Summary
of the Swedish
Personal Register Law
The object of the law is to protect against invasion of privacy through
handling of personal information. The law defines "handling of
personal information" as any handling of personal information,
automatic or manual, like collection, registering, organizing, storing,
treatment or change, retrieval, use or transmission, publication, collating,
blocking or deleting. This law, however, only applies to handling of
information which is wholly or partly automatic (for example by using
computers), or which is contained in a structured collection
of personal information available for search or retrieval.
Personal information is defined as any kind of information,
which directly or indirectly refers to a living physical person.
The law specifies exceptions where the law is not
valid: Wholly private registers handled by a single person for his or
her personal needs, registers published in newspapers, books or broadcast
programs, registers used only by journalists, authors or artists.
The
law may not be as dangerous as it sounds
The law may not be as dangerous as it sounds, since there has been
a very heated debate about the law in Sweden, and it is possible that
the law will not in reality be upheld in ways which endanger freedom
of speech. Because of this, many providers of services in Sweden have
chosen to continue as before until anyone really is prosecuted according
to the new law.
Requirements
on treatment
of personal information
Personal information
may only be handled for specified and justifiable goals. Collected information
may only be used for the purpose, for which it was collected. Personal
information must be correct and up-to-date and must not be kept longer
time than needed for the purpose of the collection.
Personal information may only be handled with permission
from the person, whose information is handled, or for certain other
justified uses.
Sensitive
information
It is not permitted
to handled personal information which reveals race or ethnic origin,
religious or political opinions, membership in trade unions and information
about health or sexual behaviour. There are a few exceptions from this,
a society may handle information who are its members, even though the
organization is connected to a particular religious faith or political
view, and medical organizations may handle medical information about
their patients, researchers may handle information for research purposes
and such information may also be handled or published with permission
from the person, whose information is handled.
Transmission
to third countries
Personal information
may not be transmitted outside of Europe without permission from the
person, whose information is handled, except with explicit permission
from this person, to fulfill legal obligations or to protect vital interests.
Control
and punishment
The upholding of the
law is controlled by a special government agency, the Data Inspection
Agency, and breaking the law may be punished through damages to the
registered person, fines and prison up to two years.
|
Critique
of the act
Publication
of information
on the Internet would be illegal
If you interpret the
act literally, it would mean that the following acts would be illegal:
- Writing of an e-mail
message to a recipient outside Europe without the prior permission
of the recipient.
- All Internet-based
discussion forums (except those run by newspapers, since newspapers
are excempt from the law) in which any information about a person
is mentioned without the permission of that person.
- Publication on the
Internet of any scientific paper, which contains lists of references,
unless each person in the list of reference has given permission in
advance.
- Any criticism of
a named person, where that person does not give permission for the
criticism. For example, criticism of politicians would not be allowed,
a trade union would not be allowed to criticize named employers, etc.
This does not agree
very well with the Swedish constitution, which says that society should
protect the rights of citizens to communicate with each other, especially
communication about political and religious issues. However, the constitution
contains a clause saying that the rights to communicate can be restricted
in order to protect personal privacy, so the lawmakers claim that the
law is not in contradiction to the constitution.
Why
are some vocations exempted
The law has also been
criticized for the exemption for authors, journalists and artists: Freedom
of speech should be a right for everyone, not only for certain vocations.
The
law is not needed
Criticism of the law
has also said that the law is not needed, since there are other laws,
like laws about racial agitation, defamation of character, etc. which
are better ways than this law to regulate unwanted communication.
Will
the law really be upheld
The previous Data Act,
which the new law replaces, also made most of the Internet illegal.
However, this law has only been upheld by the government very irregularly.
In one case, an online forum was forbidden to discuss political and
religious issues, in another case, an author was forbidden to write
his book using a computer. In the second case, however, this decision
was revoked on appeal to the government. The new act, however, does
not allow appeals to the government, only to courts of law, which can
be expected to follow the words of the law. Local governments have been
forbidden from publishing notes from their meetings on the Internet.
In most cases, however, personal information has been published on the
Internet without repressional acts from the government.
Probably, the new law will also not be upheld, but
the risk that the government can apply the law, when something is published,
which they do not like, has been said to be an argument against the
new law.
The agency responsible for upholding the law, the
Data Inspection Agency, says that it will strictly interpret the letter
of the law, but that they may, because of limited time, not have time
to act against uncontroversial information, like naming the nobel prize
winners on the Internet.
Is
Sweden forced by
the European Union
to enact this law?
The law was passed
by the Swedish parliament with only the small liberal party and a few
stragglers from other parties voting against it. When asked why they
passed a law which restricts freedom of speech in this way, they say
that they had to pass this law, in order to fulfill a directive (in
Swedish  and in English  )
from the European Union.
However, opponents of the law says that this directive
was not meant to be applied to publication of personal information,
it was only meant to be applied to structured collections of personal
information. Also structured collections would however cause problems,
for example a list of references in a scientific paper is obviously
a structured collection and would thus be illegal, unless each of the
authors of the papers in the reference list gave their permission, and
to obtain such permission would often be very difficult.
Will
the government amend the law
Because of the criticism,
the government has asked the Data Inspection Agency to investigate,
whether publication of local government protocols and some other publication
might be exempted from the law.
History of the law
Sweden was one of the first European countries to get a law about computers
and personal privacy. This law was accepted in its first version by
the Swedish parliament in 1973. The law in its initial form required
all data bases of personal information to get permission from a special
"Data Protection Agency" of the Swedish government, and this agency
should not allow data bases which infringe on personal privacy. In particular,
data bases containing certain so-called sensitive information, such
as about political and religious believs, race and ethnic origin, illnesses
and sexual behaviour, were only allowed under very special circumstances.
I was one of the few people who already during the
1970s raised the issue of the conflict between this act and freedom
of speech. In 1978, I applied for permission to run a BBS. I wrote in
my application that we intended people to be able to send messages to
each other on any topic they needed to communicate about. My application
was denied in 1978. After talks to the
agency, we wrote a new application where we promised not to allow messages
giving information about the senstive areas, and promised to delete
all messages after two years.
I strongly criticized the data protection agency
at that time, and said that even though the Swedish constitution specially
safeguards the right to communicate on politics and religion, we were
forbidden from such communication. We started our BBS, and in fact we
did have political and religiuous discussions in it, and the data protection
agency never tried to stop us from doing this. So already at that time,
the law was not very much implemented in reality in applications where
people send messages and documents to each other.
I also did not delete old messages after two years,
again, the data inspection agency did not do anything to enforce its
ruling. After that, of course, we got more and more BBSes and e-mail
systems and the Internet. The data protection agency very seldom tried
to restrict this. Mainly, they said no
if you asked for permission, but very few people were silly enough to
ask for permission.
One person was a Swedish author, who asked for permission
to use a computer to write a book (containing factual information about
people, and thus a "personal information data base" according to the
law). The data inspection agency said no!
But he appealed to the government, and the government said yes, it said
that freedom of speech was more important than the data protection act
in this case. After that, the most controversial issues has been that
certain local governments in Sweden have put up web pages with notes
from their meetings, which often contained names of existing people.
The data inspection agency has tried to restrict this.
Recent changes to the law
The Swedish parliament has in November 1999 decided some modifications
to the law in reaction to the critics it has received. The changes are
that minor violations of the law will not be punished. Damage may however
have to be paid also for minor violations of the law. Another change
is that personal information can be exported, provided that the recipient
upholds reasonable privacy control.
Many parties in the parliament wanted more changes.
The liberal party wanted to specify in the law, that the law should
not be used to infringe on the freedom of speech, and also wanted to
disallow damages for minor violations of the law.
Several parties asked the Swedish government to try
to get EU to change its data directive, based on the model that the
law should specify what is forbidden, and not be valid for so much permitted
information.
|
