There’s starting to be a bit of a flurry here in Sweden with the upcoming new Regulation.

One of the communications I received last week was concerning the fact that here in Sweden our personal data, including our ID, is considered public information. This will not be the case once the Regulation comes into effect. What I find funny (you know the funny, not-so-funny British humour ;-)) is that those I talk to here think this is new in the Regulation, but it’s not. It is included in the Directive of today, just not implemented as law here in Sweden.

This is going to require significant work to get compliance in Sweden, especially the way our personal data is sold with the use of ‘utgivningsbevis’ without the consent of the data subject. In fact it is impossible for data subjects in Sweden to remove their personal data from public viewing!

Hurry up new Regulation so I can get my personal data removed from ratsit.se, birthdays.se and hitta.se… just to name a few!

I am being continually amazed by the lack of respect there is here in Sweden for personal data. I have written so much on this subject already. However I came across this article a couple of weeks ago concerning Ratsit (who are one of those companies that have an ‘utgivningsbevis’ which means they can use our personal data and make it public to make money). Well they have been so kind as to remove from their search results names of vulnerable women living in shelters, and other categories of individuals that should be protected!

Thank you for being so considerate Ratsit…… now would you be so kind as to remove my name too…..

I’ve been publishing on the subject of personal privacy since 2007, and finally, now, in 2015 I decided to take my CIPP/E. The CIPP credential says you know privacy laws and regulations and how to apply them according to the International Association of Privacy Professionals (IAPP).

Why did I take this certification? After all, I have a Master’s degree in Information Security from supposedly the most famous university (in this subject) globally, Royal Holloway University of London (RHUL). I also have an MBA from Henley Management School (University of Reading). On top of 20 years of rich experience in IT and IS, it looks as though I am in the league of ‘over-qualified’ and then ‘what next?’. Or am I?

No! I am driven by a desire to ‘fix the Swedish ID promiscuity problem’. (There is more on this in my blog, lots of posts.) I took CIPP/E to get a toolkit that I could use to stop my and your Swedish ID being publicly sold online without my or your consent! So now I finally understand what the problem is, and I believe I can solve this, to finally squash this conflict between ‘freedom of information’ laws and ‘PuL’. Watch this space…..

Yes I know, I’m here again complaining about the Swedish law protecting personal information that has no teeth! Now it seems that there is another loophole in the law following a new ruling that enables foreign companies to extract and use PII of Swedish residents/citizens, any persons associated with a Swedish ID#. Read more in this article which is in Swedish, but I’ve done an English translation below.


In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act, which presents a loophole for companies wanting to make money from PII. Both laws have good intentions, but the latter is being abused.

 

TRANSLATION
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes that is denied to domestic companies with reference to the Personal Data Act (PUL). A judgment of the Supreme Administrative Court states that a Norwegian staffing agency is entitled to get information about all Swedish nurses from the National Board, despite the fact that the authority first denied the request because it would violate the PUL. But as the law is written, the information cannot be denied because PUL is not applicable abroad, reports P3 News. The ruling means that it is now free for foreign companies to request public documents from Swedish authorities, and that Swedish companies can open subsidiaries abroad in order to request information that way, says Dennis Töllborg, professor of jurisprudence.
– There is a remarkable gap in the law.

I am amazed at how little publicity there was on Daniel Ek, founder of Spotify, who had his identity stolen. The identity fraudster purchased goods of nearly 1 million kronor in his name and has now been sentenced to 2 years in prison. A small price to pay for 1 million kronor, don’t you think?

I have talked a lot about how easy it is to steal someone’s identity in Sweden, so this should come as no surprise, I would expect, to virtualshadows blog followers 😉

The Swedish press is now starting to discuss the problems with the law that gives easy access to the ID numbers of Swedish residents. The background to this problem is documented here.

The rapid increase in identity fraud in Sweden is gaining some media attention (http://www.svd.se/opinion/brannpunkt/krafttag-kravs-mot-id-kapning_3767990.svd). However, they are missing the point. The solution is not purely to simplify the ‘clean-up’ process, but to change the law. And changing the law is not purely about criminalizing the crime but about enforcing an individual’s basic fundamental right to information privacy. You should have the right to remove your personal information from websites making money from it! For example, I have tried removing my date of birth from http://www.birthdays.se (see previous posts) and my request was refused. The problem I have with my date of birth being public is that:

1) it is my personal information, and;
2) it is the first 6 digits of my Swedish personal id (YYMMDD-xxxx).

The root of the problem is that although the Personal Data Law (PuL) is here to protect our personal information, in this context the PuL is impotent. The Swedish codification of the European Union Directive on Data Protection just does not work. The source of the problem is that the Personal Data Act (PuL) does not apply if its application is contrary to the Fundamental Law on Freedom of Expression (1991).

So what this means is that the Fundamental Law on Freedom of Expression is being abused by companies making money from our identities. And I think that it is about time that this abuse is stopped!