Sweden

[SE] Amendments to the Personal Data Act

IRIS 2007-1:1/33

Michael Plogell and Monika Vulin

Wistrand Advokatbyrå, Gothenburg

From 1 January 2007 Personuppgiftslagen 1998:204 (the Personal Data Act) will be amended. The purpose of the amendments is to focus on and regulate misuse, instead of, as is currently the case, all use of personal data. To this end certain categories of personal data have been excluded from the rules which otherwise apply and instead processing of such categories will be subject to a misuse rule. This provision has been introduced in a new Article 5a. Furthermore, negligent offences have been decriminalised.

In order to achieve a regulation that is more adapted to the every-day use of personal data and to facilitate such use, the processing of personal data in “unstructured material” has been excluded from the handling rules of the Act. The exclusion comprises material in which personal data is not structured so as to facilitate the search for personal data or compilations of such data.

Categories for processing which are excluded from the ordinary rules are for example personal data in e-mails, in running text in word processing programmes or on the Internet. The exemption applies to all sorts of personal data and in whatever form they occur, such as sound, pictures or text. For the processing of such data it is not necessary to observe any of the handling rules contained in the Act, such as the prohibition to process sensitive personal data, the prohibition to transfer personal data to a third country, or the obligation to inform the registered person of the processing.

Unstructured material is regulated by a misuse rule. The processing of such data is therefore only permitted if it does not violate the personal integrity of the registered person. The assessment of what constitutes a violation of integrity shall depend on the context in which the use of data occurs, the purpose of the processing, the extent of the dissemination of the data and what the processing may entail. The Government gives the following guidelines to data processors in connection with the misuse rule:

- Personal data may not be processed for improper purposes, such as to harass or cause worry to an individual;

- A large quantity of data about a certain individual may not be collected without a good cause;

- Incorrect or misleading personal data must be corrected;

- The personal data may not be processed in order to defame or insult an individual;

- The data processor must observe secrecy and non-disclosure duties.

The registered person is entitled to receive compensation for the damages suffered if his integrity is violated. Processing in breach of the misuse rule is under certain circumstances penalised.

Another important amendment is the decriminalisation of negligent offences. Breaches of the provisions of the Act by mere negligence will no longer be prosecuted. Infringements of the provisions will only be punishable if they have been committed intentionally of by gross negligence.