New Legislation for Protecting the Data of Swedish Citizens
Sweden’s Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218), or the Act for short, is a data protection law that was passed in 2018. The Act was passed for the purpose of repealing Sweden’s former Data Protection Act (1998:204), which had been passed more than a decade prior. As Sweden is a part of the European Union, the Act also implements the provisions of the General Data Protection Regulation, or GDPR, into Swedish law, thereby placing restrictions and regulations on the grounds upon which personal data may be collected, processed, and disseminated within the country. The law also establishes the punishments that individuals and organizations stand to face should they violate the law.
What is the scope and applicability of the Act?
In terms of the scope and applicability of Sweden’s Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218), the personal and material scope of the law are identical to those of the EU’s GDPR law. However, with respect to the territorial scope of the law, the “Act applies to the processing of personal data within the framework of activities conducted at the business premises of data controllers or data processors in Sweden. The Act also applies to the processing of personal data by data controllers that are not established in Sweden, but in a place where Swedish law is applicable according to international law.”
Moreover, the provisions of Sweden’s Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218) also apply to data controllers and processors who are not physically located within Sweden, provided that the processed data pertains to data subjects who are located in Sweden and relates to:
- offering goods or services to such data subjects, or
- monitoring their actions in Sweden.
Furthermore, as it relates to exceptions concerning the law, the provisions of the Act do not apply to certain categories of data processing, such as data processing relating to the military, national defense, or intelligence operations, among others. Additionally, as stated in the law, the “government, or an authority appointed by the government, may issue Regulations authorizing data controllers not covered by regulations on archiving to process personal data for archiving purposes in the public interest.”
What are the primary differences between the Act and the EU’s GDPR law?
Under Sweden’s Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218), many of the provisions set out in the EU’s GDPR law remain unchanged. However, one of the major variations between the two laws is the age of consent with respect to data collection and processing. The EU’s GDPR law sets this age at 16, while many other EU member states have a lower age of consent. In the case of Sweden, the age of consent under the Act is 13. To this end, the personal data of children under the age of 13 may only be collected or processed with the consent of the child’s parent or other legal guardian.
Alternatively, as it relates to sensitive personal data, the law states that “sensitive personal data may be processed on the basis of Article 9.2 j of the EU General Data Protection Regulation, if such processing is necessary for statistical purposes and the public interest in the statistics project for which the processing takes place clearly outweighs the risk of undue infringement.” What’s more, the personal identity or coordination numbers of Swedish citizens may also be processed under the Act without their consent, “if such processing is clearly justified in light of the purpose of the processing, the importance of accurate identification, or on other significant grounds.”
In terms of the enforcement of the law, Sweden’s Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218) is enforced by the Swedish Authority for Privacy Protection, in conjunction with both the EU’s GDPR law and Sweden’s Enforcement Code. To this point, data controllers and processors who violate the law are subject to a number of sanctions, including but not limited to:
- A monetary penalty ranging from SEK 5,000,000 ($549,625.50) to SEK 10,000,000 ($1,099,251.00).
- Administrative fines up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year if higher.
- Other sanctions and penalties that can be levied at the discretion of the Swedish Authority for Privacy Protection.
As Sweden’s original Data Act was one of the first data protection laws to be passed around the world in 1973, the country’s level of regulation concerning the collection and processing of personal data is extremely high. Through the Act with Supplementary Provisions to the EU General Data Protection Regulation (SFS 2018:218) and the EU’s GDPR law, Swedish citizens can continue to enjoy the high levels of data protection and personal privacy that have become commonplace within their country. Through the advent of such legislation, said citizens can also pursue multiple avenues for recourse should their rights under the law be violated or infringed upon at any point.