EPIC --- Privacy and Human Rights Report
|Title Page Previous Next Contents | Country Reports >Kingdom of Sweden|
Sweden's Constitution consists of four fundamental laws: the Instrument of Government, the Act of Succession, the Freedom of the Press Act, and the Fundamental Law on Freedom of Expression. These laws serve as a basis for the Swedish political decision-making and contain several provisions relevant to data protection and citizens' freedoms and rights. For example, Section 2 of the Instrument of Government Act of 1974 provides for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument also states that freedom of expression and information – which are constitutionally protected pursuant to the Freedom of the Press Act of 1949 – can be limited with respect to the "sanctity of private life." Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity (privacy) in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. The European Convention on Human Rights (ECHR) has been incorporated into Swedish law in 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.
The Swedish Personal Data Act (PDA) or personuppgiftslagen (PUL) was enacted in 1998 to bring Swedish law into conformity with the requirements of the European Union (EU) Data Protection Directive (95/46/EC). The PDA essentially incorporates the EU Data Protection Directive into Swedish law. It regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. The Act replaced the Data Act of 1973, which was the first comprehensive national act on privacy in the world. The 1973 Act continued to apply until October 2001 with respect to processing of personal data initiated prior to October 24, 1998. An amendment of Section 33 of the Act entered into force in January 2000 in order to align even closer to the EU Data Protection Directive standards on the transfer of personal data to third countries.
Besides the PDA, there is also specific legislation regarding processing of personal data in different specified sectors. Some examples include the Health Care Register Act of 1998, the Police Data Act of 1998, the Land Register Act of 2000, the Schengen Information System Act of 2000, and the Act on processing of personal data within Social Services of 2001. Other statutes with provisions relating to data protection include the Secrecy Act of 1980, the Credit Information Act of 1973, the Debt Recovery Act of 1974, and the Administrative Procedure Act of 1986. In sectors that fall within the scope of the EU Data Protection Directive, the specific legislation takes into account the Directive’s rules.
The PDA provides liberal exemptions for freedom of expression. It specifically states that in the case of a conflict, the existing protections for freedom of the press (Freedom of the Press Act) and freedom of speech (Freedom of Expression Act) will prevail. The majority of the provisions in the PDA are also exempted in regard to processing that is carried out exclusively for journalistic purposes, or artistic or literary expression. In 2001, the Swedish Supreme Court ruled that the operator of a Web site dedicated to the criticism of several Swedish banks and bank officials did not violate the PDA, as he was protected by the exemptions for journalistic purposes. In another case, where a church volunteer had published information about church employees on the Internet without their consent, the Göta Court of Appeal decided in 2004 that this was not a matter of processing for journalistic purposes, or artistic or literary expression. The Court found that, in this case, the right to privacy outweighed the freedom of expression and the processing conflicted with several provisions in the PDA. However, due to the circumstances in this case, it was not seen as a serious offense, and the church volunteer was not convicted.
In 2002, the Parliament adopted new rules on voluntary publishing licenses. The rules on freedom of the press and freedom of expression apply to printed publications, radio and television, films, etc., and do not – in principle – apply to the Internet. With the new rules, anyone may apply for and obtain such a license, and thereby extend the rules on freedom of the press and expression to their Web site. This means that the keeper of a Web site who has obtained a publishing license will be able to process personal data without having to comply with the provisions in the PDA. Specific privacy problems have occurred in this context regarding publication of credit information and phone directories on the Internet. Following remarks from the data protection authority, a specific inquiry has been set up within the Ministry of Justice to analyze whether the new legislation conflicts with provisions that aim at protecting privacy. The problem regarding phone directories has been commented in a report by the National Post and Telecom Agency, who said that the new legislation might be in conflict with the EU Directive on Privacy and Electronic Communications. The agency recommended that this conflict also be examined in the Ministry of Justice inquiry.
In years past the PDA, and the EU Data Protection Directive on which it is based, were criticized for being too restrictive. On May 11, 2006, the Swedish parliament voted to amend the PDA, to make it more focused on preventing misuse of personal data. The most significant change to the PDA is to exempt processing of “unstructured materials,” such as running texts, sounds and images, and email from the great majority of handling provisions in the PDA. The excluded material will be regulated by a simple rule – processing of personal data is not permitted if it constitutes a violation of the registered person’s personal integrity. Guidelines in the legislation mandate that the data processor cannot process data for improper purposes such as harassment or defamation, or collect large amounts of information about a person without good cause. Data processors are required to correct personal data that is wrong or misleading and to observe secrecy and non-disclosure regulations. However, the amendment also decriminalizes breaches committed by mere negligence; gross negligence is now required before a breach can be prosecuted under the PDA. The amendments came into force on January 1, 2007.
The EU Directive on privacy and electronic communications (2002/58/EC) was essentially implemented in July 2003 by the entry into force of the Electronic Communications Act (ECA). The provision on unsolicited e-mail in this Directive was implemented in April 2004 when the Swedish Marketing Act was amended to reflect the Directive in this respect. As a result of this amendment, direct marketing by e-mail now requires prior consent. The National Post and Telecom Agency is in charge of supervising compliance with the Electronic Communications Act. Monitoring of the Marketing Act, including the provisions on unsolicited e-mail, falls under the scope of the Swedish Consumer Agency.
The provisions on privacy in publicly available electronic communications services are found in Chapter 6 of the ECA. This includes provisions on security in public communications networks, processing of traffic and location data, cookies, public directories, etc. The PDA of 1998 applies to processing of personal data in electronic communications networks and services to the extent that the ECA does not stipulate otherwise. The National Post and Telecom Agency emphasizes the importance of enhancing the level of user knowledge and awareness about security on the Internet. However, Sweden is second from the bottom in the EU when it comes to protecting its citizens' private integrity, according to Privacy International’s 2006 privacy ranking.
Compliance with the PDA is monitored by the Data Inspection Board (DIB), Datainspektionen. The DIB is a central government agency and carries out its functions independently. As of July 2007 the DIB has 40 employees. The agency handles complaints from individuals concerning processing of personal data. In 2006, the DIB handled 307 complaints about personal data processing, down from 405 in 2005. The DIB has discretion to decide which complaints to pursue, but complainants always receive a response as to whether an investigation is initiated, and the outcome of any investigation.
The PDA requires that automated processing of personal data be notified to the DIB. Several exemptions from the notification duty apply, for example, if an entity appoints a personal data representative. The number of representatives has decreased from 3,420 to 3,284, however, representatives can represent several entities. Some processing operations that are likely to involve particular risks for improper intrusion of privacy must be notified for prior checking.
Initiatives have also been taken to use biometric data outside the government authority sector. In 2004 and 2005, the DIB handled several requests from schools regarding the use of fingerprint-recognition devices for allowing access to school canteens. The DIB said that processing of biometric data for this purpose was not compatible with the necessity and proportionality principles prescribed by the PDA and the EU Data Protection Directive. The fact that consent would be obtained from the students or their parents did not change this view. Despite this warning, biometrics, in the form of finger scans, are being used in the Kvarnby School in Stockholm to log in to school computers.
The DIB published a report in 2005 about store bonus cards and found many privacy concerns. The report found that the cards contained detailed information about the customers and their purchases. The DIB suggested that the companies gain consent from consumers before using the data for directed advertising and improve the information given to new bonus customers so they could make an informed decision regarding their private data. The DIB also suggested the companies keep the data for as short a time as possible and restrict the information that is registered. In addition to the report, the DIB also issued supervisory decisions, including the three decisions of the DIB which have now been upheld by the County Administrative Court.
On June 22, 2006 the DIB issued a decision that SafeSite, a computer system that exchanges information and warnings between hotels and stores, did not violate the PDA because the warnings and descriptions examined by the Board to be so vaguely formulated that they were not to be considered as personal data as it is defined in the PDA. SafeSite allows the warnings to be transferred to a document in order to make a police report.
With regard to privacy in the health and medical sector, the use of information technology has increased. While information technology can facilitate documentation of health and medical care, and contribute to using resources more efficiently, it also involves new challenges in terms of privacy and data protection. The National Board of Health and Welfare has proposed in a report that the Act on Patients’ records should explicitly allow that one comprehensive record is kept for each patient. The Board has said that using one record covering all occasions when a patient has sought medical care at different care providers would even further reduce the time spent on documentation of medical treatment. Moreover, the Board has said that this requires that obstacles in terms of secrecy do not exist and that possibilities are given to jointly process personal data. The DIB has pointed to several problems that this proposal poses from both a secrecy perspective and a privacy point of view.
Personal data processing in the health and medical sector is currently regulated by the Health Care Register Act of 1998 and the Patients’ Records Act of 1985. In 2005, the DIB issued a report about accessibility to patient data that found that there was a lack of working routines to check that unauthorized users do not gain access to patient’s data. The report created a list of guidelines that the medical community needs to review and implement to protect sensitive information.” The report was the means to provide guidance to the medical community and to create a base for discussion. The Government Offices are also analyzing the handling of patients’ records and other information about individuals’ health within insurance companies. Sweden has signed, but not ratified, the Coucil of Europe Convention on Human Rights and Biomedicine, which mandates confidentiality of personal data.
In 1999, the Swedish government established a Committee to study workplace privacy issues. In March 2002, the Committee issued a proposal recommending specific legislation to protect the personal information of current and former employees, and employment applicants in both the private and public sectors. The proposal has not led to legislation. In 2005, the DIB issued a report about workplace privacy and found that few employers monitored email, or used comer surveillance, or used biometrics. The study also found that few employers had procedures for deleting data in accordance with the PDA.
Recently, the question of collecting and storing DNA information about all Swedish citizens has been subject to public debate. In June 2004, proposals were made to widen the scope of DNA use in law enforcement. According to current legislation, DNA samples fall under the rules in Chapter 28 of the Code of Judicial Procedure and rules in the Police Data Act of 1998. The inquiry tasked with reviewing the current legislation suggested introducing specific rules regarding DNA samples in law enforcement and allowing such samples to be taken from persons who are arrested, taken into custody, or suspected of crimes that can lead to imprisonment, but also from other persons if it is required in the investigation of such crimes. According to the inquiry's report, results from DNA analyses should be put into the DNA register kept by the National Police Board regarding persons who are suspected of, or sentenced for, crimes where the penalty includes imprisonment. The current rules on the DNA register only allows registration of those who have been convicted of a crime that involves a penalty of more than two years' imprisonment. According to Section 24 of the Police Data Act, registration must be limited to such data that provides information about identity – other DNA information must not be registered. The inquiry suggested that information in the register should be deleted when the preliminary investigation is withdrawn or when charges against the individual in question have been withdrawn or rejected. Information regarding persons who have been convicted should continue to be retained until the person is deleted from the register of convicted persons in accordance with the specific rules in the Act of 1998.
Sweden is implementing Council Regulation No. 2252/2004 on Standards for Security Features and Biometrics in Passports and Travel Documents Issued by Member States. The new biometric passports, based on the International Civil Aviation Organizations (ICAO) specifications, were introduced in Sweden on October 1, 2005. The passport contains a digital facial image that is stored in a chip included in the passport. The biometric data that can be retrieved from the facial image is to be destroyed immediately after the delivery of the passport to the applicant or after a passport check. No other kinds of data than those already registered will be entered into the centralized register of passports.
Identification of individuals within public administration is based on the system of national identification numbers. Such numbers have been used in Sweden since the 1940s. Since 1994, the data protection legislation includes restrictions on the use of identification numbers. Under Section 22 of the PDA, national identification numbers may only be processed without consent if the processing is clearly justified with regard to the purpose of the processing, the importance of secure identification, or some other substantial reason.
In October 2005, Sweden began accepting applications for national ID cards. This card includes information about nationality and contains a chip for storage of electronic certificates, which enables the cardholder to fill in tax-return forms or sign payments via the Internet. Swedish citizens traveling in the Schengen area will also be able to use an ID card instead of a passport to prove their nationality. The national ID card is not mandatory.
The 1998 Public Camera Surveillance Act and the Public Camera Surveillance Ordinance restrict the use of such surveillance. In principle, video surveillance in places to which the public has access requires a permit from the County Administrative Board. In certain situations, it is sufficient to notify the County Administrative Board about the surveillance. The notification duty applies to post offices, banks, and stores where the surveillance only covers entrances, exits, and cash points. In a few other situations neither a permit nor notification is required. In all cases, the Act requires that clearly visible notices about the video surveillance are posted. Image and audio material may be stored for up to a month. The police and courts are able to store material for longer if it comprises part of an investigation of a crime. Penalties for breach of the law include fines or a maximum imprisonment of one year. The Act has been subject to review by an inquiry that presented its report in November 2002.
Secret camera surveillance, wire surveillance and wiretapping require a court order according to the specific Act on secret camera surveillance and to Chapter 27 of the Code of Judicial Procedure. A specific Act of 1952 widens the scope for using these measures if specific risks for national security are involved. In 2003, the scope of the 1952 Act was extended to terrorist crimes referred to in the legislation that implements the EU Framework decision of June 13, 2002, on combating terrorism (2002/475/JHA). The limited period of validity of the 1952 Act and of the 1995 Act on secret camera surveillance has been prolonged numerous times and both Acts now apply until the end of 2007. The Government has submitted a report to Parliament every year with details of all of electronic surveillance conducted. According to the 2003 government report to the Parliament, the use of secret surveillance increased "considerably" in 2002. Human rights organizations, including the International Helsinki Federation for Human Rights, expressed concern in 2006 over increased use of surveillance techniques by the police and insufficient protection of the individual's right to privacy. During 2006, Swedish courts issued 833 permits for wiretapping and denied 12. The Swedish Helsinki Committee (SHC), a non-governmental organization that monitors human rights compliance with the Helsinki agreement of 1975, has concluded that the state authorities’ right to interfere in the private life of citizens, as allowed in certain instances by Swedish law, continued to lack both the necessary legality and transparency. The SHC has called for an independent assessment of the necessity and effectiveness of secret surveillance methods used in Sweden. However, in connection to the prolongation of the legislation, the Government stated that combating crimes related to national security have been given increased priority and that secret camera surveillance, wire surveillance, and wiretapping are all efficient tools for investigating terrorist and other serious crimes.
There have been a number of government bills in 2006 to extend the use of secret surveillance, including a law to allow telephone tapping for preventative reasons and a law to allow for hidden microphones. On May 31, 2006 the parliament decided to postpone discussion on the bill for at least a year and “insisted that safeguards against abuse of power be introduced into the bill, including an obligation for police to inform those subject to secret surveillance whenever this is considered safe for investigative reasons.” In 2007, a proposed bill would allow the National Defense Radio Establishment (Försvarets Radioanstalt - FRA) permission to use data mining software to search for sensitive keywords in all phone and e-mail communication passing through cables or wires across the country’s borders without a court order. The FRA would have to get approval from a parliamentary committee on military intelligence affairs and it would only be permitted to “tap into communications through pattern analysis and key word searches, and would not be entitled to target specific individuals.” Currently, such traffic can only be monitored with court approval if police suspect a crime, although the agency is free to spy on airborne signals, such as radio and satellite traffic.
Internal security is the responsibility of the Security Police, also known as National Security (Intelligence) Service or SÄPO, an independent agency under the overall control of the National Police Board. Oversight is conducted by the Register Board, which was established in 1996.
In March 2006, the EU enacted Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Directive aims at harmonizing the rules on retention of traffic data throughout the EU in order to facilitate judicial cooperation in criminal matters. All traffic data generated in publicly available electronic communications, such as telephony or the Internet, would have to be retained by service providers for law enforcement purposes. The data would have to be kept for a minimum period of six months and a maximum period of two years. Member States have until September 15, 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available for retention of communications. Sweden is postponing application of this Directive.
Sweden has also in 2004 laid a proposal for new EU Framework rules on exchange of information between law enforcement authorities. The proposal would require law enforcement authorities in EU Member States to supply certain information and intelligence to such authorities in other EU Member States, upon request, for the purpose of investigating crimes, particularly serious offenses and terrorist acts. This proposal has been criticized by privacy groups as being too broad and going far beyond the relatively narrow range of offenses covered by other EU instruments, such as the Europol Convention.
A new political party dedicated to “reform of copyright laws, the abolishing of patents and working against installing more regulations, and remove the Data Retention Act, that are seriously threatening citizens' privacy” is “making a bid for representation in the Swedish parliament in the upcoming national elections in September.”
Sweden announced on January 31, 2007 that it would be the first country to open an official embassy in the virtual world of Second Life.
There is currently debate in Sweden over whether police can access Internet records to fine file-sharers. A Swedish court of appeals upheld the country’s first conviction of file-sharing. This case is of note because the conviction was based on supporting evidence consisting of an IP address linked to a file-sharing network. Previously, in October 2006, a Swedish judge ruled that evidence was insufficient to prove guilt. This case could continue to the Swedish Supreme Court and shows that “electronic evidence, such as traffic, location and time data, can originate, be scattered and end on different formats and different coordinates in time and space, and may easily be manipulated and hard to identify, due to services offering anonymity or pseudonymity.”
In 2006, the ECHR examined the power of SÄPO to compile, register and save information about individuals. The applicants – a journalist, a peace activist, a political activist and a member of the European Parliament – requested access to their files but were refused on the grounds of national security. The ECHR found that maintaining files on the applicants was in violation of article 8 (right to respect for private and family life) because the file was not “necessary in a democratic society.” The court held that SÄPO’s refusal to grant the applicants full access to their files did not violate article 8 and accepted the government’s reason citing national security. The court also held that the registration of the applicant’s information violated articles 10 (freedom of expression) and 11 (freedom of association and assembly), since the information concerned political opinion, membership in political parties and political activities. Lastly, the Court found a violation of article 13 (the right to an effective remedy) since none of the relevant national authorities were able to order the deletion of the files.
In 2002, the Swedish Parliament approved two anti-terrorism laws in order to implement the UN Convention on the Suppression of the Financing of Terrorism and the Framework Decision of the European Union Council on Combating Terrorism. Sweden signed, but has not ratified the Council of Europe Convention on the Prevention of Terrorism. The Act on Criminal Responsibility for Terrorist Crimes entered into force in July 2003 and classifies certain crimes – such as murder or kidnapping – as terrorist acts when committed against countries, their institutions or their citizens with the aim of intimidating, altering or destroying political, economic or social structures. Strict punishments apply. The SHC noted, in addressing an appeal to the Swedish Government, that the definition of terrorist crimes in the Act is unclear, and that neither the Act nor the EU Decision addresses the issue of how to draw the line between politically motivated violence and terrorism. In July 2003, the Parliament also adopted an Act on surrender from Sweden in accordance with the European Union Council Framework Decision of June 13, 2002, on the European arrest warrant (2002/584/JHA). The Act came into force in January 2004. At the same time, a new Act on Joint Investigation Teams for Criminal Investigations came into force. The Act applies to joint investigation teams for criminal investigations set up between authorities in Sweden and those in one or more EU Member States. The Act implements the European Union Council Framework decision of June 13, 2002, on joint investigation teams 82002/465/JHA). The Act contains rules on, for example, conditions for the use of information received through a joint investigation team.
Voting is open to those aged 18 and older but is not mandatory. National elections are managed by the Swedish Election Authority or Valmyndigheten, which was established in July 2001. The Election Authority is responsible for all voting material from voter registration cards to paper ballots, including development of and support for the information technology systems used during the election process. The Election Authority keeps a register with voter registration information for the purpose of producing voter registration cards. Voter registration information is also kept in secured files at the Central Bureau of Statistics. The Election Authority prepares a list of those who are entitled to vote in the election based on information that, 30 days prior to the election day, is contained in the population registration database in accordance with the Processing of Personal Data in the Swedish Tax Agency’s population registration and the Land Registration Act. Individuals are sent a voting card with the voter’s name and number in the electoral roll, what elections the voter may participate in and the voter’s polling station and its opening hours. Voting can take place at a voting booth, by messenger, or by mail. Voters who cannot vote at their polling station on election day may vote in advance at any voting place, such as the municipal office, a library, school or post office. Advance voting begins 18 days before election day. Voting secrecy is highly valued. Ballots are cast on paper ballots that are placed in envelopes, which are then given to a poll official to place in the appropriate ballot box.
Sweden is a country that has traditionally adhered to the Nordic tradition of open access to government files. The world's first freedom of information act was the Riksdag's (Swedish Parliament's) Freedom of the Press Act of 1766. The Act required that official documents should "upon request immediately be made available to anyone making a request" at no charge. The Freedom of the Press Act is now part of the Constitution and provides that "every Swedish citizen shall have free access to official documents." Restrictions in several situations are stipulated in the Secrecy Act. Decisions by public authorities to deny access to official documents may be appealed to general administrative courts and, ultimately, to the Supreme Administrative Court. The Parliamentary Ombudsman has some oversight functions for freedom of information.
Sweden is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. Sweden signed, but has not ratified, the Council of Europe Convention on Cybercrime (ETS No. 185). An additional protocol to the Convention concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems was signed on January 28, 2003. The Swedish Parliament also decided in October 2004 to approve an EU Framework decision on attacks against information systems. Sweden is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Sweden is a member of the European Network and Information Security Agency (ENISA). The ENISA board has a representative from each EU country; Sweden’s representative is a civil servant from the Ministry of Industry, Employment and Communications. ENISA’s “was set up to enhance the capability of the European Union, the EU Member States and the business community to prevent, address and respond to network and information security problems.”
Constitution, English version available at
 Regeringsformen, SFS 1974:152, available at <http://www.riksdagen.se/templates/R_Page____6307.aspx>.
 Tryckfrihetsförordningen, SFS 1949:105, available at <http://www.riksdagen.se/templates/R_Page____6313.aspx>.
Personuppgiftslagen, SFS 1998:204, English version available at
 Datalagen, SFS 1973:289.
 SFS 1998:622.
 SFS 2000:224.
 SFS 2000:344.
 SFS 2001:454.
 SFS 1980:100.
 SFS 1973:1173.
 SFS 1974:182.
 SFS 1986:223.
 See for example the Health Care Register Act of 1998 and the Credit Information Act of 1973.
SFS1949:105, available at
 SFS 1991:1469 and 2002:209, available at <http://www.riksdagen.se/templates/R_Page____6316.aspx>.
 Supreme Court, June 12 2001, see Nytt Juridiskt Arkiv (NJA) 2001 at 409, available at <http://www.rattsinfosok.dom.se/lagrummet/index.jsp> (in Swedish).
 Göta Court of Appeal, April 7 2004, case B 747-00.
 EC Court of Justice, November 6, 2003, case C-101/01, available at <http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=en&newform=newform&alljur=alljur&jurcdj=jurcdj&jurtpi=jurtpi&jurtfp=jurtfp&alldocrec=alldocrec&docj=docj&docor=docor&docop=docop&docav=docav&docsom=docsom&docinf=docinf&alldocnorec=alldocnorec&docnoj=docnoj&docnoor=docnoor&typeord=ALLTYP&allcommjo=allcommjo&affint=affint&affclose=affclose&numaff=C-101%2F01&ddatefs=6&mdatefs=11&ydatefs=2003&ddatefe=&mdatefe=&ydatefe=&nomusuel=&domaine=&mots=&resmax=100&Submit=Submit>.
 Chapter 1,
section 9 of The Fundamental Law on Freedom of Expression, SFS 1991:1469 and
2002:209, available at
 The Swedish Radio and TV Authority <http://www.rtvv.se>.
 Ministry of Justice (JU) nr 2003:04, see terms of reference 2003:58, available in Swedish at <http://www.riksdagen.se/debatt/dir/index.asp>.
 EC Directive 2002/58 of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201, 31.7.2002, at 37.
 See the Report on a Swedish strategy to secure Internet infrastructure, by the National Post and Telecom Agency, page 51 (PTS-ER-2005:7), available in English at <http://www.pts.se/Dokument/dokumentlista.asp?Sectionid=2253&Itemid=&Languageid=EN>.
 Swedish PDA Amendments of 2007, SFS 2006:398 available in Swedish at <http://rixlex.riksdagen.se/htbin/thw?%24%7BOOHTML%7D=SFST_DOK&%24%7BSNHTML%7D=SFSR_ERR&%24%7BBASE%7D=SFST&BET=1998%3A204&%24%7BTRIPSHOW%7D=format%3DTHW>.
 SFS 1995:450, § 13b.
 <http://www.pts.se> (in Swedish).
 <http://www.konsumentverket.se> (in Swedish).
See generally, Post &
 Privacy International, “National Privacy ranking 2006 – European Union and Leading Surveillance Societies,” <http://www.privacyinternational.org/survey/phr2005/phrtable.pdf>.
Website, available in English at
 Data Inspection Board’s 2006 Annual Report, at page 15, available in Swedish at <http://www.datainspektionen.se/pdf/arsredovisningar/arsred_06.pdf>.
1998:204, § 36.
 Data Inspection Board’s 2006 Annual Report, supra note 2, at 22.
 SFS 1998:204, § 41.
 City of Stockholm Schools, “Precise Biometrics simplifies login procedures at the Kvarnby School,” <http://www.ibia.org/membersadmin/casestudy/pdf/17/Stockholms_School_System.pdf>.
 The Data Inspection Board, “Bonus Cards and the Personal Data Act,” 2005:3, English summary available at <http://www.datainspektionen.se/pdf/rapporter/bonus_cards.pdf>.
 Decision of the DIB of June 20, 2006, summary available in English at <http://www.datainspektionen.se/in_english/adilimo2.shtml>.
 Referred to
in terms of reference nr 2004:95, by the Ministry of Health and Social Affairs,
available in Swedish at
 The Data Inspection Board’s opinion of September 5, 2002, case 991-2002, available at <http://www.datainspektionen.se/infobestall/infomaterial/remissvar.jsp>.
 The Data
Inspection Board, “Increased Accessibility to Patient Data,” 2005:1,
English summary available at
 See terms of reference nr 2004:95, supra.
 European Council, Additional Protocol to the Convention on Human Rights and Biomedicine, concerning Biomedical Research, CETS No. 195 <http://conventions.coe.int/Treaty/EN/Treaties/Html/195.htm>.
Concerns over Employer Monitoring," BNA World Data Protection Report, Volume 2,
Issue 4, April 2002. The proposal is available at <http://naring.regeringen.se/propositioner_mm/sou/pdf/sou2002_18a.pdf>
(in Swedish with summary in
 The Data Inspection Board, Monitoring in Working Life, 2005:3, English summary available at <http://www.datainspektionen.se/pdf/rapporter/bonus_cards.pdf>.
 Ministry publications series 2004:35, Genetiska fingeravtryck, July 7 2004, Ministry of Justice, available in Swedish at <http://www.regeringen.se/sb/d/108/a/27189>.
 See <http://www.polisen.se/inter/nodeid=33591&pageversion=1.html>.
 See fact sheet from the Ministry of Justice, (Ju 05.04) March 2005, available in Swedish at <http://www.regeringen.se/content/1/c6/04/02/02/aa286ad5.pdf>.
 The personal identity number uses ten digits where the first six give the birth day in YYMMDD format, the national Swedish ID uses a 12 digit number to allow YYYYMMDD. This is followed by a hyphen. People over the age of 100 replace the hyphen with a plus sign. The seventh through ninth digits are a serial number – an odd number for men, an even for women. The tenth digit is a checksum.
 LVF Group
Swedish Airports and Air Navigation Services,
 See <http://www.polisen.se/inter/nodeid=33595&pageversion=1.html>.
 SFS 1998:314.
 Swedish Government Official reports (SOU) 2002:110, Allmän kameraövervakning, Ministry of Justice, available at <http://www.regeringen.se/sb/d/108/a/437>.
 SFS 1952:98.
 Section 1 amended by SFS 2003:151.
 SFS 2004:617.
 Government report to the Parliament in November 2003 (Regeringens skrivelse 2003/2004:36) (reporting on 2002 figures); available upon request at <firstname.lastname@example.org>.
 International Helsinki Federation for Human Rights, Human Rights in the OSCE Region: The Balkans, the Caucasus, Europe, Central Asia and North America, Report 2004 (events 2003), available at
 U.S. Department of State, Country Reports on Human Rights Practices: Sweden: 2006, March 6, 2007, <http://www.state.gov/g/drl/rls/hrrpt/2006/78841.htm>.
 International Helsinki Federation for Human Rights (IHF) Annual report 2004, available at <http://www.ihf-hr.org/documents/doc_summary.php?sec_id=3&d_id=3860>.
 Government bill 2003/04:74, at 8-9.
See IHF, “Human Rights in the
OSCE Region: Report 2006”
 IHF, “Human Rights in the OSCE Region: Report 2007,” <http://www.ihf-hr.org/documents/doc_summary.php?sec_id=3&d_id=4387>.
 Paul O’Mahony, “Google likens Sweden to dictatorship,” The Local, May 30, 2007, <http://www.thelocal.se/7452/20070530/>.
 Iain Cameron & Dennis Töllborg, Internal Security in Sweden, in J.P. Brodeur, P. Gill & D. Töllborg (eds), Democracy, Law and Security: Internal Security Services in Contemporary Europe (Ashgate 2002).
Directive 2006/24/EC (March 15, 2006)
Framework decision on simplifying the exchange of information and intelligence
between law enforcement authorities of the Member States of the European Union,
in particular as regards serious offences including terrorist acts (10215/04),
the Council of the European Union, available at
 Council Act of July 26, 1995, drawing up the Convention based on Article K.3 of the Treaty on European Union, on the establishment of a European Police Office (Europol Convention), OJ C 316, 27.11.1995, p. 1.
 Piratpartiet, Introduction to Politics and Principles, <http://www.piratpartiet.se/the_pirate_party>.
 Swedish Institute, “Sweden to open world’s first embassy in Second Life,” January 31, 2007 <http://www.si.se/templates/CommonPage____3052.aspx>.
Pollard, “Swedish court upholds file-sharing conviction,” Reuters,
June 12, 2007
 Jan Libbenga, “Swedish file sharers fined,” The Register, October 19, 2006 <http://www.theregister.co.uk/2006/10/19/swedish_file_sharers_fined/>; see also “Filesharing And Digital Evidence Case in Sweden,” Digital Civil Rights in Europe October 11, 2006 <http://www.edri.org/edrigram/number4.19/p2p_sweden>.
 Segersted-Wiber and others v. Sweden, App. No. 62332/00, Eur. Ct. H.R. (June 6, 2006).
 Council Framework Decision of June 13, 2002, on combating terrorism, EU Official Journal L 164, June 22, 2002, at 3-7 <http://europa.eu.int/eur-lex/en/search/search_lif.html>.
 Council of Europe, CETS No. 196 <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=196&CM=3&DF=7/2/2007&CL=ENG>.
 SFS 2003:148.
 International Helsinki Federation for Human Rights (IHF) Annual report 2004, supra.
 SFS 2003:1156, available in English at <http://www.sweden.gov.se/sb/d/3288/a/19568>.
 EU Official Journal L 190, July 18, 2002, page 1-20, <http://europa.eu.int/eur-lex/en/search/search_lif.html>.
 SFS 2003:1174, available in English at <http://www.sweden.gov.se/sb/d/3288/a/19568>.
EU Official Journal L 162, June 20, 2002, page 1-3, <http://europa.eu.int/eur-lex/en/search/search_lif.html>.
 See sections 5 – 7 of the Act 2003:1174.
 CIA Country
Fact Book, January 1, 2004, available at <https://www.cia.gov/library/publications/the-world-factbook/geos/sw.html>.
 <http://www.val.se> (in Swedish).
 SFS 2001:183.
 European Commission CyberVote Report (IST-1999-20338), available at <http://www.eucybervote.org/MSI-WP6-D21-v1.0.pdf>.
 SFS 2005:837, available in English at <http://www.val.se/pdf/2005_elections_act.pdf>.
 SFS 2005:837, explanatory version of the law available in English at <http://www.val.se/pdf/2005_elections_act.pdf>.
 SFS 2005:837, supra.
 The Election Authority, “Voting,” <http://www.val.se/in_english/general_information/voting/index.html>.
 SFS 1980:100.
January 28, 1981; ratified September 29, 1982; entered into force October 1,
 Signed November 28, 1950; ratified February 4, 1952; entered into force September 3, 1953.
 Signed November 23, 2001.
 See Government bill 2003/04:164 and the Swedish Parliament’s Web site <http://www4.riksdagen.se/debatt/dokstatus.aspx?doktyp=betankande&bet=2004/05:JuU4>.
 European Council Regulation No. 460/2004 <http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=32004R0460&model=guicheti>.
 Post & Telestyrelsen, “ENISA,” March 9, 2007 <http://www.pts.se/Sidor/sida.asp?SectionId=3137>.
 ENISA, “Activities,” <http://www.enisa.europa.eu/pages/01_03.htm>.