The Sweden Personal Data Protection Act 1998
Sweden enacted the Personal Data Act 1998 (PDA) to incorporate the provisions of the European Union’s (EU) Data Protection Directive (95/46/EC) into Swedish law. The PDA regulates the establishment and use, in both the public and private sectors, of automated data files containing information about natural persons. The intention of the law was to protect personal privacy and regulate misuse of personal information data bases.
One of the major requirements of the PDA is the stipulation that personal data may only be processed for specific, explicitly stated and justified purposes and that it may not be processed for any purpose that is incompatible with that for which the information was collected. In addition, personal data may not be kept for a longer period than is necessary for the purpose of the processing.
A public authority known as the Swedish Data Inspection Board (DIB) is the primary overseer and enforcer of the PDA. One of the DIB’s key functions is to prevent the encroachment upon privacy. It also handles complaints and examines government bills to ensure that new laws and ordinances adequately protect personal data. DIB’s powers in relation to supervision are contained in PDA section 43, which states that the supervisory authority is entitled to request (a) access to the personal data that is processed; (b) information and documentation of the processing of personal data and security of this processing; and (c) access to those premises linked to the processing of personal data.”
According to Section 6 of the PDA, personal data used by a natural person in the course of activities of a purely private nature is outside the scope of the Act. The European Court of Justice (Case C-101/01 Bodil Lindqvist v Åklagarkammaren i Jönköping) has declared that this exemption is to be read as “relating only to activities which are carried out in the course of individuals’ private or family life, which is clearly not the case with the processing of personal data consisting in publication on the internet so that data is made accessible to an indefinite number of people.” In this case, a woman who identified and included information about fellow church volunteers on her Web site was held to be in breach of the Data Protection Directive. The court held that the creation of a personal Web site was not a personal or private activity typifying an exception under the PDA.
