Privacy in Sweden: overview
A Q&A guide to privacy in Sweden.
The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.
To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The Instrument of Government (Kungörelse (1974:152) om beslutad ny regeringsform), which forms part of the Swedish Constitution, contain provisions on the state's duty to safeguard the private and family life of the individual as well as on the protection of all individuals against interventions of the state in the forms of:
Body and house searches or similar measures.
Examinations of letters and other private consignments.
Secret interception or recording of telephone calls and other private messages.
In addition, all individuals are protected against considerable intrusion from the state regarding the personal integrity if the intrusion amounts to surveillance or surveying the individual's personal circumstances. The Instrument of Government also prescribes to what extent and under what circumstances limitations to the rights and freedoms of individuals are allowed and acceptable.
The European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) has been incorporated into Swedish law through part of the Instrument of Government, stating that no law or regulation may be passed in contravention of Sweden's commitments under the ECHR.
The freedom of expression is mainly regulated in the Freedom of Expression Act (Yttrandefrihetsgrundlag (1991:1469)), which is also part of the Swedish constitution.
Other laws that regulate the right to privacy are:
Personal Data Act (Personuppgiftslag (1998.204)). This regulates the collection and use of personal data and implements Directive 95/46/EC on data protection (Data Protection Directive).
Patient Data Act (Patientdatalag (2008:355)). This regulates the use of personal data in the health care sector.
Camera Surveillance Act (Kameraövervakningslag (2013:460)). This regulates camera surveillance and the use of such recordings.
Electronic Communications Act (Lag (2003:389) om elektronisk kommunikation). This implements Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive). The Electronic Communications Act contains, among others, provisions on the retention of data generated or processed in connection with the provision of electronic communication networks and services. The provisions were introduced through Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks (Data Retention Directive), which was declared invalid by the ECJ in 2014. However, the provisions still apply, as the E-Privacy Directive allows EU member states to introduce national rules to that effect, subject to the fulfilment of certain requirements. Whether or not the Swedish legislation fulfil those requirements have been contested by providers of electronic networks and services and the issue is expected to be clarified by the ECJ during 2016, after a reference from the Stockholm Administrative Court of Appeals for a preliminary ruling in 2015 (Tele2 Sverige AB v Post-och telestyrelsen, case C-203/15).
Under Swedish law, in general any individuals whose privacy has been violated can commence proceedings to protect their privacy. Regarding sectoral laws, regulators can commence proceedings to protect privacy. The Swedish Data Protection Authority can, for example, investigate and commence proceedings regarding violations of privacy in connection with personal data processing or otherwise in relation to the:
Personal Data Act.
Patient Data Act.
Camera Surveillance Act.
Debt Recovery Act.
Credit Information Act.
Criminal offences proceedings may also be brought by a public prosecutor, where applicable.
General privacy rights are set out in the Swedish constitution, inter alia, in the Instrument of Government and the Freedom of Expression Act (see Question 1). In addition, privacy rights under Swedish legislation include (but are not limited to) the following rights:
The right to be informed of any processing of personal data.
The right to be protected against unjustified processing of personal data.
The right to request and receive information regarding the processing of personal data.
The right to request personal data to be corrected, blocked or deleted.
The jurisdictional scope of Swedish privacy laws is generally limited to Sweden. Therefore, proceedings against the state or public authorities for violating the privacy rights granted under Swedish law may be commenced in Swedish courts. After exhaustion of domestic legal remedies an individual may bring proceedings before the ECHR. Proceedings against a natural or legal person for violating an individual's privacy rights will be brought in Swedish courts or be notified to the regulator.
Financial compensation may be awarded an individual who has had his right to privacy infringed by the state. In addition, in the case of natural or legal persons violating an individual's privacy rights financial compensation can be awarded by a court. Other remedies are decisions by the regulator, including:
Issuing injunctions coupled with statutory fines (there is no minimum or maximum amount of the statutory fine).
Issuing interim injunctions.
Withdrawing a permit or licence issued for the commercial activities of the respondent.
See Question 5.
Susanna Norelid, Partner
Professional qualifications. Advokat, Sweden
Areas of practice. Corporate and commercial; marketing and advertising; data protection and privacy.
Non-professional qualifications. LLM, University of Lund, 1991; LLM of International Business Law, University of London, 1993
Professional associations/memberships. Member of the Swedish and International Bar Association; ICC Marketing Committee; International Association of Defence Counsels (IADC); Network leader, JUC Network on Personal Data and Privacy.
Emanuel Hollstrand, Associate
Professional qualifications. Associate, Sweden
Areas of practice. Data protection and privacy; marketing and advertising.
Non-professional qualifications. LLM, Stockholm University, 2012