Fining practice
Trend: Have the national data protection authorities in Sweden focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees - possibly also due to - Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The Swedish Authority for Privacy Protection (“Integritetsskyddsmyndigheten”, “IMY”) has declared in its supervision plan for 2024 that it will continue to focus on investigating complaints from data subjects after both, the Court of Justice of the European Union (“CJEU”) and the Swedish Supreme Administrative Court, have concluded in their case law that data protection authorities have a broader obligation to review complaints than IMY had previously assessed.
According to IMY’s annual report for 2023, most complaints are directed against the private sector. Complaints from neighbours regarding camera surveillance make up approximately a third of the complaint-based supervisions.
Further, IMY has stated in March 2024 that it will review its handling of complaints against holders of publication certificates in accordance with the Swedish Freedom of the Press Act/the Swedish Fundamental Law on Freedom of Expression. The Court of Appeal in Stockholm has recently ruled that the protection of the Swedish Constitution does not always take precedence over the GDPR. The matter concerns private sector companies that manage publicly available search services that are used to retrieve information about individuals, such as criminal convictions.
In addition to the complaint-based supervision, IMY will initiate both, risk-based supervision and planned supervision, according to its plan for 2024. This includes reviews of municipalities’ work in connection with the GDPR and new technical solutions in camera surveillance.
The Swedish Post and Telecom Authority (“Post- och telestyrelsen”, “PTS”) is the supervisory authority for use of cookies under the Swedish Act on Electronic Communications. PTS has not been very active in its supervisory activities. So far, PTS has only initiated four supervisiory proceedings against two companies and two authorities regarding the rules on cookies at the end of 2022. After PTS notified them of suspected violations, the companies and authorities remedied the violations and PTS closed the matters in late 2023 without taking any further action.
Overall, what was the most significant fine in Sweden to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The most significant fine in Sweden to date was imposed by IMY on Spotify on 12 June 2023 in the amount of SEK 58 million (approx. EUR 4.9 million) for its handling of data subjects’ rights to access their personal data. IMY found that although Spotify gives data subjects access to their personal data, it does not clearly inform them about how their personal data is used. As Spotify has users in many countries, the decision was taken in cooperation with other supervisory authorities in the EU. Spotify has appealed against the decision.
Prior to the Spotify decision described above, IMY imposed a fine of SEK 75 million (approx. EUR 7 million) on Google on 11 March 2020 for failing to adequately comply with its obligations regarding the right of data subject to have search results removed from the results list. After an appeal against the fine, the The Administrative Court of Stockholm announced that it had rejected Google’s appeal. However, the court reduced the fine to SEK 50 million (approx. 5 million). The judgement has gained legal force.
Organisation of authorities and course of fine proceedings in Sweden
How is the data protection authority organised in Sweden? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
IMY is the supervisory authority under, inter alia, the GDPR and the supplementary Swedish Data Protection Act. IMY is also the supervisory authority for the processing of cookies under the GDPR. IMY is placed under the Ministry of Justice.
IMY is a so-called unanimous authority with a transparency council that monitors the authority. IMY is led by a Director General. The Director General of IMY is appointed by the Swedish government.
The budget for IMY for 2024 is approximately SEK 180 million (approx. EUR 15 million). IMY has approximately 140 employees.
PTS is the supervisory authority under, inter alia, the Swedish Act on Electronic Communications, including the use of cookies.
PTS is placed under the Ministry of Finance and is led by a board appointed by the Swedish government. PTS also has a Director General which is appointed by the Swedish government.
The budget for PTS for 2024 is approximately SEK 153 million (approx. EUR 13 million). PTS has approximately 420 employees.
- There are two DPAs in Sweden. One (IMY) for compliance under the GDPR and one (PTS) for use of cookies under the Swedish Act on Electronic Communications.
- IMY is placed under the Ministry of Justice. The budget for IMY for 2024 is approximately SEK 180 million (approx. EUR 15 million). IMY has approximately 140 employees.
- PTS is placed under the Ministry of Finance. The budget for PTS for 2024 is approximately SEK 153 million (approx. EUR 13 million). PTS has approximately 420 employees.
How does a fine procedure work in Sweden? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Supervision can be conducted through desk supervision or/or on-site supervision. The DPA’s publish information on their websites on initiated proceedings.
- If PTS suspects that the target for the supervision regrading use of cookies under the Swedish Act on Electronic Communications does not comply with the rules, it shall give the target for the supervision the opportunity to respond and to take actions.
- IMY has essentially the same competences as set out in the GDPR. A fine cannot be imposed on the target if the target has not had the opportunity to give their opinion within five years of the day on which the violation took place. A decision to impose a fine must be served the target.
- Decisions on fines under the GDPR can be appealed to the competent administrative court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Fines under the GDPR shall be paid to “Kammarkollegiet” (the Legal, Financial and Administrative Service Agency).
Kammarkollegiet is a state authority under the Ministry of Finance with various tasks such as providing service within the governmental area, primarily regarding finance, law, asset management, risk management and administration.
Is there a common, official calculation methodology for fines in Sweden (such as the fining models in the Netherlands or Germany)?
There is no common, official calculation methodology to establish fines under the GDPR in Sweden.
However, we assume that IMY follows the Guidelines on the applicable and setting of administrative fines from Article 29 (wp533) and guidelines on the calculation of administrative fines under the GDPR from EDPB (04/2022).
Can public authorities be fined in Sweden? If they can: Where does this money go?
Public authorities can be fined in Sweden when in breach of articles 83.4, 83.5 and 83.6 of the GDPR. The maximum fine that can be imposed is SEK 10 million (approx. EUR 870,000).
Such fines shall be paid to “Kammarkollegiet” (the Legal, Financial and Administrative Service Agency).
In Sweden, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
IMY publishes decisions, including fines imposed, in supervision matters.
IMY publishes a summary the decision as news on its website and through its newsletter subscription service. The decision itself is also attached and can be found on their website.
PTS also publishes decisions regarding cookie supervision under the Swedish Act on Electronic Communications on its website.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
Apart from publishing supervisory decisions, IMY also provides aggregated information on cases and total amount of fines under the GDPR in its annual reports that are available in Swedish on their website.
Further, PTS has also provided short information regarding its supervisions under the Swedish Act on Electronic Communications in its annual report for 2023.
- In 2023, IMY initiated 210 supervisory matters, 39 of the initiated supervisory matters where cross borders.
- In 2023, IMY closed 173 supervisory matters. IMY imposed fines in 11 of the closed supervisory matters.
- In 2023, the total amount of fines imposed by IMY was SEK 120,4 million (approx. EUR 10 million).
Other legal consequences of non-compliance in Sweden
Does Sweden have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
- The Swedish Act on Representatives’ Actions for the Protection of The Collective Interests of Consumers from 2023 entitles approved entities to bring injunction claims and claims for compensation against data controllers.
- In addition, the Swedish Group Proceedings Act from 2002 entitles individuals, organisations and authorities with similar claims to assert claims on behalf of the members without power of attorney and without members/the group participating.
What is more relevant in Sweden: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
To date, fines under the GDPR by IMY have been more relevant than court proceedings concerning claims for damages or injunctions.
The amount of GDPR-based civil claims lodged by individuals is not high and only a few have been heard by higher instances. However, there is a trend regarding the tension between the constitutional protection in the Swedish Freedom of the Press Act/the Swedish Fundamental Law on Freedom of Expression to publish information on individuals online with a publication certificate and the data protection of such individuals under the GDPR. The Swedish Supreme Court has granted review of a case at the Svea Court of Appeal. Further, a local court has requested a preliminary ruling from the CJEU on this matter (C-199/24).
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.