Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Marcus Hoy
Some Swedish companies may not understand their compliance obligations under the EU’s new privacy regime, especially a fundamental change between existing law and the new privacy scheme that takes effect next year, privacy attorneys in Sweden told Bloomberg BNA.
Sweden’s existing privacy law treats “unstructured” personal data—information that isn’t structured to facilitate searches to find the personal data, or to allow easy compilation of the data—lightly. The law allows processing of such data, such as emails, word processed documents, blogs, and images, as long as an individual’s privacy isn’t infringed.
The European Union General Data Protection Regulation, the new EU-wide privacy law, doesn’t include a carve-out for unstructured data. Proposed Swedish legislation to implement the GDPR, the Supplementary Data Protection Act, doesn’t carry over the exemption from the national law it replaces.
Sweden’s privacy office published an opinion Sept. 8 that is generally supportive of the proposed Swedish law, but said companies should be aware of the changes to how personal data can be processed.
Because the unstructured data exemption will no longer exist, companies in Sweden will have to adapt to a significant change and may require “both technical and legal assistance,” Caroline Olstedt Carlstrom, an attorney and data protection specialist at Advokatfirman Lindahl in Stockholm, told Bloomberg BNA. Much of the present data processing in Sweden could be “considered non-compliant when GDPR becomes applicable.”
Swedish companies, along with all EU countries, will face stricter consent rules, mandatory data breach notification, and the possibility of fines of up to 20 million euros ($24 million) or 4 percent of their worldwide revenue under the GDPR when it takes effect in May 2018.
Although large Swedish companies, such as Volvo Cars and IKEA Group, are steadily working toward their GDPR compliance goals, smaller companies may need significant legal advice.
Many Swedish companies haven’t “yet grasped the extent of the legal requirements placed on them by the GDPR,” Carlstrom said. Companies may have delayed adapting to the GDPR because “Swedes are more used to openness and thus less cautious about sharing personal data.”
Elisabeth Jilderyd, a Swedish privacy office attorney, told Bloomberg BNA that much of the GDPR doesn’t differ greatly from what Swedish companies have been complying with under the two-decades old EU Data Protection Directive and the Swedish law that adopted the directive.
For example, the GDPR privacy principles of limiting data collection for specific uses and having a valid legal basis to collect and use data are familiar to Swedish companies, Jilderyd said. The GDPR emphasizes accountability—"that is, data controllers must take an active responsibility to comply with the rules”—more strongly than present Swedish law, Jilderyd said. The new GDPR fines may be “necessary and helpful” to enforce compliance in some instances, she said.
Large Swedish multinationals have been anticipating the need to take accountability for their data processing activity and to comply with other GDPR obligations.
IKEA has made preparing for the GDPR a priority, company spokeswoman Johanna Iritz told Bloomberg BNA. “In general, we do not foresee any problems for the IKEA Group when the Regulation becomes effective,” she said. Customer privacy and data security remain priorities for the company, Iritz said.
Volvo Cars is reviewing its data processing practices and intends to adapt all of them to the GDPR requirements, a company spokesman told Bloomberg BNA. There are some provisions in the GDPR that remain unclear to some of the companies that Volvo works with, he said, but there isn’t a significant change from the present regulatory landscape.
There may be opportunities for companies, hidden in the compliance challenge.
The GDPR may initially be burdensome for some businesses due to increased costs, Nicklas Thorgerzon, a technology and data protection attorney at the Vinge law firm in Stockholm, told Bloomberg BNA. The risk of heavy fines for noncompliance is also a concern, he said. But “it may also be possible to strengthen a brand or trade name by demonstrating that data protection and privacy is being taken seriously by the company,” Thorgerzon, who advises companies on GDPR implementation, said.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)