The start of a new year is a fitting time to summarize the past one. Our conclusion as TMT/IP lawyers is that it has been an interesting year, with a growing number of exciting instructions matching progress in the internet and technology. As the title suggests, we would like to give a brief recap of developments during 2014 in Sweden in the field of data protection, specifically highlighting the upcoming Data Protection Regulation (the Regulation) and Sweden's view on this particularly important expected change.
During 2014 the Swedish Data Inspection Board (the DIB) handled a number of interesting supervision matters touching personal data processing in health care such as direct access to patient records; cloud services; and various types of registers within the public sector, for example, the Swedish police's criminal- and surveillance register and registers within Bolagsverket and Domstolsverket. There are a number of ongoing interesting public reviews related to data protection in Sweden, for example, a review specifically focused on the regulation of personal data processing by public authorities. The scope of this review was revised in May 2014 in order to be better adapted to the upcoming Regulation. The review will be presented during spring 2015.
The Swedish Data Protection Act in light of the upcoming Regulation
Almost three years ago, the Commission presented a proposal for a new regulation for the protection of personal data which, when finally adopted, will replace the current Data Protection Directive and therefore also the Swedish Personal Data Act (PDA) and more or less all other national regulations on personal data. Apart from the changes in content contained in the Regulation, the greatest difference is that this is a regulation and not a directive. Since the proposal was published, it has been discussed and processed extensively by EU legislators, and many have expressed views on its content and presented proposals for changes.
In short, Sweden's view is that the new rules on data protection should take the form of a directive instead of a regulation, in order to leave more room for national sector-specific regulations such as the Swedish principle of public access to official records (Sw: offentlighetsprincipen). Sweden also advocates including a so-called risk-based approach in the Regulation, similar to the current Section 5 a in the PDA. Prior to the JHA Council meeting on December 4, 2014, where a proposal for the applicability of the Regulation to the public sector was discussed (and adopted as a temporary partial – non-binding – agreement), the Swedish Department of Justice presented some additional comments on the Regulation and stated that Sweden views the proposal positively because, among other things, greater influence is given to the legislature regarding the public sector and because the Swedish principle of public access to official records appears to be taken into account.
Future – how is the Regulation progressing?
The short answer is that the ball is still in the Council's court, and it must arrive at a joint opinion before negotiations can be held between the Council, the Commission and the European Parliament. Many are sure to feel that the process is protracted, complicated and hard to understand. Last year, we were particularly looking forward to finding out if the Council and the European Parliament would manage to agree on a final wording of the proposed Regulation so that it could be adopted before the end of 2014. Many expressed the hope that the Regulation would be completed before the end of 2014. Now, at the beginning of 2015, we can conclude that unfortunately we are not there yet. The current estimate is that the Council will hopefully reach a joint opinion during the EU summit in March 2015. It will then be possible to reach a final agreement on the proposal between the Council, the European Parliament and the Commission by the end of 2015. Given the planned two-year transitional period (from Directive to Regulation), this would mean that the Regulation should enter into force towards the end of 2017.
As technology has developed and brought new products and services, new challenges in protecting personal data have arisen, making the personal data rules harder to apply. The current provisions are vague and open to interpretation, which means that implementation differs between the EU Member States. It is, therefore, welcome that attempts are being made at the EU level to achieve more uniform rules. However, the internet is global, so surely an even more extensive process awaits, namely reaching agreement on a greater number of solutions with a larger ambit and broader perspective. Getting there will likely take a very long time, in particular given the extensive and time-consuming EU process on the Regulation thus far and the time taken for the Council and the European Parliament to agree on a joint proposal.
Whether the proposal for a regulation will be adopted during this year remains to be seen. Delphi is following the developments and looks forward to data protection year 2015 with excitement. In the meantime, please visit Delphi Data Protection Blog at http://blogg.delphi.se.