Last Friday the Swedish Governmental commission of inquiry, the Data Protection Commission, published its report of inquiry (Sw. Ny dataskyddslag SOU 2017:39) concerning the national deviations that are permitted under the General Data Protection Regulation (the “GDPR”) as well as the impact of the GDPR on national legislation. In this blog post we summarise the points of the report that are most relevant for businesses.
The commission proposed that the Personal Data Act (Sw. Personuppgiftslag (1998:204)) and the Personal Data Ordinance (Sw. Personuppgiftsförordning (1998:1191)) should be repealed and that the supplementary provisions of a general nature should be enacted in a new act and ordinance on data protection. The new act will be called the Act containing supplementary provisions to the EU General Data Protection Regulation (Sw. lagen med kompletterande bestämmelser till EU:s dataskyddsförordning) (the “Data Protection Act”) and the ordinance will be called the Ordinance containing supplementary provisions to the EU General Data Protection Regulation (Sw. förordningen med kompletterande bestämmelser till EU:s dataskyddsförordning).
The Data Protection Commission proposes an extended applicability of the relevant provisions of the GDPR to areas which are not covered by EU law, such as national security. However, the new act will be subsidiary to certain sector-specific provisions such as national laws regarding record keeping. This means that we can expect further national legislation regarding data protection in the future.
According to the proposal, the GDPR shall not limit the Swedish constitutional provisions on freedom of the press and freedom of expression. The proposal introduces an exemption from certain provisions of the GDPR for the processing of personal data for journalistic purposes or for academic, artistic or literary expression.
The GDPR sets 16 as the age limit for parental consent for processing of personal data in relation to offers of information society services (such as social media, search engines and applications) and allows Member States’ legislation to lower it to a minimum of 13. The proposal sets out that the age limit for parental consent in Sweden shall be 13. For younger children, consent must be given or approved by a custodial parent. The Data Protection Commission does not propose how consent from a custodial parent should be given.
Furthermore, the Data Protection Commission seeks to clarify how some of the legal grounds enshrined in the GDPR for the processing of personal data will be established in Swedish law. For instance, the legal ground “legal obligation” should apply if it follows from a legislative act, other statute, collective agreement or decision issued pursuant to an act or other statute.
The general rule according to the GDPR is that processing of sensitive personal data is prohibited, unless an exemption applies in the GDPR or in national law. In line with this, the proposed Data Protection Act introduces supporting provisions for the processing of sensitive personal data, under certain conditions, in the areas of employment law, health and medical care, social care, archiving and statistical activities.
The Data Protection Commission proposes that the requirements regarding processing of personal identity numbers should remain the same as today and that Section 22 of the Personal Data Act should be transferred to the new Data Protection Act as it fulfils the requirements of the GDPR. This means that the requirements for processing personal identity numbers will remain the same.
The Data Protection Act introduces new provisions regarding the confidentiality obligations of data protection officers (“DPO”). In the private sector, according to the Data Protection Act, DPOs will be bound by confidentiality where the DPO has acquired knowledge of personal or financial circumstances of an individual.
The Data Protection Commission proposes restrictions on data subjects’ rights under the GDPR. For instance, the right to access shall not apply if the personal data is subject to secrecy or, as a main rule, where personal data is contained in running texts that constitute rough drafts or notes. According to the proposal, the right to compensation from the data controller or data processor, for damages suffered as a result of a breach of the GDPR, should also apply to breaches of the new Data Protection Act or of other related Swedish laws that complement the GDPR. Furthermore, the Data Protection Commission proposes that governmental authorities, too, may be subject to administrative fines if they violate the data protection regulations, just like enterprises or other private parties.
The proposed Data Protection Act outlines the supplementary provisions adapting Swedish law to the GDPR. However, the new Swedish legal framework concerning data protection under the GDPR will only be seen in its entirety when further sectoral laws, Government regulations and regulations of the Swedish data protection authority are issued.