Covid-19 pandemic and data protection issues in Sweden by Patricia Jonason

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Sweden’s approach for fighting the spread of Covid-19 has been described by some as “the Swedish experiment”. What does this approach consist of (1)? In which measure did Sweden make use of data-driven responses for containing the pandemic (2)? Which Covid-19 related issues has the Swedish Data Protection Authority focused on (3)?

The Swedish approach in the fight against Covid-19

Unlike many other countries, including its Nordic neighbours, Sweden has not taken abrupt and drastic measures such as instituting a clear-cut lockdown to contain the spread of the virus. Indeed, although some prohibitive measures have been taken, such as prohibiting public gatherings of more than 50 people and visits to elderly homes, the majority of the measures have taken the form of strong recommendations, such as encouraging the closure of universities and high schools or discouraging the use of public transportation. In practice, the situation could be described as a form of “soft lockdown”.

The Swedish strategy, which is focused on “flattening the curve” in order to avoid overloading the healthcare system while also minimizing disruptions to society, may be described as a pragmatic approach. At its core, as the Swedish government puts it, it consists in “taking the right measures at the right time”.

This approach is based on a governance model without ministerial rule but strong State Agencies which benefit from a high level of public trust (as in the case of the Public Health Agency, FHM), combined with far-reaching decentralization and local self-government. Another explanatory factors for the measured approach include a relatively civic-minded population. Last but not least the lack of robust legal tools that would allow the Government to take more drastic measures may also explain the soft strategy. This shortcoming was nevertheless temporarily (April 18 to June 30) remedied by means of the enlargement by the Communicable Diseases Act of the delegation of regulatory power from the Parliament to the Government.

The national strategy has by and large been accepted among the Swedish people although mounting death tolls (5,500 deaths due to Covid-19 on 10 July 2020) has led to rising criticism.

The more soft-handed actions taken by Sweden to combat the spread of Covid-19 is also evident in regard to data-driven responses for combating the pandemic.

Few data-driven responses for combating the pandemic

No governmental digital contact tracing system has been proposed and a drafted national platform for digital testing has been scrapped.

Indeed, so far Swedish authorities have been sceptical in regard to the use of digital contact tracing based on mobile phone data. An uncertainty concerning the legal framework as well as privacy arguments, alongside an unwillingness to divert resources, has led the authorities to look past the idea.

The Swedish Data Protection Board (Datainspektionen, DI) has published some information on this issue on its website. It reminds readers of applicable data protection principles and of the importance to ask the DI for prior consultation if there is still a high risk to the rights and freedoms of the data subjects after having carried out a Data Protection Impact Assessment (DPIA). The DI indicates on its website that it has not received such requests yet.

The DI further explains that a specific legal framework applies for localisation data and consequently states a shared responsibility with the Swedish Post and Telecom Authority (Post- och telestyrelsen, PTS). However, when asked whether it had received requests concerning issues related to contract tracing applications, the PTS answered that it had not.

Concerning applications used by the public authorities themselves, the DI assesses that Parliament “might need to ensure that there is sufficient [legal] basis for [such] measures”.

In the meanwhile, some non-governmental actors, such as a group of researchers at the Royal Technology Institute, which is a public university, have developed their own contact tracing applications.

Even digital testing through self-assessment has received tepid support. The Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap, MSB, which is in charge of issues concerning civil protection, public safety, emergency management and civil defence)

had come far along in the design process for a national digital testing platform before the project was scrapped following criticisms. Local authorities and the organisation which represents and advocates these authorities, the Swedish Association of Local Authorities and Regions (SKR), criticized indeed the project, inter alia because they had not themselves been included in the process and did not find the purpose of mapping the contamination sufficiently convincing.

The service, which the MSB believed could have been extended to include contact tracing, consisted of an online coronavirus questionnaire for mapping symptoms and behavioral changes because of Covid-19. The project was inter alia meant to improve public policies and had a pedagogical purpose; “to make all individuals in Sweden reflect on their own behavior and thereby increase the willingness to follow public recommendations”. The MSB would have acted as the data controller for the involved processing and participation would have been on a voluntary basis.

The data protection and cybersecurity aspects had been taken into account throughout the design process. The Swedish State would have been the owner of the data which would have been stored in a data centre in Sweden. No personal data related to the answers would have been processed. Even though the MSB assessed that processing was not likely to result in a high risk to the rights and freedoms of natural persons, it decided to carry out a DPIA according to Art. 35 of the GDPR. Facing scepticism from the local authorities and also from the FHM, the MSB decided to end the project.

There are however academic initiatives, such as a symptom tracker application launched by researchers at Lund University in order to “help map the spread of infection in Sweden and increase knowledge of the coronavirus”.

The monitoring of Covid-19 cases is carried out by the Public Health Authority by means of a range of public health surveillance systems. The most important of them is the electronic surveillance system SmiNet to which physicians and laboratories notify cases of communicable diseases. This system of surveillance, based on the Communicable Disease Act (2004:168), includes the processing of Covid-19 related data since an amendment of this Act. Personal data, including the identification number, is registered. The system has strong safeguards for data security and privacy, such as restricted access and strict confidentiality rules. The other surveillance systems consist of voluntary laboratory reporting, sentinel surveillance and syndromic surveillance.

The issues selected by the Swedish Data Protection Authority

The DI has been posting information about Covid-19 issues and links to relevant European documents on its website since March.

The DI focuses more specifically on four issues for which it has received many questions: the above-mentioned issue of Contact Tracing, Personal Data issues relating to the coronavirus (especially in relating to employee-employer relationships), Distance learning, and the Live-streaming graduation ceremonies.

On its website, in a Q&A section with the heading Coronavirus and Personal Data, the Swedish Data Protection board answers potential questions, mainly for employers and employees.It also addresses data protection questions raised by distance learning. Indeed, even though primary schools have not been closed, some children have not attended school or done so only sporadically during the crisis, obliging teachers to partly transition to distance learning. Additionally, high schools and universities have been closed since March following recommendations of the Public Health Agency and have since carried out all teaching virtually. One may note that this recommendation ended on 15 June but that universities will probably continue to carry out online teaching for the foreseeable future.

The DI refers to the data protection principles, its own guidelines for data controllers within schools and preschools, and insists on information security as an important part of the data protection work for which it also provides a checklist. Additionally, the DI refers to the guidelines published by the Polish Data Protection regarding Security of personal data during remote learning.

Another practical question of great interest for all Swedish schools and colleges that is handled on the DI’s website since the beginning of June is the question of the possibility to stream graduation ceremonies or even to record them. The DI recalls that graduation ceremonies are related to educational activities and that such data processing is therefore motivated by a public interest. The DI even explains that the situation created by the Covid-19 pandemic may allow for certain kinds of processing that would not be allowed in normal times.

Patricia Jonason Associate Professor in Public Law at Södertörn University