Sweden is going to have fun with the new Data Protection Regulation

There’s starting to be a bit of a flurry here in Sweden with the upcoming new Regulation.

One of the communications I received last week concerned the fact that here in Sweden our personal data, including our ID, is considered public information. This will not be the case once the Regulation comes into effect. What I find funny (you know the funny, not-so-funny British humour ;-)) is that those I talk to here think this is new in the Regulation, but it’s not. It is included in the Directive of today, just not implemented as law here in Sweden.

This is going to require significant work to get compliance in Sweden, especially the way our personal data is sold with the use of ‘utgivningsbevis’ without the consent of the data subject. In fact it is impossible for data subjects in Sweden to remove their personal data from public viewing!

Hurry up new Regulation so I can get my personal data removed from ratsit.se, birthdays.se and hitta.se… just to name a few!

Ratsit is so kind as to remove sensitive data from public eyes

I am being continually amazed by the lack of respect there is here in Sweden for personal data. I have written so much on this subject already. However I came across this article a couple of weeks ago concerning Ratsit (who are one of those companies that have an ‘utgivningsbevis’ which means they can use our personal data and make it public to make money). Well they have been so kind as to remove from their search results names of vulnerable women living in shelters, and other categories of individuals that should be protected!

Thank you for being so considerate Ratsit…… now would you be so kind as to remove my name too…..

PII Collection – Purpose Limitation & Proportionality

I’ve been publishing on the subject of personal privacy since 2007, and finally, now, in 2015 I decided to take my CIPP/E. The CIPP credential says you know privacy laws and regulations and how to apply them according to the International Association of Privacy Professionals (IAPP).

Why did I take this certification? After all I have a Masters Degree in Information Security in supposedly the most famous (in this subject) globally, with the Royal Holloway University of London (RHUL). I also have an MBA with Henley Management School (University of Reading). On top of 20 years of rich experience in IT and IS, it looks as though I am in the league of ‘over-qualified’ and then ‘what next?’. Or am I?

No! I am driven by a desire to ‘fix the Swedish ID promiscuity problem’. (There is more on this in my blog, lots of posts.) I took CIPP/E to get a toolkit that I could use to stop my and your Swedish ID being publicly sold online without my or your consent! So now I finally understand what the problem is, and I believe I can solve this, to finally squash this conflict between ‘freedom of information’ laws and ‘PuL’. Watch this space…..

Foreign companies can bypass Swedish Personal Data Act (PUL)

Yes I know, I’m here again complaining about the Swedish law protecting personal information that has no teeth! Now it seems that there is another loophole in the law following a new ruling that enables foreign companies to extract and use PII of Swedish residents/citizens, any persons associated with a Swedish ID#. Read more in this article which is in Swedish, but I’ve done an English translation below.


In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act, which presents a loophole for companies wanting to make money from PII. Both laws have good intentions, but the latter is being abused.

 

TRANSLATION
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes that is denied to domestic companies with reference to the Personal Data Act (PUL). A judgment of the Supreme Administrative Court states that a Norwegian staffing agency is entitled to get information about all Swedish nurses from the National Board, despite the fact that the authority first refused because it would violate the PUL. But as the law is written, the information cannot be withheld because PUL is not applicable abroad, reports P3 News. The ruling means that it is now free for foreign companies to request public documents from Swedish authorities, and that Swedish companies can open subsidiaries abroad in order to request information, says Dennis Töllborg, professor of jurisprudence.
– There is a remarkable gap in the law.

Hijacked the Spotify founder’s identity

I am amazed at how little publicity there was on Daniel Ek, founder of Spotify, who had his identity stolen. The identity fraudster purchased goods of nearly 1 million kronor in his name and has now been indicted to 2 years in prison. A small price to pay for 1 million kronor, don’t you think?

I have talked a lot about how easy it is to steal someone’s identity in Sweden, so this should come as no surprise, I would expect, to virtualshadows blog followers 😉

Forceful action needed against ID hijacking in Sweden

The rapid increase in identity fraud in Sweden is gaining some media attention (http://www.svd.se/opinion/brannpunkt/krafttag-kravs-mot-id-kapning_3767990.svd). However they are missing the point. The solution is not purely to simplify the ‘clean-up’ process, but to change the law. And changing the law is not purely about criminalizing the crime but about enforcing an individual’s basic fundamental right to information privacy. You should have the right to remove your personal information from websites making money from it! For example I have tried removing my date of birth from www.birthdays.se (see previous posts) and the request was refused. The problem I have with my date of birth being public is that:

1) it is my personal information, and;
2) it is the first 6 digits of my Swedish personal id (YYMMDD-xxxx).

The root of the problem is that although the Personal Data Law (PuL) is here to protect our personal information, in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from our identities. And I think that it is about time that this abuse is stopped!

In Sweden 6 of 10 digits of personal ID is public by law

This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII), which includes the first 6 digits of the 10 digits (YYMMDD-xxxx) of Swedish IDs. The exception is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.

“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.

Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”

This was in response to the following request I made.

I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information, an example is ‘birthday.se’. Due to the sharing of my PII the first 6 digits of my Swedish ID are public; the consequence is that it makes me vulnerable to identity fraud.

Can you please confirm that this is done. If not, would you be kind enough to give me enough information to understand why not?

Letter from Datainspektionen (The Swedish Data Inspection Board)

This is the letter from the Swedish Data Inspection Board. They were kind enough to reply in English 🙂

The Swedish Data Inspection Board has received your complaint.

The Swedish Data Inspection Board is supervisory authority according to the Personal Data Act (1998:204). There is a possibility for websites to apply for impediment to publication (utgivningsbevis). If a website is granted impediment to publication (e.g. ratsit.se) the website will be protected according to constitutional law. That means that the Personal Data Act is not applicable on information that is posted at such websites.

The Swedish Data Inspection Board is therefore unable to help you in this matter. It is legal for ratsit.se to publish your personal information. Ratsit.se is not obliged to remove your information.

For more information about utgivningsbevis, see The Swedish Broadcasting Authority’s website: http://www.radioochtv.se/en/Licensing/Internet/.

The Swedish Data Inspection Board notes with regularity the problems with utgivningsbevis to the Ministry of Justice. You can read more about it here:
http://www.datainspektionen.se/press/nyheter/2009/yttrandefrihetskommitten-underskattar-problemen-med-utgivningsbevis/
http://www.datainspektionen.se/press/nyheter/2011/utvidgad-yttrandefrihet-kraver-forstarkt-integritetsskydd/
http://www.datainspektionen.se/press/nyheter/2014/datainspektionen-kan-inte-ingripa-mot-sajt-som-hanger-ut-domda/

Are there any Swedish lawyers out there that can help me fix this?