
Article 29 Working Party (WP29)

Opinion of the Article 29 Working Party (WP29) on the EU-US Privacy Shield draft adequacy decision

The Article 29 Data Protection Working Party (WP29) adopted its opinion on the EU-US Privacy Shield draft adequacy decision on April 13, 2016. The Privacy Shield was drawn up after the Court of Justice of the European Union (CJEU) invalidated the previous Safe Harbor agreement in the Schrems judgment. The Opinion is complemented by a Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance when transferring personal data (European Essential Guarantees).

Months before, in October 2015, the WP29 stated that an assessment of the consequences of the Schrems decision with respect to all mechanisms permitting data transfers to the US would be carried out. The WP29 then proceeded to inventory and examine the jurisprudence of the CJEU regarding Articles 7, 8 and 47 of the European Union Charter of Fundamental Rights, as well as the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights, dealing with surveillance issues. The conclusions of this assessment led to the four European Essential Guarantees.

The Opinion of the WP29 includes an assessment of the Guarantees for data transfer to the US. According to it, the Privacy Shield includes significant improvements compared to the EU-US Safe Harbor framework. However, major points of concern remain and further clarification is needed in several aspects. The Working Party stressed the general complexity and lack of clarity regarding the Privacy Shield and expressed concerns with respect to both the commercial and national security aspects of the new framework.



Objections in Principle to new government data law

The Data Inspection Board has objections in principle to the proposed new “myndighetsdatalag” (Government data law) and believes that the investigation does not sufficiently take into account the requirements for privacy protection found in both EU legislation and the Swedish Constitution.

The government commissioned a study to revise the legislation governing state and municipal authorities’ processing of personal data. The report proposes a new government data law that would apply generally to most authorities’ handling of personal data.

The Data Inspection Board has fundamental objections to how the law is designed. The ECHR, the EU Charter of Fundamental Rights, the Data Protection Directive and the form of government give citizens a right to protection of their privacy and personal data. The Data Inspection Board believes that the inquiry does not take the requirements for protection sufficiently into account.

– Of course, the ambition must be that public business should be conducted as efficiently and effectively as possible. It may not happen in a way that sidelines basic privacy mechanisms, says Kristina Svahn Starrsjö, Director General of the Data Inspectorate.

Within the EU, work is now ongoing to develop new legislation on data protection. The Data Inspection Board believes that it is therefore important for a Swedish government data law to wait until it is known how the final EU legislation will be crafted. It is only then that it will be clear whether it is at all possible for Sweden to introduce a new government data law.


The commission set up by the Swedish government has proposed a law that will include provisions concerning data processing in all state and municipal authorities. In response the Swedish DPA has produced a report on the proposals.

The Data Inspection Board’s full report expressed concerns on both practical and principled grounds. The proposed official information act will largely replace the Swedish Personal Data Act, the primary implementation of the Data Protection Directive (95/46/EC). The comments also stated that the investigation did not have a mandate to propose any significant changes to whether and how authorities may process personal information, but that the commission’s proposal includes several significant deviations from the rules and principles currently governing authorities’ processing of personal data. The board also expressed concerns that the combined set of requirements in the new law and existing legislation would not create a clear regulatory regime.

The statement and the associated report represent an intervention by the Swedish data protection authority in the national legislative process (legitimate given its role and expertise), which draws upon both the existing national laws and the existing EU data protection frameworks. It also clearly highlights the problem with revising national laws on data protection issues when the General Data Protection Regulation reform effort has not yet been completed. Waiting until this is completed will reveal what legal and administrative space remains at the national level. The investigation has also found that a comprehensive settlement is more appropriate to meet the change that will occur with the EU Data Protection Regulation.