Proposal for Data Protection Act

Published

“Proposal for national Swedish legislation complementing the General Data Protection Regulation EU 2016/679, GDPR”

The General Data Protection Regulation becomes effective on 25 May 2018 and will be directly applicable in all of EU. However, the GDPR allows for each member state to adopt national supplementary rules with the purpose of adapting the provisions of the GDPR to specific national conditions and national legislation on e.g. employment and freedom of speech.

In preparation of such national legislation the Swedish government launched an investigative committee referred to as “Dataskyddsutredningen” (the Data Protection Committee) in February 2016. The committee’s remit was to propose national regulation that supplements the General Data Protection Regulation at a general level (as opposed to suggesting sector specific regulations). The committee’s presented its white paper on 12 May 2017. The white paper proposes a new supplementary act referred to as “Dataskyddslagen” (the Data Protection Act). The committee suggests that the Data Protection Act will enter into effect in parallel with the GDPR.

In short, the white paper proposes that in Sweden the GDPR should apply also for processing personal data in the course of an activity which falls outside the scope of EU law, such as national security and law enforcement. It also contains suggested provisions with the purpose of clarifying the essence of the legal grounds for processing data if necessary for “compliance with legal obligation to which the controller is subject” and “the performance of a task carried out in the public interest or in the exercise of official authority”. Furthermore, it suggests provisions clarifying that sensitive data may if necessary be processed by employers, in the field of health and medical care, and for archival and statistical purposes. In addition, the white paper identifies gaps as to the possibility for public authorities to process sensitive data when necessary and proposes provisions to bridge those gaps.

It is also worth noting that the administrative fines stipulated for breaches of the GDPR are suggested to apply for breaches of the Data Protection Act too.

Please feel free to contact Alexander Berger, Head of Data Privacy, if you would like to know more about the Data Protection Act and the GDPR.