1. Digitalising the Public Sector in Sweden
From a rule of law perspective, it is clear that digital transformations of public services and decision-making are means to an end, rather than a goal in itself. However, when navigating a broad legal landscape which harbours multiple intermediary goals, comprising also service and efficiency objectives, the specific mandates of the rule of law values may not always be clear. It therefore becomes evident that the realisation of the ‘rule of law’ within the digital realm depends on legal and practical materialisation at various levels in the legal frameworks and administrative structures governing the integration of technologies into public activities. Careful consideration of the interplay between the technologies, legal requirements, and the administrative structures in which the technologies are to be implemented is therefore necessary.
Sweden generally exhibits a high level of digital maturity. However, it consistently attains higher rankings in terms of economic and societal digitalisation than it does regarding digital public governance. While ranking outcomes are largely dependent on the specific focus with which they are performed, as well as on the methods used, the Swedish public administration does exhibit quite large variations in the manifestations of digitalisation or automation implementations between different authorities. These variations encompass both the breadth and focus of the digital or automated services provided to citizens, and the extent of digital or automated support systems employed to facilitate operations and decision-making processes. Here, the underlying course and trajectory of this development have been influenced by the interplay of administrative culture and organisation combined with the legislative culture and organisation. The subsequent sections will therefore delve into the foundational legal aspects of the Swedish administrative model, to provide a background for further analysis of how the rule of law underpins and interacts with Sweden's regulatory approach and response to digitalisation within public administration.
1.1. Introduction to the Swedish Administrative Model
When trying to summarise the features of a nation’s administrative legal order, one generally must start at the constitutional level, since the constitutional acquis sets the framework for the administrative order both institutionally and in terms of powers. The Swedish constitutional order is commonly described as being of Scandinavian or Nordic type. Common characteristics are a rooting in the Roman civil law tradition and a primary reliance on codified laws (distinguishing judges from formal law makers). Furthermore, the incorporation of a social dimension in legal reasoning, a significant emphasis on the role of the people's will in law-making, and a tradition of legal cooperation among Nordic countries are distinctive features. From an international, and in part also from a Nordic perspective, the Swedish administrative order, however, displays some unique characteristics which bear on the national strategies, advantages and challenges in furthering the digitalisation process within the public sector.
In Sweden, the constitution and governance are founded on a separation of functions rather than a separation of powers. Importantly, the Swedish administrative order does not build on a ‘separation of powers’ doctrine and is therefore not arranged around ideas on balancing of powers between a legislative, executive and judicial branch. The foundational principle is, instead, the notion of popular sovereignty (folksuveränitetsprincipen), which builds on the idea that all public power emanates from the people, for which the democratically elected Parliament (riksdag) is the main representative. This means that the will of the people will be channelled through legislative acts (as they are adopted by political bodies which have been attributed legislative powers by the people). The constitutional order of Sweden thus emphasises the democratic rule of law principle, where legislators via attribution are meant to enjoy a fairly generous space for manoeuvre precisely because they are channelling the will of the people.
That the will of the people can change, and that the legislature therefore may adapt to changing circumstances or policy concepts through rapid regulatory changes, is thus an important part of the idea of popular sovereignty. Consequently, constitutional limitations on legislative power or the role of the courts in limiting it have traditionally not been so strong. Today, Sweden is bound by several international agreements, where not least the ratification and incorporation of the European Convention on Human Rights, ECHR, into Swedish law, as well as the membership of the European Union, have imposed limits on the Swedish legislature’s powers. In turn, this means that the Swedish ‘will of the people’ often cannot have the same direct impact and turnaround in the design of national legislation as the principle of popular sovereignty implies.
The Swedish administrative tradition is generally considered to be of east Nordic type, essentially meaning that there is a particularly strong kinship to the Finnish administrative order. Important features are the existence of designated administrative courts and a high degree of institutional independence for administrative authorities. This autonomy has an organisational component in that those authorities which organisationally fall under the Government are seen as free standing and independent from each other. This autonomy and independence (between the authorities) is also reinforced by the fact that the Parliament, by law, and the Government, by ordinance or other directives, allocate different responsibilities and assignments to these authorities (which are also often regulated in different regulations). The fairly strong independence of Swedish government authorities also has a normative component in that the constitutional Instrument of Government states that no administrative authority, including the Government, or decision-making body of any municipal authority, may determine how an administrative authority shall decide in a particular case relating to the exercise of public authority vis-à-vis an individual or a municipality, or relating to the application of law. As a main rule, this means that the administrative authorities’ application of law must be made independently and without political influence.
Despite this relatively strong independence from Government or other authorities, there are means of control for Parliament as well as Government over national administrative authorities. They may (under the limitations set by the Instrument of Government) decide which tasks are to be assigned to which authority and add or delete such tasks by regulation or decision. Another important instrument is of course the budgetary power, where it is the Parliament that decides on the respective budgets of the authorities based on proposals made by the Government. The Government thus possesses considerable influence over the functioning of government authorities, but lacks authority to interfere with the authorities' decisions regarding the application of the law or their exercise of power in specific cases. While in many other nations, individual ministers have the power to directly intervene in an authority's daily operations, this is not the case in Sweden. Instead, collective decision-making by the Government and the prohibition against instructing authorities in individual matters are measures to prevent ‘ministerial rule’. The Government is responsible for monitoring and preventing any such rule. In the event that the Government finds that an authority has not correctly implemented a law, the available recourse is thus to seek amendment of the relevant legislation.
In other words, the idea is that Parliament should exercise its control over the national administration through legislation. The same applies to a large extent to the Government's control of its state authorities, although these possibilities are not as limited. Authorities have a duty of obedience to the Government, but this is limited in three important respects. Firstly, the Government's ability to control the administration is limited by legislation passed by Parliament, and thus the Government cannot issue binding directives to an authority that contravene a law passed by Parliament. Secondly, the Government can only take decisions that are binding on the authorities as a collective, which means that individual ministers cannot direct the authorities' activities. The third important restriction is the aforementioned requirement of independence, which means that the authorities must observe independence when applying the law and taking decisions in individual cases involving the exercise of public authority. One could say that this arrangement expresses the idea of a division between the political and administrative levels – in that the authorities are supposed to function independently within the organisation of the Government.
However, the strong position of the principle of popular sovereignty does not mean that the legislative mandate is reserved exclusively for Parliament. Legislative power may in many cases be delegated, not only to the (politically constituted) Government, but also to a large extent to parliamentary, government or municipal authorities. Swedish authorities together account for the majority of Swedish regulations. In summary, this means that the Swedish public sector is highly decentralised, with municipalities, regions and government authorities typically each making their own decisions when it comes to digitalisation and IT.
1.2. A Model Built on a Separation of Functions Rather than of Powers
The Swedish administrative organisation is divided into three levels – national, regional and local – at each of which elections are held to democratically composed decision-making assemblies.
At the national level, the elected assemblies consist of the Parliament (riksdag) and the (indirectly elected) Government (regering), both of which have legislative powers. The detailed division of legislative powers will not be discussed here, but Parliament is the main legislator, and the division of legislative powers is regulated in Chapter 8 of the Instrument of Government. The Government is assisted in its work by the Cabinet Office, which is mainly made up of a number of ministries with different responsibilities. By international standards, Sweden has a relatively small Government Office. This is explained by the fact that administrative tasks are largely carried out by authorities that fall under the Government (there are currently some 340 such authorities).
At the regional level, Sweden is divided into 21 counties where each county is administered by a government regional authority, a County Administrative Board (Länsstyrelse). Their tasks include, for example, coordinating regional emergency preparedness and the management of certain environmental issues, and issues related to regional business, social development, animal welfare, gender equality, integration, transport, infrastructure, and housing. Also at the regional level, Sweden is divided into 20 different so-called ‘regions’. These are primarily responsible for health care, but also hold other responsibilities in areas such as regional development strategies and planning for regional transport infrastructure.
Finally, at the local level, Sweden is divided into 290 municipalities. Each municipality is run by a municipal council, which is an elected assembly that makes decisions on municipal matters. Municipalities are responsible for services such as schools, elderly care, culture and leisure, and water and sewage.
Although regions and municipalities have different geographical responsibilities and different overall responsibilities, there are also many overlaps and similarities between their basic legal powers and functions. Both regions and municipalities are constitutionally empowered to levy taxes on their residents to finance their activities. Both regions and municipalities also enjoy a fairly high degree of independence from Parliament and Government through the constitutionally enshrined so-called principle of local self-government. This means that municipalities and regions are, by default, granted the authority for self-determination that is independent and unrestricted. While the central government is responsible for ensuring that local governance functions in a manner that supports a stable economy, it also establishes some limitations for self-governance through legislation. However, municipalities have the right to exercise autonomy beyond what is prescribed by the Parliament and the Government within the established framework. Only the Parliament can limit this autonomy by imposing tasks on regions or municipalities by ordinary legislative acts.
The constitutional mandate for local self-government states that any restrictions on municipal self-government should not go beyond what is necessary with regard to the purposes that have prompted it. Taken together, this essentially means that the Parliament is obliged to respect a principle of proportionality before placing any statutory burdens on regions or municipalities, thus creating a presumption of local self-government. Despite the constitutional status of the principle, however, it must be said that the activities of both the regions and the municipalities are today largely governed by law. Despite this principle of local self-governance, there is thus nevertheless extensive statutory regulation that imposes a number of mandatory tasks on municipalities. In addition, there has been a tendency to impose more and more statutory tasks on municipalities, with a consequent reduction in the scope for local self-government. Swedish state control over municipalities and regions has increased especially since the early 1990s, both through regulatory control and through targeted government grants or agreements and strategies with more or less detailed objectives. This has, for example, spurred a debate in political and legal literature on the de facto strength of the principle. In other words, despite local self-government, there is still a relatively substantial basis for the Parliament to control parts of local government work. Notably, this control has not been extensively exercised in the realm of digitalisation matters. However, one important exception, to which I will return in section 2.3, is the introduction in the Local Government Act (Kommunallag (2017:725)) of a power to make decisions automatically for a large part of municipal decision-making.
In summary, the Swedish administrative structure, characterised by its national, regional, and local levels, reflects a tiered and decentralised governance approach. The relatively strong independence that these levels have in relation to each other also creates a dynamic interplay of autonomy and collaboration. This has shaped a diverse landscape where regions and municipalities, while constitutionally empowered for self-determination, navigate a regulatory environment that has evolved over time, impacting the extent of their local self-government. As will be developed in the next section, this is also one critical aspect discussed in relation to Swedish governance strategies for the digitalisation of public administration, highlighting the balancing between local autonomy and centralised oversight in the face of technological advancements.
1.3. Digitalisation in the Face of the Decentralised Swedish Administrative Order
It is a recurring notion, surfacing both in research and in legal policy contexts, that the Swedish administrative model may not be well suited to the realisation of broad and comprehensive digitisation strategies. The manifestations and the legal anchoring of this notion are, however, rarely explored in depth. What is usually meant is that the Swedish decentralised administrative structure, and the relatively large degree of independence that the authorities enjoy within it, can make it difficult to implement digitalisation initiatives which require cross-sectoral solutions and initiatives. The separate and independent authorities are usually responsible discretely and individually for interpreting their regulated mandates, where, as has been shown, neither the government nor other authorities are allowed to exert pressure (although the government does have the authority to influence such initiatives mainly through regulation). As will be shown, neither the Parliament nor the Government makes much use of their options for detailed regulatory control of digitalisation initiatives in public administration. Although increasingly common, it is still fairly unusual that statutory obligations to implement specific digitalisation initiatives are placed directly on public authorities. More common is that the Government opts to, via decisions or appropriation directions, assign authorities to cooperate with a defined set of other authorities for a defined digitalisation objective. Such governance options are, however, only available to the government in relation to government authorities. For the municipal level (both local and regional), the government’s available governance tools include the enabling or encouraging of digitalisation initiatives by, for example, allocating budget funds.
In 2018 the OECD concluded, in an evaluation of Sweden's digital transformation, that Sweden is far ahead in utilising the opportunities of digitalisation, but that the government needs to develop its capacity for analysis and monitoring in order to improve its governance of the sector. Partially against this background, the Swedish Agency for Public Management (Statskontoret) (which is the Swedish Government’s organisation for analysis and evaluation of state and state-funded activities), evaluated the Swedish government's digitalisation governance. The authority found that there are few Swedish authorities with direct statutory responsibilities in relation to national public digitalisation policy (it identified the Swedish Post and Telecom Authority (Post- och telestyrelsen) and The Agency for Digital Government (Myndigheten för digital förvaltning), DIGG, as having the most explicit and pronounced responsibilities). The authority, however, also found that responsibilities for various initiatives which contribute to those same digitalisation objectives were distributed amongst around 60 other Swedish authorities. One general finding was that the Government mainly controls these initiatives through temporary government assignments (rather than through regulation), and that many authorities contribute to digitisation objectives more indirectly by implementing various digitisation initiatives of their own within the framework of their instructions. The summary conclusion was that this arrangement overall appeared reasonable given that digitalisation should be seen as a means of achieving objectives in other areas. The overall assessment was therefore that the Swedish Government as a whole has an administrative structure for implementing initiatives in most areas of the national digitalisation strategy.
On a similar note, DIGG, in a 2022 follow-up of the digitalisation of government authorities, concluded that while the Swedish administrative structure may be associated with some challenges to coordinated digitalisation initiatives, it can also be seen as particularly well suited to managing the changes brought about by digitalisation – precisely because the model is both decentralised and dynamic. Instead, the authority identified that the biggest challenges stem from a lack of understanding of what digitalisation of public administration means, as well as from a lack of a fundamental vision of how it can contribute to the development of society. DIGG emphasised collaboration between the various actors in the administration and open communication between the Government Offices and the authorities as a path to success.
The view that the Swedish administrative model creates challenges for the digitalisation of public administration is, thus, not unanimous. However, even though opinions on the drawbacks or benefits of the administrative model’s configuration in relation to the feasibility of substantial digitisation initiatives may differ, it remains grounded in a multi-level governance system. This system intricately delegates the exercise of public power to an (in itself) intricate structure of public authorities, each possessing a substantial degree of independence from the central government. In the context of public sector digitalisation, this has meant that much of the digitisation work undertaken by Swedish authorities to date has taken place within the separate authorities. As will be seen further on in this section, the Swedish government has in many cases, at a general level, pressed for the imperative to increase digitisation, automation, or the use of artificial intelligence in public administration, and has also allowed these ambitions to be reflected in the budgets of the authorities. However, in general there has been little direct steering of the authorities' digitisation work by the Parliament and the Government. As a result, there is relatively little national legislation that directly regulates digitisation efforts or the conditions for, for example, automating administrative activities. At the same time, however, the EU, through regulations such as the General Data Protection Regulation and the Single Digital Gateway Regulation, has introduced direct imperatives or requirements for Swedish national authorities to collaborate as well as design and implement the technical solutions required for compliance.
The Swedish constitutional framework, in conjunction with its administrative structure, is thus designed to ensure that government authorities apply the law and make decisions in individual cases autonomously, free from interference by the government or other entities. As a result, digitisation efforts within the Swedish public administration have frequently operated with limited direct national political oversight. However, as the Swedish mode of governance revolves much around governance by law, it is time to turn to the general tendencies in the Swedish legislative approach to digitalisation efforts within public administration.
2. Swedish Rule of Law and Good Administration Principles in Light of Public Sector Digitalisation
The digitalisation and automation of public administration has the potential to introduce tensions concerning the administration's capacity to uphold the rule of law and principles of good administration in varied ways. This may involve diverse aspects of the authorities' activities, including a reduction in transparency as technology introduces an element of opacity to the exercise of their power. The digital transformation could also introduce or amplify risks to personal integrity, life, health, and national security, adding layers of complexity and potential vulnerabilities in these areas. These examples underscore the intricate interplay between technological advancements and legal frameworks, highlighting their implications for the rule of law and good administration in the context of public sector digitalisation. The subsequent sections will therefore, from the perspective of Swedish public sector digitalisation, delve into main aspects and regulatory conditions for public sector digitalisation across human rights, constitutional, and administrative law levels.
2.1 Swedish Public Sector Digitalisation and Human Rights Law
A comprehensive account of Sweden’s international commitments is not expedient here. Sweden is, however, an EU member state and has also ratified several international human rights instruments, including the United Nations, UN, Convention on the Rights of the Child, CRC, the UN Convention on the Elimination of All Forms of Discrimination Against Women, CEDAW, the UN Convention on the Rights of Persons with Disabilities, CRPD, and the UN International Convention on the Elimination of All Forms of Racial Discrimination, ICERD. Sweden has also ratified several regional human rights instruments, including the Council of Europe’s European Convention on Human Rights, ECHR, and the European Social Charter, ESC, (with the revised charter).
Of the above-mentioned instruments, the ECHR and the CRC enjoy special legal status in Sweden as they are both legal instruments which have been incorporated in the national legal order. The ECHR is often said to enjoy a semi-constitutional status, as Chapter 2 Section 19 of the constitutional Instrument of Government prohibits any regulatory body from adopting any law or other provision which contravenes Sweden’s undertakings under the ECHR. As the EU Charter of fundamental rights, CFR, in turn, holds the rights guaranteed in the ECHR as the minimum standard for the rights of the charter, this means that the ECHR and thus the ECtHR case law must be taken into consideration by national legislators utilising the space for manoeuvre provided for by EU and other national legislation to regulate and implement different digitalisation strategies. No comprehensive legal study on the ECHR’s influence on the design of Swedish national legislation affecting the legal conditions for digital public administration has yet been done. However, at least in those legislative inquiries which have been broadly tasked with examining the boundaries of current law as well as the need for legislative initiatives in the field of digitalisation, especially discussions about the Article 8 ECHR right to respect for private and family life seem to have been influential. This is the case mainly against the background of the technologies’ associated risks of increased privacy intrusion through their reliance on, or capacity to, process large amounts of personal data. There is, however, as of yet, no national case law where the rights and freedoms of the ECHR have been tried against the imposition of limitations on what national legislation may permit in a national and digital administration setting.
The CRC’s legal status in Sweden has a different orientation than the ECHR’s. The convention has no constitutional anchoring but is since 2018 incorporated into Swedish law via the Law (2018:1197) on the United Nations Convention on the Rights of the Child (Lag (2018:1197) om Förenta nationernas konvention om barnets rättigheter), which states that the Articles 1-42 of the CRC shall apply as Swedish law. The stated aim was to clarify for those tasked with applying Swedish provisions affecting children’s rights, such as administrative authorities and legal practitioners, that they must interpret such provisions so that they conform with Sweden’s obligations under the CRC. Consequently, the CRC should therefore be applied by authorities and courts as a binding legal instrument (although the CRC does not take precedence over national legislation). As of yet, the incorporation of the CRC does not seem to have led to any direct national regulatory imprint in relation to the legal conditions for digital public administration. There are, for example, no direct national provisions related to technologically assisted public administration operations concerning children (such as automated decision-making or profiling, for example).
However, there are examples where the CRC's fundamental principle of the best interests of the child, through its substantive manifestations in national law, has been viewed to limit the possibilities of automating decision-making concerning children. Although the principle of the best interests of the child antedates the CRC in parts of Swedish national law, the Convention reinforced the principle's legal status and impact outside the area of custody and access issues. In preparatory works relating to the legal conditions for municipalities to engage in automated decision-making, the type of procedural requirements introduced to ensure that account is taken of the best interests of the child were discussed as possibly affecting which decisions on children can be automated. The preparatory works exemplified and expressed the opinion that the legal requirements for carrying out adoption investigations (Chapter 14, sections 4-5 of the Children and Parents Code (Föräldrabalk (1949:381))) must be taken to mean that only a natural person can perform them. Another mentioned example was the requirement in Chapter 11, Section 10 of the Social Services Act, SSA, (Socialtjänstlag (2001:453)), requiring that children must be given the opportunity to express their opinions in matters relating to them. As it was considered difficult to ensure that the child's views in such cases were accounted for by other means than a natural person, the view was that the regulation prohibits fully automated procedures where applicable. A further example is the regulation in Chapter 3, Section 3 a of the SSA, which imposes special competence requirements on caseworkers who perform certain tasks in cases involving children and young people. This reasoning from the preparatory works has later been included in the non-binding but influential guidelines on automated decision-making in local and regional municipalities issued by The Swedish Association of Local Authorities and Regions.
The CRC and its applications in Swedish national law thus have effects on the legal conditions for automating administrative tasks involving benefits or responsibilities relating to children.
As indicated above, a complete overview of the impact of Sweden's international or regional commitments on the national legal landscape for different aspects of public administration digitalisation cannot be given. In addition to the already mentioned instruments, the Convention on the Rights of Persons with Disabilities, CRPD, is, however, also one instrument which has influenced Swedish law in various ways – and of interest here particularly in the area of digital services by public administrations. Sweden, like all member states of the EU and the EU itself, has ratified the CRPD. The convention intersects public digitalisation strategies or regulations as it includes obligations on the accessibility of public services and lays down obligations to ensure that digital services and decision-making systems respect the privacy of persons with disabilities. The CRPD’s most direct influence on the Swedish digital public administration arises by proxy of the EU’s Web Accessibility Directive, which draws from and builds on the CRPD. The Swedish implementation of the directive is found in the Act (2018:1937) on accessibility to digital public services. The act establishes a general obligation for public authorities as well as for other specified actors performing public tasks to comply with the accessibility requirements under regulations issued pursuant to the Act. More specific digital accessibility requirements are therefore specified and fleshed out by DIGG (via delegated regulatory powers), as well as supervised by DIGG in terms of compliance.
Furthermore, the CRPD has also laid the basis for the national Ordinance on the responsibility of state authorities for implementing disability policy. This ordinance places obligations on government authorities to ensure that their premises, activities and information are accessible to people with disabilities, and Section 1 of the ordinance explicates that the CRPD shall provide guidance in this work. Administrative authorities implementing digital solutions must therefore ensure, among other things, that technical choices, interfaces or the design of various public digital services do not exclude potential user groups. They must also try to ensure that new technologies are compatible with various additional services such as assistive devices that people with disabilities may need. Here, the Swedish Agency for Participation (Myndigheten för delaktighet) has a monitoring role, for which the CRPD is also to form the basis of the work. The authority’s overarching assignment is to promote the implementation of disability policy. The authority is also specifically assigned to contribute to the development of knowledge in matters relating to ‘welfare technology’. This assignment, among other things, includes monitoring and where necessary participating in strategically important national and international standardisation in welfare technology and accessibility, and working to ensure that accessibility and universal design are included in relevant standards.
This short account for Sweden’s international and regional legal commitments shows that these make up an intricate web of obligations in the human rights law area, which intersects with digitalisation policies as well as digitalisation legislation in different ways. As introduced in section 1.3, the Swedish legislature generally has not made much use of the option to enact technology specific regulations. Consequently, the considerations related to international and regional legal commitments, particularly in the field of human rights law, are not concentrated within dedicated technology regulations. Instead, these considerations are often dispersed across various sectors and regulations that are often designed without a specific focus on technology.
2.2 Swedish Public Digitalisation and Constitutional Law
At the constitutional level, the Swedish legal framework is built up around four fundamental laws: the 1974 Instrument of Government, the 1810 Act of Succession, the 1949 Freedom of the Press Act, and the 1991 Fundamental Law on Freedom of Expression. Of these, especially the Instrument of Government and the Freedom of the Press Act have impacted the legal conditions for public administration digitalisation, while having a predominantly technologically neutral design.
The Instrument of Government contains, inter alia, fundamental provisions on the form of government, fundamental rule of law principles as well as basic protection of personal integrity. An in-depth analysis of the potential impact of these regulations on the digitalisation of public administration is beyond the scope of this section. However, some examples of where the administration's digitalisation efforts have led to discussions about compatibility with the regulation may be noted.
The Parliamentary Ombudsman has, for example, found practices where digital communication is treated more favourably timewise than analogue (paper) communication without objective reasons to be in breach of fundamental requirements to observe equality before the law as well as objectivity and impartiality. In the case, the Migration Agency had prioritised online applications over paper-based ones, for the reason of encouraging people to apply online. Another example relates to the social services’ use of so-called welfare technology in performing care tasks. The core question has been whether the use of such technologies could conflict with the constitutional protection against significant intrusion into personal integrity (where such intrusions take place without consent and involve monitoring or mapping of the individual's personal circumstances), as protected in Chapter 2, Section 6 of the Instrument of Government. The Swedish committee on welfare technology in elderly care in 2020 identified the perceived legal uncertainties in the area to be a decisive obstacle to the government’s policy objective of increasing the use of such technologies. Against this background, the Swedish government has therefore adopted specific statutory regulation explicitly clarifying that such uses must be based on consent of the individual and their cohabiting family.
Lack of clarity about the constitutional limitations on the digitalisation of public administration has been identified by various official inquiries. One such example, which was highlighted by the Digitisation Law Committee (Digitaliseringsrättsutredningen), is the legal uncertainty regarding if and under what circumstances the utilisation of private companies for developing systems used to make automated decisions may conflict with the express prohibition in Chapter 12 Section 4 of the Instrument of Government against delegating administrative functions which involve the exercise of public authority to other legal entities or to individuals without statutory recognition. Another example is that the Integrity Committee (Integritetskommittén) identified diverging interpretations and applications of Chapter 2 Section 6 of the Instrument of Government between different official inquiries, authorities as well as within the Government Offices. The provision protects individuals in their relations with the public institutions against invasions of personal privacy, and thus aims to strike a balance between, inter alia, individual interests of privacy protection and the benefits of integrity-intrusive data processing often associated with public administration digitalisation. The committee stressed that a more uniform understanding and application of the provision would benefit both the protection of privacy and the digitalisation of the administration.
For digitalisation, the Freedom of the Press Act also importantly features a general principle of public access to official documents. In relation to the digitalisation of public administration, this principle has primarily raised questions about when information should be considered official in digital contexts. Unlike when both internal as well as incoming and outgoing communication was primarily handled through paper documents, the transition to new digital communication and data management methods has in some cases been associated with certain difficulties in assessing what the right of access to official documents covers in digital contexts. By extension, questions about transparency in the digital administration have therefore been raised, where the right to transparency in automated decision-making has received particular attention. Unlike the Instrument of Government, the Freedom of the Press Act does contain some specific provisions that have been added to clarify its application against the background of some technological developments. Following a legislative proposal in 2001, the act now includes a specific provision on so-called material recorded for automatic data processing. Clarifications on the scope and meaning of the principle of public access to official documents have also been made in case law. The Supreme Administrative Court, for example, has clarified that computerised messages, so-called cookie files and global/history files, are official documents, and that the same applies to e-mail logs of the authorities. A related challenge is that digitalisation has shifted the focus from the documents themselves to the information content or data as the carriers of information. Questions have then arisen about the extent to which the authorities, within the framework of the principle of public access to official documents, must assist in compiling information that is not readily available.
Here, for example, the Supreme Administrative Court, with reference to a statement in the preparatory works of the act, has stated that the provision in Chapter 2, Section 3, second paragraph of the Freedom of the Press Act is an expression of the principle of equality, which means that the public should have access to computerised information to the same extent as it is available to the authority. However, the court did not consider a compilation of data from a recording for automated data processing that requires a labour input of 4–6 hours to be accessible with such routine measures as referred to in the provision.
As shown by the examples above, there have been some discussions as well as legal developments regarding how Swedish constitutional provisions impact the legal conditions for digitalising the public administration. Generally, however, complex legal questions on the boundaries and application of constitutional provisions in specific digital contexts are often left to the authorities themselves to resolve through statutory interpretation. Further legal analysis or developments in case law would therefore be welcome.
2.3 Swedish Public Digitalisation and Administrative Law
At the administrative level, the Administrative Procedures Act (Förvaltningslagen 2017:900), APA, serves as the legal framework in Swedish law that delineates the fundamental standards governing effective and legally sound administrative practices. Its primary objective is to ensure legal certainty in interactions with public authorities. The APA is generally applicable to all processing of matters at administrative authorities as well as the processing of administrative matters at the courts. The applicability of specific APA provisions may be overridden through exceptions in ordinary acts or government ordinances, but overall, the regulation has a broad scope of application to public sector operations. It is thus an important component of the legal, technical, and organisational infrastructures within which the authorities at the national as well as regional and local levels operate. The APA is therefore also a central piece of legislation to ensure that the digitalisation and automation of public administration do not challenge the soundness of their operations from a rule of law perspective. The Swedish emphasis on and preference for a technology neutral approach to legislation is also evident in the APA. The technology-neutral design of the APA means that the actual materialisation of the various legal certainty requirements in the regulation’s provisions needs to be interpreted and applied to digital environments, both internally within authorities and in relation to individuals.
Over the past 40 years, the APA has undergone two major reforms, in 1986 and 2017. Already at the time of the 1986 reform, public authorities were using technology to varying degrees to process their cases. The 1986 APA did not, however, contain any provisions that specifically regulated either the digitalisation or automation of case administration. The preparatory works did nevertheless hint at an emerging recognition that different types of technological support were becoming an increasingly integral aspect of the administrative practice, as these made clear that the act applied also to automated procedures and automated decision-making.
The first time the APA was subject to any amendments explicitly aimed at adapting the wording of the legislation to some features of technological developments was as late as in 2003. An express (and since then repealed) provision which established an obligation for authorities to respond to private individuals via telefax or email was then introduced.
By the time of the 2017 reform of the APA, the technology use had obviously increased significantly in most areas of public administration. There were discussions on whether and how to reflect this new standard mode in the APA, and the initial proposal of the 2017 APA did include some substantive provisions relating to digitalisation - in particular to the handling of electronic documents and how to determine their time of arrival. These proposals did, however, not follow through to the final act. Proposals for some more technology-specific or digitalisation-friendly provisions in the APA have continued to be made to some extent. Some of the discarded proposals of explicit regulation on the handling of electronic documents were, for example, repeated by the Digitisation Law Committee (Digitaliseringsrättsutredningen) shortly after the 2017 APA entered into force. That inquiry, which was tasked with proposing legislative amendments to improve the legal conditions for a digitally cooperating administration, also made further propositions for additions and amendments to the 2017 APA – such as to add an express obligation for authorities to appropriately designate one or more digital reception functions and rules on digital communication (including a right for individuals to notify that they do not wish to communicate digitally). However, none of these proposals have yet been realised. Even though there have been some investigations and proposals to provide the APA with more specific regulation in relation to the increasingly digital forms of administration, the regulation is thus still essentially characterised by a technology-neutral approach.
As will be elaborated, an exception to the APA's essentially technology-neutral approach is that the regulation since its 2017 reform clarifies that decisions may be made automatically. The relevant Section 28 of the APA is, however, primarily of a declaratory nature. The provision does not specify the substantive conditions for lawful automated decision-making but was rather implemented against the background of many years of legal uncertainty as to whether automated decision-making in Swedish administrative law should be considered to require explicit legal authorisation. Before the 2017 APA, public automation efforts had been the subject of some, but not particularly intense, discussions in legal research and the legislative process. As fully automated decision-making became more prevalent in Swedish public administration, debates did emerge particularly around the legality of such practices and whether specific statutory recognition was a prerequisite. This legal uncertainty was reflected through the fact that specific legislation expressly allowing for specific automated decision-making was introduced in some legislative sectors, such as the social security, tax and transportation sectors, while automated decisions were also made in other government sectors without any such specific statutory authorisation.
A public inquiry carried out by the so-called E-delegation (E-delegationen) investigated and made the overall assessment that Swedish law did not require any explicit statutory recognition for the authorities to make decisions automatically, and recommended as a consequence that all the sector specific regulations allowing for automated decision-making that had already been introduced should be repealed. Perhaps boosted by the E-delegation’s conclusions, it over time became widely accepted that government authorities could switch from manual to automated decision-making without the need for express legislative authorisation. Against the recommendations of the E-delegation, however, some sector specific regulation authorising automated decision-making remained in force. Requests for a clear and comprehensive regulation were therefore reiterated, and eventually led up to the introduction of the provision that made it expressly clear that no specific legal authority is required for public automated decision-making in Section 28 of the 2017 APA. The government acknowledged that automation has become increasingly prevalent in those parts of the administration that handle a large volume of cases, and by enshrining the use of automated decision-making in law, it sought to eliminate the need for specific rules in sector-specific acts. The specified overarching goal was to improve the conditions for the continued growth of digital administration.
Without further specification, Section 28 now simply states that decisions can be made automatically, and according to the preparatory works this merely codifies the law that had already been established. The first paragraph in Section 28 now reads as follows:
'A decision can be made by an officer on their own or by several jointly or be made automatically. In the final processing of a matter, the reporting clerk and other officers can participate without taking part in the determination.'
The novelty here is the addition of the phrasing ‘or be made automatically’ to the provision regulating how decisions may be made. Notably, however, the provision does not impose any explicit limitations or include any additional criteria or instructions regarding which types of decisions are suitable for being made automatically.
Section 28 of the APA thus makes clear that there are no formal constraints on automating any type of administrative decision-making, while at the same time also making it clear that it is not a qualifying rule (but rather one of declaratory nature). Whether a particular decision may be made automatically must thus be assessed against the broader legal context in which it is to be made. For one, the automated decision-making system must operate in a lawful way, meaning that it must comply with substantive rules such as data protection rules, data security rules, etc. It also means that the automatic decision-making process must meet the fundamental requirements of legality and equal treatment, as well as the principles of good administration set out in the APA (such as those provisions aimed at materialising the right to be heard or the duty to state reasons, for example).
Since the fact that a system has a lawful design does not guarantee that it will also produce lawful decisions, a system’s capacity to support or make both procedurally and substantively correct decisions also needs to be qualitatively evaluated before it can be put into lawful use. While such a qualitative evaluation is predominantly risk-based, the question of whether a system can be trusted to produce lawful decisions is of course imperative from a legality as well as a broader rule of law perspective. It is noteworthy here that Swedish administrative law does not, either in the APA or in any other comprehensive administrative regulation, expressly regulate the responsibility for conducting such proactive or preventive evaluations of an automated system’s functionality. However, such obligations in some cases apply under European law. Express obligations to make data protection impact assessments where a type of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons follow from Article 35(1) GDPR. In 2019, for example, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten) found the municipality of Skellefteå to have acted in breach of Article 35 GDPR for having deployed facial recognition tools for purposes of identification in local schools without having performed a data protection impact assessment. Furthermore, as far as the technologies used will qualify as AI technologies under the EU Artificial Intelligence Act, AIA, this regulation will at least for high-risk AI systems (such as those deployed in the areas of access to and enjoyment of public services and benefits) likely require fundamental rights impact assessments and conformity assessments before they are put into use, as well as risk management systems to be implemented and maintained during their use.
Thus, even though there are some regulations in place at the EU level requiring impact assessments to be made prior to the use of IT systems for public administration or decision-making in cases where the risks of adverse consequences are high, and even though the principle of legality contains an abstractly formulated requirement to assess, consider and minimise risks of unlawful practices, there are no explicit, general or comprehensive rules at the Swedish national level. For Swedish authorities assessing whether an automated system can operate lawfully as well as with low risk of adverse consequences to legality or proportionality, for example, the APA is therefore a key legal instrument to serve as a yardstick for the rule of law requirements to be realised. At the same time, and as a result of the technology neutral approach of the APA combined with the relatively sparse commentary or explanation in legal preparatory works as well as in case law, there are many legal issues still in need of clarification in order for the act’s framework in the digital context to emerge more clearly. Some of these issues, including the national discussions around them, will be addressed below.
One example where the APA’s technologically neutral language has led to legal uncertainty relates to how the legality of digital administrative practices should be affected when they take a form that in a strictly formal sense does not match the wording of the regulation. As an example, Section 31 of the APA states that for every written decision there should be a document showing which person or persons took the decision (or were the reporting officers or participated in the final processing without taking part in the determination of the decision). As this requirement is not realisable in contexts where decisions are made fully automatically (as no human decision-maker has taken part in the decision and therefore cannot be named), a formalistic interpretation of the Section 31 requirements would mean that the APA, despite Section 28 expressly allowing for automated decision-making, hinders such decisions. The preparatory works of the APA do directly address this issue from a pragmatic standpoint and argue that since automated decisions may not fulfil all the formal requirements regarding what information is to be included in written decisions, such requirements should not be taken as obligating the authorities to structure their decision-making process to include all information at all times, including in cases of automated decision-making. This argumentation was based on an application practice that had been established around Section 21 of the Government Agency Ordinance (Myndighetsförordningen 2007:515), which is a corresponding rule to Section 31 of the APA but which only applies to Government authorities. In other words, the preparatory works indicated that information which was not relevant to a specific decision-making process, such as names in automated decision-making, may be omitted from the formal decision.
Today, however, there are still some public authorities which have express exemptions from the obligation to name decision-makers while other public authorities omit the decision-maker's name from automated decisions without any explicit statutory exemption from the letter of Section 31 APA (just as argued in the preparatory works of the APA). This piecemeal regulation has been perceived as leading to unnecessary legal uncertainty, as is clear from government official reports both before and after Section 28 of the 2017 APA was enacted. As of yet, no amendments have, however, been envisaged.
Another example of when the APA’s aptness to protect values of good administration and the rule of law in digital contexts has been discussed relates to whether the range of legal safeguards included in the regulation is sufficiently equipped to counterbalance those risks which may be specific to certain technologies or their uses. A specific example relates to the fact that neither the APA nor any other national regulation contains any explicit provisions requiring human oversight of automated decision-making processes. This is noteworthy given that the notion of ‘human oversight’ over technologies used in public administration, as will be seen, is likely to assume increasingly strong regulatory contours in the coming years.
Human oversight measures are usually stressed as safeguarding measures which may (ideally) counterbalance some of the risks arising from the rigidity and datafication on which digitalisation or automation may be premised in technologically supported exercises of public power. Which particular practices the notion of human oversight may include is a matter of legal as well as scientific debate. In essence, however, the rationale behind human oversight typically involves utilising the more context sensitive judgements of humans to help identify errors or inconsistencies in the workings or outputs of automated systems, to prevent any inherent biases or injustices from affecting the subjects over whom the systems assist in exercising powers. The functions of human overseers may thus include perceiving and accounting for nuances and complexities which are relevant from a legal perspective, and factoring in discretion and human contextual assessments that may reveal a decision to be unfair or erroneous in a specific situation. Human oversight is thus a concept which may include many different more specific practices as well as focuses which the human overseer shall exercise in the course of his or her ‘oversight’. The appropriate focus and sufficient extent of such oversight is also a matter of debate, as is the extent to which elements of human oversight can be expected to counteract the risks of automation through complex systems.
That human oversight is becoming an increasingly stressed safeguarding measure is visible through the right not to be subject to solely automated decisions enshrined in Article 22 GDPR, the EU AIA’s Article 14 regulation of human oversight over high-risk AI systems, and the Council of Europe’s draft of a new Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law. As of yet, Article 22 GDPR and the right not to be subject to a decision based solely on automated processing (of personal data) is the only one of the abovementioned provisions that has entered into force. The article establishes a main rule prohibiting fully automated decision-making. It does not, however, introduce a general right to human oversight where public administrations make fully automated decisions, as the article also includes important exemptions to that prohibition. Importantly, Article 22(2)(b) allows for decisions to be made fully (solely) automatically if authorised by Union or Member State law to which the controller is subject if this law also lays down suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject. For public sector decision-making, Article 22 GDPR thus allows for rather generous exemptions, albeit conditional upon there being an appropriate level of safeguards assured through regulation. From the Swedish perspective and in the context of the digitalisation and automation of the national public administration, a relevant question has thus been whether a sufficient level of safeguards by the standards of the GDPR is guaranteed through the national legal system. Against this background, the APA, as it applies to the handling of matters at administrative authorities, has naturally been of interest in the national discussions.
Although the GDPR was underway at the time of the 2017 APA revision, the preparatory works of the latter regulation did not touch upon whether Article 22 GDPR would prompt the need for introducing any specific safeguards in the national system. Later discussions in preparatory works as well as amongst legal scholars have, however, related to the interpretation of Recital 71 of the GDPR, as it states that any fully automated processing, even if mandated by law, should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention. Although non-binding, the recital’s express mention of human intervention in combination with the phrasing ‘should include’ has spurred some national discussions on whether the recital implies that human intervention, in general or at least in some contexts, must be seen as a required safeguarding measure – and whether a right to human intervention therefore should be secured through an amendment of the APA.
That the Swedish government’s position is that the APA in its present form contains a sufficient level of safeguards to allow for decisions to be made fully automatically has, nevertheless, been made clear through later legislative bills. The Swedish Authority for Privacy Protection (then Datainspektionen, now Integritetsskyddsmyndigheten), which is the national competent data protection authority under GDPR, did not agree with this position and questioned that the generally applicable APA provisions show that the safeguarding requirements under Article 22(2)(b) are met. As indicated, however, the Government’s stance on the matter is still that the APA's general provisions on administrative procedure, including the principles of legality, objectivity, and proportionality, as well as the right to be heard, the possibilities and obligations to correct, change and vary decisions, and make appeals, collectively provide adequate safeguards by the standards of Article 22 GDPR. The entering into force of the GDPR did thus not lead to any specific amendments of the APA, and no legislative proposals have yet concerned requirements of human intervention or oversight.
Turning to the AIA, its Article 14 expressly includes human oversight as one safeguarding measure in relation to certain AI system usages. As the AIA takes effect in 2026, this provision will apply to all AI systems which qualify as being high-risk systems, for example including AI systems deployed in many public sector settings such as where used in the areas of access to and enjoyment of essential private services and public services and benefits, or the administration of justice and democratic processes. The regulation will apply to both public as well as private parties, as well as to any deployment of high-risk AI systems (and not just in those cases where AI technologies are used to make decisions). It is, however, noteworthy that the focus of the AIA is on the technical capacity of AI systems to enable human oversight to be performed. This means that the draft indicates that requirements are imposed primarily on the oversight functionalities of AI systems, and that the regulation does not go so far as to impose direct requirements on system deployers (such as public authorities) to also utilise these oversight capabilities to any specified scope or modality. It should be added that system deployers, under Articles 13 and 29 of the AIA, are obliged to use the system in accordance with its instructions – where instructions on human oversight performance may be included. Deployers must also ensure that the natural persons assigned to ensure human oversight of the high-risk AI systems have the necessary competence, training and authority as well as the necessary support. Overall, however, the AIA does not impose any direct requirements on public authorities to carry out human oversight at given intervals or on given impulses.
The regulation nevertheless requires public administrations to provide the various AI systems they use with human oversight capabilities, which will at least indirectly raise questions about what should be overseen, when the oversight should be carried out and by whom. Swedish administrative law does not provide direct answers to these questions and there is reason to consider whether, for example, the APA or any national implementing legislation to the AIA should be amended to provide more direct guidance to the authorities on their responsibilities to carry out human oversight over AI systems. In the event of such a development there is, however, a need to consider, from a national perspective, whether a threshold effect in terms of available safeguards would be justified when only based on whether the authorities use AI systems as compared to when they use automated systems based on other technologies. Such threshold effects might appear unwarranted from the perspective of good administration, as other technologies may also build complex systems with associated risks of rigid and formalistic applications, where human oversight may be just as pertinent.
Further on, the Council of Europe’s envisaged AI Convention states as its aim to set out standards for a human rights-based approach to AI. Article 15 of the draft includes the principles of transparency and oversight, which would oblige the contracting parties to ensure that adequate oversight mechanisms as well as transparency and auditability requirements tailored to the specific risks arising from the context in which the artificial intelligence systems are applied are in place. If the convention is finalised in a similar form and is ratified by Sweden, it is thus possible that it eventually will necessitate or encourage amendments to Swedish administrative law, in order to equip it with some more direct regulation ensuring a convention compliant level of human oversight.
All in all, and in the present, it is thus debatable whether any direct requirements for the Swedish legislator to introduce human review requirements in certain cases can be derived from the GDPR. Whether any such direct obligations are present at the European level will further depend on the application of the AIA and the final form of the future Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law (which in turn also depends on ratification). The legal developments in the coming years will show whether the Swedish lack of specific human review or oversight regulation will be called into question. It seems likely that the issue of human oversight requirements needs to be monitored in Swedish law.
Another question that has brought to the fore the possible tensions between technology-neutral principles of good administration in the APA and the impact of these principles in digital or automated contexts concerns the extent to which the duty to state reasons in Section 32 of the APA may impose any legal restrictions on the possibilities for automated decision-making. The ability of individuals to understand the grounds on which a decision has been made, and thus also the grounds on which public power has been exercised, is central to the functioning of the rule of law. This is important both for those who are subject to a decision, so that they are able to challenge it, and for courts or other supervisory bodies, so that they are able to scrutinise the legality of the exercised powers. As one of the known drawbacks of automated decision-making is the inability of, or challenges for, such systems to account for and respond to the specific circumstances of each individual case, it is typically a challenge for automated decision-making systems to produce individually tailored and sufficiently clear reasons in more complex cases. Ensuring that the introduction of automated decision-making does not come at the expense of the authorities’ capacities to fulfil their duty to state reasons is thus also a matter of concern from a legal security and rule of law perspective.
Section 32 of the APA requires that reasons are stated for ‘all decisions affecting a person in a not insignificant way’ unless it is ‘obviously unnecessary’. From the perspective of automation, it should therefore be noted, as a distinction, that the challenges to meeting these requirements are chiefly practical rather than legal in nature. As long as the automated decision-making systems are technically able to produce sufficiently reasoned decisions by the standards of Section 32 APA (or any European standards that may apply to particular decisions), the provision does not lay down any limitations to automation. This difference is reflected in some preparatory works touching on issues related to automated decision-making in taxation and the municipal sector, where Section 32 of the APA is described as setting a ‘practical’ legal limit on which decisions may be made automatically. While the distinction above is an important one, the legal content and scope of the obligation will nevertheless set one bar for lawful automated decision-making in Swedish administrative law.