Swedish Personal Data Act

22 March 2006

Josefine Jonsson

On 2 February 2006, the Swedish government presented draft legislation containing several proposals aimed at making the Swedish Personal Data Act (the “Act”) more focused on preventing misuse of personal data. Presently, the Act contains provisions on the handling of data, which apply regardless of whether the processing is harmful to personal integrity or not. This has lead to complaints about the provisions being too rigorous and formalistic in the context of the protection they provide if complied with in situations of everyday processing. Furthermore, the Swedish government has concluded that the Act needs to be adjusted to reflect the rapid technological developments within the IT area. It is against this background that the amendments set out below are proposed, all within the framework establish by Directive 95/46/EC.

The draft legislation is currently undergoing legal review by the Council of Legislation. The amendments are planned to enter into force on 1 January 2007.

Unstructured material exempted and a new rule preventingmisuse of personal data

The most significant proposal in the draft legislation is to exempt processing of unstructured materials, such as running texts, sounds and images, from the great majority of handling rules in the Act. The handling provisions should be reserved for processing which can be harmful to the personal integrity of individuals, i.e. materials which are structured in order to significantly facilitate searches for or compilations of personal data, such as personal data registers and personal data-related databases. With unstructured materials, such as running texts, sounds and images, the purpose is generally different, namely to promote the freedom of speech or to communicate with others. If the handling rules are applied in situations where interests other than privacy prevail, there is a risk that the Act will be watered down and lose its value.

Consequently, a dividing line is drawn based on the structure of the material, or more specifically, whether it significantly facilitates searches for personal data or not. It is the structure of the material as a whole which is considered. In practice, the proposal means that the handling provisions in the Act will not be applicable, among other things, to everyday processing like the production of running text in word processing software, the publication of running text on the Internet, the use of sound and image recordings or email correspondence. This is the case on the condition that the material is not intended for inclusion in a database with a personal data-related structure such as an electronic system for handling business.

Excluded material will be regulated by a simple rule designed to provide protection from the misuse of personal data. Under this rule, the processing of personal data is not permitted if it constitutes a violation of the registered person's personal integrity. The concept is given its content by the following examples, which are to be seen as guidelines for what not to do:

  • not to process personal data for improper purposes, such as persecuting or disgracing an individual;
  • not to collect a large amount of information about one individual without acceptable reasons;
  • not to not rectify personal data that turn out to be incorrect or misleading;
  • not to slander or insult someone else; and
  • not to violate an obligation to keep information secret.

If personal data in unstructured material is processed in violation of personal integrity, damages may be awarded to the registered person. Also, if personal integrity is violated under certain specified circumstances, criminal sanctions are also available.

Decriminalisation of negligent offences

Another important proposal, aimed at shifting towards misuse-orientated legislation, is to decriminalise acts which are committed by negligence. This amendment is proposed to make sure that only serious breaches are penalised and that unreasonable results are avoided. Consequently, only acts committed intentionally or by gross negligence will constitute a criminal offence under the Act.

Other proposals in the draft legislation concern the right to appeal certain decisions to the administrative courts and the right for the government to provide exceptions under Art. 13.1 of Directive 95/46/EC.

Response to the proposal

As the draft legislation is under legal review it is still uncertain whether the proposal will be passed by the Swedish Parliament. If this is passed, it is clear that it will lessen the burden on companies that process personal data in their everyday business.

So far the responses to the draft legislation have been positive. In a recent press release the director general for the Swedish Data Inspections Board, Göran Gräslund, expressed his support for the draft legislation. According to him, the proposed amendments will simplify the everyday use of IT and will allow the Data Inspection Board to focus on behaviour which creates serious threats to personal integrity.