Many have reacted with surprise on the near absence of enforcements coming from Scandinavian DPAs since GDPR entered into effect May 2018.

And for sure, compared to a relatively much higher activity level from southern Europe, Scandinavian authorities has not lived up to their reputation of being fast moving.

However, one other peculiarity with Scandinavian governance is its near total transparency, now disclosing that a storm is in fact coming.

Swedish DPA, Datainspektionen, has until now only issued two fines, however, in their newly published annual report, in full disclosing the authorities activities under 2019 in accordance with Swedish transparency law, we get a better idea of what is actually coming – both in Sweden and in the rest of Europe.

  • Swedish DPA has independently started 60 cases under 2019.
  • Swedish DPA has been lead authority for another 60 open cases, involving cross boarder investigations.
  • Swedish DPA has under 2019 been actively involved in 610 cross boarder cases lead by other countries DPA.

Although it is highly unlikely all of these 730 cases will lead to fines, it is certain most of them will, and organizations better prepare for a different reality under 2020, one that Swedish DPA calls “The second wave”.