The Personal Data Act 1988 is the most important legal instrument on data protection in Sweden. The act implements the EU Data Protection Directive (95/46/EC), which aims to protect people against violations of their right to privacy resulting from personal data processing in both the public and private sectors.
Both Sweden and other member states where the directive has been implemented have encountered certain difficulties its application. The directive's provisions on the actual processing of personal data appear to be too complicated. Data processing is completely harmless in most cases, and is (in Sweden) carried out every day by most employees.
Since the implementation of the directive in Sweden the legislation has been much debated, and the government has been approached to examine a new data protection model. This will focus on misuse of personal data rather than all personal data handling, as is the case under the directive. In September 2002 amendments to the directive were jointly proposed by Sweden, Austria, Finland and the United Kingdom. According to this proposal, the rules must effectively protect personal data without unnecessarily restricting data processing. The proposal seeks to balance these requirements better, without weakening the level of data protection.
The proposal includes, among others, the following amendments to the directive:
- Photographs and names will not be automatically regarded as sensitive data. These types of data should be regarded as sensitive and thus require special protection where they "clearly describe intimate personal characteristics and their processing is particularly likely to infringe fundamental freedoms or privacy" (Recital 33).
- Processing of personal data is allowed when the "processing is necessary for the performance of a contract to which the data subject is a party" (Article 8(2)).
- Information shall be "made available" rather than given to the data subject. It shall be made available "at the time of the collection or within a reasonable period after the collection" of the data (Article 10).
- No information need be made available unless it is "necessary to guarantee fair processing in respect of the data subject". Furthermore, it is not necessary to make the information available if it "would involve disproportionate effort" (Article 10).
- The transfer of personal data to third countries is allowed if "the personal data is lawfully published in a member state" (Article 26(1)).
The argument behind the proposal is that, in order for the directive's provisions to gain acceptance and to be applied effectively, they must concentrate on the essentials. The core requirements of data protection are more likely to be complied with by data controllers if unnecessary and, in some cases, costly bureaucratic requirements (for which there is no conclusive value in data protection terms) are removed. Consequently, Sweden and the other countries believe that, although some requirements will be removed, the proposed amendments are in fact likely to strengthen data protection.
For further information on this topic please contact Agne Lindberg at Advokatfirman Delphi & Co by telephone (+46 8 677 54 00) or by fax (+46 8 20 18 84) or by email ([email protected]).