In January 2021, the Swedish Authority for Privacy Protection (“IMY”) published its privacy protection report for 2020 (the “Report”). This privacy protection report is commissioned by the Swedish government, and the Report outlines the development in the IT area with emphasis on privacy and new technologies.
One of the main conclusions IMY makes in the Report is that the amount of personal data collected (both biometric data and other personal data) increases, and that this has made people more worried about how the collected data are used. Internet of Things (“IoT”) will have a considerable effect on the right to personal privacy as IoT might make data collection from individuals less transparent. [1] Extensive data collection is expected to expand from the online environment to the physical environment such as homes, cars and buildings. It is important to implement risk mitigating actions in order to maintain the right to privacy.
Online advertising is highlighted in the Report, and IMY points out that new technologies make it easier to collect, cross-check and link large amounts of personal data collected online for purposes of e.g. online advertising. Such cross-checking may result in that some data that are not in itself considered to be sensitive, or data that may not even be considered as personal data, might become far more privacy invasive than originally expected by the individuals. [2]
Increased use of biometric data may have positive effects for individuals such as increased convenience and safety. However, use of biometric data also gives rise to risks as such data can be manipulated and might be used for other purposes than what it was originally collected for. From the perspective of protection for privacy, one of the most problematic qualities of biometric data is that biometric data cannot be replaced or changed if the data has been lost, and thus, damages in relation to breach of privacy involving biometric data may be difficult to repair. [3]
Sweden has ambitious goals regarding facilitating use of data related innovations, such as artificial intelligence (“AI”) and IoT. Steps towards strengthening data privacy have been taken, but there have not been as concrete actions taken with regard to questions of ethics and securing rights of individuals. Before the breakthrough of AI and IoT, and before the amount of biometric data collected increases even more, stronger and more concrete actions should be taken in order to ensure that privacy aspects and security aspects are taken into account in the development of products and services making use of such technologies. [4]
IMY suggests that there should be a clearly defined area of politics in Sweden that concretizes goals and actions that ensure individuals’ right to private life and right to decide how their personal data are used. According to the Report, investments are needed for research and development of technology that protects the right to privacy. [5]
Finally, IMY points out that privacy protection is a sustainability question and that privacy protection should be designed so that innovations and processes we create and use now and in the future, shall make it possible for future generations to exercise their rights to privacy. To achieve this goal, concrete steps towards ensuring privacy and security for individuals have to be taken while technologies are developed further. [6]
In the Report, IMY mentions its plans to conduct more audits based on complaints lodged by individuals, and to communicate issues addressed in complaints to those organizations concerned. [7] Based on the Report, organizations using technologies such as AI, IoT or web scraping should expect increased monitoring from a Swedish perspective. As highlighted by IMY in the Report, such organizations should focus on performing risk analyses and impact assessments, implementing privacy by design and privacy by default, as well as informing data subjects of the processing of their data in a clear and transparent manner.
[1] Swedish Authority for Privacy Protection. Privacy protection report 2020. www.imy.se/globalassets/dokument/rapporter/integritetsskyddsrapport2020.pdf (link collected 2021-05-28), p. 17.
[2] Ibid., p. 15 f.
[3] Ibid., p. 18.
[4] Ibid., p. 18.
[5] Ibid., p. 19.
[6] Ibid., p. 19.
[7] Ibid., p. 20.
Article provided by: Fredrik Roos and Linda Källström (Setterwalls, Sweden)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)