From AI to Policing, Sweden’s Data Protection Authority Maps Where Privacy Risks Loom in 2026

Key Takeaways

• AI in the Public Sector: IMY will closely follow how public authorities deploy AI, especially where citizens cannot opt out and sensitive data is involved.
• Children and Young People: Strengthening protection and awareness around children’s personal data remains a central concern for 2026.
• Law Enforcement Tools: The regulator will scrutinize the privacy impact of intrusive investigative methods, including biometric data collection.
• Risk-Based Supervision: IMY’s priorities reflect areas where integrity risks are seen as highest and regulatory intervention can have the greatest effect.

Deep Dive

The Swedish Data Protection Authority (IMY) has identified three areas that will shape its guidance and enforcement work over the coming year: the use of artificial intelligence in the public sector, the protection of children and young people online, and the expanding range of tools used by law enforcement authorities.

Each year, IMY reassesses where its oversight can have the greatest impact. For 2026, the authority says the chosen priorities reflect both growing integrity risks and clear gaps in knowledge that could undermine compliance with data protection rules.

“Data protection runs through almost every part of society today,” said Eric Leijonram, Director General at IMY. “Private companies, public authorities and non-profits all handle personal data as part of their everyday work. But the risks are not evenly distributed. We focus our efforts where they can make the most difference.”

AI Use in Public Services Comes Under the Microscope

One of IMY’s main concerns for 2026 is the accelerating use of AI across public services. From automated decision-making to digital assistance tools, AI systems are increasingly embedded in how citizens interact with the state. Unlike private services, these systems often leave individuals with little or no choice to opt out.

IMY has signalled that this makes strong data protection safeguards non-negotiable. The authority will spend the year examining how public bodies are using AI in practice, particularly where systems process sensitive personal data. The goal, IMY says, is not to block innovation, but to ensure that AI is deployed in a way that respects privacy and personal integrity.

Children’s Data Remains a Priority

Children and young people continue to be a focal point for the regulator. IMY points to their heavy use of digital services and social media, often without a full understanding of how their personal data is collected, shared, or exploited. At the same time, children’s data is considered especially sensitive under data protection rules.

During 2026, IMY plans to step up efforts to raise awareness about data protection risks affecting children and young people. That work will extend beyond young users themselves to include adults who handle children’s data, such as parents, guardians, schools, and other institutions.

Law Enforcement Powers and Privacy Boundaries

IMY’s third priority reflects growing concerns around the tools available to law enforcement agencies. While effective policing depends on access to modern investigative methods, many of those tools involve deep intrusions into personal privacy. Recent years have seen an expansion of powers, including secret coercive measures and broader use of biometric data.

Over the coming year, IMY will focus on how these tools are used from a data protection perspective, examining whether privacy safeguards keep pace with operational demands and legal authority.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.