Comments on the EC Data Protection Directive: The View from Sweden
- The General View of the Directive
- Conceptual Issues
- Manual Files
- Freedom of Expression
- Implementation of the directive
This is a refereed article.
Date of publication: 31 January 1996
Citation: Seipel, P. (1996) 'Comments on the EC Data Protection Directive:The View from Sweden' 1996 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/dp/1sweden/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/seipel/>
At present, the main legal instrument in Sweden for the protection of personal data is the Data Act of 1973. On several occasions the act has been revised in order to reflect developments of information technology (IT) and various experiences of the application of the act. In addition to the Data Act numerous other enactments must also be taken into consideration.
Of central interest is the Freedom of the Press Act of 1949 where Chapter 2 regulates access to official documents, including computer recordings of all kinds. There are special laws in the fields of credit reporting and debt collecting, for example. Moreover, a considerable number of special so called "register laws" are in force, among them statutes on health care data, police data, and census data.
"Register laws" are sometimes independent, sometimes integrated into enactments dealing with particular public authorities, types of activities or the like. The complex nature of the regulation of the protection of personal data complicates the task of analysing the consequences of the Directive.
An earlier draft version of the Directive (COM (92) 422 final) was studied by a Swedish legislative committee in 1993. In its report, "A New Data Act" (SOU 1993:10, in Swedish), the committee made a rather far-reaching effort to adjust its proposal to the draft. This led to criticism and, with minor exceptions, the committee's proposal was not used for the continued work in the Ministry of Justice.
One reason seems to have been that the draft Directive was not viewed as a step forward in the field of personal data protection. Although the final version is an improvement in a number of respects, the Swedish attitude to the text is, generally speaking, still rather hesitant.
Among others, the Data Inspection Board appears to be among the sceptics. In brief, there is concern that the Directive reflects outdated - possibly even muddled - thinking on personal data protection and that it brings together bureaucratic elements from existing data protection laws which may prove difficult to implement in national laws.
The early main concern of Swedish observers has, however, been eliminated. It has to do with the principle of free access to public documents which is guaranteed by the Swedish constitution. A number of provisions in the earlier drafts made it questionable to what extent the freedom of information principle as it is expressed in Swedish law could be maintained without giving rise to conflicts with the protection of personal data according to the Directive, conflicts which would have been difficult to solve.
In the final text of the Directive ((OJ 1995 No L281 p31) the preamble includes a clause which explicitly makes room for freedom of information and allows the principle of public access to official documents to be taken into account when implementing the principles set out in the Directive (cf. Article 7 (c), for example).
The present Swedish legislation is concerned with "files" and its whole system of concepts will have to be revised in order to take into consideration the definitions used in the Directive. This development had actually already started because of the increasingly visible difficulties of applying legal thinking from the early 1970s to the present realities of relational databases, global data networks etc.
The question is, however, to what extent the conceptual framework of the Directive itself takes these new developments into account. This question will most likely be closely scrutinised in the work of the new committee on the revision of the Data Act. The mandate of the committee indicates that it may be necessary to look for solutions which reflect national experiences and rely on even innovative methods which are regarded as suitable to achieve the overall purposes of the Directive.
In other words, a flexible attitude to the Directive appears to be recommended. In this context it may be noted that given the existence of global information data networks with vast and fragmented data resources, it may prove difficult to implement provisions such as Article 11 which deals with information to data subjects. One may think of, for example, lists of e-mail addressees which are often received from some source or other and are stored by recipients in their address books.
On the whole, the realism of requiring a steady stream of information to "data subjects" about who is "controlling" what personal data may be put in question. In this respect, as well as in a number of others, the Directive reflects a kind of "register thinking" which meets with practical difficulties (if nothing else).
As for sound and image data, the consequences of the Directive are highly uncertain. The present Swedish Data Act applies to such information but in practice many of its provisions have proved to be unsuited - to say the least - to function in an information environment which differs from the more well-known, traditional, alphanumerical one.
For example, how are rules on rectification, erasure or blocking to be applied to "personal data" in the form of digitised photographies (where several people may appear - some wishing to stay in the picture, some wishing to be erased).
At present the Swedish Data Act does not cover manual processing. On the contrary, the Data Act is a typical "computer privacy" legislation and, thus, differs from the Directive. The exclusive computer-orientation of the Data Act has often been put in question and the implementation of the Directive will be seen by many as an opportunity to accomplish a change that is well motivated.
One solution may be to enact some kind of general privacy protection law which deals not only with the processing of personal data but sets out privacy protection principles of a broader nature.
These principles may then be further detailed and supplemented in legislation dealing specifically with personal data processing. Probably, some of the above mentioned "register laws" will also have to be expanded to cover manual filing systems.
According to Article 9 there shall be certain exemptions or derogations with regard to processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression which prove necessary to reconcile the right to privacy with the rules governing freedom of expression.
The scope of this article seems uncertain and different freedom of information traditions in the member countries will probably come into play. It may be noted that the text does not mention the right of access to information. In Sweden this right is looked upon as a necessary basis for the freedom of expression.
Two consequences may follow. One is a broad interpretation of the freedom of information exemption in Article 9 which will be to the benefit of electronic publishing, for example. Another possible consequence concerns the processing of personal data which may expose people who exercise their constitutional right to inform.
Such processing of personal will be caught in the crossfire of personal data protection and protection of the freedom to impart information.
It is still too early to predict the precise way in which the Directive will be implemented in Sweden. However, a complete revision of the present Data Act is likely, i.e. the goal will probably be the enactment of a new statute or group of new statutes rather than an amended version of the present Data Act. The above comments indicate the kind of concerns which have so far been under discussion and which will most likely continue to attract attention. During Spring 1996 the new Data Legislation Committee will begin its work. The committee is under an obligation to consult with the Government's Information Technology Commission, i.e. the high level organ which advices the Swedish government on matters of information technology law and other strategic issues related to IT.