There is a lot happening in the world of IT and telephony. New technology is constantly creating new opportunities. This naturally places new demands on those whose task it is to make laws and ensure this new technology is available and secure for the consumer. The government has drafted a proposal for a new electronic communications act. This is based on EU legislation, the overarching aim of which is to harmonise the regulatory framework for electronic communications networks and services as well as associated services. The proposal covers all electronic communications networks and services. The act will replace the current Telecommunications Act and the Radio Communications Act and will come into force on 25 July 2003.

The aim of the act is to ensure that electronic communications are as accessible and efficient as possible and are open to free competition. We wish to give an authority power to force market-dominating companies to allow competitors access to their networks or to limit their prices to the endcustomer to what is reasonable. This also means that it will be possible to force operators to share 3G masts. This will allow us to limit the number of 3G masts where it is justified from an environmental or public health point of view. We wish to have as few masts as possible with as much competition for supply as possible.

The proposal also contains provisions to ensure that the user is provided with a certain basic range of services at affordable rates and on equal terms throughout the country. We want open broadband networks that provide freedom of choice for the individual consumer regardless of where s/he lives in Sweden.

We will also improve consumer protection. As consumers we will be given the right to demand itemised bills, the possibility to block certain telephone calls, such as premium rate calls, and be able to set a credit limit that temporarily cancels the subscription if costs get out of control. This is important so that we as consumers can feel we have control over the cost of our telecom and IT use.

Ulrica Messing

Minister for Communications and Regional Policy

1. The bill in brief

The bill represents the government’s proposal for an electronic communications act. The new act will replace the current Telecommunications Act of 1993 (1993:597) and the Radio Communications Act of 1993 (1993:599) and is based on EU regulations, the overarching aim of which is to harmonise the regulatory framework for electronic communications. The act applies to electronic communications networks and services as well as associated facilities, services and other radio use. It does not cover the content transmitted in electronic communications networks with the help of electronic communications services.

Extension of the obligation to notify and limitation of the licensing requirement

The proposed act is based on a general obligation to notify the authorities of the commercial supply of public communications networks and publicly available electronic communications services. The proposal also implies an extension of the current obligation to notify under the Telecommunications Act. For example, some Internet operators and broadcasting network suppliers will be covered by the new obligation to notify.

The government proposes that the use of radio transmitters and numbers from a national numbering plan shall require a individual license, whilst the requirement for a telecommunications license will cease to apply. The double licensing requirement that currently applies for mobile telephony under the Telecommunications Act and the Radio Communications Act will therefore cease.

Double license applications will, however, still apply to transmissions of sound radio and TV programmes to the general public. These transmissions will then need a license both under the Radio and Television Act of 1996 (1996:844) and the new act.

Using radio transmitters will therefore still require a license. It should be possible to limit the number of licenses awarded in a frequency spectrum if this is necessary to guarantee efficient use of radio frequencies. Such licenses should be awarded after a public invitation to tender. The selection alternatives can be a comparative selection process (“beauty contest”), a competitive bidding process whereby the price the applicant is prepared to pay for the license shall be the deciding factor (auction) or a combination of these.

It shall be permitted to transfer the license to use radio transmitters or numbers (“secondary trading”).

Effective competition

An authority will be charged by the government to identify product/service markets, especially geographical markets, into which it may be justified to introduce obligations in accordance with the act. This competent authority shall then consider the European Commission recommendation on relevant product and service markets and its guidelines on how to conduct the analysis of the markets and to determine the existence of significant market power (SMP). Decisions shall be taken subsequent to special consultation.

The product/service markets shall be regularly analysed. A decision shall then be taken as to whether there is effective competition on each market. Market analyses shall be performed based on the principles and methodology of competition law. If there is no effective competition, companies with significant market power shall be identified and required to comply with one or more obligations, for example an interconnection obligation, a requirement to provide the end-customer with other forms of access and price controls.

A company, either alone or with others, whose financial position allows it to act independently of its competitors, customers and ultimately the consumers is assumed to possess significant market power.

The new act does not incorporate any general interconnection obligation. As well as obligations for an operator with significant power on the relevant market, it is proposed that the operator who controls access to the end-user can be obliged to interconnect or in some other way ensure that end-users can connect to each other.

Consumer protection

Concerning universal service, the proposal for a new act does not imply any large-scale changes compared to current regulations in the telecommunications field.

The act incorporates provisions for the protection of consumers and other end-users and provisions on the protection of privacy. There are also provisions governing supervision and scrutiny. In addition, the government proposes some amendments to the Television Signal Transmission Standards Act of 1998 (1998:31). The acts shall come into force on 25 July 2003.

The following is hereby enacted1

Introductory provision

1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions regarding secure signature creation devices, qualified certificates for electronic signatures, and the issuance of these certificates.

The Act applies to certificate providers that are established in Sweden, and issue qualified certificates to the public.

Definitions

2 For the purposes of this Act the following definitions apply: Electronic signature: data in electronic form attached to or logically associated with other electronic data, and used to verify that the content originates from the alleged issuer, and has not been altered.

Advanced electronic signature: an electronic signature that

a) is uniquely linked to a signatory,

b) is capable of identifying the signatory,

c) is created using means that are under the signatory’s sole control, and

d) is linked to other electronic data in such a way that any alteration to the said data can be detected.

Qualified electronic signature: an advanced electronic signature based on a qualified certificate and created by a secure signature creation device.

Signatory: a natural person who is authorised to control a signature creation device.

Signature creation data: unique data, such as codes or secret cryptographic keys, used to create an electronic signature.

Signature creation device: software or hardware used to implement the signature creation data.

Secure signature creation device: a signature creation device that meets the requirements set forth in $ 3.

Signature verification data: data, such as codes or open cryptographic keys, used to verify an electronic signature.

Certificate: an attestation in electronic form that links signature verification data to a signatory and confirms the said signatory’s identity.

Qualified certificate: a certificate that complies with the requirements set forth in $ 6 or 7.

Certificate provider: the legal or natural person who issues certificates or who guarantees that the certificate of others complies with certain requirements.

Secure signature creation devices

3 A signature creation device declared to be secure must ensure that the signature is satisfactorily protected against forgery. The device shall further ensure that the signature creation data

1. can practically occur only once,
2. cannot be derived by reasonable means, and
3. can be satisfactorily protected by the legitimate signatory against use or access by others.

A secure signature creation device may not alter the data to be signed electronically, or prevent the data from being presented to the signatory prior to the signature process.

4 The requirements relating to secure signature creation devices set forth in $ 3, shall be deemed to be satisfied by hardware or software devices that comply with the standards for electronic signature products, the reference numbers of which have been established by the Commission of the European Communities and published in the Official Journal of the European Communities.

5 A device declared a secure signature creation device may be released onto the market or used to create a qualified electronic signature only if it meets the requirements set forth in $ 3. The determination of whether these requirements have been fulfilled shall be made by a body designated for that purpose, pursuant to the Technical Conformity Assessment Act (1992:1119).

A determination by a body designated for the same purpose by another State belonging to the European Economic Area shall be deemed the equivalent of a determination pursuant to the first clause of this section.

Qualified certificates

6. In order to be called a qualified certificate, a certificate shall be issued for a specific period of validity by a certificate provider that meets the requirements set forth in 9-12, and any regulations issued under 13, and shall contain:

1. an indication that the certificate has been issued as a qualified certificate,
2. the name and address of the certificate provider, and information regarding the state in which it is established,
3. the name of the signatory, or a pseudonym which shall be identified as such,
4. special information regarding the signatory if that information is relevant to the purpose for which the certificate is intended,
5. signature verification data that corresponds to the signature creation data under the control of the signatory at the time of issue,
6. information regarding the period of validity of the certificate,
7. the identity code of the certificate,
8. the advanced electronic signature of the certificate provider, or an electronic signature with an equivalent level of security, and
9. an indication of any limitations on the use of the certificate, or of any limits on the value of transactions for which the certificate can be used (transaction limit).

More detailed provisions regarding requirements pursuant to the first clause of this section may be issued by the Government or by supervisory body acting pursuant to Government authority.

Information on the Personal Data Act

Foreword

On 24 October 1998, a new act entered into force aimed at preventing the violation of personal integrity by the processing of personal data, namely the Personal Data Act (SFS 1998:204). This Act is based on common rules decided within the EU.

The Government has issued supplementary regulations in conjunction with the Act in the Personal Data Ordinance (1998:1191).

The Data Act (1973) is repealed by the Personal Data Act.

This brochure provides an overall presentation of the Personal Data Act.

Amendments to the Act have been taken into account up to SFS 2006:398.

This brochure presents the Act in its wording from 1 January 2007. Readers wishing to learn more about the Act may read the Government Bills 1997/98:44, 1999/2000:11 and 2005/06:173 together with the Standing Committee on the Constitution Report 1997/98:KU18. The first Bill referred to reports, inter alia, on the underlying EU rules. This material is also available on the Internet: www.riksdagen.se/dokument.

Further information is included in the report presented by the Data Law Commission in March 1997 and which formed the basis for the new Act: Integrity – Public Access to Information – Information Technology (Official Government Report SOU 1997:39). In addition, information about the application of the Act is available in the report presented by the Personal Data Commission in January 2004 which served as the basis for the most recent amendments to the Act: Review of the Personal Data Act (Official Government Report SOU 2004:6).

The Data Inspection Board is the supervisory authority under the Personal Data Act and may, in that capacity, provide information about the rules. Information is also available on the Board’s website on the Internet:

1. Background to the Personal Data Act

Developments within information technology are accelerating. Technology becomes increasingly powerful, simpler to use and less expensive. This means that it is available to increasing numbers of people. At the same time, it is becoming easier to receive and disseminate data stored on the computer. The facilities for storage and searching for information are becoming increasingly fl exible.

The opportunities afforded by new technology have brought with them an increase in the amount of data connected to people, for example, with the use of computers. Awareness has also increased that more and more data is available from an increasing number of sources. The methods that have been used to gather and process data relating to people are being continuously refined. A person using the Internet or modern cards for, for example, payment, can readily – without being aware of the fact – leave a so-called electronic trail behind him/herself.

Developments have meant that technology can be used in a manner that involves an unacceptable intrusion into personal integrity. The individual is entitled to be protected by society against such violations of integrity. At the same time, the need of the individual for protection must be balanced against other fundamental democratic rights and values, for example, freedom of information and freedom of expression. Legitimate needs for using information related to people also exist, for example, for the purpose of social planning.

A considerable amount of balancing is thus necessary when formulating legislation to protect personal integrity as regards personal data. Furthermore, the legislation must not unnecessarily restrict the use of new technology. New technology brings with it not only risks but also advantages. Things that were not previously feasible are now possible thanks to new technology – something which has already involved an improvement in the standard of living and increased freedom for many people.

The Swedish Data Act (1973) has been considered to be outdated for many years. It has not corresponded in all respects with the standards that can be expected for legislation to effectively protect personal integrity. The Data Act therefore needed to be replaced by a new modern Act. The rules have been developed having regard to the Data Protection Directive that was adopted by the EU in 1995 which is now introduced in all Member States. A basic starting point has been that responsibility for ensuring that personal data is conducted in a lawful manner should rest with the person processing such data.

2. What does the Personal Data Act mean?

The main features of the Personal Data Act are presented in this part. These are:

• People shall be protected against the violation of their personal integrity by processing of personal data.
• In contrast with the Data Act, the Personal Data Act does not only apply to automated processing of personal data but, in certain cases, also to manual registers.
• The Personal Data Act does not apply to the processing of personal data that forms part of a course of operation of a purely private nature.
• The provisions of the Act are not applicable to the extent that they would contravene the constitutional provisions relating to freedom of the press and freedom of expression or limit the principle of access to public information.
• The Act does not apply, in principle, to journalistic, artistic or literary activities
• Processing of personal data in unstructured material, for example running text, may take place as long as this processing does not entail a violation of the registered person’s personal integrity. Most of the other provisions of the Act shall not be applied to processing of this kind.
• If another act or ordinance contains rules that deviate from the Personal Data Act, those other provisions apply instead.
• The old system with licences and permits is abolished. Responsibility for ensuring that processing of personal data is conducted in a lawful manner is imposed in the first instance, upon the person processing such data. The Data Inspection Board exercises supervision of compliance with the Personal Data Act.
• The Personal Data Act lists certain fundamental requirements concerning the processing of personal data. These demands include, inter alia, that personal data may only be processed for specific, explicitly stated and justified purposes.
• Personal data may, if these fundamental requirements are satisfied, in principle, only be processed if the registered person gives his or her consent. However, there are several exceptions to this rule, for example, if it is necessary

- in the exercise of official powers

- when a work task of public importance is to be performed

- in order to enable the controller of public data to fulfill a legal obligation

- in order that a contract with the registered person may be performed.

• Particularly stringent rules apply to the processing of sensitive personal data – e.g. concerning political views or health. These rules also apply to the transfer of personal data to other countries.
• The registered person is entitled to information concerning processing of personal data that concerns him/her.
• The processing of personal data shall be notified to the Data Inspection Board. However, this does not apply if the person who is responsible for the processing has appointed a personal data representative.
• A person who contravenes the Personal Data Act may be liable to pay damages or be sentenced to a criminal penalty.

3. The terminology of the Personal Data Act

The Personal Data Act uses some central concepts that reappear at several places in the various connections, inter aliain this brochure, and which are therefore useful to know. The most important of them are presented below.

3.1 Personal data

All kinds of information that is directly or indirectly referable to a natural person who is alive constitute personal data.

The Personal Data Act applies to such processing of personal data as is wholly or partly performed with the aid of computers. The Act also applies to other processing of personal data, if these form part of or are intended to form part of a structured collection of personal data that is available to searches or compilations according to specific criteria (so-called manual registers).

The Act does not apply to the processing of personal information that a natural person performs in an activity of a private nature. This means, for example, that individuals may maintain for purely private use electronic diaries or a register of the addresses of friends and relatives etc. The word and text processing and communication by electronic mail of individuals also normally fall outside the ambit of the Act.

A simplified provision applies to processing of personal data in unstructured material, for example, running text, stipulating that the processing may not entail a violation of the personal integrity of the registered person (see Part 6).

3.2 Processing (of personal data)

Processing means everything one does with personal data, whether performed through a computer or not. The following may be mentioned as examples of processing of personal data

• Collection
• Registration
• Storage
• Processing
• Disclosure by transfer, dissemination or other provision of data
• Compilations or joint processing.

There is no requirement that the information processed as data should be structured in a register or the like. Computerized work and text processing or similar processing of running text containing personal data is therefore per se subject to the Act, although a simplified provision applies to processing personal data in unstructured material, for example, running text (see Part 6).

Personal data in structured material may only be processed for specific, explicitly stated purposes.

Data that one has gathered for a particular purpose may not later be processed in a manner that is not compatible with that purpose.

3.3 The controller of personal data and the personal data assistant

A person who alone or together with others decides why and how personal data shall be processed is called the controller of personal data (the controller). This is usually a legal person – a company, an association, a public authority or a local authority. A natural person – for instance, a businessman – may also be a controller, however.

Personal data assistant (assistant) means a person who processes personal data on behalf of the controller. The assistant may be an independent service provider.

3.4 Personal data representative

A personal data representative (representative) is a natural person who, on the assignment of the controller, shall ensure that personal data is processed in a lawful and proper manner.

The representative must point out any inadequacies for the controller. If the representative has reason to suspect that the controller is contravening the provisions applicable to the processing of personal data, and points this out, but the controller does not rectify the matter as soon as practicable, the representative must notify this to the Data Inspection Board.

The representative shall also liaise generally with the Data Inspection Board if doubt prevails concerning whom the provisions applicable to processing of personal data should apply to. The representative shall also assist the registered person to obtain rectification if there is reason to suspect that personal data processed is incorrect or incomplete. Furthermore, the representative shall maintain a schedule of the processing that the controller performs and which would have been subject to the duty to given notice if the representative had not existed (cf Part 14).

The appointment and removal from office of a representative must be notifyed to the Data Inspection Board.

3.5 Consent

Consent means every kind of voluntary, specific and unambiguous expression of will, by which the registered person, after the receipt of information, accepts the processing of personal data concerning him/her.

Consent may either be verbal or in writing. It must be voluntary.

The registered person must, before consent is given, have received the information necessary to enable him/her to assess the advantages and disadvantages of the processing of the personal data concerned and so that he/she may exercise his/her rights under the Personal Data Act. Consent shall also be unambiguous. Thus, no doubt may prevail about whether voluntary consent has been given. The consent must also be specific, which means that it must apply to a particular processing concerning the registered person that is performed by a particular controller for a particular purpose.

4. The scope of the Personal Data Act

The Personal Data Act applies to those controllers who are established in Sweden. As a main rule, Swedish law is also applicable when a controller from a third country (i.e. a country outside the EU and EEA) uses equipment, for example terminals and questionnaires, situated in Sweden for the processing of personal data. In such cases, the controller must appoint for himself an agent who is established in Sweden. The agent is equated with a controller when applying the Personal Data Act.

The Personal Data Act never applies if equipment is only used to transfer information between two countries that are outside the EU and EEA.

5. The principle of public access to official documents and also freedom of the press and expression

The principle of public access to official documents, which is embodied in the Freedom of the Press Act means that the public authorities are liable upon request to provide copies of public documents unless secrecy applies. The duties of public authorities to save information – and not to alter it in such a manner as the original information is erased – is also of importance to the principle of public access to offi cial documents.

The provisions of the Personal Data Act are not applied in such a manner that they might limit the principle of public access to documents or contravene the provisions concerning the freedom of the press and freedom of expression contained in the Freedom of the Press Act or Fundamental Law on Freedom of Expression.

The Personal Data Act also includes an exemption for such processing of personal data as is only related to journalistic work or artistic or literary creation. However, the provisions of the Act concerning security measures when processing personal data (see Part 12) shall be applied in such cases.

6. Personal data in unstructured material

The great majority of provisions of the Personal Data Act need not be applied when processing personal data in unstructured material, for example, running text. This may entail sound or images, e-mail messages, texts published on the Internet or short or long memoranda or other documents produced with word processing software. In order for the simplified regulation to apply, the material worked with must not be included in or be intended to be included in a document or case management system or any other database. The provisions of the Act on security measures when processing personal data (see Part 12) must also be applied. However, it is not necessary to apply the provisions on fundamental requirements for processing personal data (Part 7), permitted processing of personal data (Part 8), information to the person who is registered (Part 9) and transfer of personal data to a third country (Part 13).

Processing of personal data in unstructured material must not, however, entail a violation of the integrity of the registered person. The following guidelines should be complied with:

• Do not process personal data for improper ends, such as persecution or disgracing.
• Do not compile a large quantity of data about one person without acceptable reason.
• Correct personal data which proves to be incorrect or misleading.
• Do not defame or insult another person.
• Do not breach secrecy or a duty of confidentiality.

In the first place, it is the responsibility of the controller to ensure that no violation takes place in particular cases. However, what constitutes a violation is ultimately determined by the Data Inspection Board, which shall ensure compliance with the rule, and the courts. Provisions on damages and punishments (see Part 16) apply in the event of violations.

Persons who are uncertain of what constitutes a violation or what unstructured material is can instead decide to comply with the provisions of the Personal Data Act. Provided this is done, a violation cannot come into question.

7. Fundamental requirements on the processing of personal data

The controller shall, inter alia, ensure that personal data

• is only processed if it is lawful
• is processed in a proper manner and in accordance with good practice
• is gathered only for specific, explicitly stated and legitimate purposes
• is not processed for any purpose that is incompatible with that for which the data was gathered
• that is treated is adequate and relevant to the purpose of the processing
• is only processed if it is necessary having regard to the purpose of the processing
• which is processed is correct and, if it is necessary, up-to-date
• is rectified, blocked or erased, if it is incorrect or incomplete having regard to the purpose of the processing
• is not kept for a longer period than is necessary.

As regards processing of personal data for historical, statistical or scientific purposes, certain special rules apply. If personal data that is processed for such purposes is also processed later, this shall be considered incompatible with the original purpose for which the data was gathered.

It is also permitted, for such purposes, to save data for a longer period. However, personal data may not be stored in such cases for a longer period than is necessary.

Marknadsföringslagen (1995:450)

Object of the Act

Section 1

The object of this Act is to promote the interests of consumers and of trade and industry in connection with the marketing of products and to counteract marketing that is unfair to consumers and businessmen.

Scope of the Act

Section 2

The Act applies when a businessman markets or is he seeking to acquire products as part of his business.

The Act also applies to those television broadcasts by satellite subject to the Radio and Television Act.

Definitions

Section 3

In this Act:

Products: means goods, services, real property, job opportunities and other utilities.

Marketing: means advertisements and other measures taken in the course of business intended to promote sales and availability of products.

Good marketing practice: means good commercial practice or other established standards aimed at protecting consumers and businessmen when marketing products.

Electronic mail: means an electronic message that is addressed or in another way individualised in the form of text, voice, sound or image sent over a public communications network and which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

Requirements concerning marketing

General requirements

Section 4

Marketing must be compatible with good marketing practice arid also in other respects be fair towards consumers and businessmen.

When marketing businessmen must provide such information as is of particular importance from the consumer perspective.

Advertising identification

Section 5

All marketing shall be designed and presented so that it is clearly indicated to be a matter of marketing.

It shall also be clearly indicated who is responsible for the marketing.

Misleading advertising

Section 6

When marketing a businessman may not make claims or other statements which are misleading as regards the businessman’s own or another businessman’s business operations.

This applies especially to statements relating to:

1. the nature, quantity , quality or other properties of the product
2. the origin use and environmental and health effect of the product
3. the product’s price, basis of pricing and conditions for payment
4. the businessman’s own or another businessman’s qualifications, market position, distinguishing marks and other rights
5. prices and awards given to the businessman.

Misleading packaging sizes

Section 7

When marketing a businessman may not use packages that by reason of their size or external design generally are misleading as regards the quantity, size or form of the product.

Misleading imitations

Section 8

When marketing a businessman may not use imitations that are misleading as they can easily be confused for another businessman’s known and characteristic products. However, this does not apply to imitations, the design of which primarily serves to make the product functional.

Comparative advertising

Section 8a

A businessman may in his advertisement directly or indirectly identify another  businessman or businessmen’s products, only if the comparison

1. is not misleading
2. relates to products that correspond to the same need or are intended for the same purpose,
3. in an objective manner relates substantially, relevant, verifiable and characteristic properties of the products,
4. does not involve confusion between the businessman and another businessman or between their products, trademarks, business names or other characteristic signs,
5. does not discredit nor is derogatory of another businessman’s operations, circumstances, products, trademarks, business name or other characteristic signs,
6. as regards products with a designated origin, always relates to goods with the same designation,
7. does not take unfair advantage of the reputation of another businessman’s trademark, business name or characteristic sign or the designation of origin of the goods, and
8. does not present a product as an imitation or copy of a product that has a protected trademark or business name.

When making comparisons relating to a special offer, it shall in a clear manner be indicated when the offer ceases to apply or, if the special offer is dependant upon the availability of the product, the limitations which then apply to it. If the special offer has not yet started to apply, this shall also be indicated clearly when the special price or the other special terms begin to apply.

Bankruptcy sales

Section 9

When marketing a businessman may only use the expression “bankruptcy”, whether alone or in association with another expression, if the product is offered for sale by a bankruptcy estate or for its account.

Clearance sales

Section 10

When marketing a businessman may only use the expression “final sale”, “clearance sale” or “closing” or another expression with a corresponding implication, if

1. it relates to a final sale of the whole of the businessman’s stocks or a clearly defined part of them
2. the sale takes place during a limited period of time, and
3. the prices are significantly lower than the businessman’s usual prices for corresponding products.

Bargain sales

Section 11