Library of Congress

Law Library of Congress

Global Legal Monitor

Sweden: Data Inspection Board Statement on Social Media Sites

(July 29, 2010) Sweden's Data Inspection Board (DIB), the country's key data protection agency, said in a statement issued on July 5, 2010, that it is the legal responsibility of businesses and government agencies to monitor all data that appears on their official blogs and social media sites, such as Facebook. The DIB stressed that the businesses and agencies should have established procedures for the removal of posted personal information deemed offensive or potentially capable of compromising privacy, including all third-party postings. Failure to comply might constitute a breach of data protection provisions under the Personal Data Act or even, in more serious cases, criminal liability for violation of the Penal Code's data protection requirements. (Marcus Hoy, Swedish DPA: Companies, Agencies Liable for Third Party Posts on Social Media Sites, PRIVACY LAW WATCH (July 8, 2010), Bureau of National Affairs online subscription database [has link to DIB statement, in Swedish]; Swedish Penal Code (Brottsbalk) (SFS 1962:700) (as last amended July 1, 2010) [in Swedish]; Personal Data Protection: Information on the Personal Data Protection Act (4th rev. ed. 2006) [SFS 1998:204] (with amendments to the Act taken into account up to SFS 2006:398).)

The DIB statement was based on three data inspection reports it had compiled, detailing three different organizations' increasing use of Facebook, Twitter, and blogs. The individual reports were on the data management practices of a federal government agency, a local government body, and an amusement park that used Facebook to attract potential employees. Although the DIB found no serious breaches of privacy by the organizations, it ruled that all three should be considered “data controllers,” as defined under the Personal Data Act, “and thus be responsible for all data that appeared on their official Facebook sites and blogs.” (Hoy, supra.)

A data controller, according to the Act, is a person (usually a legal person) who, alone or with others, decides the purpose and means of processing personal data; the controller also selects the third parties to be given access to the processed data and determines when data is to be erased or blocked. (Id.) However, the DIB noted, “the responsibility for third party comments made by 'followers' of an organization's posts to the online networking site Twitter did not fall within the scope of the act, as such third party messages were not administered by the organizations' 'official' websites.” (Id.)

The DIB pointed out two problem areas in particular with the inspected organizations' data management. There were adequate guidelines for removing inappropriate information, the DIB found, but not for allowing user reporting of offensive, inaccurate, or privacy-breaching data. An additional concern was the limited ability of the organizations to administer social media sites, because those sites kept “ultimate administrative control” even though they provide guidelines for organizations on appropriate posting and remedial measures. (Id.) Therefore, DIB Director General George Graslund posited in the July 5 statement: “[w]e recommend that agencies, municipalities and businesses that use social media should set clear rules and internal procedures … . [These should include] what a Facebook page will be used for, what can occur there and how it is managed by an organization's administrators.” (Id.) The DIB plans to develop new guidelines on personal information displayed by organizations on their social media channels, according to the statement. (Id.)