Data Act (Sweden)

Data Act
Sweden
Enacted 11 May 1973
Repeals
Personal Data Act of 1998

The Data Act (Swedish: Datalagen) is the world's first national data protection law and was enacted in Sweden on 11 May 1973. [1] [2] [3] It went into effect on 1 July 1974 [4] [2] and required licenses by the Swedish Data Protection Authority for information systems handling personal data. [5]

History

Information and communications technologies (ICTs) were well developed in Sweden due to multiple circumstances, and the use of computers in public administration was introduced relatively early. Furthermore, the concepts of transparency, public access and openness were traditionally widely present in Swedish society. [6] [7] Widespread public concern was raised in 1969 due to that year's public census. [7]

In 1969, the Royal Commission on Publicity and Secrecy was set up to investigate problems associated with the increasing use of computers to store and process personal data. [4] It provided the initial analysis, recommendations and drafts that addressed these problems. [2] In July 1972, it published its report Computers and Privacy (Sw. Data och integritet). [2]

The Data Inspection Board (DIB), proposed in the report, was set up in July 1973. [2]

In April 1973, the Riksdag uncontentiously passed the Data Act, also proposed in the report, which only slightly modified the commission's draft. [2] It then came into force in July 1973. [2] An associated amendment to the Freedom of the Press Act was adopted in February 1974 − around the same time as the Credit Information Act and the Debt Recovery Acts which regulated computerized credit information. [2]

Problems and succession

As the law's data registration and transborder data flow requirements were considered cumbersome and confusing by private and public organizations, and the DIB was soon overcome by the magnitude of registrations, the law was amended in 1982, which made the private sector and the government more self-sufficient in terms of registration. [8]

After several more amendments in 1989 a Commission on Data Protection was set up to make a total revision of the act. The commission submitted its final report in 1993, recommending a new Data Protection Act based largely on the then-current second proposal from the European Commission for an EC Directive. In 1995 Sweden joined the European Union, which had adopted the Data Protection Directive in the same year, and a new committee was entrusted with making recommendations on the implementation of the directive and a new total revision of the Data Act. In 1997 it presented a report on the implementation containing a proposal for a new Personal Data Act. [1]

The law was then superseded on 24 October 1998 by the Personal Data Act (Sw. Personuppgiftslagen) that implemented the 1995 EU directive. [9] [10] [11] [12] The 1973 law mainly focused on automated computer processing systems containing assignable information of living [4] persons [2] and not data processing in general, and was considered to be outdated in many respects for many years. [13] [14] [15]

The law

The act required a prior permit from the DIB for each computerised personal data register. When a permit was given, the Board issued tailor-made conditions for that register. The act itself did not contain many provisions on when and how the data should be processed, or general data protection principles. [1]

Those who were the subject of the data were guaranteed freedom of access to their records. Exporting data on Swedish citizens outside the country also required a license, which was not granted when it was discovered that the export was done to evade the regulatory requirements of the law. [8] [7] In 1979 the Swedish government issued a report which also raised concerns over critical data exported to other countries potentially becoming a target of terrorist organizations. [8]

It also required responsible persons to pay compensation when individuals suffered damage due to incorrect information about them. [2]

The law also criminalized data intrusion, but it was only intended to penalize persons physically breaking into offices to change data and did not consider Internet-based hacking at the time. [16]

Earlier data protection laws

In October 1970 a data protection law went into effect in the West German state of Hesse − the Hessisches Datenschutzgesetz. [17] [18] [5] [19] [6]

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Data Protection Directive: EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

Data Protection Act 1998: United Kingdom legislation

The Data Protection Act 1998 was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to get details on which data is stored and for what purpose, and to request deletion in case the purpose is not given anymore.

Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. There are numerous measures available to prevent cyberattacks.

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature. Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to promote company incentive to strengthen data security. Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

Privacy law in Denmark is supervised and enforced by the independent agency Datatilsynet based mainly upon the Act on Processing of Personal Data.

General Data Protection Regulation: EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The Swedish Authority for Privacy Protection, formerly the Swedish Data Protection Authority, is a Swedish government agency, organized under the Ministry of Justice, tasked to protect the individual's privacy in the information society without unnecessarily preventing or complicating the use of new technology. The agency ensures that legislation within this area is complied with and as such supervises different registers and carries out inspections of companies, organizations and other government agencies, led by the agency's own IT security specialists and legal advisors. The most important legislation is the Personal Data Act of 1998, the Debt Recovery Act of 1974 and the Credit Information Act of 1973. The agency also has an expert advisory role when the Government prepares new statutory provisions.

The National Privacy Commission, or NPC, is an independent body created under Republic Act No. 10173 or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection. It is attached to the Philippines' Department of Information and Communications Technology (DICT) for purposes of policy coordination, but remains independent in the performance of its functions. The Commission safeguards the fundamental human right of every individual to privacy, particularly Information privacy while ensuring the free flow of information for innovation, growth, and national development.

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

Data Protection Act 2018: United Kingdom legislation

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

References

  1. Öman, Sören. "Implementing Data Protection in Law" (PDF). Retrieved 10 May 2017.
  2. Bennett, Colin J. (1992). Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Cornell University Press. p. 63. ISBN 0801480108. Retrieved 10 May 2017.
  3. "Online Privacy Law: Sweden". Law Library of Congress. 10 May 2017. Retrieved 10 May 2017.
  4. Mochmann, Ekkehard; Müller, Paul J. (1979). Data Protection and Social Science Research: Perspectives from Ten Countries. Ardent Media. ISBN 9783593326047. Retrieved 10 May 2017.
  5. Madsen, Wayne (7 July 1992). Handbook of Personal Data Protection. Springer. ISBN 9781349128068. Retrieved 10 May 2017.
  6. Kosta, Eleni (21 March 2013). Consent in European Data Protection Law. Martinus Nijhoff Publishers. ISBN 978-9004232365. Retrieved 10 May 2017.
  7. Fuster, Gloria González (28 April 2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer Science & Business. ISBN 9783319050232. Retrieved 10 May 2017.
  8. Madsen, Wayne (7 July 1992). Handbook of Personal Data Protection. Springer. ISBN 9781349128068. Retrieved 10 May 2017.
  9. "Law in Sweden - DLA Piper Global Data Protection Laws of the World". www.dlapiperdataprotection.com. Retrieved 10 May 2017.
  10. "Personal Data Act (1998:204);" (PDF). Retrieved 10 May 2017.
  11. "The Personal Data Act - Datainspektionen". www.datainspektionen.se (in Swedish). Archived from the original on 6 May 2017. Retrieved 10 May 2017.
  12. Castro, Catarina (2002). Employment Privacy Law in the European Union: Surveillance and Monitoring. Intersentia nv. ISBN 9789050952392. Retrieved 10 May 2017.
  13. "Personal Data Protection". Retrieved 10 May 2017.
  14. Kirchberger, Christine (2011). Cyber Law in Sweden. Kluwer Law International. ISBN 9789041134523. Retrieved 10 May 2017. [permanent dead link]
  15. "Data Protection Laws of the World Handbook: Second Edition - Sweden - Data Protection - Sweden". www.mondaq.com. Retrieved 10 May 2017.
  16. Kirchberger, Christine (2011). Cyber Law in Sweden. Kluwer Law International. ISBN 9789041134523. Retrieved 10 May 2017. [permanent dead link]
  17. Agre, Philip E.; Rotenberg, Marc (1997). Technology and Privacy: The New Landscape. MIT Press. p. 221. ISBN 9780262511018. Retrieved 10 May 2017.
  18. Nations, United; Publications, United Nations; Assembly, United Nations General (October 2006). Report of the International Law Commission. United Nations Publications. ISBN 9789218102676. Retrieved 10 May 2017. [permanent dead link]
  19. Fuster, Gloria González (28 April 2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer Science & Business. ISBN 9783319050232. Retrieved 10 May 2017.