skip to content
 

Data Protection Laws and Freedom of Expression: Sweden Flag of Sweden

 

 

I. First-Generation Statutory Law

Sweden became the first state to enact comprehensive data protection legislation Data Act on 1 May 1973. This Act was amended many times. A particularly relevant amendment was enacted in 1982 (see below) which alongside other changes adopted during up to 1 April 1988 can be seen this version.
 
Special Expression Derogation
No specific derogations aimed at shielding professional journalism or other special forms of expression were included in the first-generation data protection law.
 
Broad Expression Derogation
No specific provisions were adopted.
 
Personal Exemption
An amendment to the law enacted in 1982 explicitly excluded personal data files set up by an individual or kept exclusively for personal use from any requirement to obtain a license from the DPA (Amended Act, section 2).
 
Knowledge Facilitation Framework
No specific provisions were adopted.
Parliamentary Debates
Special Expression Derogation
No relevant parliamentary debates recorded either in 1973 or in 1982.[1]
 
Broad Expression Derogation
No relevant parliamentary debates recorded either in 1973 or in 1982.[2]
 
Personal Exemption
No relevant parliamentary debates recorded either in 1973 or in 1982.[3]
 
Knowledge Facilitation Framework
No relevant parliamentary debates recorded either in 1973 or in 1982.[4]
 

 

II. Second-Generation Statutory Law

Sweden adopted a new data protection framework including implementing Directive 95/46 through the Personal Data Act 1998. This Act was amended a number of times including an important change in 2007.
 
Special Expression Derogation
Section 7 of the new law disapplied its provisions insofar as they would conflict with the Freedom of the Press Act. It further provided a complete and unconditional exemption from all substantive data protection provisions and regulatory oversight for any processing exclusively for journalistic purposes or artistic or literary expression.  However, especially as Article 89 GDPR is not referenced, this provision does not umambigously establish the priority of the special expression derogation over the knowledge facilitation framework.
 
Broad Expression
Section 7 of the new law also disapplied its provisions to the extent that they contravened the provisions concerning freedom of expression contained in the Fundamental Law on Freedom of Expression. This Act provides broad immunities for processing aimed at very wide types of publication and communication including “through public playback of material from a database” (Ch. 1, art. 1) which clearly extend beyond special expression as generally conceived.This protection is subject to the procedural requirement of formally appointing a responsible editor (Ch. 4, art. 1) and ensure their identity is apparent from any recording than is publicly released (Ch. 4, art. 4).
Another important amendment was also adopted in 2007. This set out a ʻmisuseʼ rather than ʻprocessingʼ approach to the regulation of  personal data not structured in order to evidently facilitate its search or compilation.  In sum, such processing was exempt from all substantive data protection provisions so long as the integrity or privacy of the data subject was not violated (s. 5a).
 
Personal Exemption
According to Section 6, the Data Protection Act did not apply to processing of personal data that a natural person performs in the course of activities of a purely private nature.
 
Knowledge Facilitation Framework
Data processing for historical, statistical or scientific purposes were exempted from compatibility and time limits but with safeguards that it not be used to take measures as regards any data subject save with their consent or based on extraordinary reasons having regard to the vital interests of the data subject (sec. 9). Exemptions were moreover provided from the reactive transparency rule (subject access) so long as the data had not been undergoing processing for a year or more (s. 26) and the prohibition of the processing of sensitive data (s. 19). The latter exemption was subject to the condition that (i) it is necessary and (ii) the interest of society in the research or statistics project within which the processing is included is manifestly greater than the risk of improper violation of the personal integrity of the individual that the processing may involve. It was stated that such data could be supplied to be used for such purposes unless otherwise provided by the rules on secrecy and confidentiality and that approval by a research ethics committee would result in these requirements being deemed satisfied.  However, the DP Ordinance provided that otherwise such research would need to be subjected to preliminary review by the DPA (unless another legal provision provided otherwise) (s. 9).  Under the Swedish Ethical Review Act 2004 the processing of sensitive including criminal-related data without consent became subject to compulsory statutorily regulated review process which was required to prioritise individual welfare (s. 8), ensure that any risk to health, safety and personal integrity were necessary (s. 10) and counterbalanced by the scientific value of the work (s. 9), that the absence of consent was necessary and that research was either likely to be of direct benefit to the data subject or entailed significant risk of injury or discomfort and the purpose was to benefit somebody else suffering a similar illness or disorder (s. 21).
Preparatory Reports and Parliamentary Debates
Special and Broad Expression Derogation  - Debate prior to Personal Data Act 1998
In a 1991 report, the Swedish Commission on Data Protection analysed the processing of personal data in the areas of journalism, literature and art.[5] The Commission noted that while the use of data processing was increasingly widespread in the journalistic sector, data files for journalistic purposes have not been regulated.[6] Introducing such regulation would be difficult due to potential conflicts with the constitutional freedom of expression.[7] In particular, the Commission considered that two difficulties would arise. First, subjecting journalistic files to data protection legislation may constitute an act of censorship, restricting freedom of expression.[8] Second, subjecting journalistic data files to data processing legislation and thereby to the control of the Data Inspection Board might jeopardise the principle of the protection of the anonymity of sources.[9] To avoid these difficulties, the Commission proposed the basic rule that the constitutional principle of freedom of expression should override data protection legislation.[10] According to the Commission, journalistic data files had not been particularly intrusive.[11] Consequently, the Commission proposed that a new data protection act should contain exemptions for journalistic data files. These include both files that are used as a purely technically instrument in the production of journalistic artifacts,[12] and files that are not technical, but which play a key role in the production of journalistic products (e.g. journalists' lists of potential information providers).[13] Moreover, digital archives of previously published journalistic products should be exempted.[14] As the Commission argued, while such archives may contain much sensitive personal data, established standards of good journalistic practice will work to secure individuals’ personal integrity.[15]
 
In the final report in 1993, the Commission on Data Protection formally held that data protection should not apply to data files which are technically necessary for the production of printed media and also other forms expression protected by the Fundamental Law on Freedom of Expression. Such forms of expression include content transmitted via radio, TV, and similar devises, as well as public displays of films, videos, audio recordings and other kinds of recordings.[16] Data protection rules should neither apply to archives of previously published material nor to the data processing for purposes of the production of dictionaries, encyclopedias and the like or of creating a continuing text.[17]
 
In 1997, a draft of the new data protection law was introduced to the Swedish Riksdag (Parliament).  The draft Data Protection Law sought to implement Article 9 of Data Protection Directive 95/46 in Section 7. Section 7 was divided into two parts. The first held that the rules of the Data Protection Law should not apply insofar as they were contradictory to the constitutionally entrenched principles of freedom of press and freedom of expression. The second section provided that the rules of the Data Protection Law should also not apply to processing of personal data for journalistic, literary or artistic purposes. The second part was added because the Government considered that certain forms of journalistic, literary or artistic activities, for example internet-based journalism, were not covered by the Freedom of the Press Act and the Fundamental Law on Freedom of Expression and would thus not be exempted by the first section. Although the Council on Legislation argued that this would considerably broaden the scope of the journalistic exemption, the Government insisted on this approach. It pointed out that the Data Protection Directive 95/46 allowed Member States to take their constitutional traditions and principles into account and that Sweden took the notions of literary and artistic expression to refer to the means of communication, rather than to the content or quality of the expression.
 
The issue of special expression derogations was raised by two MPs in the Constitutional Committee. In motion 1997/98:K13 MP Carl Bildt (Moderate Party) pointed to the concerns voiced by the Council on Legislation and argued that the whole of section 7 was surrounded by insecurity, and therefore should be entirely removed from the bill.[18] In motion 1997/98:K15 MP Peter Erikson (Green Party) also pointed to the concerns voiced by the Council on Legislation and argued that the Government’s analysis of the compatibility between the Directive and the constitutional principles entrenched in the Freedom of the Press Act and the Fundamental Law on Freedom of Expression had been insufficient. He therefore urged Parliament to carefully consider this question.[19] The majority in the Constitutional Committee, however, dismissed these motions and supported the governmental draft law, reiterating the arguments made by the Government. In addition, the majority argued that Swedish constitutional principles could not be overridden through any EU decisions.[20] The Moderate Party members of Constitutional Committee, however, added a dissenting opinion to its report, repeating the demand of motion 1997/98:K13 that Section 7 should be removed from the bill.
 
The issue of freedom of expression and freedom of press was also discussed in the plenary debate. MP Peter Eriksson (Green Party) supported the Government’s decision to interpret the Directive expansively so as to safeguard the Swedish constitutional principles of freedom of press and freedom of expression. However, he added, the government and the majority of Constitutional Committee had too quickly dismissed the concerns voiced by the Council on Legislation and had not provided a sufficiently thorough analysis of the compatibility of the Directive with the Swedish constitutional principles of freedom of press and freedom of expression. Therefore, Eriksson urged the Parliament not to alter the draft law, but to ask Government to press for reforms of the Directive so as to render it definitively compatible with Swedish constitutional principles of freedom of press and freedom of expression.[21] MP Barbro Hietala Nordlund replied to this critique, arguing that no one could specifically pinpoint where the incompatibility between the Directive and Freedom of the Press and the Fundamental Law on Freedom of Expression lied. It would be worthwhile to preserve these two laws.[22]
 
Special and Broad Expression Derogation  - Debate prior to Personal Data Act Amendment 2007
The centrepiece of the Government’s reform proposal was to introduce a ʻmisuseʼ rather than ʻprocessingʼ or comprehensive management model into the law as regards ʻunstructuredʼ personal data processing including where such information was simply found in continuous text.  The relationship between data protection and freedom of expression, especially broad expression, was discussed within this context.
 
Firstly, the debate re-raised the question of which types of expression fell within special expression.  The Government inter alia suggested that in order to benefit from constitutional protection, publications needed to have an official publisher. This was heavily criticised in the Constitutional Committee.[23] In particular, blogs on the Internet rarely have a responsible official publisher. Nonetheless, these blogs would have to be considered to have journalistic or cultural ambitions. It was argued that freedom of expression on the Internet would be too restricted and not sufficiently protected. This aspect of the Government’s proposal was accordingly rejected by the Constitutional Committee as the constitutional protection of freedom of expression was at the time already under review.[24]  A motion by the Liberal People’s Party generally supported this approach but argued that it was insufficient. The motion argued that in order to benefit from constitutional protection, publications did in fact need to have an official publisher, which was rarely the case for blogs on the Internet. As a result, the motion argued, freedom of expression on the Internet was too restricted and the Government/Parliament should consider a reform of this area.[25] The Constitutional Committee rejected this motion, arguing that a Commission was currently reviewing the constitutional protection of freedom of expression and that one should await its report before taking any action in this regard.[26]
 
A second issue concerned what types of freedom of expression should be able to benefit from regulation under the ʻmisuseʼ rather than comprehensive ʻprocesssingʼ model.  The same Liberal People’s Party motion proposed that databases containing personal information in structured form which were for the public or common good should also be included.  It was argued that a relevant example would be a databases of authors that contain biographical and / or bibliographical information.[27]
 
In the parliamentary debates, Helena Bargholz MP (Liberal People’s Party) reiterated the arguments already presented in this motion. She welcomed the introduction of the ‘misuse model’ as a norm for handling personal data in unstructured contexts. This would include the vast majority of forms of regularly published material of a journalistic or cultural nature. However, on the protection of freedom of expression, she was concerned that in many cases the conditions for publication on the internet had been circumvented. She therefore expressed her party’s concerns over talk of reconciling the stronger protection of the freedom of the press with the weaker protection of the general principle of freedom of expression. Rather, the protection granted by the Freedom of Expression Act should be adjusted to reflect those in the Freedom of the Press Act, affording a high level of protection. This would be particularly important in order to address changed realities of publications of blog posts etc. on the internet.[28] Ingvar Svensson MP (Kd), however, pointed out that no changes would be made to Section 7 of the law, which disapplied the provisions of the Data Protection Act if there was a conflict with the Freedom of Expression or the Freedom of the Press Acts. He thus considered the remarks by MP Bargholz to be moot.[29]
 
Personal Exemption
With regard to the personal exemption, the Commission argued that files for personal use do not represent any danger to the personal integrity of individuals and therefore should not need to be authorised or controlled by Data Inspection Board.[30] No parliamentary debates took place on the personal exemption in 1998 or 2005.
 
Knowledge Facilitation Framework
On the issue of data processing for research or statistical purposes, the 1990 Report of  Swedish Commission on Data Protection Commission noted that under the then applicable [first generation] legislation, no specific provisions addressed the use of data files for research or statistical purposes. However, the Data Inspection Board had practices as regards the granting licences for scientific and statistical purposes.[31] The Commission’s report thereby considered three issues to be of central importance in this regard. First, data processing for scientific and statistical purposes should be regulated under a new data protection law, with the DPA (the Data Inspection Board) acting as a monitoring agency. The DPA should be responsible for providing a set of standards to govern data processing for scientific and statistical purposes. Research and statistical data processing should thereby be divided into two categories: (i) processing involving sensitive personal data which would require DPA authorisation and (ii) processing that does not involve sensitive personal data which would not require such authorisation.[32] The second issue concerned the extent to which research and statistical data files should be bound by the standard of informed consent. As a baseline, the Commission held that data processed for research and statistical purposes obtained from respondents should give informed consent, meaning that they should have been informed on the purpose and content of the register.[33] The third issue the Commission addressed were situations in which the processed data was not originally collected and kept for scientific purposes. The Commission proposed to relax requirements for consent in these situations.[34]
 
The Commission proposed to exempt the processing of sensitive data for research purposes from the requirement to obtain informed consent in cases in which this would be disproportionate, jeopardise the outcome of the research or be detrimental to the respondents’ health conditions. The research project must thereby be of a certain importance and the personal data must be sufficiently secured.[35] The Data Inspection Board would need be notified of the processing of such sensitive data for research and statistical purposes. The Data Inspection Board could thereby set conditions for the further processing[36] of such data or prohibit it.[37]
 
No parliamentary debates took place on the knowledge facilitation framework.
 

III. Third-Generation Statutory Law

Sweden adopted third-generation legislation Lag 2018:218, which implemented the GDPR on 19 April 2018.
 
Special Expression Derogation
Section 7 of the new law extended the provisions here to cover not only artistic and literary but also academic creation/expression in addition to journalistic purposes and removed the express requirement that the processing had to be ʻexclusivelyʼ for such purposes. Otherwise, the provisions here mirror the old regime, namely, completely and unconditionally disapplying data protection insofar as it would conflict with the Fundamental Laws on Freedom of the Press and Freedom of Expression and additionally providing a complete and unconditional exemption from all substantive data protection provisions included in the GDPR's main chapters (but not basic security and data breach duties as well as supervision including by the DPA in this regard) as regards special expression area.  However, as article 89 GDPR itself is not included within this, these provisions do not expressly establish the priority of the special expression derogation over the knowledge facilitation framework.
 
Broad Expression
Similarly to the old law, Section 7 disapplied data protection to the extent that it would contravene the provisions concerning freedom of expression contained in the Fundamental Law on Freedom of Expression.  This law provides broad immunities for expression going beyond special expression but is subject to the formality of appointing a responsible editor and also ensuring that their identity is apparent from any recording that is made public (see above).
The 2007 provisions which had specifically exempted non-structured processing of personal data from the ordinary data protection provisions insofar as processing did not violate the private/integrity of the individual were not reenacted.
 
Personal Exemption – see GDPR, art. 2(2)(c)
 
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Data processed for archival, statistical or research purposes may not be used in order take measures, unless there is a special reason with regard to the data subject’s vital interests (sec. 1-3 Chapter IV) or, in the case of archiving, this concerns authorities' use of data contained in public documents (under national legislation).  Section 3 of Chapter II of the implementing Act relates to individual archives. Pursuant thereto, the Government or the authority determined by the government may issue regulations stating that persons responsible for personal data who are not covered by regulations on archives may process personal data for archive purposes of general interest. In section 6 of Chapter III, the implementing Act moreover provided that sensitive personal data may be processed for archival purposes of general interest on the basis of Art. 9(2)(j) GDPR, if the processing is necessary for the personal data controller to be able to comply with archive regulations. Section 7 of Chapter III exempted processing of sensitive personal data for statistical purposes, if such processing is in the public interest and such an interest clearly outweighs the risk of undue intrusion on individual’s privacy. Under Section 8 of Chapter III criminal-related data can be processed other than by public authorities if necessary to comply with the regulation on archives.   The Ethical Review Act 2004 (see above) was amended to cover sensitive data under Articles 9 and 10 GDPR and provides a special basis for processing so long as the research is authorised according to its prescribed rules.
Parliamentary Debates
Special and Broad Expression Derogation
Pursuant to the Data Protection Act implementing the GDPR, the GDPR shall not be applied to the extent that it would be contrary to the Fundamental Law on Freedom of the Press or Freedom of Expression. The Government thereby maintained that these laws would not have to be amended in light of the GDPR.[38]
Two consultative bodies, the Swedish Data Inspectorate and the Swedish Chamber of Commerce questioned whether such a broad derogation from data protection provisions in favour of freedom of expression would be compatible with the GDPR. The Swedish Data Inspectorate, moreover, voiced concern over the processing of personal data on the internet which was covered by publication certificates for databases. In response, the Government observed that Art. 85 GDPR provided a greater scope for exceptions than the previous Directive as derogations were no longer limited to exclusively journalistic purposes. The Government stressed that the importance of opinion formation through alternative channels such as social media and blogs had increased dramatically in recently years, making it imperative that an exception cover all of special expression in addition activity within the scope of the Law on Freedom of the Press and Freedom of Expression.  It additionally pointed out recital 153 GDPR pursuant to which the concept of freedom of expression should be interpreted broadly in accordance with its importance in a democratic society.[39]
 
The Government elaborated that the concept of ‘academic expression’ was new. While it would have to be distinguished from ‘research’ that is regulated elsewhere in the GDPR, it would not be possible to assign the term any set meaning in the implementing law. Rather, such meaning would develop in practice.[40] MP Per-Ingvar Johnsson, in contrast, argued that the implementing legislation would have to clarify the meaning of terms ‘artistic’ and ‘academic’, which could not be merely left to case law as this would create uncertainty.[41]
 
Knowledge Facilitation Framework
The implementation of the GDPR led to a number of changes in law concerning scientific research. However, these changes were not discussed in connection with the passing of the implementing Act.[42]
 

[1] ‘Riksdagens Protokoll 1973:33’ (12 April 1973) https://www.riksdagen.se/sv/dokument-lagar/dokument/protokoll/riksdagens... (last accessed 11 February 2021); ‘Riksdagens Protokol 1981:82’ (18 February 1981) https://www.riksdagen.se/sv/dokument-lagar/dokument/protokoll/riksdagens... (last accessed 11 February 2021).
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] SOU, ‘Vissa särskilda frågor beträffande integritetsskyddet på ADB-området : delbetänkande av Datalagsutredningen’ (1991).
[6] Ibid, 84-6.
[7] Ibid, 102.
[8] Ibid, 101.
[9] Ibid.
[10] Ibid, 113.
[11] Ibid, 112.
[12]  Ibid, 113.
[13] Ibid, 116.
[14] Ibid, 120.
[15] Ibid.
[16] SOU 1993:10.
[17] SOU 1993:10; Bilagor, p.15 (§6).
[18] See Carl Bildt et al. ‘Motion 1997/98: K 13’ (2 June 1998) https://www.riksdagen.se/sv/dokument-lagar/dokument/motion/med-anledning... (last accessed 18 March 2021).
[19] Peter Eriksson, ‘Motion 1997/98: K 15’ (2 June 1998) https://www.riksdagen.se/sv/dokument-lagar/dokument/motion/med-anledning... (last accessed 18 March 2021).
[20] ‘Report of the Constitutional Committee 1997/98: KU18’ https://www.riksdagen.se/sv/dokument-lagar/arende/betankande/personuppgi... (last accessed 18 March 2021).
[21] MP Peter Eriksson (Green Party), speech 7 in ”Riksdagens snabbprotokoll 1997/98:91 Torsdagen den 16 april” http://www.riksdagen.se/sv/Dokument-Lagar/Kammaren/Protokoll/_GL0991/ (last accessed 20 August 2020).
[22] MP Barbro Hietala, speech 20 and 29 in Riksdagens snabbprotokoll 1997/98:91 Torsdagen den 16 april” http://www.riksdagen.se/sv/Dokument-Lagar/Kammaren/Protokoll/_GL0991/ (last accessed 20 August 2020).
[23] Konstitutionsutskottet, ”Konstitutionsutskottets betänkande 2005/06:KU37, p.18 http://www.riksdagen.se/sv/Dokument-Lagar/Utskottens-dokument/Betankanden/Arenden/200506/KU37/ (last accessed 20 August 2020).
[24] Konstitutionsutskottet, ”Konstitutionsutskottets betänkande 2005/06:KU37, p.15 http://www.riksdagen.se/sv/Dokument-Lagar/Utskottens-dokument/Betankanden/Arenden/200506/KU37/ (last accessed 20 August 2020).
[25] Motion 2005/06: K 26 (4 May 2006) https://www.riksdagen.se/sv/dokument-lagar/dokument/motion/med-anledning... (last accessed 19 March 2021).
[26] Konstitutionsutskottet, ’Konstitutionsutskottets betänkande 2005/06:KU37’ http://www.riksdagen.se/sv/Dokument-Lagar/Utskottens-dokument/Betankanden/Arenden/200506/KU37/ (last accessed 18 March 2021).
[27] Motion 2005/06: K 26 (4 May 2006) https://www.riksdagen.se/sv/dokument-lagar/dokument/motion/med-anledning... (last accessed 19 March 2021).
[28] Debatt i kammaren (11 May 2006) https://www.riksdagen.se/sv/dokument-lagar/arende/betankande/oversyn-av-... (last accessed 19 March 2021).
[29] Ibid.
[30] SOU 1990:61, ‘Skärpt tillsyn:huvuddrag i en reformerad datalag / delbetänkande av Datalagsutredningen’ (1990) 160 (see https://lagen.nu/sou/1990:61 (last accessed 27 July 2021)).
[31] Ibid, 167.
[32] Ibid, 60.
[33] SOU 1990:61, ‘Vissa särskilda frågor beträffande integritetsskyddet på ADB-området : delbetänkande av Datalagsutredningen’ (1991), 10 and 59.
[34] Ibid, 70.
[35] SOU 1993:10; Bilagor, p.21 (§30).
[36] SOU 1993:10; Bilagor, p.23 (§40).
[37] SOU 1993:10; Bilagor, p.24 (§41).
[38] Constitutional Committee, ‘Konstitutionsutskottets Betränkende 2017/18:KU23’ https://www.riksdagen.se/sv/dokument-lagar/arende/betankande/ny-dataskyd... (last accessed 25 July 2020).
[39] Ibid.
[40] Ibid.
[41] Ibid.
[42] See for a summary ‘Education Committee’s Report 2018/9: UbU 5’ https://www.riksdagen.se/sv/dokument-lagar/arende/betankande/behandling-... (last accessed 19 March 2021).