Swedish Companies Girding for EU Privacy Regime Change

By Marcus Hoy

Some Swedish companies may not understand their compliance obligations under the EU’s new privacy regime, especially a fundamental change between existing law and the new privacy scheme that takes effect next year, privacy attorneys in Sweden told Bloomberg BNA.

Sweden’s existing privacy law treats “unstructured” personal data—information that isn’t structured to facilitate searches to find the personal data, or to allow easy compilation of the data—lightly. The law allows processing of such data, such as emails, word processed documents, blogs, and images, as long as an individual’s privacy isn’t infringed.

The European Union General Data Protection Regulation, the new EU-wide privacy law, doesn’t include a carve-out for unstructured data. Proposed Swedish legislation to implement the GDPR, the Supplementary Data Protection Act, doesn’t carry over the exemption from the national law it replaces.

Sweden’s privacy office published an opinion Sept. 8 that is generally supportive of the proposed Swedish law, but said companies should be aware of the changes to how personal data can be processed.

Because the unstructured data exemption will no longer exist, companies in Sweden will have to adapt to a significant change and may require “both technical and legal assistance,” Caroline Olstedt Carlstrom, an attorney and data protection specialist at Advokatfirman Lindahl in Stockholm, told Bloomberg BNA. Much of the present data processing in Sweden could be “considered non-compliant when GDPR becomes applicable.”

Swedish companies, along with all EU countries, will face stricter consent rules, mandatory data breach notification, and the possibility of fines of up to 20 million euros ($24 million) or 4 percent of their worldwide revenue under the GDPR when it takes effect in May 2018.

Although large Swedish companies, such as Volvo Cars and IKEA Group, are steadily working toward their GDPR compliance goals, smaller companies may need significant legal advice.

Many Swedish companies haven’t “yet grasped the extent of the legal requirements placed on them by the GDPR,” Carlstrom said. Companies may have delayed adapting to the GDPR because “Swedes are more used to openness and thus less cautious about sharing personal data.”

EU Privacy Regime Readiness

Elisabeth Jilderyd, a Swedish privacy office attorney, told Bloomberg BNA that much of the GDPR doesn’t differ greatly from what Swedish companies have been complying with under the two-decades old EU Data Protection Directive and the Swedish law that adopted the directive.

For example, the GDPR privacy principles of limiting data collection for specific uses and having a valid legal basis to collect and use data are familiar to Swedish companies, Jilderyd said. The GDPR emphasizes accountability—"that is, data controllers must take an active responsibility to comply with the rules”—more strongly than present Swedish law, Jilderyd said. The new GDPR fines may be “necessary and helpful” to enforce compliance in some instances, she said.

Large Swedish multinationals have been anticipating the need to take accountability for their data processing activity and to comply with other GDPR obligations.

IKEA has made preparing for the GDPR a priority, company spokeswoman Johanna Iritz told Bloomberg BNA. “In general, we do not foresee any problems for the IKEA Group when the Regulation becomes effective,” she said. Customer privacy and data security remain priorities for the company, Iritz said.

Volvo Cars is reviewing its data processing practices and intends to adapt all of them to the GDPR requirements, a company spokesman told Bloomberg BNA. There are some provisions in the GDPR that remain unclear to some of the companies that Volvo works with, he said, but there isn’t a significant change from the present regulatory landscape.

There may be opportunities for companies, hidden in the compliance challenge.

The GDPR may initially be burdensome for some businesses due to increased costs, Nicklas Thorgerzon, a technology and data protection attorney at the Vinge law firm in Stockholm, told Bloomberg BNA. The risk of heavy fines for noncompliance is also a concern, he said. But “it may also be possible to strengthen a brand or trade name by demonstrating that data protection and privacy is being taken seriously by the company,” Thorgerzon, who advises companies on GDPR implementation, said.

To contact the reporter on this story: Marcus Hoy in Copenhagen at correspondents@bna.comTo contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The proposed Supplementary Data Protection Act is available, in Swedish, at http://src.bna.com/sMj.

The privacy office's opinion on the legislation is available, in Swedish, at http://src.bna.com/sMt.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.