1 Introduction

The history of collecting human biological samples in pathology clinics of Swedish hospitals goes far back, and there are today examples of tissue samples in paraffin blocks dating back to the end of the 1800s. However, the large collections at the university hospitals consist mainly of samples dating from the 1940s onwards. Biobanks in Sweden are under the supervision of the Health and Social Care Inspectorate (IVO), which holds an official register of the biobanks.Footnote 1

The biobanks provide an invaluable asset for medical research and are also extensively used for that purpose, albeit hitherto not to their full potential. This is partly due to the lack of a national biobank information system through which information about stored samples can be retrieved for research purposes. This chapter describes the proposed development of such a system. It also covers the general regulatory framework of biobanking, the regulation of personal data in research, and the impact that the General Data Protection Regulation (GDPR) may have on biobank research.

2 Biobank Infrastructure and Regulatory Environment

2.1 Biobanks in Sweden

In 2018, there were around 450 biobanks registered in the official registry for biobanks that held samples taken in a health care setting. In the 250 biobanks kept by the 21 county councils/regions which are responsible for healthcare and the 7 universities with medical faculties, there are over 150 million samples stored and 3 to 4 million samples are added annually. The largest biobanks are located in the county councils/regions, where an estimated 90% of all biobank samples in Sweden are stored. There are also biobanks at private companies such as pharmaceutical companies, private hospitals and caregivers, and at some public authorities, for example, the Public Health Agency and the National Food Agency.Footnote 2 The largest biobanks within healthcare are in the areas of pathology and cytology, carrying around 90% of samples, followed by microbiology, the PKU-biobank and biobanks generated in research, altogether around 7%. The PKU-biobank holds samples collected from the screening of all newborn babies in Sweden since 1975 (the screening started in 1965). The biobank is named after the first disease that was screened for. Today, 25 rare diseases are screened for,Footnote 3 and inclusion of a further disease is under way.

Information about patients and their samples is maintained in the county council/region laboratory information systems (LIS). There are several such systems in different fields of medicine and run by various software providers. The LIS information is part of a patient’s medical record. Some information from LIS is transferred to the Swedish Biobank Register (SBR), which aids in the tracking of patient samples across county councils/regions. The SBR is currently under construction.Footnote 4 Information on collections of samples mainly collected for research is handled in the parallel laboratory information management system (LIMS).Footnote 5 Besides SBR, a nationwide search register to aid researchers to find biobank samples and data is being proposed, as described in the following sections. Such a system would make it possible for authorities holding the register to find samples and link the information to other patient health data using the national personal identification number (PIN) at the request of researchers. Thereafter, an application to the biobanks for access to the samples of interest could be made.

A PIN is provided to each resident of Sweden by the Tax AuthorityFootnote 6 at birth or at a later point after immigration and is used to identify individuals in all sectors of society. National registers and databases using the PIN include not only medical records, statistical health data and vital statistics over long time periods but also demographic and socioeconomic data.

2.2 Regulatory Framework

This section describes the regulatory framework that exists for biobanking in general. Regulation of the use of biobanks in research is covered in subsequent sections.

The Swedish Biobank Act was enacted in 2002.Footnote 7 The Act covers tissue samples collected in healthcare and kept in Swedish biobanks, except samples that are not preserved for an extended time period.Footnote 8 The initiative to regulate biobanks came after a debate on the HUGO-project, which was an international project that conducted human genome organization to map the human genome.Footnote 9

In the Biobank Act, consent based on sufficient information is of central importance for sample processing. Samples may only be collected and stored in a biobank after the sample provider or, if the donor is a minor, his or her custodian, has been informed about that intention and the purposes for which the biobank may be used. Only after this can his or her consent be obtained.Footnote 10 The Biobank Act requires that this is recorded in the sample provider’s medical records.Footnote 11 Specific rules are in place for collecting and storing samples from embryos, foetuses and deceased persons.Footnote 12

The narrow scope of the Biobank Act has been seen as a problem, specifically because biobanks created outside healthcare are not covered. Further, the Act sets out rather complex consent rules, which are discussed further in Sect. 3.2. In addition, the provisions on the release of tissue samples and the transfer of biobanks have led to administrative burdens for the biobank organizations, which in turn led the government in 2008 to commission a committee to draft a new Act. The report was presented in 2010 but no legislation was enacted based on it.Footnote 13 Another committee, commissioned in 2016, presented its report in 2018.Footnote 14 As of Summer 2020, no legislation has been proposed, but it can be assumed that the government will do this in the near future. Meanwhile, the 2002 Act has been updated to be in conformity with the GDPR and the EU Clinical Trials Regulation.Footnote 15

With respect to the handling of information derived from the biobanks, there have been two issues to deal with: firstly, the possibility to search for and find samples of a certain type or pertaining to an identified person, and secondly, the handling of test results based on the samples. Proposals to handle these issues by creating a national register were put forward by a government inquiry in 2014,Footnote 16 in which a national register with information on sample characteristics as well as test results was suggested, and then another inquiry in 2018,Footnote 17 in which a national register was suggested, this time with information on sample characteristics such as PIN, type of sample, the time of sampling and contact information. All this information would be passed on to the responsible biobank, although test results on individual persons would be left out. Government action on these proposals is also expected in the near future.

3 Personal Data and Research

3.1 Implementing GDPR in Swedish Law: Introductory Remarks

Directly or indirectly identifiable samples and data must be handled in accordance with the rules pertaining to personal data in the GDPR and other international and national legislation. Sweden has enacted a Data Protection Act which lays down general, complementary rules to the GDPR. Both pieces of legislation are relevant for handling personal data deriving from biological samples as well as any other type of personal data.Footnote 18 In addition, there are special rules in the Biobank Act on how samples from a biobank may be accessed for research purposes.Footnote 19 In the handling of biobank samples for research purposes, the legislations concerning the processing of biological samples and the processing of personal data must both be taken into account.

Before going into these issues, the Swedish tradition of transparency and the principle of public access to official documents will be introduced briefly. This principle plays an important role in research by providing broad access to publicly-held health data, such as the many registries on health and living conditions held by Swedish authorities.Footnote 20 Openness and transparency have been part of the national constitutional identity of Sweden for centuries; the first Freedom of the Press Act that contained this principle was enacted in 1766.Footnote 21 According to the current Freedom of the Press Act, ‘everyone shall be entitled to have free access to official documents’; this is a right that can only be restricted on certain legal grounds and under a specific Act—the Public Access to Information and Secrecy Act.Footnote 22 All types of document are covered under this right to access, including electronic ones.

Article 86 GDPR allows Member States some regulatory space to ensure that personal data in official documents is disclosed in accordance with Member State law, in order to ‘reconcile public access to official documents with the right to the protection of personal data’.Footnote 23 Sweden has included such provisions in the Data Protection Act, stating that the GDPR and the Swedish Data Protection Act is not to be applied to the extent that it would be contrary to the Freedom of the Press Act or the Freedom of Expression Act.Footnote 24 Due to the strict regulatory regime set out in the Freedom of the Press Act, the right to access to documents can only be restricted by the Public Access to Information and Secrecy Act. Otherwise the document is public. This Act includes a legal basis for keeping personal data secret on condition that there is a risk that the data, after the document has been released, will be processed in conflict with the GDPR, the Data Protection Act or the Ethical Review Act.Footnote 25 Further, documents including information on health, sexual issues, etc., or statistical information, are covered by secrecy, based on different conditions for each category of information.Footnote 26 Researchers may be granted access also to confidential information subject to appropriate conditions, for example, that the information remains confidential and that all documents are returned or destroyed after the research project is finalized.Footnote 27

The Freedom of the Press Act also excludes the possibility to claim some other rights of the individual included in the GDPR. For example, an official document can only be culled in certain specific conditions, notwithstanding the rights to rectification or to be forgotten in regards to personal data recorded in an official document.Footnote 28 Further, the Freedom of the Press Act only recognises a right to appeal the denial of access to an official document.Footnote 29 A data subject cannot appeal the denial of the right of rectification in such a document or appeal the release of personal data from an official document based on the Freedom of the Press Act.

3.2 Consent and Processing of Samples from Biobanks

As described in Sect. 2.2, consent is of central importance for processing of biobank samples when the sample is included in a biobank as well as for the further use of the sample. How the information is to be provided, however, is not regulated in Swedish law, and the preparatory works state that this may vary depending on the purpose.Footnote 30 In Article 4(11) the GDPR has included a clear definition of consent for the purpose of personal data processing. In addition, the GDPR provides guidance on which information should be provided where personal data are collected directly from the data subject at the time of data collection or from another source at a later point in time.Footnote 31 These rules apply to any data derived from biological samples.

Research on human biological samples taken from a living person, and which may be linked to that person, must obtain ethical approval before it can be conducted.Footnote 32 Such a review is conducted by the Swedish Ethical Review Authority. The requirement also applies to research conducted on samples that are collected outside healthcare, and thus outside the scope of application of the Biobank Act. For samples taken within healthcare, rules on consent are made complicated by multiple consent rules since the collection and storage of samples for treatment and other medical purposes are also regulated in the Patient Act.Footnote 33

Further, according to the Biobank Act, samples may not be used for purposes other than those covered by prior information and consent without the donor being informed and consenting to the new purpose, unless permission has been granted by the Swedish Ethical Review Authority.Footnote 34

3.3 Consent and Processing of Personal Data in Research

As seen above, consent is of primary importance in the Biobank Act. Somewhat in contrast to the heavy reliance on consent in that Act, according to the GDPR consent is only one of several available legal grounds for processing personal data in research.Footnote 35 The Swedish legislator has not enacted a general rule regulating research in the context of the GDPR, but the issue was discussed in the preparatory works (an important source of law in the Swedish legal tradition) to the Data Protection Act. The government has stressed that the legal basis for processing personal data in a public context is normally public interest under Article 6(1)(e).Footnote 36 The public interest is spelled out in legal documents governing public authorities and other organizations, as required in GDPR Article 6(2). In general, this requirement is recognized as the principle of legality whereby governments must operate. If processing of personal data is necessary to fulfil the general commission or a specific task of the government organization, then public interest becomes the relevant legal basis for the processing. Legal documents may include laws, ordinances, government decisions and instructions to public agencies as well as some decisions made by public agencies, such as permissions granted by the Swedish Ethical Review Authority.Footnote 37

A general commission to perform academic research was established in the Higher Education Act.Footnote 38 The ordinance applies to higher education institutions for which the Government is the accountable authority, which includes the majority of Swedish research universities. This means that the legal ground for research under this Act is public interest and not consent. In many cases also research conducted by private entities qualifies if the research is regulated by any of the legal documents types listed above or based on a government or government agency decision. In some cases private entities conduct research that does not fall under the Act, for example, some of the research by pharmaceutical companies. When that occurs, the processing of personal data may be allowed by consent or under Article 6(1)(f), i.e. legitimate interest, which entails a case-by-case weighing between the controller’s legitimate interest of processing and the registered subject’s right to privacy protection. In general, the Swedish interpretation of the GDPR puts a strong emphasis on public interest as the default legal ground for processing personal data in research and other publicly-motivated activities.

This also applies to the processing of special categories of personal data (sensitive personal data) as regulated in Article 9.(2)(g). The Ethical Review Act requires that research in Sweden on categories of personal data listed in Article 9.1 GDPR as well as criminal convictions and offenses must be approved by the Swedish Ethical Review Authority.Footnote 39 Accordingly, the Act provides the legally based safeguard required for research performed in Sweden.Footnote 40 The ethical approval of a research project sometimes requires consent as a safeguard, but the legal basis of processing is normally public interest, as discussed above. The traditional requirement for consent in the area of medical studies may therefore be waived under special circumstances, including practical considerations when processing historical data collected across long time periods or very large volumes of data from national registries.

The collection and preservation of samples in biobanks, as well as their general availability for medical treatment and research purposes, is based on mandatory consent according to the Biobank Act as described above. In line with this, for research on biological material from a living person, the Ethical Review Act also prescribes mandatory consent.Footnote 41

As mentioned above, the GDPR offers a definition of consent in Article 4(11), which is further elaborated in Recital 42. When consent is used, that definition should be followed. It is almost identical to earlier definitions based on the Swedish Personal Data Act which implements the EU Data Protection Directive.Footnote 42 But processing of genetic data has now been added to what is considered to be special categories of data (Article 9(1) GDPR, in Sweden referred to as ‘sensitive personal data’Footnote 43). Hence, consent must be freely given, specific, informed, unambiguous and, in the case of sensitive personal data, explicit. It should be based on a statement or a clear affirmative action. The person providing consent must be given sufficient information before making the decision.

The possible scope of consent given for research has been widely discussed.Footnote 44 Article 4(11) GDPR states that consent must be specific and explicit. Swedish medical and social research is frequently based on large data collections preserved over long time periods. Modern epidemiological theories highlight the necessity of very long follow-up periods to investigate the effects of sometimes inherited individual properties and long term exposures to risks starting far back in time. This is relevant, not least for medical research using biological samples. The need to be more open to a broad description of the final purpose of the research is acknowledged in Recital 33 of the GDPR. At the current point in time, the practical importance of Recital 33 for how consent can be obtained for research has not been definitively resolved in Swedish law.

A couple of additional remarks regarding the requirement of explicit consent for sensitive data are needed. According to the current Swedish interpretation, this additional requirement does not exclude consent given orally or by a clear affirmative action, such as knowingly participating in a clinical study.Footnote 45

Further elaboration is needed with respect to the possibility to collect samples and derive data from them for widely defined research purposes. An exception to the rules in Article 5.1(b) GDPR on specific purposes is found in the Biobank Law, which allows for the long-term preservation of biobank samples in repositories together with data on the sample providers. The samples and data may only be used for the purposes for which they have been collected and received consent, unless it is for a research purpose which has been approved by the Swedish Ethical Review Authority or is located within an approved clinical trial.Footnote 46

4 Individual Rights and Safeguards

4.1 General Legislation on Derogations from GDPR Rights in Swedish Law

As mentioned above, in addition to the rights described in Chapter 3 of the GDPR, individuals are protected by the Public Access to Information and Secrecy ActFootnote 47 for any information held by a public authority. This law is based on the constitutional Freedom of Press ActFootnote 48 and provides strong protection against unwarranted disclosure of personal information from official records.

In addition, Sweden has enacted a Data Protection Act which lays down general complementary rules to the GDPR. Initially, a specific Act for research data was plannedFootnote 49 but in a rather late stage of the legislative process rules concerning processing personal data for research were included in the Data Protection Act instead. With this approach, the possibility to make research exemptions and derogations has been implemented in a minimalistic manner, relying on the rules in the GDPR to be applied directly or with already-existing Swedish rules that correspond to the allowable derogations. The government has been delegated the power to enact further regulations to implement exemptions under Article 89.2 GDPR, though no such rules have been enacted as of Summer 2020. The view taken has been that existing national legislation sufficient covers the needs, while being in accordance with the GDPR. Some small and predominantly formal changes have been made in a number of laws and ordinances pertaining to specific registries in the social and medical sector which are frequently used by researchers. As an example, the existing national legislation provides a possibility for a donor to withdraw consent for use of the sample at any time. If the withdrawal applies to all types of use, the sample must be destroyed or anonymized immediately.Footnote 50

4.2 Technical and Organizational Safeguards

According to Article 89.1 GDPR, safeguards must be included to protect personal data in research. In the case of sensitive personal data, such safeguards have to be based on legislation. Procedures for informed consent in biobanking and in research, and requirements for ethical approval, were discussed above (Sects. 3.23.3). In the proposed law on processing personal data in research it was initially planned to explicitly state that the existing procedure for ethical review was a legal requirement for sensitive data in order to strengthen pseudonymization as a preferred safeguard and to make the possibility to opt out from a research project a non-disputable right. In the end, however, the corresponding rules in the GDPR were seen as providing sufficient levels of protection with respect to the right to object to processing and the option to use pseudonymization as a safeguard. In addition, the Swedish Ethical Review Act was considered to already meet the requirement of being a legally grounded safeguard for sensitive personal data. The Swedish Data Protection Act includes a general safeguard rule for purpose limitations in research according to which researchers may only use personal data collected for research purposes to take action vis-a-vis the data subject, if there are particular reasons for the vital interests of the data subject.Footnote 51 Further, the so-called ‘Life Gene Act’, enacted as a response to regulatory difficulties to collect information for a major long term research infrastructure project named Life Gene, states that a data controller must limit the electronic access to personal data to what each person needs to be able to fulfil his or her work tasks in relation to the register.Footnote 52 Direct access to personal data in the register is forbidden.Footnote 53

4.3 Further Adaptions on Rules for Informed Consent in Biobank Research

As mentioned above, all research on human biological samples, sensitive personal data and personal data on criminal offenses must obtain ethical approval before being conducted.Footnote 54 Further, the Biobank Act requires specifically informed consent for collecting and storing samples.Footnote 55 With the proposed Biobank Act, it is suggested that the rules for information, consent and withdrawal in healthcare and research should be applied to biobanks. Accordingly, the Data Protection Act, the Patient Data Act Footnote 56 and the Ethical Review Act for research on identifiable biological samples should be applicable also for samples stored in biobanks.Footnote 57 No rules for consent were therefore proposed to be included in the new Biobank Act. According to the proposal, the Patient Act would give the patient a right to be informed and a right to either withdraw the sample or limit the allowable use of the sample.Footnote 58

The obligation to inform and the right to object to processing in the Patient Data Act does not meet the general GDPR requirement of valid consent. It is not based on a statement or a clear affirmative action but instead requires action by the data subject if he or she wishes to be excluded. But the rule does correspond to the right to object to or restrict processing stated in Articles 18 and 21 GDPR. The Patient Data Act strengthens this right by removing the limitation of the right to object included in Article 21(6) GDPR so that it applies to all patient data, except to those that fall under the communicable diseases legislation on public health hazards.Footnote 59

4.4 Proposals for Further Legislation

Two further legislative Acts have been proposed but not yet enacted, namely, as mentioned above, a new Biobank Act,Footnote 60 and further, an Act that provides long-term regulation of research databases.Footnote 61 Both would be important for regulating the processing of personal data for healthcare and other population-based registries in research, as well as for the creation of a national biobank register where samples can be traced for utilization in research and combined with other clinical data.

5 Law in Context: Individual Rights and Public Interest

5.1 Minimalistic Regulatory Approach, But Hardly a Restrictive View on Research

As seen above, the Swedish legislator has taken a minimalistic approach when it comes to implementing exemptions for handling personal data for research purposes. No general exemptions have been introduced. Instead, the Swedish legislator has chosen to rely on the GDPR directly and on general Swedish law already in place. This could be interpreted as an indication that Swedish law is restrictive in relation to the use of personal data in research, but this is not a correct conclusion.

First, the preparatory works for implementing rules on processing of research data clearly state that the exemptions in the GDPR are to be applied in Sweden.Footnote 62 As described above, according to the government much of the previously-existing Swedish legislation provides such exemptions. The motive for not including any further exemptions is thus that they are already in place and are GDPR-compatible. Further, it may be argued that the wide access to personal data via Swedish public registries in itself calls for a high level of protection for the data subjects concerned.

Second, as mentioned above, academic research is widely seen as a public interest laid down in the law,Footnote 63 which makes it the basic legal ground for research that uses personal data in the field of public health as well as in other areas. This extends to much research carried out also by private research entitiesFootnote 64 which otherwise would have to rely on consent or legitimate interest.Footnote 65 Hence, public interest opens up the possibility to use large databases with personal data collected over long time periods in health-related research.

Third, Sweden has a long tradition of keeping registries with information on identified persons and deceased individuals for the entire or large parts of the population. Statistics Sweden, a government agency producing official statistics, keeps at least 40 registers that are interesting for research. The National Board of Health and Welfare keeps some 15 registers on health, healthcare and social services, such as the national cancer register, the national patient register, the causes of death register, etc. The county councils collaborate around a system of clinical care registers (so-called healthcare quality registers). Currently, there are over 100 clinical registers in different fields that have attained certification as national registers and are partly intended for research use. All of these resources can be used together with biobank data in research.Footnote 66

As mentioned above, since 1947 all Swedish residents have been assigned a PIN, a personal identification number, that applies to all sectors of society and is used by private as well as government organizations as a common mean of identification. The PIN consists of a date of birth and an additional four digits. This provides a fertile ground for register-based research, which can include personal data from biobanks if there is a system whereby biobank data can be found and combined with other register-based data. This would make it possible to combine data from all the registers on the individual level and make retrospective cohort studies of a number of important health problems. Such a searchable national register of biobanks holdings is being proposed as part of the new biobank legislation but has not yet been implemented.

5.2 Further Legislative Reform: Research Databases

There are currently three legislative Acts in force providing possibilities for researchers to build research databases based on personal data from public registries for research purposes which can be used for several purposes within a broadly specified field of research.Footnote 67 A recent governmental inquiry proposed a new Act on research databases which may replace these Acts. The inquiry pointed out that Sweden has a world-leading position in terms of statistics about living conditions and health, and that the proposed Act could provide a stronger regulatory framework to promote an effective use of existing registers and databases in research adapted to modern database and data protection technology. This would make it possible to build new infrastructure for research within broadly defined subject matter areas consisting of both new data and data collected from the public registers. It is proposed that the instrument of ethical review be expanded so that universities can be granted permissions to build national research databases which are accessible exclusively for research and not available for other purposes. The inquiry recommends as an additional safeguard to use remote access to such national research databases when possible instead of distributing a great number of copies of personal data files across the research community. Similar proposals have been discussed in neighbouring countries but have not, to the knowledge of the authors, been proposed as legislation.

As mentioned above, a national biobank register intended for tracing samples collected in Swedish biobanks is also being proposed, which would be accessible for researchers.Footnote 68 Efforts have been made to develop comprehensive patient-oriented medical records which would also be accessible for researchers.Footnote 69

6 Future Possibilities for Biobanks in Research

6.1 Consent and Public Interest

The future role of consent is a matter of uncertainty in the context of biobank research where the handling of samples legally based on consent has to go hand in hand with the processing of personal data in research based on public interest. A similar problem exists in how the pharmaceutical and medical technical industry can obtain permission to collect and keep data for partly proprietary research purposes, given that the basis for processing and preserving data in this area is also based on consent at the time of data collection. The consent given in both these contexts is a general purpose consent, which is at odds with the GDPR principles. The interpretation of Recital 133 on the scope of consent for research processing will be of importance here, as well as the reliance on public interest as the basis for the processing of large data holdings preserved over long time periods where renewed consent becomes impossible in practice.

6.2 Public Disclosure, Secrecy and International Collaboration

Beyond the GDPR and the proposed national laws on biobanks and research databases, the Freedom of the Press Act and the Public Access and Secrecy Act establish important rules governing the access to official documents, including personal data held by the authorities. The secrecy rules of statistical authorities and healthcare providers differ. This has created legal obstacles for the possibility to use a national biobank register to search for samples and combine them with clinical information from healthcare or clinical registers, which has not yet been resolved. The Public Access and Secrecy Act seems to limit the possibility to make the wide searches in population registries that are necessary to find matching cases in morbidity/mortality registries and biobanks in order to build relevant research databases for cohort studies of the biological and social determinants of health.

In addition, the Public Access and Secrecy Act may make it more difficult to achieve the cross-country free flow and exchange of data within the EU that is a goal of the GDPR.Footnote 70 The exchange of personal data for research purposes with third countries is still curtailed by this Act as well, since it requires a guarantee that Swedish law on freedom of information and secrecy will be upheld in the country receiving the personal data. The enactment of the GDPR did not change this fact as it respects existing national legislation in this area.Footnote 71

The matter is further complicated by the difficulty to create international agreements that will extend GDPR data protection rules to territories outside the EU. For instance, this applies to research collaboration with the USA. It has not been granted an ‘adequacy decision’ demonstrating that appropriate data protections are in place, which would enable transfers to proceed without additional justification or safeguards.Footnote 72 The US-EU Privacy Shield does not serve that purpose for public agencies since it is focused on commercial transfer.Footnote 73 US authorities are not able to agree to all of the contractual provisions set forth by European counterparts due to statutory conflicts with US legislation.Footnote 74 Whether the derogations listed for important reasons of public interest in 49(1)(d) GDPR would apply to some specific transfers of research data without the receiving country’s adherence to the GDPR has not yet been sufficiently explored.

7 Concluding Remarks

In conclusion, the Swedish regulatory framework for allowing the use of health data for research is, on the one hand, rather permissive, giving researchers wide access to registries, but, on the other hand, a bit ambiguous. No specific legal basis for processing personal data in research has been introduced in law, but the government has indicated that this is not needed given the legal context that already exists in which public interest is the default.

In general, the research exemptions in the GDPR have not been implemented in a clear and unequivocal manner in Swedish law, thus leaving researchers with an imprecise and ambiguous framework. Lastly, several governmental inquiries have been undertaken over the years, and these have made proposals for clearer and, to some extent, less burdensome regulations for biobanking and register-based research. As of Summer 2020, these have not been enacted. To what extent the GDPR has affected the policy choices of the Swedish legislator is therefore uncertain.