Sweden has a long history of data privacy. In fact, it was the first country in the world to adopt data privacy legislation, with the 1973 Data Act.
Swedish data protection legislation has evolved ever since, and now includes laws that complement the General Data Protection Regulation (GDPR) – a set of provisions and ordinances that regulate the way public authorities process personal data, the way credit information is processed, and how camera surveillance is carried out.
When the GDPR came into force in May 2018, there was a lot of publicity in Sweden around the new rules and a lot of discussion on how companies could live up to the requirements of the new legislation. The positive effect of all this attention was that data protection and its basic requirements were on the minds of companies and individuals.
“A year into it, in 2019, we saw that organisations generally had procedures and routines in place to comply with the GDPR,” said Elisabeth Jilderyd, international legal adviser and coordinator for the Swedish Authority for Privacy Protection (IMY). “However, we could also see some deficiencies, especially within smaller companies, and we noted the need for more training, guidance and awareness-raising around the new rules.
“Now, four years on, there are still situations where the GDPR is not entirely clear and where we need further interpretation and case law. In 2021, we received 5,767 data breach notifications and more than 2,600 complaints from individuals. The issues raised in the complaints helped us to develop a set of recommendations to both public and private sector data controllers.”
Some of the latest recommendations from the IMY are simply reminders of what is already laid down in the GDPR. Organisations must provide clear information on what personal data they process and for what purpose. They must have procedures in place to ensure individuals’ rights with regard to data protection, and they must have procedures for dealing with personal data that is processed in email.
Organisations that use direct marketing must also have procedures to stop distribution of such marketing that the recipients do not want to receive. When camera surveillance is used, clear signs must be in place to inform people about it.
In 2021, the IMY issued fines in eight cases, for a total of SEK32.5m (€3m). These fines went out to a variety of public and private sector organisations. The year before, the IMY issued fines in 15 cases, for a total of SEK150m. This included a SEK75m fine imposed on Google regarding the deletion of search results in its search engine. This case was later appealed, and the fine was reduced to SEK50m.
Increasing importance of data protection
Jilderyd told Computer Weekly: “The GDPR is an important step forward in providing harmonised rules within the EU and the EEA [European Economic Area], and efficient data protection with the possibility for DPAs [data protection authorities] to issue administrative fines in case of non-compliance. Another important feature of the GDPR is the clear accountability for controllers – that they are responsible for ensuring compliance.”
But Jilderyd said many of the GDPR provisions are still not entirely understood by all parties involved and need further clarification. This must be done under the supervision of the EU and EEA data protection authorities and the Court of Justice of the European Union (CJEU) case law – and it will take time.
One of the big issues that needs clarification is the question of data transfers to countries outside the EU and EEA. The GDPR does not clearly define the concept of these transfers, which makes the situation complicated for both data controllers and data subjects.
“A clear definition in the regulation would be preferable,” said Jilderyd. “Also, the rules on cooperation between DPAs in cross-border processing situations may need to be reviewed in order to ensure that this cooperation is as efficient as possible.”
Data protection will become increasingly important as the world becomes more digitised and as new technology makes it easier to collect and analyse data. Rules on data protection will also need to be closely linked as new EU legislation that affects personal data processing is drafted. Examples of recent legislation include the proposed AI Act, the Data Governance Act and the Data Act.
As is the case with all other European countries, transferring data outside the EU is still a concern for Sweden. It is important for the IMY to have clear rules that are easily understood by controllers. The biggest concern is for data being shared with the US, the country with the biggest cloud providers.
There is currently no EU Commission decision on an adequate level of protection for data in the US. This means that data can only be transferred to the US if there is a contract between the EU exporter and the US importer, and as long as this contract can provide the protection that EU law requires. The European Data Protection Board (EDPB) has issued recommendations, based on the CJEU decisions – and the possibilities to transfer data to the US today remain quite limited.
“Hopefully, both from the controllers’ and the data subjects’ perspective, we will have a new agreement between the EU and the US on adequate guarantees for data protection in the US, so that a new adequacy decision can be adopted,” said Jilderyd.
“As for the US, the Trans-Atlantic Data Privacy Framework [which is being negotiated between the EU and the US] will be an important step forward, provided that the guarantees made in that framework live up to the level of protection pointed out by the CJEU. Many of the companies that we interact with from the EU are based in the US and it is essential that this framework provides a strong level of data protection for EU and EEA data subjects.
“Of particular concern is the extent to which US authorities may have access to data and the possibilities for EU data subjects to exercise their rights in the US.”