Happy Birthday 2 years on with GDPR!

In celebration of GDPR 2 years on, I thought I would repost some blog posts from June 2018. However, when looking I realised that there were a few, and the theme was strong on how our personal data is public in Sweden and the use of utgivningsbevis to keep this status quo. So, I ended up writing an additional blog post, realising that I’m still really unhappy about the Swedish status quo on this.

GDPR has brought progress in ensuring that we, data subjects, have rights over our personal data, but sadly what I posted 2 years ago is still acutely relevant today in 2020.

The fact is that in Sweden our personal data is made public and we have no say! After all, public is public: it is impossible to restrict processing when this is the case, as is acknowledged in privacy laws, not just in the EU. The data brokers get to this data, scrape it from public sources, do some intelligent profiling and sell it on to businesses; e.g. where you live will determine how you are profiled and to whom you will be sold.

Someone tried to argue with me once that a street name (missing house no.) was not personal data. The fact is that the street where you live says quite a lot about who you are. It gives an indication of your wealth, whether you’re young, with kids, or elderly, and whether you’re likely to have a garden, 1 or 2 cars, etc. Your street name is directly or indirectly linked to you as an individual. The street name could be enough for you to receive cold calls, either by phone or from someone knocking on your door to sell you double-glazing.

In the UK, for example, you are hidden by default. The difference in Sweden is that the clash between laws pertaining to ‘freedom of press’ and ‘a right to a private life’ still stands today. In Sweden it is the former which wins.

I read somewhere that there are 100s, maybe 1000s of complaints from Swedish data subjects on the lack of control and rights (as per GDPR) they have over their personal data. This is positive! People are aware of their rights and are asking questions: why is this happening? I can’t find the article now, so I would appreciate it if anyone can dig it up. The question is whether this will change. Can it change?

The e-Privacy Regulation has something to protect against unsolicited calls, with protection by default: as in the UK, the resident needs to opt in to be included in a public directory.

Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.

How it works in Sweden today is that every business needs to have a ‘do not call list’. It seems that what is proposed in the e-Privacy Regulation is a national list, which is an improvement, but still does not solve the root of the problem. I do not want my data public unless I have specifically consented to this or I have myself made my data public.

Data brokers and data subject rights

Well, I’ve been working hands-on with data subject rights for almost two years now, and an area which is still grey is data brokers.

One aspect is when the data broker has scraped public sites for personal data. Personal data that has been shared by you and me on LinkedIn, Facebook, etc. is something a data broker can extract and use; after all, it is public data.

The other is, as is the case in Sweden, when personal data becomes public data but not at the behest of the data subject. Still the data brokers are there scraping sites, e.g. hitta.se, ratsit.se, all legal due to something called an utgivningsbevis, issued in the name of freedom of speech. If you want some background on this, I’ve written loads!

One of the challenges is that a lot of businesses are purchasing personal data from data brokers as part of their sales activities. Then requests for access to personal data (Art 15), or to be forgotten (Art 17), come pouring in from individuals who want to know why sales personnel are contacting them when they did not opt in, saying that it’s not compliant with GDPR.

Well the fact is, there is nothing illegal in this activity as it stands today. Once you make your personal data public you lose some rights. Of course in Sweden it is more complex as individuals have not requested their data to be public, it is like this as a default.

Now often the data subject will ask to be deleted, and does not want to be contacted again, but it is not so simple. If the organisation regularly purchases data from data brokers, deleting the data won’t solve the problem; their name needs to be added to an ‘opt-out’ list, which means processing additional data. If not, their name will pop up again, because you see the problem is three-fold:

(1) data is public, whether this is knowingly or not,

(2) there is no mechanism to enable the individual to place themselves on an opt-out list centrally which is accessible to all data brokers, hence

(3) data brokers do not clean, and this means that each organisation purchasing personal data needs to have its own opt-out list.

What complicates the matter further is that the GDPR requires that in order to respond to data subject requests their identity needs to be verified, although Article 11 does say that additional data should not need to be collected in order to verify identity, to be compliant with GDPR.

So where does that leave us when it comes to requests from data subjects who did not ask to be contacted by our sales agents? In short, best to add them to an opt-out list and delete their data, so long as they have never been a customer, have never been an employee, etc. If they persist in exercising their rights as per Article 15, request verification of identity, which is permitted in Article 11.

Although how do you explain to them why you need to add them to a list? It seems a strange workaround to something which clearly is not working optimally today.

Sweden is going to have fun with the new Data Protection Regulation

There’s starting to be a bit of a flurry here in Sweden with the upcoming new Regulation.

One of the communications I received last week was concerning the fact that here in Sweden our personal data, including our ID is considered public information. This will not be the case once the Regulation comes into effect. What I find funny (you know the funny, not-so-funny British humour ;-)) is that those I talk to here think this is new in the Regulation, but it’s not. It is included in the Directive of today, just not implemented as law here in Sweden.

This is going to require significant work to get compliance in Sweden, especially the way our personal data is sold with the use of ‘utgivningsbevis’ without the consent of the data subject. In fact it is impossible for data subjects in Sweden to remove their personal data from public viewing!

Hurry up new Regulation so I can get my personal data removed from ratsit.se, birthdays.se and hitta.se… just to name a few!

Ratsit is so kind as to remove sensitive data from public eyes

I am being continually amazed by the lack of respect there is here in Sweden for personal data. I have written so much on this subject already. However I came across this article a couple of weeks ago concerning Ratsit (who are one of those companies that have an ‘utgivningsbevis’ which means they can use our personal data and make it public to make money). Well they have been so kind as to remove from their search results names of vulnerable women living in shelters, and other categories of individuals that should be protected!

Thank you for being so considerate Ratsit…… now would you be so kind as to remove my name too…..

Surprise! 10 more years of PII exposure in Sweden….

It seems that many of the utgivningsbevis that were granted in 2004 are due to expire this year in 2014, and in 2014 it is still legal in Sweden for those holding this exemption certificate to share your personal information, if you are a Swedish resident and/or Swedish citizen… here is information on this.

So how many companies have been granted an utgivningsbevis, and have the right to make your personal information public? Well, 917 is what I found, and you do not have a legal leg to stand on to get your personal information removed.

This includes ratsit.se and birthday.se. Here you can type in the name of the target and search, bingo! Happy hunting!