This article is available to Members of The Local. Read more Membership Exclusives here.
A recent newcomer to Sweden, Dani* was "horrified" when she found information about her spouse, her car, and her pet through Google as soon as she received a personal number. In a conversation with The Local, the woman said she has a "personal problem" due to which she needs her data to be hidden, but websites like Eniro, Ratsit, and Hitta had already published it.
It is hard to keep such things private in Sweden: the so-called ‘principle of openness’ is a part of the country’s famed press freedom law. Dani, like many in Sweden, was hoping that General Data Protection Regulation (GDPR) coming into effect across the EU on May 25th 2018 could help her get off the grid. But would it?
The two kinds of data held and how GDPR impacts it
Companies like Eniro, Ratsit, and Hitta process two types of data, Sara Malmgren, a Senior Associate from legal firm Foyen Advokatfirma explained in a written comment to The Local.
The primary kind is the information that they obtain from Swedish authorities such as the Tax Agency (Skatteverket), and publish in their databases.
By obtaining a “publishing certificate” Eniro, Ratsit and Hitta have a constitutionally protected right to publish those databases, similar to exercising their right to free speech.
"The companies with a publishing certificate do not need to delete personal data due to GDPR. They can choose to do it anyway, but it's something they do voluntarily,” communications manager Per Lövgren from the Swedish Data Protection Authority wrote in an email to The Local.
GDPR does however cover the second type of personal data used by Eniro, Ratsit, and Hitta: the kind they collect when you start an account with them and use their services.
That could be your IP address, your username or your password. "This is not published and they must act in accordance with GDPR regarding that information, as must anyone with a customer database, like H&M or (supermarket chain) ICA with their membership schemes," lawyer Malmgren noted.
With regards to that type of data, GDPR gives you the right "to be forgotten" or the “right to erasure” if certain conditions apply, she continued. Those conditions are listed in article 17 here.
Despite not being obliged to do so, when Dani contacted Eniro, Ratsit, and Hitta requesting that they delete the first form of personal data held on her her, she received a positive response.
Removing data from Eniro, Ratsit and Hitta: how it works
You can send the form to Eniro over email and the request will be processed within 3-4 days. It is not necessary to specify the reasons for your request.
Ratsit asks users to send a request through the contact form on their website and promises a response within 30 days. When Dani filed her request, she received an application form, seen by The Local, which may be sent back by regular mail to their office in Mölndal.
The applicant does not need to state any reason why they wish to have data removed, but Ratsit points out that is not legally obliged to complete your request.
The same page reminds that you need to make sure your phone number is also listed as private by your network provider, otherwise the data will be republished. In order to process your request, Hitta also requests you have a Swedish Bank ID.
As such, while Dani says she managed to get her data unpublished from Eniro and Ratsit, the process with Hitta is taking some time as the newcomer hasn’t yet received a Bank ID. “I am still crossing my fingers that the reason I wanted to lay low hasn’t already got the data before I removed it,” she added.
Since May 25th Ratsit has received and completed 500 such requests. The Local also contacted Eniro and Hitta on the matter, but has not yet received any response.
A further law change could come into force in 2019
In 2017 the Swedish government proposed changes to the freedom of speech regulation that covers companies like Eniro, Ratsit, and Hitta. The Ministry of Justice proposal advises limitations on search services that contain potentially sensitive personal data. This would include, for example, political opinions, religion, skin color, health and sexual orientation. But due to risks it poses to press freedom the proposal was widely criticized, SVT reported.
Since such changes would require amendments to the Swedish constitution, the parliament needs to approve the alterations twice, usually in two successive terms with qualified majorities. The first vote could be replaced with a referendum, an idea proposed by the Sweden Democrats in February 2018, and a general election must take place first.
*Name changed in order to protect the identity