Complete GDPR loophole in Sweden for $233!

I’ve been researching the privacy issues of Swedish websites such as Hitta, Eniro, MrKoll, Merinfo and many others that automatically collect personal information on individuals from open and semi-open resources and often use it to make money.

It turns out that in Sweden, all these resources have applied for an exception from the GDPR as per the Freedom of Expression right (YGL) and received a formal letter that grants them immunity to... well, to anything in the GDPR. So, legally, they do not have to delete any personal data, nor are they obliged to secure its storage. And IMY (the Swedish Data Protection Agency) has accepted its defeat and says it can’t do anything to these websites:

To me, this looks like a classic legal loophole where the commercial websites use the utgivningsbevis to collect, process and get rich using the private and personal data of Swedish citizens and residents.

And all of it under the flag of Freedom of Speech – this means they can collect all possible data on a person and run around the internet with it, risking spilling it, leaking it and doing harm – all because they obtained the exception from the privacy rules.

Now, does obtaining an utgivningsbevis from the Media agency require the website to be a media outlet? Nope.

Is it given only to websites that exercise their Freedom of Speech actively – i.e. publishing original materials, voicing opinions? Nope.

The voluntary utgivningsbevis can be requested by and given to... basically anyone who agrees to call themselves a “responsible publisher”, and it costs SEK 2000 (using today’s exchange rate, about $233).

Here’s an automatic translation of the full criteria list:

So, in essence, you can collect personal data and do whatever you want with it – as long as it is connected to Sweden. And it takes precedence over the GDPR because of the realization of the constitutional act.

As of today, there are 1561 granted utgivningsbevis:

And many of them are just poorly designed commercial websites that found a loophole and used it – in my opinion, which is exercised under the same Freedom of Speech right as their utgivningsbevis.

Whistle Willow – whistleblowing solution in Jira or Confluence Cloud!

From December 17th, 2021, companies with more than 250 employees need to provide internal reporting channels for whistleblowing tips and suggestions – as per the EU directive on whistleblower protection.

First of all, what is whistleblowing and why does the EU protect it?

Whistleblowing is what Edward Snowden did to the NSA – he exposed the nation-wide illegal surveillance and tools, and in turn was declared an outlaw and had to flee the country.

Whistleblowing in general is about bringing threats or harm to the public interest to the attention of internal stakeholders or external entities. Protecting whistleblowers and their identities, and ensuring there is no prosecution for informing on wrongdoing, even if it goes against the company’s business interest, is extremely important – for both whistleblowers and companies. It creates a safe haven for reporters and lets them come forward with knowledge that would otherwise stay suppressed.

Establishing internal reporting channels and enabling a whistleblowing program needs to be simple, quick and affordable. And that is why I created Whistle Willow – a Jira and Confluence Cloud application that can be up and running in less than 5 minutes. Also, you get compliant with the EU Directive as a nice bonus.

Whistle Willow provides whistleblowers with a secure channel to submit their reports in Jira or Confluence, and the Compliance team gets to receive submissions, act upon them and keep the report updated with the latest changes and mitigations – all without revealing the identity of the whistleblower.

The entire stack of Whistle Willow operations, from A to Z, runs on the Atlassian platform. This means no data leaves it, and there are no external integrations required. The application is built on top of Atlassian’s next-gen serverless platform Forge and uses 100% of cloud benefits, while keeping the highest security standards. It can be installed from the Atlassian marketplace and is ready to be used with Atlassian accounts right after.

The security of reports is guaranteed by tenant isolation, unique encryption keys per tenant and randomized submission times for reports. The app allows establishing a two-way communication channel between the whistleblower and the report reviewer without revealing the reporter’s personal details.

Whistle Willow is made for whistleblowers and records no personal information in logs or submissions – and offers a 30-day free trial and one-click installation. Also, it costs less than $1 per user and has no hidden charges; all transactions are done via Atlassian. Check the website for more details, or install directly via the Marketplace.

Simplicity is really important for establishing a trusted and efficient whistleblowing program, and I believe that Whistle Willow can help more truths come out and let companies act upon them to improve.