GDPR,” said Elisabeth Jilderyd, international legal adviser and coordinator for the Swedish Authority for Privacy Protection (IMY). “However, we could also see some deficiencies, in particular within smaller companies, and we noted the need for more education, assistance and awareness-raising around the new rules.

“Now, four years on, there are still situations where the GDPR is not entirely clear and where we need further interpretation and case law. In 2021, we received 5,767 data breach notifications and more than 2,600 complaints from individuals. The issues raised in the complaints helped us to produce a set of recommendations to both public and private sector data controllers.”

Some of the latest recommendations from the IMY are simply reminders of what is already laid out in the GDPR. Organisations must give clear information on what personal data they process and for what purpose. They must have procedures in place to ensure individuals’ rights with regard to data protection, and they need to have procedures for handling personal data that is processed in email.

Organisations that use direct marketing must also have procedures to stop distribution of such marketing that the recipients do not want to receive. When camera surveillance is used, clear signs must be in place to inform people about it.

In 2021, the IMY issued fines in eight cases, for a total of SEK32.5m (€3m). These fines went out to a range of public and private sector organisations. The year before, the IMY issued fines in 15 cases, for a total of SEK150m. This included a SEK75m fine imposed on Google regarding the deletion of search results in its search engine. This case was later appealed, and the fine was reduced to SEK50m.

Growing importance of data protection

Jilderyd told Computer Weekly: “The GDPR is an important step forward in providing harmonised rules within the EU and the EEA [European Economic Area], and effective data protection with the possibility for DPAs [data protection authorities] to issue administrative fines in case of non-compliance. Another important feature of the GDPR is the clear accountability for controllers – that they are responsible for ensuring compliance.”

But Jilderyd said many of the GDPR provisions are still not fully understood by all parties involved and need further clarification. This will have to be done under the supervision of the EU and EEA data protection authorities and the Court of Justice of the European Union (CJEU) case law – and it will take time.

One of the important things that needs clarification is the issue of data transfers to countries outside the EU and EEA. The GDPR does not clearly define the concept of these transfers, which makes the situation difficult for both data controllers and data subjects.

“A clear definition in the law would be preferable,” said Jilderyd. “Also, the rules on cooperation between DPAs in cross-border processing cases might have to be reviewed in order to ensure that this cooperation is as effective as possible.”

Data protection will become increasingly important as the world becomes more digitised and as new technology makes it easier to collect and analyse data. Rules on data protection will also have to be closely linked as new EU legislation that affects personal data processing is drafted. Examples of new legislation include the proposed AI Act, the Data Governance Act and the Data Act.

As is the case with all other European countries, transferring data outside the EU is still a concern for Sweden. It is important for the IMY to have clear rules that are easily understood by controllers. The biggest concern is for data being shared with the US, the country with the biggest cloud providers.

There is currently no EU Commission decision on adequate level of protection for data in the US. This means that data can only be transferred to the US if there is a contract between the EU exporter and the US importer, and as long as this contract can provide the protection that EU law requires. The European Data Protection Board (EDPB) has issued recommendations, based on the CJEU decisions – and the possibilities to transfer data to the US currently remain quite limited.

“Hopefully, both from the controllers’ and the data subjects’ point of view, we will have a new agreement between the EU and the US on adequate guarantees for data protection in the US, so that a new adequacy decision can be adopted,” said Jilderyd.

“As for the US, the Trans-Atlantic Data Privacy Framework [which is being negotiated between the EU and the US] will be an important step forward, provided that the guarantees made in that framework live up to the level of protection pointed out by the CJEU. Many of the companies that we interact with from the EU are based in the US and it is important that this framework provides a strong level of data protection for EU and EEA data subjects.

“Of particular concern is the extent to which US authorities may have access to data and the possibilities for EU data subjects to exercise their rights in the US.”
