New article for the Swedish Purchasing Counsil

The Swedish Government recently published the draft A Stronger Protection for Sweden’s Security (only in Swedish) with proposals for a number of news and amendments to the Swedish Protective Security Act, which will affect all operators undertaking security-sensitive activities (operators).

The draft, which is supposed to enter into force as early as 1 December 2021, entail significant changes to the Protective Security Act. For example, the obligation to enter into a protective security agreement will include mere collaborations and cooperation, not only procurements. The Government also proposes that operators shall carry out special security assessment as well as suitability assessments before concluding protective security agreements, and that operators will have an obligation to continuously revise existing protective security agreements.

In addition to the obligations becoming more firm, it is proposed that the supervisory authorities be given increased powers, including the possibility of deciding on administrative fees of up to SEK 50 million.

In other words, it is important that all operators becomes familiar with the proposed changes and prepare their operations in advance, so that they are ready when the proposals are implemented in December this year.

Senior Specialist Viktor Robertson and Associate Albin Svensson have analysed the proposed changes and summarised their consequences for operators, which have been published in an article on the Swedish Purchasing Counsil’s website (only in Swedish).

Chambers ranks Kahn Pedersen as a leading firm in all practice areas

For the second consecutive year, Chambers & Partners ranks Kahn Pedersen’s practice groups Public and Digital in the very highest category “Band 1”. The individual lawyers with Kahn Pedersen are also considered as some of the most regarded in Sweden within their practice areas. For Public Procurement, Kristian Pedersen is ranked in Band 1. For Information Technology, Johan Kahn is ranked as one of two Swedish lawyers in Band 1. Erik Olsson is ranked in Band 2 for Public Procurement. Daniel Lundqvist is previously ranked in Band 2 for Fintech is ranked in Band 3 for Information Technology.

Not many law firms in the World would have all of their practice groups ranked in Band 1. Our high degree of specialization of course makes it easier than for a full-service firm that naturally could not have the same focus. That is why we have chosen to be the firm we are.” Says Kristian Pedersen, CEO

New Article in Svensk Juristtidning

Christian Hybbinette and Michael Nevinson have published an article in the Swedish legal journal Svensk Juristtidning. The article outlines the news in the latest editions of the standard agreements for the Nordic market, for the supply of machinery and standardized goods and other bulk items: NL 17, NLM 19 and NLS 19. In the article, the authors also give an account for the differences compared to the older version of each respective standard agreement.

Kahn Pedersen top-ranked again

The British ranking institute Who’s Who Legal has once again ranked Kahn Pedersen as a leading advisor within the firm’s both practice areas – Digital and Public. Kristian Pedersen is ranked as ”Global Elite Thought Leader” in the Government Contracts category, as well as ”Global Leader” and ”National Leader” in said category. Erik Olsson is ranked as  ”Global Leader” and ”National Leader”, also in the category Government Contracts. Johan Kahn is ranked as ”Thought Leader” in the categories ”Information Technology”, ”Data Privacy and Protection” and “Data Security”. Han he is also ranked as “Global Leader” and ”National Leader” in said categories. For more information, please see:

Daniel Lundqvist top-ranked by Chambers & Partners again

We are delighted to announce that Daniel Lundqvist, partner at Kahn Pedersen, has been ranked as a leading legal advisor for “Fintech” once again. In its 2021 rankings, the international ranking institute Chambers & Partners ranks Daniel as one of three leading advisors in Sweden and states that Daniel is ‘very, very skilled in outsourcing deals and IT contract negotiations in the FinTech space. He has really grown his practice over the years.

Digitalization in the finance sector continues to be one of our core expertise areas within our Digital practice. We are very pleased that Daniel and our Digital-team have represented several Swedish banks, bank joint ventures and insurance companies on issues related to cloud migration, outsourcing and strategic technology sourcing. In connection with these assignments, we have developed several unique methods to analyze and visualize legal risk in connection with digitalization. As an example, our recent report on public cloud services >> [only available in Swedish] introduces the so-called Folke© Model, which we have found extremely useful in connection with cloud migration”, says Kristian Pedersen, MP and CEO of Kahn Pedersen. “We think Daniel’s ranking shows that our legal expertise in this area is market-leading, which is perfectly in line with our ambitions as a highly-specialized law firm”, Kristian Pedersen adds.

Kahn Pedersen further strengthens the Digital team

At the beginning of next year, Christian Hybbinette, Fredrik Sandström and Michael Nevinson will be joining Kahn Pedersen law firm, Christian as Partner, Fredrik as Senior Associate and Michael as Senior Associate. The trio joins from AG Advokat, where they are working today in the same department with a focus on the industrial sector.

Christian has nearly 20 years of experience in providing contract-related advice to clients in the industrial and real estate sectors, and was prior to his time at AG Advokat the head of Vinge’s Commercial Agreements practice. Fredrik has worked at AG Advokat since 2015 and has, among other things, been seconded to one of the world’s largest suppliers of renewable solutions based on wood and biomass. Michael has worked at AG Advokat since 2018 and prior to that served as a law clerk.

“Sweden is facing a huge transformation of the industry in order to keep up with international development. Christian and team have combined expertise in Industry 4.0 that will really strengthen our Digital offering and will alow us to meet the existing demand that we see on the market. We are very happy that they have chosen to join Kahn Pedersen because it means that we are both able to bring market-unique expertise on the industrial side but also that we get some of the country’s foremost contract lawyers on our team.” says Kristian Pedersen, Partner and CEO, Kahn Pedersen.

New publication from Kahn Pedersen

Vi har nu publicerat årets tredje och den sammanlagt elfte rapporten i vår skriftserie. Rapporten behandlar användningen av publika molntjänster i näringslivet. Vår förhoppning är att rapporten ska kunna bidra till en mer nyanserad diskussion och bedömning av användningen av publika molntjänster i näringslivet. Vår bild är att den juridiska debatten om molntjänster i näringslivet annars har präglats av ytterligheter och alltför fyrkantiga resonemang. Vi introducerar också en egen modell för övergripande riskbedömning, den s.k. Folke©-modellen.

Alla rapporter i Kahn Pedersens skriftserie finns att ladda ner kostnadsfritt från vår webbplats.

Länk till rapporten >>

Ny rekommendation om kompletterande skyddsåtgärder vid tredjelandsöverföring

Den Europeiska dataskyddsstyrelsen (EDPB) har publicerat ett utkast till en rekommendation[1] för överföring av personuppgifter till länder utanför EU/EES (tredjelandsöverföringar). Bakgrunden till rekommendationen är EU-domstolens avgörande i Schrems II (se här), vilket sedan sommaren 2020 har skapat stor osäkerhet inom EU när det gäller tredjelandsöverföring och, inte minst, användning av publika molntjänster som medför sådan överföring.

Liksom EU-domstolen i Schrems II placerar EDPB ett stort ansvar på de enskilda organisationer som för ut personuppgifter från EU (eller som använder tjänster som innebär överföring av uppgifter till länder utanför EU). Rekommendationen innehåller bl.a. en checklista för vilka steg personuppgiftsansvariga och personuppgiftsbiträden bör använda vid tredjelandsöverföringar. I det första steget krävs inventering av tredjelandsöverföringar och identifiering av rättslig grund för överföringen (t.ex. standardavtalsklausuler). Därefter krävs alltid en bedömning av skyddsnivån för personuppgifter  i mottagarlandet. Om skyddsnivån i ett visst mottagarland inte bedöms motsvara EU:s skyddsnivå krävs dessutom ”kompletterande skyddsåtgärder”.

EDPB:s rekommendation innehåller ett antal typfall där olika säkerhetsåtgärder beskrivs och bedöms. Det kan konstateras att avtalsmässiga eller organisatoriska åtgärder inte i sig utgör tillräckliga åtgärder för att säkerställa en tillräcklig skyddsnivå för personuppgifter.

När det gäller tekniska skyddsåtgärder drar vi följande preliminära och generella slutsatser:

  1. Det finns enligt EDPB inga effektiva tekniska skyddsåtgärder för tjänster som:
    • Medför att leverantören i ett tredjeland har tillgång till okrypterade personuppgifter i klartext vilket gäller oavsett om kryptering tillämpas vid överföring och vid ”data-at-rest”. Detta torde bl.a. omfatta  SaaS-tjänster som innebär överföring av personuppgifter till USA.
    • Medför fjärråtkomst från tredjeland till personuppgifter lagrade i klartext inom EU. Detta torde bl.a. omfatta många IT-supporttjänster (inklusive kundtjänst) som tillhandahålls genom ”globala” leveransorganisationer utanför EU.
  1. Personuppgifter i klartext får generellt inte överföras via internet i okrypterad form, eller annars göras tillgängliga i klartext till ett tredjeland. Typiskt sett krävs kryptering där leverantören/mottagaren inte har eller enkelt kan skaffa tillgång till krypteringsnyckeln.
  2. Pseudonymisering kan vara en effektiv skyddsåtgärd, under vissa förutsättningar. Detsamma gäller för uppdelning av en personuppgiftsbehandling mellan flera biträden, så att ingen av dem får tillräcklig information för att identifiera fysiska personer.

Slutsatserna ovan är preliminära och bör kompletteras av en rättslig bedömning i det enskilda fallet. EDPB:s rekommendation är preliminär och öppen för synpunkter fram till den 30 november 2020. Den slutgiltiga versionen kommer troligen att innehålla ett flertal ändringar och tillägg.

Vänligen kontakta Johan Kahn eller Daniel Lundqvist om du har frågor om EDPB:s vägledning eller om tredjelandsöverföring av personuppgifter.


[1] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Adopted – version for public consultations.