Sweden has a long history of data privacy. In fact, it was the first country in the world to adopt data privacy legislation, with the 1973 Data Act.
Swedish data protection legislation has evolved ever since, and now includes laws that complement the General Data Protection Regulation (GDPR) – a set of provisions and ordinances that regulate the way public authorities process personal data, the way credit information is processed, and how camera surveillance is carried out.
When the GDPR came into force in May 2018, there was plenty of publicity in Sweden around the new rules and plenty of discussion on how companies could live up to the requirements of the new legislation. The positive effect of all this attention was that data protection and its basic requirements were on the minds of companies and individuals.
“A year into it, in 2019, we saw that organisations in general had procedures and routines in place to comply with the GDPR,” said Elisabeth Jilderyd, international legal adviser and coordinator for the Swedish Authority for Privacy Protection (IMY). “However, we could also see some deficiencies, especially within smaller companies, and we noted the need for more training, guidance and awareness-raising around the new rules.
“Now, four years on, there are still situations where the GDPR is not completely clear and where we need further interpretation and case law. In 2021, we received 5,767 data breach notifications and more than 2,600 complaints from individuals. The issues raised in the complaints helped us to develop a set of recommendations to both private and public sector data controllers.”
Some of the latest recommendations from the IMY are simply reminders of what is already specified in the GDPR. Organisations must provide clear information on what personal data they process and for what purpose. They must have procedures in place to ensure individuals’ rights with regard to data protection, and they must have procedures for dealing with personal data that is processed in email.
Organisations that use direct marketing must also have procedures to stop distribution of such marketing to recipients who do not want to receive it. When camera surveillance is used, clear signs must be in place to inform people about it.
In 2021, the IMY issued fines in eight cases, for a total of SEK32.5m (€3m). These fines went out to a variety of private and public sector organisations. The year before, the IMY issued fines in 15 cases, for a total of SEK150m. This included a SEK75m fine imposed on Google relating to the deletion of search results in its search engine. This case was later appealed, and the fine was reduced to SEK50m.
Growing importance of data protection
Jilderyd told Computer Weekly: “The GDPR is an important step forward in providing harmonised rules within the EU and the EEA [European Economic Area], and efficient data protection with the possibility for DPAs [data protection authorities] to issue administrative fines in case of non-compliance. Another important feature of the GDPR is the clear accountability for controllers – that they are responsible for ensuring compliance.”
But Jilderyd said many of the GDPR provisions are still not completely understood by all parties involved and need further clarification. This must be done under the supervision of the EU and EEA data protection authorities and through the case law of the Court of Justice of the European Union (CJEU) – and it will take time.
One of the big issues that needs clarification is the question of data transfers to countries outside the EU and EEA. The GDPR does not clearly define the concept of such transfers, which makes the situation complicated for both data controllers and data subjects.
“A clear definition in the law would be preferable,” said Jilderyd. “Also, the rules on cooperation between DPAs in cross-border processing situations might need to be reviewed in order to ensure that this cooperation is as efficient as possible.”
Data protection will become increasingly important as the world becomes more digitised and as new technology makes it easier to collect and analyse data. Rules on data protection will also need to be closely linked as new EU legislation that affects personal data processing is drafted. Examples of new regulation include the proposed AI Act, the Data Governance Act and the Data Act.
As is the case with all other European countries, transferring data outside the EU is still a concern for Sweden. It is important for the IMY to have clear rules that are easily understood by controllers. The biggest concern is for data being shared with the US, the country with the largest cloud providers.
There is currently no EU Commission decision on an adequate level of protection for data in the US. This means that data can only be transferred to the US if there is a contract between the EU exporter and the US importer, and only as long as this contract can provide the protection that EU law requires. The European Data Protection Board (EDPB) has issued recommendations, based on the CJEU decisions – and the possibilities to transfer data to the US currently remain quite limited.
“Hopefully, both from the controllers’ and the data subjects’ perspective, we will have a new agreement between the EU and the US on adequate guarantees for data protection in the US, so that a new adequacy decision can be adopted,” said Jilderyd.
“As for the US, the Trans-Atlantic Data Privacy Framework [which is being negotiated between the EU and the US] will be an important step forward, provided that the guarantees made in that framework live up to the level of protection pointed out by the CJEU. Many of the companies that we interact with from the EU are based in the US, and it is essential that this framework provides a strong level of data protection for EU and EEA data subjects.
“Of particular concern is the extent to which US authorities will have access to data and the possibilities for EU data subjects to exercise their rights in the US.”