Last review date: 27 December 2024
Sweden has one national data protection authority. For the electronic communications sector and with respect to cybersecurity, there are additional authorities:
The Swedish DPA
With respect to key enforcement activities, the Swedish DPA issued three administrative fines in 2024 for a total of SEK 60,000,000 (approx. USD 5,400,000). The Swedish DPA also issued a number of decisions that did not result in administrative fines, but in which the controller was instead issued, e.g., a reprimand or a ban on the non-compliant processing activity. All of the decisions issued by the Swedish DPA in 2024 concerned personal data being transferred to a third party via an analytics tool used by the affected companies on their websites.
The three supervisory cases in which the Swedish DPA issued administrative fines during 2024 all concerned a failure to implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. Two of the cases resulting in fines involved the transfer of information regarding customers' orders. The companies had, among other things, transferred order data that revealed purchases involving certain sensitive information (resulting in administrative fines of SEK 8,000,000 (approx. USD 725,000) and SEK 37,000,000 (approx. USD 3,360,000) respectively). Furthermore, a Swedish bank was issued an administrative fine on similar legal grounds. The bank had likewise used an analytics tool on its website and app, which resulted in information pertaining to customers' securities holdings and account numbers being transferred to a third party. According to the bank's own report of the incident, personal data of up to one million individuals was improperly transferred to a third party, resulting in an administrative fine of SEK 15,000,000 (approx. USD 1,360,000).
Lastly, three companies were subject to reprimands from the Swedish DPA following breaches pertaining to the use of analytics tools. For these three companies, however, no fines were issued, as the authority concluded that the violations were to be characterized as minor, taking into account that the companies, after discovering the breach, had implemented various measures to strengthen their IT security.
Compared with 2023, when eleven administrative fines for a total of SEK 120 million (approx. USD 11,000,000) were issued, 2024 saw a decrease not only in the number of administrative fines issued by the Swedish DPA, but also in its overall enforcement activity and in the total monetary amount of fines imposed.
The Swedish Post and Telecom Authority
During 2024, the Swedish Post and Telecom Authority conducted two focused reviews resulting in injunctions and/or fines. The authority found that two Swedish companies had failed to provide adequate contractual information to consumers and ordered each company to pay a fine of SEK 250,000 (approx. USD 23,000). The authority has also stated that the upcoming implementation of NIS 2 will bring substantial changes for companies under its jurisdiction, and that certain interim regulations must already be complied with by these entities.
The Swedish Civil Contingencies Agency
The Swedish Civil Contingencies Agency (“MSB”) has responded to the legislative consultation concerning the Swedish implementation of the NIS2 Directive, emphasizing the importance of coordinated regulation so that efforts to increase resilience become more effective for all actors in the system. In particular, the agency has highlighted that it is important that:
MSB has further noted that it is not yet clear what the new regulation will look like. According to the agency, organizations not currently covered by NIS that wish to prepare for the legislative changes can benefit from reviewing the existing regulations on information security and security measures.
The Swedish DPA
With respect to priorities anticipated for the near future, the Swedish DPA has stated that it has received increased funding from the Swedish government with the aim of enhancing its capacity to adapt to a changing legal landscape. The stated drivers are complaint handling, new responsibilities arising from EU regulations, an increased need for oversight of camera surveillance due to amendments to the Swedish Camera Surveillance Act, and a growing demand from various sectors for guidance on data protection in relation to technological development and innovation. According to the Swedish DPA's Strategic Target Plan for 2022-2025, the authority will increase its support for individuals and will continue to carry out its supervision primarily on the basis of complaints from individuals. The authority also aims to improve data protection compliance across private and public organizations by, e.g., providing clear legal positions on various legal issues and increasing its supervisory activities, as well as by following technological developments and providing guidance and support in that regard.
Note that the Swedish DPA has seen a significant increase in its budget for the second year in a row, which may lead to higher enforcement activity. However, the previous funding increase was not followed by any observable increase in enforcement activity during 2024.
It is currently unclear whether supervision of compliance with the EU AI Act will fall within the Swedish DPA's remit, though this is a possible future development. The authority has stated that it will strive to ensure that the AI Act is not perceived as a burden, by offering guidance and advocating for greater transparency and predictability.
The Swedish Post and Telecom Authority
The Swedish Post and Telecom Authority is, as of 2 August 2024, the competent authority for supervising the provisions of the EU Data Governance Act that govern providers of data intermediation services and data altruism organizations. The authority has also been given a mandate regarding the re-use of protected data. According to its own statement, the authority is to ensure compliance with the rules and to receive and process complaints in this area.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Rare
☒ Staying the same
Class actions/group actions under data or cyber regulation are:
☒ Rare
☒ Staying the same
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
Administrative fines may amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
☒ private remedies
Individuals may, for example: