I was surprised when taking a coffee with one of my colleagues in the office. She received an SMS thanks from another of our colleagues her for the birthday greeting. When I asked her, how did she know, she said she found it online at http://www.birthday.se/kontakta-oss/Default.aspx. She then told me when my birthday was and even a map to where I lived (although they did get this wrong). Nevertheless surprise became horror. I had already removed my details from www.hitta.se only to find myself at another site. So I checked with a previous colleague of mine (Martin Da Fonseca) that studied security law in Sweden if this was in fact legal? And this was his response.

“It is legal. The service provided by Upplysning.se is regulated in Kreditupplysningslagen (credit information legislation) (1973:1173).

I believe the service provided by birthday.se is using (or exploiting) the fact that this information is considered “public information” (allmän handling), because it is stored at a goverment agency. As part of Tryckfrihetsförordningen (“freedom of press”, sort of) (1949:105) 2:1 it says that every Swedish citizen shall have the right to access to public documents. All documented information that a goverment agency has is to be considered public. This is also regulated by Sekretesslagen (official secrets legislation) (1980:100), which states when information is to be considered secret and not part of public documentation. Personuppgiftslagen (1998:204) is also in effect here; it is applied on the actual agencies storing the information. And perhaps to some extent on companies like Birthday.se, depending on what they do with the information (if they store it).”

Should I really be surprised? Not really, as mentioned it’s not the first time in Sweden I’ve needed to remove my personal information from some public register. And getting it removed is a pain, many phone calls, and then like magic it pops up again a year or two later! I believe that this is in direct contravention of the EU directive on Data Privacy. Am I wrong here? Surely I must be? Although Sweden is quite ‘transparent’ in how it operates, there there is much trust between the government and its citizens that makes Sweden quite unique. Transparency is a part of the EU directive, although we should give our consent to sharing personal data. Maybe i have done this automatically by becoming a resident of Sweden. The personal ID is not compulsory in Sweden but its just about imposssible to operate without it. Just try taking out a prescription at the chemist without this ID, you can when they realise that they have no choice, like what happened when I lost my ID, but it takes time and is very annoying if you end up with someone that insists on following the rules. This ID is shared everywhere and is really easy to get hold of. It is composed of date-of-birth (which you can find on http://www.birthday.se) yymmdd-xxxx and four digits, that are even if you are female and odd if you are mail.

There are cases in the U.S. whereby the addresses of car drivers were public until some celebrity was murdered due to the availability of this information. This is evidence that placing this type of information in public domain is dangerous! Does this mean that Sweden has worse data privacy for their citizens than what is found in the U.S.? Is this possible for a country of the EU?