Data Act (Sweden)

The Data Act (Datalagen) is the world's first national data protection law and was enacted in Sweden on 11 May 1973. It went into effect on 1 July 1974 and required licenses by the Swedish Data Protection Authority for information systems handling personal data.

History
Information and communications technologies (ICTs) were far developed in Sweden due to multiple circumstances and the use of computers in public administration was introduced relatively early. Furthermore, the concepts of transparency, public access and openness were traditionally widely present in Swedish society. Widespread public concern was raised in 1969 due to the year's public census.

In 1969, the Royal Commission on Publicity and Secrecy was set up to investigate problems associated with the increasing use of computers to store and process personal data. They provided the initial analysis, recommendations and drafts that addressed these problems. In July 1972, they published their report Computers and Privacy (Sw. Data och integritet).

The Data Inspection Board (DIB), proposed in the report, was set up in July 1973.

In April 1973, the Riksdag uncontentiously passed the Data Act, also proposed in the report, which only slightly modified the commission's draft. It then came into force in July 1973. An associated amendment to the Freedom of the Press Act was adopted in February 1974 − around the same time as the Credit Information Act and the Debt Recovery Acts which regulated computerized credit information.

Problems and succession
As the law's data registration and transborder data flow requirements were considered cumbersome and confusing by private and public organizations and the DIB was soon overcome by the magnitude of registrations the law was amended in 1982 which made the private sector and the government more self-sufficient in terms of registration.

After several more amendments in 1989 a Commission on Data Protection was set up to make a total revision of the act. The commission submitted its final report in 1993 recommending a new Data Protection Act based largely on the then current second proposal from the European Commission for an EC Directive. In 1995 Sweden joined the European Union which had adopted the Data Protection Directive in the same year and a new committee was entrusted with making recommendations on the implementation of the directive and a new total revision of the Data Act. In 1997 it presented a report on the implementation containing a proposal for a new Personal Data Act.

The law was then superseded on 24 October 1998 by the Personal Data Act (Sw. Personuppgiftslagen) that implemented the 1995 EU directive. The 1973 law mainly focused on automated computer processing systems containing assignable information of living persons and not data processing in general and was considered to be outdated in many respects for many years.

The law
The act required a prior permit from the DIB for each computerised personal data register. When a permit was given, the Board issued tailor-made conditions for that register. It did not contain many provisions on when and how the data should be processed, or general data protection principles.

Those who were subject of data contents were guaranteed freedom of access to their records. Exporting data on Swedish citizens outside the country required a license as well which wasn't granted when it was discovered that this was done to evade the regulatory requirements of the law. In 1979 the Swedish government issued a report which also raised concerns over critical data exported to other countries potentially becoming a target of terrorist organizations.

It also requires responsible persons to pay compensations when individuals suffer damage due to incorrect information about them.

The law also criminalized data intrusion but only intended to penalize persons physically breaking into offices to change data and did not consider Internet-based hacking at the time.

Earlier data protection laws
In October 1970 a data protection law went into effect in the West German state of Hesse − the Hessisches Datenschutzgesetz.