Digital business in Sweden: overview
A Q&A guide to digital business in Sweden.
The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
There are several Swedish laws relevant to the conduct of business online, some of which are specific to online trade, whereas others apply to all business activities.
Relevant regulations include the:
E-commerce Act (2002:562).
Distance and Off-Premises Contracts Act (2005:59).
Electronic Communications Act (2003:389).
Act on Responsibility for Electronic Bulletin Boards (1998:112).
Personal Data Act (1998:204).
Sales of Goods Act (1990:931).
Consumer Sales Act (1990:932).
Marketing Practices Act (2008:486).
Consumer Credit Act (2010:1846).
Contracts Act (1915:218).
The parliament (Riksdagen) is responsible for passing all legislation in Sweden. The government (Regeringen) and authorities may issue ordinances and regulations based on statutory authorisation. In terms of industry bodies, the Swedish Digital Commerce Association (Svensk Digital Handel), which is a part of the Swedish Trade Federation (Svensk Handel), manages a trust mark called "Trygg E-handel" that businesses can display on their website, if they meet the requirements set out by the association.
Setting up a business online
A new business must first establish a legal entity through which the business will operate, for example, a limited liability company (aktiebolag).
The website through which the business will be conducted must be designed and developed. This can be done with in-house expertise or by engaging a third party provider.
Further, a number of documents and texts must be prepared and made available on the website. These include:
Terms and conditions (regarding the sale and purchase of goods/services).
If the app is developed by a third party provider, it is important that the agreements set out that the copyright to the app belongs to the business. Otherwise, the copyright vests with the developer even though the developer has been engaged to develop the app on behalf of the business. In any event, the business must make sure that it has the necessary rights to use the app in accordance with its needs and that any third party intellectual property rights are handled accordingly.
If the business wishes to distribute the app through a commercial app platform (for example, Apple, Google and/or Microsoft), it is necessary to conclude an agreement regarding such distribution. Standard agreements including the technical requirements to fulfil are usually publicly available on the app platform's website.
Running a business online
In general, Swedish law does not stipulate any form of requirements for contracts to gain legal effect and therefore it is in most cases possible to form a contract electronically. There are a few exceptions to this main rule, for example transfer of real property requires a formal written agreement signed by both parties.
A contract is binding when an offer from one party has been accepted by the receiving party. Offers that a trader directs to the public, for example through a website, are in general not regarded as a binding offer but merely a request to make an offer.
The E-commerce Act (2002:562) sets out information requirements applicable to services provided at a distance by electronic means, among other things, through a website. Under the E-commerce Act, there must also be technical aids in place making it possible for the customer to identify and correct information errors before the order is submitted. The customer must also receive a confirmation of the order via email.
As to consumer contracts, the trader must comply with the information obligations in the Distance and Off-Premises Contracts Act (2005:59). Under the Distance and Off-Premises Contracts Act, the consumer can, regardless of the reason, withdraw from the contract within 14 days from the receipt of the goods; or from entering into the contract, if the contract concerns services.
The enforceability of shrink-wrap and click-wrap contracts has been debated in legal doctrine; however, the common understanding seems to be that such contracts are enforceable. As regards browse-wrap contracts, it is highly doubtful that such contracts can gain legal effect.
Contract formation and validity in general is regulated by the Contracts Act (1915:218). If the contract concerns services provided by distance selling via electronic means, for example through a website, the trader must also comply with the information requirements set out in the E-commerce Act (2002:562).
Furthermore, the Consumer Sales Act (1990:932), the Consumer Credit Act (2010:1846) and the Distance and Off-Premises Contracts Act (2005:59) are applicable to consumer contracts in general.
The Sales of Goods Act (1990:931) is applicable to business-to-business contracts in general.
The European eCommerce and Omni Channel Trade Association (EMOTA) is the European level umbrella federation representing Online and Omni Channel trade across Europe. The EMOTA members provide trustmarks that are based on EMOTA's European standard for safe e-commerce. The Swedish Digital Commerce Association (Svensk Digital Handel) is an EMOTA member and provides the trustmark called "Trygg E-handel". More information on the trustmark can be found at www.tryggehandel.se.
The remedies available for breach of an electronic contract are the same as for any other type of contract.
If a trader does not provide information or technical aids required under the E-commerce Act (2002:562), the information, or lack of it, can be regarded as misleading advertising under the Marketing Practices Act (2008:486). This may lead to:
An order to provide the information or the technical aids.
Swedish law recognises e-signatures. Banks and authorities often use e-signatures; however, in the authors' experience, they are rarely used in commercial relationships.
With effect from 1 July 2016, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) replaced the Qualified Electronic Signatures Act (2000:832) and Directive 99/93/EC on electronic signatures (Electronic Signatures Directive).
Definition of e-signatures
An electronic signature is defined as data in electronic form which is attached to, or logically associated with, other data in electronic form and which is used by the signatory to sign.
An advanced electronic signature is defined as an electronic signature that is uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control. An advanced electronic signature is linked to the data signed in such a way that any subsequent change in the data is detectable.
A qualified electronic signature is defined as an advanced electronic signature that is created by a qualified electronic signature creation device, and based on a qualified certificate for electronic signatures.
Format of e-signatures
There are three types of e-signatures:
Advanced electronic signature.
Qualified electronic signature.
For example, contract formation under the Consumer Credit Act requires an advanced electronic signature. Qualified electronic signatures are rarely required. The most common electronic signature in Sweden is the advanced electronic signature BankID.
Implications of running a business online
Cyber security/privacy protection/data protection
The collection and use of personal data is regulated by the Personal Data Act (1998:204). The Personal Data Act implements Directive 95/46/EC on data protection (Data Protection Directive). It applies to data controllers that are established in Sweden or use equipment based in Sweden.
The Personal Data Act will be replaced by the General Data Protection Regulation in 2018.
For further information on data protection laws in Sweden, see Data Protection in Sweden: overview.
The Personal Data Act (1998:204) sets out the fundamental requirements for the collection and use of personal data. These include a requirement that personal data can only be processed for specific, explicitly stated and justified purposes and that the data cannot be processed for a longer period than necessary. Even if the fundamental requirements are fulfilled, the processing must be based on consent or a legal basis, for example, if the processing is necessary to perform a contract with the registered person or to enable the controller to fulfil a legal obligation. The processing of sensitive personal data, such as data concerning racial or ethnic origin, is subject to more stringent requirements and limitations.
There are no specific limitations on storage of personal data in the cloud; however, the general requirements on security and transfer to countries outside the EU/EEA could affect the use of cloud solutions.
The Personal Data Act (1998:204) requires that the personal data controller takes appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. The measures must ensure an appropriate level of security with regard to the technical options available, the costs, the specific risks associated with the treatment of the personal data, and how sensitive the personal data is.
When traders handle credit or debit card data from consumers, they must ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), which stipulates how traders handle customer information.
The Personal Data Act (1998:204) requires that the personal data controller takes appropriate technical and organisational measures when handling personal data. Encryption features are considered technical security measures and when sensitive personal data is transferred over open networks, the Data Protection Authority generally recommends that encryption features are used.
Government bodies can access or compel disclosure of personal data in some cases, for example:
The Swedish Prosecution Authority, the Swedish Police Authority, the Swedish Security Service and other authorities that are acting against criminal activity can under certain circumstances compel telephone operators to disclose information regarding their subscribers.
The National Defence Radio Establishment (FRA) conducts signals intelligence and can initiate surveillance on the basis of orders from the Defence Intelligence Court (Försvarsunderrättelsedomstolen).
If there is a reasonable suspicion that the usage of the payment services is part of money laundering, a payment service provider must without delay give the Swedish Police Authority access to personal data if it is required by the authority.
The provision of electronic payments is regulated in the Payment Services Act (2010:751) and the Financial Supervisory Authority's (Finansinspektionen) regulatory code regarding payment services (FFFS 2010:3). Under these regulations a payment institution must keep information about executed payment transactions and balances of payment accounts for a minimum of five years.
There are no specific system design requirements relating to the conclusion of electronic contracts or to the processing of personal data. However, the General Data Protection Regulation will set such requirements.
If the system applies decisions based solely on automated processing which noticeably affects individuals, under the Personal Data Act (1998:204) the person whom the decision concerns must be given the opportunity to request a review of the decision by a person.
Under the Marketing Practices Act (2008:486), the marketing cannot be misleading or aggressive and it may be prohibited if it affects the consumer's ability to make informed business decisions. If the marketing is directed at children, the assessment should be made based on how the average child perceives the marketing. This means that a trader who chooses to target children must adapt the marketing based on how a child perceives the advertising message.
Under the Children and Parents Code (1949:381) persons younger than 18 years old are minors and cannot by themselves conclude agreements. However, children who are 16-18 years old can in most cases decide how to spend money they have earned (which includes entering into relevant agreements). The trader is liable for determining whether the customer is of legal age and competent to enter into a contract and the mere belief that the customer is of a certain age is not enough for the agreement to be valid.
As regards consent to the processing of personal data, a minor can give a valid consent to processing activities if he or she is capable of understanding the implications of the consent. Hence, an assessment of the young person's ability to understand the full consequences of the processing of his or her personal data must be made. As a general rule it can be said that a person who has turned 15 years old normally is able to give a valid consent. This must, however, be assessed case by case and factors such as age and the nature and purpose of the processing should be considered.
There are no specific rules on linking, framing, caching, spidering or the use of metatags. However, general rules regarding for example intellectual property rights and marketing may apply to the use of such practices.
Under the Act on Copyright in Literary and Artistic Works (1960:729), copyright includes the exclusive right to exploit the work by making it available to the public. According to case law (C-466/12), an ordinary hyperlink makes a work available to the public; however, if the link leads to a publicly available portion of a website, the work is not made available to a new public and the copyright is not infringed. If the link can be used to circumvent any types of restrictions on the website to which the link refers, the link could constitute infringement. The same applies to framing (C-348/13).
The Marketing Practices Act (2008:486) requires that linking and framing are in accordance with generally accepted marketing practices. All marketing must be formulated and presented in such a way that it clearly appears that marketing is involved. A link or frame that has a marketing purpose must therefore clearly be marked as marketing.
The Act on National Top-Level Domains for Sweden on the Internet (2006:24) regulates the technical operations of country code top level domains for Sweden and the assignment and registration of domain names.
The Swedish country code top level domain .se and the top level domain .nu are run and administered by Internetstiftelsen i Sverige (IIS) and regulated by the IIS Registration Conditions.
Anyone can register a ".se" domain, whether based in Sweden or not.
Registering a domain name does not confer any such additional rights. There is however the possibility to obtain the rights to a word or name through the Trademarks Act (2010:1877) or the Trade Names Act (1974:156). These rights are acquired through registration and must fulfil certain requirements. The registration for trademarks is done at the Swedish Patent and Registration Office and for trade names at the Swedish Companies Registration Office.
The exclusive rights to a business name are obtained by registration in the Swedish Companies Register or establishment. A business name is considered established if a substantial part of the relevant public knows it as the name of the business for which it is used.
The following restrictions apply to business names:
The name must make it possible to distinguish the company from other companies and trademarks.
The name cannot be identical or confusingly similar to other business names and trademarks.
The name cannot infringe on intellectual property rights.
The name cannot contain someone else's distinctive surname, if the use of it may cause a disadvantage to the bearer of the name.
The name cannot be misleading or refer to a specific business activity or title that is not part of the actual business.
The name cannot contain any discriminatory or offensive words.
Jurisdiction and governing law
There are no specific rules on the jurisdiction for internet transactions, so the general rules on jurisdiction apply. If the defendant is domiciled within the EU, the Regulation (EC) 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Regulation) applies. In general, a party may always be sued in the member state where it is domiciled. However, exceptions may apply in specific contractual situations and with regards to tort claims and consumer contracts. Further, jurisdiction agreements must be respected by the courts. However, specific rules and limitations apply to consumer contracts.
If the defendant is domiciled in a country outside the EU and that country is a signatory to the Lugano Convention, the Lugano Convention applies. The rules in the Lugano Convention are essentially the same as in the Brussels Regulation.
If the defendant is domiciled in a country to which the Lugano Convention and the Brussels Regulation do not apply, there are no rules directly applicable. The Swedish Supreme Court stated that in such cases guidance may be sought in Chapter 10 of the Swedish Code of Judicial Procedure (1942:740) and in the Brussels Regulation.
There are no specific rules on the choice of law for internet transactions, so the general rules on choice of law apply. For contract matters, the Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I) is applicable if the contract was entered into after 17 December 2009. If the contract was entered into before this date, the Rome Convention is applicable. The rules in the Rome Convention are essentially the same as in Rome I. As a general rule, the parties can choose which law the contract will be governed by. When the law applicable to the contract has not been chosen, the law governing the contract is determined under Article 4 of the Rome Convention. For example, a contract for provision of services will be governed by the law of the country where the service provider has his habitual residence. Specific rules and limitations apply to consumer contracts in both mentioned regulations.
The HCCH Convention on the Law Applicable to International Sales of Goods 1955, which was ratified by Sweden and implemented into Swedish legislation by the Act on Applicable Law to International Sales of Goods (1964:528), is applicable to the business-to-business sale of personal property. The Act takes precedence over Rome I when applicable. For tort matters, the Regulation (EC) 864/2007 on the law applicable to non-contractual obligations (Rome II) applies.
The Directive 2013/11/EU on alternative dispute resolution for consumer disputes (ADR Directive) seeks to ensure that EU resident consumers can turn to ADR entities for all kinds of contractual disputes they might have. The Act on Alternative Dispute Resolution in Consumer Relations (2015:671) implements the Directive and regulates ADR entities in Sweden.
Regulation 524/2013 on online dispute resolution for consumer disputes (Online Dispute Resolution Regulation) establishes an "out of court" online platform for settling disputes that arise from online business-to-consumer (B2C) transactions. The Online Dispute Resolution Regulation complements the ADR Directive. The platform, which is free of charge and available in all official languages of the EU, helps the parties identify the competent ODR entity and transmits the filed complaint to the entity, which the parties have agreed to use.
The participation in these ADR and ODR methods is voluntary, but traders who wish to use the ADR and ODR methods must provide the consumers with information about the availability and procedures. The findings of the ADR and ODR entities are merely a recommendation and therefore not legally binding on the parties.
There are no specific ADR/ODR methods available for B2B trading.
The Marketing Practices Act (2008:486) applies to advertising online and via social media in the same way as it applies to regular marketing offline. The relevant rules include:
The advertisement must be designed so that it can easily be identified as advertisement.
The advertisement cannot be misleading.
The advertisement cannot infringe on other companies' trade marks or copyrights.
Aggressive marketing is prohibited.
The word "sale" during online sale promotions can only be used if:
the products sold comprise products which form part of the trader's ordinary assortment;
the sale takes place during a limited period of time; and
the prices are significantly lower than the trader's normal prices for equivalent products.
A trader can, in the course of advertising, use electronic mail or other similar automatic system for individual communication only if the recipient has agreed to it.
A company can only identify a competitor in comparative advertising under certain conditions set out in section 18 of the Marketing Practices Act.
The advertising and selling of products and services such as medical products, tobacco, alcohol, financial services and gambling are highly regulated, however not specifically with regards to online activities. These regulations apply to both online and offline sales and advertising.
Companies selling pharmaceuticals to the public online must display a certain logo on the website ensuring the website is legally selling pharmaceuticals. The logo contains a link to a verification page with the Swedish Medical Products Agency. The logo enables consumers to verify whether the website can legally sell medical products or not.
The Marketing Practices Act (2008:486) strictly forbids traders from sending unsolicited e-mails to consumers without their consent. However, if the e-mail address was obtained in connection with the sale of a product, unsolicited e-mails may be sent if:
The consumer has not objected to the use of its e-mail address for marketing purposes.
The marketing pertains to the trader's own similar products.
The consumer has been clearly and explicitly provided with the opportunity to object, simply and without charge, to the use of such information for marketing purposes when it was collected and in conjunction with each subsequent market communication.
In marketing by means of e-mail, both in relation to consumers and legal entities, the communication must at all times contain a valid address through which the recipient can request that the marketing ceases.
There are no specific language requirements for websites, so general rules on the sale of goods and services apply.
If goods are sold to consumers, the instructions on how to use the product must be in Swedish, unless the product is of a simple nature. Information regarding technically advanced products addressed to a limited customer base may be in English. Further, a consumer has a right to get safety information and instructions for products in Swedish.
Swedish companies must, regardless of annual turnover, register for VAT if the company is required by Swedish law to charge sales tax.
Foreign businesses established within the EU that sell goods online to Swedish persons not registered for VAT must register for VAT and add Swedish VAT if the total turnover to such persons exceeds SEK320,000 per calendar year. Businesses that sell goods subject to excise tax, like alcohol and tobacco, must register for VAT regardless of turnover.
However, VAT is a complex area and these issues must be assessed case by case.
Companies registered with the Swedish Companies Registration Office must register for VAT at www.verksamt.se no later than 14 days prior to the commencement of the business operation. Foreign businesses register for VAT at the Swedish Tax Agency on form SKV 4632.
Protecting an online business
Liability for content online
Liability for website content is covered by a number of laws, including the:
Marketing Practices Act (2008:486).
E-commerce Act (2002:562).
Distance and Off-Premises Contracts Act (2005:59).
Copyright Act (1960:729).
General Torts Act (1972:207).
Personal Data Act (1998:204).
Swedish Penal Code (1962:700).
Fundamental law of Freedom of Expression (1991:1469).
Freedom of Press Act (1949:105).
Under the E-commerce Act (2002:562) the service provider must provide the following information:
VAT-number (if applicable).
The company number.
The name of the supervisory authority.
According to the Distance and Off-Premises Contracts Act (2005:59) a trader must provide certain information before entering into a distance contract (for example a sale concluded online). This information includes:
The price of the goods or services, including taxes.
The main characteristics of the goods or services.
The arrangements for payment and delivery or performance in any other manner.
Under the Personal Data Act (1998:204), the controller must provide the data subject with information regarding the processing of personal data.
Under the Electronic Communications Act (2003:389), a website operator must inform the visitor of the website that the website contains cookies and the purpose for which cookies are used.
Generally, whoever publishes material on a website is held liable if the material would in any way violate any laws.
If the website operator has a publication licence, the operator must nominate a legally responsible editor, who is then liable for the content published on the website.
Under the E-commerce Act (2002:562), a service provider (for example, an internet service provider) is not liable for content on a website if the provider:
Does not have any knowledge of the unlawful information.
Acts immediately to prevent further dissemination of the information on obtaining such knowledge.
If a service provider in any way contributes to the content of a website, the service provider is liable for such content.
Under European case law (C-314/12), a national court can order an ISP to shut down a website if the content of the website infringes any copyright laws.
There is no right for an ISP to shut down a website at its own discretion stipulated in law, but it could be included in the ISP's terms and conditions for its services.
Liability for products / services supplied online
There are no specific regulations on the liability for products/services supplied online, so general rules apply. The sale of counterfeit goods is subject to civil and criminal sanctions in the Swedish Trade Marks Act (2010:1877). Online trading platforms can be liable for helping the sale of counterfeit goods over the internet. Following the decision of the ECJ in case C-324/09, auction operators may be ordered to take measures to make it easier to clearly identify sellers of counterfeit goods. However, the operator of the online marketplace cannot be liable for the infringement itself, given that it does not itself actively use the trade marks. An operator is actively using the trade mark if it provides assistance to the seller which entails optimising the presentation of the offers for sale or promoting them.
There are no specific regulations regarding the use of spiders, bots or crawlers. General rules on data protection apply. The Directive 96/9/EC on the legal protection of databases (Database Directive), which is implemented in Swedish law, does not prevent the reuse of parts of the creator's database once it has been made accessible for use by the public. However, the CJEU ruled in case C-30/14 that the author of a database may lay down contractual limitations on its use by third parties. A website reusing another website's database must observe such limitations.
W http://www.riksdagen.se/sv/dokument-lagar (Swedish)
Description. The website contains Swedish legislation, but also documents and information that show the passage of parliamentary matters from the proposal to the decision-making stage.
W http://www.riksdagen.se/en/documents-and-laws (English)
Description. The website contains some of the Swedish legislation in English, as well as documents and information in English that make it possible to follow the passage of parliamentary matters from the proposal to the decision-making stage.
Henrik Bergström, Partner
Bird & Bird
Professional qualifications. Admitted to the Swedish Bar Association
Areas of practice. Commercial agreements; data protection; technology and communications; media and sport.
Angelica Lundqvist, Associate
Bird & Bird
Professional qualifications. Admitted to the Swedish Bar Association
Areas of practice. Commercial agreements; data protection; technology and communications; healthcare and eHealth.