Can Sweden be both an open society and GDPR-compliant?

Erkan Kahraman
Value of trust (by iGrant.io)

--

One of the things that fascinated me when I moved to Sweden was the ease of looking up a person using an online “yellow pages” service to find out their phone number and address. This was a very useful thing when I was late for a meeting and didn’t have the phone number of the person I was meeting to let them know. Sweden was, and still is, a truly open society.

However, the more I learned about the different services (such as Ratsit, Hitta, MerInfo, MrKoll, Lexbase and Eniro) that collect and publish personal information, the more wary of them I grew. The extent of personal information published by these so-called search sites is astonishing. If you want to spy on a Swede, it’s really easy. Anyone, anywhere in the world can do an online search (using the sites I mention above) to find out not just the phone number and address, but also the date of birth, size and value of their property, make and model of their vehicle, pets registered in their name, their taxable income, companies registered in their name, criminal records and current court cases, co-inhabitants (wife, adult children, etc.), and more…

One service even listed that I have an alarm installed at my property and prompted the reader to use the link provided if they’d like to purchase something similar. This is what we call an information disclosure vulnerability in the security world. :)

And yes, while you can use these services to send flowers, you can also use them to attempt to steal someone’s identity, stalk them or otherwise invade their privacy.

In 2018, when GDPR finally came into effect, replacing the Swedish data protection law (personuppgiftslagen or PuL), I expected these services to go away. After all, I had never given consent to share my personal information with these sites, and GDPR made some great promises, such as privacy by design and the right to be forgotten, in addition to an explicit requirement for consent.

But that’s not how the Swedish authorities saw it. Despite an overwhelming number of complaints from the security and privacy community, the Swedish Data Protection Authority (Datainspektionen) argues that search sites have the right to publish personal information because they hold a publishing certificate (utgivningsbevis), which exempts them from GDPR under the Fundamental Law on Freedom of Expression (yttrandefrihetsgrundlagen).

Exempt from GDPR?! Difficult to digest, isn’t it?

Imagine all your personal information being published without your consent and with no option to opt out. When I contacted the search services, some simply refused to remove my data, citing their constitutional right; others only removed parts of it or only made it available to their paying members.

The EU law only allows member states to make exceptions if it’s in the interest of national security (such as police records) or to protect freedom of expression. I would argue that telling the whole world I drive a 2010 Volvo V70 hardly qualifies as freedom of expression.

You may think I’m being paranoid and that there is no real harm in publishing personal information, which may at worst lead to gossipy neighbours and a spam-clogged mailbox. Well, think again. I can find out exactly who lives in a given Stockholm apartment building and who has a criminal record, which may eventually affect my decision to move there. If that happens, over time the residents of the building may want to get rid of their convicted neighbour to make their property more attractive, and thus more valuable. This is how open data paves the way for discrimination.

I understand that GDPR goes against the “offentlighetsprincipen”, the principle of public access that underpins the open society; but a law is a law and it should be applied to all citizens equally. It does not make sense that many organizations put so much effort into, and bear the cost of, compliance with GDPR when some can just get away with buying a publishing certificate for 2000 SEK (roughly 200 EUR). For those who are interested, anyone can apply for a publishing certificate from the Swedish Press and Broadcasting Authority using the link below. Not only are previously issued certificates still valid post-GDPR; new ones are still being issued! Then all you’ll need to do is plug into the Swedish Tax Agency’s (Skatteverket) open data APIs to pull any information you want on every single individual registered in Sweden. Well, Skatteverket actually shares this information even if you don’t have a publishing certificate; all you need to do is ask (and pay for the API calls!).

It’s the Swedish Tax Agency, Skatteverket, that is the source of all the personal information published, and they wouldn’t even say with whom they share the data. It’s the only government agency that does not even bother to publish a privacy policy on its website (apart from a cookie policy). By design, they hold information on every Swedish resident, and they seem to believe they can do whatever they want with it.

What I am trying to say is, it’s time we rethink the offentlighetsprincipen. In an age where data is so valuable and so easily misused, we should give the people that data describes the power to decide for themselves whether they want to go public with it or not. Today’s privacy-preserving technologies are highly capable of solving the consent management problem whilst still allowing data sharing for an open society.

Sources

  1. Datainspektionen on search sites with utgivningsbevis: https://www.datainspektionen.se/vagledningar/for-dig-som-privatperson/utgivningsbevis/
  2. Swedish Press and Broadcasting Authority on publishing certificates: https://www.mprt.se/en/broadcasting-radio-and-tv/online-publication/publishing-certificates/
  3. Swedish Tax Agency open data APIs:
    https://skatteverket.se/apierochoppnadata.html
  4. Some of the search services mentioned in the article:
    https://www.hitta.se/
    https://www.eniro.se/
    https://www.merinfo.se/
    https://www.ratsit.se/
    https://lexbase.se/
    https://mrkoll.se/
