Sweden’s privacy protection body reports increased sanctions and supervision in 2023

Big rise in sanctions as IMY seeks sharper focus on data protection and privacy.

Over Skr120m ($11.7m) in sanctions were imposed by Integrationsmyndigheten (IMY) – The Swedish Authority for Privacy Protection – last year, its new annual report shows. That is a big increase from 2022, when ‘only’ Skr10m ($960,000) in sanctions was imposed.

IMY also started more supervisory proceedings: 210 in total, compared with 121 the year before.

A total of approximately 17,400 national matters were handled during the year, up from 15,800 in 2022, which included:

  • 3,600 complaints from individuals;
  • 3,800 written requests;
  • 4,300 answered phone calls;
  • 6,000 notifications of personal data incidents;
  • 2,000 notifications about who is a data protection officer; and
  • 600 permit applications, of which approximately 480 were for camera permits.

The year saw an increase in organized crime and gang shootings across Sweden, and that had an impact on the authority’s work.

“During the year, we have seen an increased influx of camera surveillance questions with connection to organized crime and law enforcement treatment needs of personal data, as well as questions regarding the security of personal data,” IMY said.

Both complaints and personal data incidents increased during the year, yet the number of requests decreased by about 400 cases. The number of whistleblower reports also rose, with 95 reports of allegations in 2023, compared with 20 in 2022. Notably, the whistleblower function only started in 2022, which can explain the increase in 2023.

More sanctions on companies

During the year, a total of 173 supervisory proceedings were finalized, with 11 cases served with sanctions. Only five cases ended with sanctions in 2022.

The 11 sanctions of 2023 included:

  • Spotify – Skr58m ($5.6m). The company failed to provide sufficient and clear information on how individuals’ data was processed.
  • Trygg-Hansa – Skr35m ($3.2m). The company had security flaws which led to customer data being accessible online for over two years.
  • Bonnier – Skr13m ($1.3m). Customers and web visitors were being profiled without consent.
  • Tele2 & CDON – Skr12m ($1.2m) and Skr300,000 ($29,121) respectively. Both companies had transferred personal data to the USA via the analysis tool Google Analytics.
  • Utbildningsnämnden i Stockholms stad (The Board of Education in the City of Stockholm) – Skr800,000 ($77,657). The camera surveillance at Aspudden’s school was found to have been too extensive.
  • Indecap (Fund advisor) – Skr500,000 ($48,475). An email was sent out to 2,800 customers which contained a file with information about the finances of another 52,000 customers. The information included the customer’s name, social security number, bank, email address, individual fund selection and the most recently read value of the customer’s holdings in these funds.
  • Barn- och utbildningsnämnden i Östersunds kommun (The Children and Education Board in Östersund Municipality) – Skr300,000 ($29,121). The digital school platform Google Workspace was introduced without an impact assessment.
  • H&M – Skr350,000 ($33,936). The company violated data protection regulation by failing to stop, without undue delay, handling complainants’ personal data for direct marketing after complaints.
  • Region Skåne – Skr200,000 ($19,405). The region lacked security measures, and lost an unencrypted USB stick with sensitive personal information.
  • Region Dalarna – Skr200,000 ($19,405). The region sent out printed invitations to patient visits where the care facility was fully visible in the window envelope. Sensitive personal data was therefore disclosed in an unauthorized way to an unknown number of people who came into contact with the letters.

“The right to privacy is easy to take for granted, but it is challenged every day,” said David Törngren, Acting Director General. “In 2024, we will continue to work to combine technology with strong privacy protection and for a sustainable digitized future, where our children and grandchildren also can have a private life.”

Törngren also said that 2023 was a ‘year of growth’, in which the Government increased IMY’s grant by almost 40%.

IMY says that its goal for 2025 is to see a clear focus on personal integrity and data protection at all levels of society. The authority also wants private and public businesses to work more systematically with data protection, and to pursue privacy-friendly digitization. Technological innovation, development and services should also take place in a way that protects personal integrity.

“When we look ahead, we can state that intensive work is underway with new legal acts within the EU which have an extensive impact on Swedish companies and the digitization of the public sector – and thus also for IMY’s operations,” Törngren said.