The Protection of Personal Integrity in the Information Society - On Third-Country Transfers of Personal Data and Data Retention

This is a professional degree thesis at advanced level from Lund University/Department of Law

Abstract: The development of the information society brings new challenges to legal constructions created in a landscape of traditional boundaries when these are to be upheld and enforced in a borderless digital environment, mainly due to a technical development that is constantly pushing the boundaries. An increased digitalisation of society does not necessarily give rise to new legal questions but puts them in an unfamiliar context, which brings uncertainty to many legal situations. From this starting point, this essay addresses the problems associated with transfers of personal data to third countries and the storage of personal data outside the EU or the EEA, specifically regarding personal data that are being retained for the purpose of crime prevention in accordance with the Electronic Communications Act in Sweden. The Electronic Communications Act contains no requirements on where the data that are being retained are to be stored. Whether or not there should be a requirement on where the data have to be stored geographically is one of the questions that have been raised after the Court of Justice of the European Union (CJEU) found that the Data Retention Directive was invalid in its judgement delivered in April 2014 in the joined cases Digital Rights Ireland and Seitlinger and others. The question of where to store this information refers specifically to the difficulties of control of compliance with the rules that are to be ensured by an independent authority, and the possibilities to do this if the personal data that are being retained are stored outside the EU or the EEA. This is one of the issues that the CJEU will once again have to take a closer look at, since the Swedish Administrative Court of Appeal in Stockholm has requested a preliminary ruling in the pending case between Tele2 and Post- och telestyrelsen (the Swedish Post and Telecom Authority). Where personal data are being stored is fundamentally a question concerning compliance with human rights.
The close connection between the right to protection of personal data in article 8 of the EU Charter of Fundamental Rights (EU Charter) and the right to respect for private life laid down in article 7 of the EU Charter and article 8 of the European Convention on Human Rights is therefore examined in the essay. It is concluded that the right to respect for private life and the right to protection of personal data are closely related, and to a certain extent overlapping, but the special characteristics of the latter are highlighted. The concept of privacy, or personal integrity as it is usually called in Sweden, is examined in the essay and it is concluded that privacy is hard to define. This can be explained by the dynamic nature of the concept, which varies depending on the social context. Nevertheless, it is usually described as a concept and a right of great importance, although not an absolute right but a relative one. Furthermore, the challenges associated with the digitalisation of society with regard to matters of privacy are highlighted. The dichotomy between privacy and effective crime prevention is also further examined. A thorough examination is made in the essay of the EU law concerning privacy in relation to the protection of personal data, especially regarding the Data Protection Directive. The Data Protection Directive is the central legal instrument concerning privacy in relation to data protection within the EU and contains the specific rules for third country transfers of personal data. The prerequisites for a third country transfer of personal data to take place and possible derogations from the main rule, that an adequate level of protection has to be ensured, are presented and problematized. The recent CJEU ruling in the case Schrems, in which the court invalidated the European Commission’s decision to allow transfers of personal data from the EU to the US, is highlighted in the essay.
The establishment of independent supervisory authorities as an essential component of the protection of individuals with regard to the processing of personal data is also emphasized, in particular the possibility for the supervisory authorities to cooperate across national borders. The interaction between the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) and the EU Data Protection Directive is also examined in the essay. Furthermore, the provisions in the invalidated Data Retention Directive and the categories of data to be retained which, taken as a whole, allowed for very precise conclusions to be drawn concerning the private lives of the persons whose data had been retained, are touched upon. The essay also sheds light on the Swedish legislation for protection of personal integrity in the Swedish Instrument of Government and in the Personal Data Act. The fact that the explicit reference made to supervisory authorities is found in the Additional Protocol to the CETS No. 108, yet no distinction is made in the Swedish Personal Data Act between third country transfers of personal data to states which have ratified both the CETS No. 108 and the Additional Protocol, or just the former, is a problem that is particularly highlighted in the essay. It is concluded in the essay that the current system for third country transfers of personal data, retained in accordance with the Electronic Communications Act, still could be possible as long as the control by an independent authority is fully ensured. This is possible if certain prerequisites are met within the assessment of an adequate level of protection for transfers of personal data to third countries. These prerequisites would require a high standard regarding the control of compliance by an independent authority in a third country and may consequently imply that many transfers may not be able to take place.
The risks associated with mission creep, the expansion of a mission beyond its original goals, are also presented, along with how this might cause problems from a national security perspective. Furthermore, the possibility to transfer personal data to third countries based on the possible derogations in the Data Protection Directive or the Personal Data Act is viewed as doubtful in relation to the data retained in accordance with the Electronic Communications Act. However, they are not excluded as possible ways to perform third country transfers. Consent as a legal basis for third country transfers is particularly highlighted in the essay as one possible derogation. Altogether, an overview of the European Commission’s decisions on the adequacy of the protection of personal data in third countries and the standard contract clauses, which Member States have to comply with, is recommended. Lastly, the possibility to impose a future prohibition on third country transfers of the data being retained in accordance with the Electronic Communications Act is elaborated on, given the sensitive nature of the data being retained. Concluding remarks are made on the possibility to introduce mandatory prior checking for this specific category of personal data as a security measure.
