Sweden Update: Monitoring data privacy news

This time around we are reporting about the numerous data protection developments in the EU. The European Data Protection Board’s (EDBP) final recommendations are finally published and while certain elements of flexibility can be found in the new guidelines, the bottom line is that organisations are required to put significant effort into ensuring the compliance of their – or their processors or sub-processors’ – transfers of personal data outside the EU/EEA. The European Court of Justice (CJEU) has also delivered two important judgments. The first judgment concerns the functioning of the so-called “one-stop-shop” mechanism aimed at coordinating supervisory responsibility between different national data protection authorities (DPAs) in the context of cross-border processing of data. The second judgment, on the other hand, provides for a balancing exercise between traffic safety and the protection of the right to private life and protection of personal data.

Finally, the Swedish DPA receives attention in this report as the long-awaited decision regarding the publicly available recorded health-care related phone calls to the national health consultation number 1177 has now been published.

Our purpose with this Data Privacy Report is to provide you with the latest and most relevant data privacy news. The areas of focus are the Nordics, the Baltics and Europe in general.

Sweden

The Swedish Data Protection Authority (DPA) has issued an administrative fine against the Östra Skaraborg Rescue Service for a far-reaching camera surveillance of its staff at the fire stations in violation of the GDPR. The DPA had initiated an investigation concerning the Rescue Service’s use of surveillance cameras in the changing rooms used by the firefighters in the event of an emergency. It was found that the camera surveillance had been turned on round-the-clock, even though the surveillance is deemed necessary only when a fire alarm is set off.  The DPA found that while the Rescue Service had compelling reasons for the camera surveillance, the extent of the surveillance was not reasonable, in particular in reference to the power imbalance present in an employment relationship. According to the decision, the camera surveillance should be limited and only activated in the event of an alarm. Additionally, the area of the surveillance should be limited to those areas that are necessary.

Read more here (Swedish).

The Swedish DPA has issued an administrative sanction fee of SEK 16 million in total against Storstockholms Lokaltrafik limited company (SL). The Swedish DPA stated that SL had violated article 5, 6 and 13 of the GDPR by equipping ticket inspectors with body cameras that record images and sound. The infringements consisted of (i) SL’s use of body cameras to prevent and document threats and violence, (ii) SL’s use of body cameras to confirm the identity of travellers who must pay a surcharge and (iii) insufficient information to the data subjects. The DPA considered that the cameras can be used to prevent and document threats and violence but only for a maximum of 15 seconds. Camera surveillance for the purpose of identifying travellers was on the other hand deemed unnecessary as the same purpose can be attained by taking pictures without audio. Finally, the information provided to the data subjects should have included information about the recording of sound.

Read more here (Swedish).

The Swedish media revealed in 2019 that recorded phone calls made to the Swedish medical consultation services Vårdguiden 1177 were publicly available on the internet without encryption. Consequently, the Swedish DPA initiated an investigation concerning the processing of personal data by organisations involved in the provision of the 1177 service. The DPA has now finalized its investigation and published six decisions, including administrative sanctions on the matter. 

The medical consultation service 1177 is owned by Swedish regions and each region carries out medical consultation services independently or by outsourcing the task to external actors. When a data subject calls 1177, the call was directed to the system administrator Inera. Some regions had subsequently outsourced the task of medical consultation to a subcontractor Medhelp AB and in those cases the calls from the data subjects were directed from Inera to Medhelp AB. Medhelp AB used in its turn a subcontractor Medicall Co Ltd for medical consultation during nighttime and weekends. Medicall Co Ltd is a company located in Thailand, while the personnel answering the phone calls consisted of Swedish nurses. Medihelp and Medicall had additionally entered into a contract with Voice Integrate Nordic AB which provided a switchboard and recorded the phone calls. The relationships between the actors can be illustrated as follows:

The incident where the recorded phone calls became publicly available was caused by an incorrect configuration and the responsibility for the incident lies on Medhelp in its role as a care provider and Voice Integrate Nordic AB where the incident took place. Medhelp was considered as the data controller in the matter and had thus the obligation according to the GDPR to take appropriate technical and organizational measures to ensure an adequate level of security for the protection of personal data. In this case Medhelp had in other words an obligation to prevent unauthorized access to personal data. Additionally, Medhelp had failed in its information obligations towards the data subjects as well as failed to respect the principle of lawfulness as the processing by the subcontractor Medicall was not considered to have had a legal basis for processing of health data. The Voice Integrate Nordic received also a fine, in its role as a processor for having failed to take appropriate technical and organizational measures and protect the recordings. Finally, the regions having outsourced the medical consultations to Medhelp received fines.

Medhelps fine sums up to a total of SEK 12 million, Voice Integrate Nordic received a fine of SEK 650 000 and, the Region of Stockholm received a fine of SEK 500 000 while the Region Sörmland and Region Värmland received a fine of SEK 250 000 each.

Interestingly, the Swedish DPA did not investigate the lawfulness of the transfer of personal data from Medhelp to Medicall located in Thailand, that is outside the EU/EEA. The case handler has commented that such delimitation is motivated by the purpose of the sanctions to be effective, proportional, and dissuasive. As the other violations of the GDPR already motivated a high administrative fine that the DPA considers as effective, proportional, and dissuasive, there had been no need for further investigation, according to the case handler.

Read more here (Swedish) and here (English).

Finland

The Administrative Court of Eastern Finland has delivered a judgment concerning the appropriateness of the Finnish DPA’s hearing procedure and the imposed administrative fine of EUR 16 000. The violation giving rise to the fine consisted of a failure to carry out a data protection impact assessment in connection of processing the location data of the data controller’s employees. The Court found that the procedure followed the Finnish Administrative Procedure Act and that the imposed fine meets the criteria of effectiveness, proportionality, and dissuasiveness. According to the Court, the fine of EUR 1500 claimed by the applicant would not fulfil the named criteria. The judgment is the first of its kind interpreting the appropriateness of the size of the administrative fine in Finland.

Read more here.

Denmark

The Danish DPA has concluded that Nordea has not breached data protection laws when disclosing personal data of the bank’s customers in connection with the sale of receivables. The disclosed information included inter alia customers’ social security numbers. The disclosure did not, however, constitute a breach because Nordea was processing the data in accordance with its legal obligations, such as the Tax Reporting Act.

Read more here (Danish).

Transatlantic data transfer discussions

The European Union and the United States leaders have committed to work on transatlantic data flows protecting consumers and enhancing privacy protections while facilitating commerce over the Atlantic. An important element of the cooperation is to provide legal certainty when it comes to the flow of personal data between the EU and the US.

Read more here.

The EDPB

The European Data Protection Board (EDPB) has adopted a final version of the Recommendations on supplementary measures following the draft which was published in the aftermath of the Schrems II judgment. The recommendations aim at facilitating the task of data controllers to ensure an essentially equivalent level of data protection when transferring personal data to third countries, outside the EU/EEA area. The final version of the recommendations is published two weeks after the new Standard Contractual Clauses (SCC) for international transfers were published by the EU Commission.

The final version of the recommendations introduces a number of amendments to the previous draft. Most notably, the EDPB adopts a somewhat more flexible approach when it comes to the legal assessment of whether the importer country’s legislation impinges the effectiveness of the relevant transfer tool, such as the SCC. The had previously EDPB rejected the possibility of considering subjective factors such as the likelihood of the public authorities’ access to the personal data in the third country in the draft. The final version allows, however, documented practical experience to be considered in the evaluation if such experience is supported by other objective factors. This change is in line with the approach adopted by the EU Commission in the new SCCs.

Additionally, a new concept of “problematic legislation” is introduced as an element of assessment of the third country legislation. Problematic legislation is understood as legislation that imposes obligations on the data importer that conflict with the safeguards provided by the relevant transfer mechanism, and which does not respect the essence of the fundamental rights and freedoms recognized in the EU legal order.

Finally, the EDPB continues with its approach of defining the concept of international transfers in the widest possible meaning entailing that for instance remote access as well as storage in a cloud situated outside the EEA is considered as a transfer.

Read more here.

The CJEU

The Court of Justice of the European Union (CJEU) has delivered a judgment specifying the powers of national DPAs within the scheme of the GDPR and the so-called “one-stop-shop” mechanism. The case derives from an injunction request before Belgian courts where the referring Belgian court requested the CJEU to determine whether the Belgian courts have jurisdiction in a case where Facebook Ireland is alleged to have infringed the GDPR. According to the “one-stop-shop” mechanism, the Irish DPA is the “lead supervisory authority” in cases where the controller, in this case Facebook Ireland, has its main establishment in Ireland. The question is rather heated as the Irish DPA is consistently criticized for not adequately enforcing GDPR, while the Irish DPA has also expressed its frustration with the one-stop-shop solution assigning the task of enforcement against the most “Big Tech” companies which, inter alia for tax reasons, have their European establishments in Ireland.

The CJEU’s main finding is that a national DPA, which does not have the status of a lead supervisory authority according to the GDPR’s rules for one-stop-shop, may, under certain conditions, have the competence to adopt a decision finding that a processing infringes the GDPR where such power has been conferred to the DPA. Such competence must, however, be exercised with due regard to the cooperation procedures between the EU DPAs laid down in the GDPR. Additionally, the CJEU addresses the one-stop-shop mechanism and states that the lead SA must consider the relevant and reasoned objections made by the other concerned DPAs when exercising its powers.

Read more here.

The CJEU has delivered a judgment holding that the GDPR precludes Latvian legislation obliging the road safety authority to make data relating to penalty points imposed on drivers for road traffic offences accessible to the public. While the CJEU recognizes that the objective of the Latvian legislation to improve road safety is of general interest and recognized by the European legal order, the Latvian legislator has the possibility of fulfilling this objective by other means that are less harmful for the fundamental rights of the data subjects. It is furthermore interesting that the CJEU adopts a view that, in light of the sensitivity of the processed data and of the seriousness of that interference with fundamental rights, namely respect for private life and the protection of personal data where such information may give rise to social disapproval and result in stigmatization of the data subject, the value of the fundamental rights prevail the public interest of having access to official documents and the right to freedom of information. Such statement may prove challenging for instance for the Swedish legal tradition of wide public access to official documents.

Read more here.

By Cirio, Sweden, a Transatlantic Law International Affiliated Firm. 

For further information or for any assistance please contact sweden@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.