While the General Data Protection Regulation will this week come into effect across the European Union, some companies in Sweden have nothing to fear — for now at least — thanks to a peculiarity of Swedish free-expression law.
In Sweden, a country famous for its open society, those publishing information in databases can get a "publisher's license" that protects what goes in there, as long as the database is publicly available and the contents can only be amended by an editor or a board of editors.
That may sound arcane, but those who have won the protection of the publisher's license include services such as Eniro, Hitta and Ratsit, providing easy access to people's phone numbers, addresses, birthdates and financial information.
And this isn't just an issue that affects Sweden: One of the world's most popular mobile apps, the caller ID service Truecaller, which has 100 million daily active users, is Swedish and also has the publisher's license. Truecaller's massive database of contact numbers is largely derived from its ability to import the contacts of its users, whether or not those individuals have consented to being listed. The company merely asks its users to seek the consent of the people in their address books.
The conflict with European data protection law is not hard to see. But there is nothing that the Swedish data protection authority, Datainspektionen, can do about it. Last year the regulator even had to issue a notice responding to a torrent of complaints about Truecaller, saying its hands were tied; it can't audit or launch action against a company with a publisher's license.
A Truecaller spokesman told The Privacy Advisor that, while the company has a publisher's license, it does not believe that protection from privacy law is the intent of the licensing system. He said Truecaller had taken steps to ensure GDPR compliance anyway.
However, Datainspektionen is still deeply frustrated about the situation.
"Our authority constantly receives a lot of complaints from individuals who perceive [the listings] as a privacy infringement and we have criticized the fact that this system, in some cases, enables systematic privacy infringements on the internet which we cannot intervene against," Elisabeth Jilderyd, Datainspektionen's internal legal advisor, told The Privacy Advisor. "These remarks have been put forward in a written opinion to the legislator but they have not made any amendment."
Sweden is one of the EU member states that has a new data protection act ready to go into force on May 25 — GDPR day — but the implementing act makes it clear that the publisher's license will continue to protect companies as before.
"In the Swedish Data Protection Act it is stated that the GDPR should not be applied to the extent this would be in conflict with the Swedish Fundamental Law on Freedom of Expression," said Paulina Rehbinder, a lawyer at the Stockholm office of law firm Synch.
"If, applying the provisions of the GDPR on databases protected by a publisher's license, it would lead to a direct conflict with some of the fundamental requirements of obtaining a publisher's license, [for example] that only the editor or the board of editors may decide on changes in the database. From a GDPR perspective this means that the publication of personal data in a protected database does not have to comply with the GDPR since this would be in conflict with the Swedish Fundamental Law on Freedom of Expression."
However, Rehbinder identified an upcoming issue that may cause problems for the Swedish publisher's license regime: the EU's ePrivacy Regulation.
In its draft form, Article 15(1) of the upcoming regulation reads thus:
"The providers of publicly available directories shall obtain the consent of end-users who are natural persons to include their personal data in the directory and, consequently, shall obtain consent from these end-users for inclusion of data per category of personal data, to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory. Providers shall give end-users who are natural persons the means to verify, correct and delete such data."
Said Rehbinder, "Since one of the requirements to obtain and keep a publisher's license is that the content in the database may only be edited based on the decision by the editor or the board of editors, a natural person cannot be provided with the means to correct and delete their data from the directory since this would be in conflict with the requirements of the Swedish Fundamental Law on Freedom of Expression.
"This means that the providers of publicly available directories with a publisher’s license must on one hand comply with the ePrivacy Regulation, but on the other hand comply with the requirements to obtain and keep their publisher's license according to the Swedish Fundamental Law on Freedom of Expression, which constitutes a conflict of laws."
The Synch lawyer said her practice has been in touch about this issue with the government, which indicated that it's raised the conflict with other member states — as yet to no avail. "Our conclusion is that this matter will probably be addressed in additional Swedish legislation in connection to the enforcement of the ePrivacy Regulation," she said.
Truecaller's spokesman said his company's service has made changes "to ensure that we will be GDPR compliant regardless of the publishing certificate."
The changes include a rebuilt app that lets users access, rectify, erase, port and restrict the processing of their data, a new user onboarding process that gives users "more control over ads they see and more transparency about the data shared with advertisers," and new terms of service.
"We no longer store or collect personal data from the phonebooks of our users in the EU and we have limited the reverse number lookup," he said.
If you want to comment on this post, you need to login.