Hd - Ä 3169-24
From GDPRhub
| Hd - Ä 3169-24 | |
|---|---|
 | |
| Court: | Hd (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 10 GDPR Article 85 GDPR Article 86 GDPR Chapter 1.7(1) Data Protection Act Chapter 21.7 Public Access to Information and Secrecy Act |
| Decided: | |
| Published: | 25.02.2025 |
| Parties: | Trobar AB |
| National Case Number/Name: | Ä 3169-24 |
| European Case Law Identifier: | |
| Appeal from: | Hovrätten för Övre Norrlands (Sweden) 2024/83 |
| Appeal to: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | Högsta domstolen (in Swedish) |
| Initial Contributor: | cci |
The Supreme Court ordered a court to disclose a large amount of documents relating to criminal proceedings under certain restrictions protecting the personal data contained therein. The documents were previously requested by the provider of a legal data base.
English Summary
Facts
Trobar AB is a digital legal database that engages engages in the collection, processing, analysis and presentation of information, including personal data relating court proceedings. Trobar uses this information to publish news. Additionally, Trobar discloses personal data to customers such as newspapers, magazines, broadcasters, and businesses running background checks.
In the context of these activities, Trobar requested the District Court of Umeå to disclose a large number of documents relating to criminal rulings. These documents included personal data relating to criminal offences and convictions. The District Court rejected the request and claimed that the information was confidential based on Sweden’s Public Access to Information and Secrecy Act.
Trobar appealed the decision. After the appeal was rejected, Trobar took the case to Sweden’s Supreme Court.
Holding
The legal framework
In Swedish law, the Public Access and Secrecy Act regulates access to documents relating to criminal proceedings. Under the Act, documents related to criminal cases are public unless the issuing court decided to keep them confidential. The Act also provides for an exception: documents are confidential when there is reason to believe that their disclosure will create a risk of violations of the GDPR or Sweden’s Data Protection Act. In such cases, the information can still be disclosed; however, the disclosing body must mitigate the risk of data protection violations by imposing restrictions upon the recipient with regards to the use and disclosure of the information.
Sweden's Data Protection Act provides that the Public Access and Secrecy Act takes precedence over the GPDR in case of conflict. Additionally, the Data Protection Act provides for derogations to the GDPR for journalistic purposes. These derogations covered some of Trobar's activities (but not its background checks).
The questions
Within this legal framework, the Supreme Court dealt with two questions:
- Were the documents requested by Trobar confidential, as the District Court claimed?
- If so, could Trobar require the District Court to disclose the documents under reservations?
The first question: confidentiality
The Court found that there were reasons to believe that Trobar could violate Article 10 GDPR[1] by collecting and disclosing personal data relating to criminal convictions and offences on a large scale. Therefore, the Court held that the information requested by Trobar was confidential under the Public Access and Secrecy Act.
The second question: restrictions
The Court observed that national law can create derogations to the GDPR in order to grant other fundamental rights. In this case, the exemptions in the Public Access and Secrecy Act were covered by Articles 85 and 86 GDPR (respectively: "Processing and freedom of expression and information", and "Processing and public access to official documents").
The Supreme Court held that such exemptions under national law must reconcile the right to data protection with other rights. This is only the case when the derogations to the GDPR are prescribed by law, are compatible with the essence of the fundamental rights, and meet the requirement of the principle of proportionality. In this regard, the Supreme Court referred to the case law of the EU Court of Justice[2].
With such a balance in mind, the Supreme Court ordered the District Court to grant Trobar’s request while restricting Trobar’s use of information. Specifically, the District Court had to forbid Trobar from:
- providing documents to the public and customers customers if the disclosure allowed access to the names, social security numbers, or addresses of individuals:
- allowing the public and customers to search its database based on names, social security numbers, or addresses:
- notifying the public or customers when certain names, social security numbers, or addresses appeared in its database.
In practice, these restrictions would likely prevent Trobar from offering background checks as a service (or at least, make it very difficult to do so) while still allowing the company to publish news based on court documents. In the Court’s perspective, this would strike a correct balance between the fundamental rights involved: the protection of personal data, freedom of expression, and access to public documents.
Comment
The Court did not, strictly speaking, hold that Trobar violated the GPDR. The Supreme Court stressed that even the mere suspicion that GDPR violations would occur as a result of the disclosure of information, was sufficient to make the data confidential. So, the Court did not investigate Trobar’s activities in depth: the mere suspicion that such activities could breach the GDPR, was sufficient to answer the question on the data’s confidentiality.
The ruling is similar to the Panoptes ruling of the Swedish Supreme Court (available here), in which, the Supreme Court upheld the restriction imposed by the Court of Appeals upon the disclosure of court documents to a business. In both rulings, the Supreme Court concluded that a system where criminal convictions are disclosed on a large scale, resulting in a significant amount of personal data processed in a database and made available to others, is not compatible with EU law.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Page 1 (31) SUPREME COURT DECISION Case no announced in Stockholm on 25 February 2025 Ä 3169-24 PARTIES Appellant Trobar AB, 559036-0748 c/o TNG Group AB, CO Representatives: Attorneys FS, AB and ÄP and lawyer AF THE CASE Disclosure of public documents APPEAL DECISION Upper Norrland Court of Appeal decision 2024-03-27, case number 2024/83 __________ SUPREME COURT DECISION The Court of Appeal's decision is amended in such a way that the requested documents shall be disclosed by Umeå District Court with a reservation that entails: 9 3 Visiting address Opening hours Postal address E-mail 3 Riddarhustorget 8 Monday–Friday Supreme Court [email protected] . Telephone 08:45–12:00 Box 2066 Website o 08-561 666 00 13:15–15:00 103 12 Stockholm www.hogstadomstolen.se D Page 2 (31) SUPREME COURT DECISION Ä 3169-24 – that the documents, regardless of the form, may not be provided to the public or paying customers if the public or the customers thereby obtain personal names, personal identification numbers or addresses of individuals , – that Trobar may not otherwise offer the public or paying customers search options in the documents in a way that provides access to personal names, personal identification numbers or addresses of individuals, and – that the documents may not be used to notify the public or paying customers in such a way that it is possible to monitor whether a certain person appears in the documents. APPLICATIONS IN THE SUPREME COURT Trobar AB has requested that the Supreme Court order the District Court to release the requested documents. REASON Background Trobar AB provides information via a legal database that is obtained from the country's courts as well as from the Swedish Public Prosecutor's Office and the Swedish Economic Crime Authority. The information in the database consists of judgments, decisions, minutes, diaries and decisions on penalty orders and non-prosecutions. Trobar's database is aimed at companies and organizations that wish to access information of this kind for their operations, e.g. for background checks but also for journalism or research. Among other things, there is a service that means that a customer is notified when a certain personal 9 3 3 . o D Page 3 (31) SUPREME COURT DECISION Ä 3169-24 or organization number appears in a document. The database is not aimed at private individuals and a review is carried out before anyone is allowed to become a customer of the company. Trobar's legal database is covered by a certificate of publication and thus by constitutional protection according to Chapter 1, Sections 4 and 5 of the Freedom of Expression Act. Trobar has requested from Umeå District Court to obtain judgments, decisions, minutes and diaries in criminal cases at the district court. The district court decided to reject Trobar's request with reference to that Trobar requested information to such an extent and with such content that it can be assumed that Trobar's processing of the information will be in conflict with the EU Data Protection Regulation. According to the district court, therefore, the information was subject to confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act (2009:400). The Court of Appeal has rejected Trobar's appeal. The case in the Supreme Court The case concerns the question of whether the requested information is confidential and, if so, whether the information should be disclosed with reservations. The case raises the issue of the relationship between Chapter 21, Section 7 of the Public Access and Secrecy Act, Chapter 1, Section 7 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (hereinafter the Data Protection Act) and the rules in the Data Protection Regulation. 9 1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of 0 natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). k D Page 4 (31) SUPREME COURT DECISION Ä 3169-24 On disclosure of judgments and other court documents In order to promote a free exchange of opinion, free and comprehensive information and free artistic creation, everyone has the right to access public documents to the extent that the rules on secrecy do not prevent this (see Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance). Rules on secrecy are contained in the Public Access and Secrecy Act. Secrecy means that it is prohibited to disclose the information that is subject to secrecy, regardless of whether it is done orally, by disclosure of a public document or in any other way (see Chapter 3, Section 1 of the Public Access and Secrecy Act). The starting point is that criminal judgments are public. If information is included in a court judgment, any confidentiality of the information ceases to apply, unless the court decides on continued confidentiality (cf. Chapter 43, Section 8 of the Public Access and Secrecy Act). Criminal judgments have, in line with this, generally been disclosed to the person who has requested it, even when it has involved a larger quantity. Other documents with links to criminal cases, such as diaries and minutes, are also regularly disclosed, unless there is a special confidentiality provision that applies to the information in them. As is clear from the Court of Appeal's decision, the question has been raised to the extent to which Chapter 21, Section 7 of the Public Access and Secrecy Act, which refers to the Data Protection Regulation – or the Data Protection Regulation as such – can constitute an obstacle to the disclosure of such documents. The provision in Chapter 21 Section 7 of the Public Access and Secrecy Act According to Chapter 21, Section 7 of the Public Access and Secrecy Act, confidentiality 9 3 applies to personal data if it can be assumed that the data, after disclosure 3 . o D Page 5 (31) SUPREME COURT DECISION Ä 3169-24 will be processed in violation of the Data Protection Regulation or the Data Protection Act. The confidentiality provision in Chapter 21, Section 7 differs from other confidentiality provisions in that it does not focus on the data as such, but on what can be assumed to happen to them after disclosure. According to the provision, the disclosing authority must take into account what can be assumed about the upcoming processing and its nature. A similar provision has existed since 1973. The provision was motivated at that time, among other things, by the need to create some control over the possibilities of collecting personal data from existing registers to build up new registers for purposes other than the original ones (see Bill 1973:33 p. 100 f.). An assessment according to the section only needs to be made if there are concrete circumstances indicating that the recipient will process the data in a way that is contrary to data protection regulations, e.g. that it is a matter of mass extraction. A full assessment of whether the processing will be contrary to the Data Protection Regulation or the Data Protection Act does not need to be made. (Cf. Bill 2017/18:105 p. 135 f.) Data Protection Regulation The Data Protection Regulation is binding and directly applicable in all EU Member States (see Article 288, second paragraph, of the Treaty on the Functioning of the European Union). The Regulation was introduced to, among other things, guarantee a uniform and high level of protection for natural persons that is equivalent in all Member States. It should be seen in the light of the fact that the protection of natural persons with regard to the processing of personal data is a fundamental right under the Charter of Fundamental Rights of the European Union. (Cf. the Data Protection Regulation, recitals 1 and 10; cf. also Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the European Union.) 3 3 . o D Page 6 (31) SUPREME COURT DECISION Ä 3169-24 Article 5 of the Data Protection Regulation states that certain fundamental principles shall be observed when processing personal data. These principles include that the data shall be processed lawfully, fairly and transparently and that they shall be adequate, relevant and not excessive in relation to the purposes for which they are processed. Furthermore, they shall not be kept in a form which permits identification of the data subject for longer than is necessary for the purposes for which the personal data are processed and may be stored for longer periods only for certain purposes. The principles set out in Article 5 are supplemented in Article 6 with more concrete requirements that must be met for the processing of the data to be lawful. A key requirement is that one of the grounds set out in the article must be applicable for the processing of data. Examples of such grounds are that there is consent from the data subject or that the processing is necessary for compliance with a legal obligation. Article 9 regulates the processing of certain special categories of personal data. This applies, among other things, to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited unless the data subject has expressly given his or her consent or the processing is necessary for certain specified reasons. Article 10 contains rules that specifically address the processing of personal data relating to criminal convictions, offences constituting a criminal offence and related security measures. The processing of such data may be carried out only under the control of a public authority or where processing is authorised by Union law or the national law of the Member States, which lays down suitable safeguards for the rights and freedoms of the data subjects 3 3 . o D Page 7 (31) SUPREME COURT DECISION Ä 3169-24 A complete register of criminal convictions may be kept only under the control of a public authority. (On the interpretation of the CJEU of the concepts of offences and convictions, see the judgment of the Court of Justice of 24 September 2019, GC and Others, C-136/17, EU:C:2019:773, p. 72.) The purpose of Article 10 is to ensure increased protection against such processing of personal data which, due to the particularly sensitive nature of the data, may constitute a particularly serious interference with the fundamental right to respect for private life and the protection of personal data as set out in Articles 7 and 8 of the EU Charter of Rights (see the judgment of the CJEU of 22 June 2021, Latvijas Republikas Saeima, C-439/19, EU:C:2021:504, p. 74). According to Article 85 of the General Data Protection Regulation, Member States shall, by law, reconcile the right to privacy under the Regulation with the freedom of expression and information. They shall also – if necessary to reconcile the right to privacy with the freedom of expression and information – provide for exceptions or derogations from certain listed parts of the Regulation (including Article 10) for certain processing operations, such as those carried out for journalistic purposes. The case-law of the Court of Justice of the European Union has shown that the expression “processing for journalistic purposes” should be interpreted broadly. It includes, among other things, disseminating information, opinions or ideas to the public. The technology used or whether the activity is carried out for profit does not affect the assessment. Processing of personal data that involves the commercial provision of material that has been collected from authorities in an unaltered form may also constitute processing operations for journalistic purposes. (See the judgment of the Court of Justice of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, p. 55–62.) 9 3 3 . o D Page 8 (31) SUPREME COURT DECISION Ä 3169-24 In order to reconcile the public's right of access to public documents with the right to the protection of personal data in accordance with the Regulation, authorities may, inter alia, in accordance with the applicable Union or Member State law, disclose personal data in public documents (see Article 86). There is therefore scope under Articles 85 and 86 of the Regulation to restrict the right to the protection of personal data, but only provided that the restrictions are provided for by law, are compatible with the essence of the fundamental rights and meet the requirements arising from the principle of proportionality of EU law. This means, among other things, that the restrictions may not go beyond what is strictly necessary, and it is also assumed that there are clear and precise provisions regulating the scope and application of the exceptions. (Cf. e.g. Latvijas Republikas Saeima, pp. 105 and 106 with further references.) This means that it is assumed that the protection of personal data may vary between Member States. However, it is not certain that the balancing of different interests that has been made is acceptable under EU law. Data Protection Act The Data Protection Act contains supplementary provisions to the Data Protection Regulation. Chapter 1, Section 7, first paragraph, stipulates that the Data Protection Regulation and the Data Protection Act shall not be applied to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. The provision covers not only such application of data protection regulations that would 9 3 3 . o D Page 9 (31) SUPREME COURT DECISION Ä 3169-24 conflict with freedom of the press and expression, but also such that would conflict with the principle of publicity (cf. Bill 2017/18:105 p. 43). The second paragraph of the section states that Articles 5–30 and 35–50 of the Data Protection Regulation and Chapters 2–5 The Data Protection Act shall not apply to the processing of personal data for journalistic purposes or for academic, artistic or literary creation. In the case, it is primarily the exception for journalistic purposes that is of interest. The expression processing for journalistic purposes shall be given the same meaning as under Union law (see p. 22, cf. “The Foundation’s website” NJA 2001 p. 409). Rulings from the Court of Justice In a couple of rulings, the Court of Justice of the EU has dealt with issues that have concerned the disclosure of personal data by authorities in relation to, among other Article 10 of the Data Protection Regulation. In the case of Latvijas Republikas Saeima, the Court held that the provisions of the Data Protection Regulation preclude national legislation which requires a public body responsible for a register containing information on the fines imposed on drivers for traffic offences to make the information available to the public, without the person requesting access to the information having to demonstrate a particular interest in obtaining it. The Data Protection Regulation was also considered to preclude the public body from transferring such information to economic operators for further use, so that a person wishing to obtain information on any fines can turn directly to those operators and obtain the information. (See Latvijas Republikas Saeima, pp. 122 and 129.) When examining whether the national rules could be considered to be compatible with the Data Protection Regulation, an assessment was made of whether 9 3 these, which thus entailed a limitation of the protection in the Data Protection Regulation, 3 . o D Page 10 (31) SUPREME COURT DECISION Ä 3169-24 were necessary and proportionate in relation to the objectives pursued by the regulation. Within the framework of that assessment, the Court took into account both the right to freedom of information under Article 85 and the public's right to access to public documents under Article 86, but found that the right to protection of this type of personal data must be considered to have greater weight. (See Latvijas Republika Saeima, pp. 102–121 and 126.) In a later ruling, the European Court of Justice has similarly held that the Data Protection Regulation prevents information on criminal convictions of natural persons in a register kept by a court from being disclosed to anyone in order to ensure public access to public documents, without the person requesting the disclosure needing to demonstrate that the person has a particular interest in obtaining the information. (Judgment of the Court of Justice of 7 March 2024, C-740/22, Endemol Shine Finland, EU:C:2024:216, p. 58.) Compatibility of the Swedish system with EU law The Supreme Court must decide whether, and if so in what way, the examination of a request for public documents that contain information about violations of the law is affected by the Data Protection Regulation. As is clear from the foregoing, Chapter 1, Section 7, first paragraph of the Data Protection Act provides that that Act and the Data Protection Regulation shall not be applied to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. The legislator's intention with the provision can be said to have been that the Data Protection Regulation and the Data Protection Act shall not be applied at all to the area protected by the Constitution. This would mean that in an activity covered by the Freedom of the Press Ordinance or the Freedom of Expression Act, one would not have to comply with the Data Protection Ordinance. o D Page 11 (31) SUPREME COURT DECISION Ä 3169-24 and that the Ordinance would not restrict the authorities' obligations to disclose personal data. (Cf. Bill 2017/18:105 p. 40 ff., also cf. Bill 1997/98:44 p. 43 ff. regarding the previously applicable regulation.) With such a starting point, it is consistent to interpret Chapter 21, Section 7 of the Public Access and Secrecy Act in such a way that secrecy according to the provision cannot exist in these cases; the provision presupposes an assessment of what can be assumed about the compatibility of the upcoming processing with the data protection regulation. The same applies to cases where the exception in Chapter 1, Section 7 the second paragraph of the Data Protection Act is applicable, e.g. when processing personal data for journalistic purposes outside the constitutionally protected area. The paragraph stipulates that in such processing, several of the central provisions of the Data Protection Regulation, including Articles 5–10, shall not apply. However, when applying national regulation, the requirements of Union law must be taken into account. According to Articles 85 and 86 of the Data Protection Regulation, the Member States must indeed balance the interest of freedom of expression and information and the public's right of access to public documents on the one hand, and the right to the protection of personal data on the other. However, it is questionable whether a regulation that means that personal data about violations of the law should be disclosed on a large scale while the data protection regulation does not apply at all – or only to some extent – to the subsequent processing of the data, can be reconciled with the requirements of EU law. Criminal judgments contain many different types of sensitive information. 9 They do not only contain personal data about the accused and the convicted, the crime to which a decision relates and the possible penalty imposed. There is 3 . o D Page 12 (31) SUPREME COURT DECISION Ä 3169-24 also a large number of other personal data, including about the injured party and witnesses and about circumstances surrounding the accused events that can be linked to different persons. Regarding Chapter 1 If Section 7, first paragraph of the Data Protection Act is understood in the way that the legislator may be said to have intended, the regulation means that the protection of these personal data – in the constitutionally protected area – will exclusively be based on the possibilities for intervention provided for in the Freedom of the Press Ordinance and the Freedom of Expression Act, which basically have other purposes than creating personal data protection. If the provision is understood in this way, there are also no rules on how personal data may be processed or any conditions for exercising supervision with regard to information about violations of the law. Also in the cases referred to in Chapter 1, Section 7, second paragraph, such regulation (see paragraphs 35–37) means that the protection of personal data will to a very large extent have to take precedence over the interest in freedom of expression and information. The Supreme Court concludes that it cannot be considered compatible with EU law to have a system that means that criminal convictions are disclosed on a large scale, with the result that a significant amount of personal data relating to offences can then be processed in a database and made available to others. In principle, there is no other protection for the privacy interest than that which can lie in interventions based on the basic media laws and the Criminal Code. Such a system almost completely undermines the protection when processing data relating to offences that the Data Protection Regulation aims to provide and cannot be considered to mean that appropriate safeguards have been established for the rights and freedoms of the data subjects in the manner required by Article 10 of the Data Protection Regulation. The assessment that this is not acceptable also applies in relation to 9 3 3 . o D Page 13 (31) SUPREME COURT DECISION Ä 3169-24 processing that takes place for journalistic purposes or other purposes referred to in Article 85. It is therefore not possible to reconcile the Swedish regulation with the Data Protection Regulation in the manner that the legislator may be assumed to have intended. The consequences for the examination to be carried out pursuant to Chapter 21, Section 7 of the Public Access and Secrecy Act Starting points It is not possible for the Supreme Court to resolve in a single decision more generally the issues associated with the Swedish regulation of the applicability of the Data Protection Regulation. The Court's task is to take a position on how the issues in the case should be assessed and in particular how Chapter 21, Section 7 of the Public Access and Secrecy Act should be applied. It may be recalled that the general issues concerning the lack of protection for the privacy interest when processing personal data in the constitutionally protected area are far from new. Already in connection with the introduction of the system of voluntary release certificates in the Freedom of Expression Act, the Constitutional Committee had concerns that constitutional protection could come to include databases that constitute pure personal registers and that this could conflict with provisions that have the purpose of protecting personal privacy (cf. report 2001/02:KU21 p. 31 f.). It is also worth mentioning here that two proposals have been submitted to the Riksdag aimed at better balancing the interests of freedom of expression and freedom of information with the protection of personal data regarding violations of the law (see Bill 2017/18:49 and Bill 2021/22:59). However, these have 9 3 3 . o D Page 14 (31) SUPREME COURT DECISION Ä 3169-24 not led to legislation. In addition, proposals have been submitted again regarding, among other things, this issue (see SOU 2024:75). In this context, the Swedish Data Protection Authority's legal position 2024:1 can also be mentioned, which is, however, limited to search services with a certificate of publication. In light of what has now been said, the question arises whether it is possible to interpret and apply the Swedish regulatory framework in a way that can be reconciled with the Data Protection Regulation. The provision in Chapter 1, Section 7, first paragraph, of the Data Protection Act As has been seen from the foregoing, the legislator's intention can be said to have been that the Data Protection Regulation and the Data Protection Act should not be applied at all to the constitutionally protected area. However, it can be stated that this is not expressed in the text of the law. Chapter 1, Section 7, first paragraph of the Data Protection Act states that the Data Protection Regulation shall not be applied "to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act". The wording of the provision thus most likely suggests that the Data Protection Regulation may only be applied when there is a conflict between the regulatory frameworks. It should be emphasized that the fact that confidentiality applies to certain information as a starting point cannot be considered to mean that there is a conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. On the contrary, the Freedom of the Press Ordinance provides that the Riksdag shall be able to legislate on confidentiality and that confidentiality then also applies in relation to activities covered by the Freedom of the Press Ordinance or the Freedom of Expression Act. 9 3 3 . o D Page 15 (31) SUPREME COURT DECISION Ä 3169-24 There is also reason to note that Chapter 1, Section 7 of the Data Protection Act and Chapter 21, Section 7 of the Public Access and Secrecy Act, insofar as is currently relevant, were drafted in the same legislative context. The natural starting point should be that one provision does not exclude the application of the other. It is also worth noting that there are no statements in the preparatory work for Chapter 21, Section 7 that concern the issue of whether confidentiality should apply in relation to activities covered by constitutional protection under the Freedom of the Press Ordinance or the Freedom of Expression Act. Against this background, the Supreme Court assesses that there is scope to interpret Chapter 1, Section 7, first paragraph, of the Data Protection Act so that the provision does not prevent the requirements of the Data Protection Ordinance from being taken into account when applying the special confidentiality provision in Chapter 21, Section 7 of the Public Access and Secrecy Act also in the area protected by the Constitution. And such an interpretation should be made regardless of how one views the meaning of Chapter 1, Section 7, first paragraph, with regard to the issue of whether the Ordinance can be applied to the subsequent processing in the activity covered by constitutional protection. This means that the authority that has to conduct an examination according to Chapter 21 Section 7 of the Act on Public Access and Secrecy shall assess whether the information after disclosure can be assumed to be processed in violation of the provisions of the Data Protection Regulation, without taking a position on the extent to which the Swedish regulation means that the regulation shall not be applied in the activities carried out by the person who has requested the information to be disclosed. The Data Protection Regulation can, in the application of Chapter 21, Section 7, then most be seen as an independent yardstick for when confidentiality prevails for information that would otherwise have been public. 9 3 3 . o D Page 16 (31) SUPREME COURT DECISION Ä 3169-24 In this way, the requirements of the regulation can be taken into account when it is decided whether public documents containing personal data should be disclosed. The provision in Chapter 1 Section 7, second paragraph, Data Protection Act Chapter 1, Section 7, second paragraph, states that exemptions from the application of the Data Protection Regulation shall be made in principle in all parts where the Regulation allows for exemptions. More specifically, as has been stated, Articles 5–30 and 35–50 of the Data Protection Regulation are exempted. Here, the legislator has more clearly used the procedure for national adaptation that the Data Protection Regulation specifies in Article 85. It is clear from the preparatory work that the main purpose of the exemption in the second paragraph has been to ensure that, among other things, journalistic activities that are not covered by the Freedom of the Press Regulation and the Freedom of Expression Constitution are exempted from parts of the Data Protection Regulation and the Data Protection Act. A starting point in the formulation of the provision has been that exceptions should be introduced to the extent that the regulation allows it (see Bill 2017/18:105 pp. 44 f. and 187). It can be noted that the provision – even if it aims to cover activities that are not covered by the Freedom of the Press Regulation or the Freedom of Expression Act – according to its wording also covers activities that have constitutional protection. The wording of the second paragraph does not provide the same opening for an interpretation in accordance with EU law as the first paragraph. However, the two paragraphs must be seen in context. The second paragraph cannot reasonably be given the meaning that the exception from the application of the Data Protection Regulation for non-constitutionally protected activities is more far-reaching than the exception that relates to the constitutionally protected area. 9 3 3 . o D Page 17 (31) SUPREME COURT DECISION Ä 3169-24 The second paragraph should therefore, in a similar way to the first paragraph, be applied so that it does not prevent the Data Protection Regulation from being fully taken into account in an examination pursuant to Chapter 21, Section 7 of the Act on Public Access and Secrecy. The authority that is to carry out the examination shall thus assess whether the data after disclosure can be assumed to be processed in violation of the provisions of the Data Protection Regulation, without taking a position on whether the exempted articles of the Regulation shall be applied in the activities conducted by the person who has requested the information to be released. Summary conclusion Overall, the above means that Chapter 1, Section 7 of the Data Protection Act – assessed in the light of Union law – does not prevent the Data Protection Regulation from being taken into account when applying the confidentiality provision in Chapter 21 7 § of the Public Access and Secrecy Act. The assessment in this case Does confidentiality apply according to Chapter 21, Section 7 of the Public Access and Secrecy Act? In order for confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act to apply to the information that Trobar has requested to be disclosed, it is required that it can be assumed that the information, after disclosure, will be processed in a manner that is incompatible with the Data Protection Regulation. The assumption must be based on that there are concrete circumstances indicating this, but no complete assessment of whether the processing that can be assumed to take place is incompatible with the Data Protection Regulation needs to be made (see p. 14). No position shall be taken on the extent to which the regulation shall be applied in Trobar's operations, but the regulation shall be used as an independent yardstick in the assessment (see p. 52 and 57). 9 3 3 . o D Page 18 (31) SUPREME COURT DECISION Ä 3169-24 Trobar has requested to obtain a larger number of criminal judgments and other documents linked to criminal cases, such as decisions, minutes and diaries. The documents contain information about violations of the law and other information of a sensitive nature. Trobar has repeatedly requested public documents in a similar manner. Against this background, and taking into account the extensive processing of personal data of this kind that takes place at Trobar, it can be assumed that the personal data contained in the requested documents will be processed in a manner that is incompatible with Article 10 of the Data Protection Regulation (cf. p. 42). Confidentiality therefore applies to the personal data contained in the documents that have been requested. Are there conditions for releasing the documents with reservations? If an authority finds that such a risk of damage, harm or other inconvenience that, according to a provision on confidentiality, prevents information from being released to an individual can be eliminated by a reservation that restricts the individual's right to release the information or use it, the authority shall make such a reservation when releasing the information to the individual (Chapter 10, Section 14, first paragraph, of the Act on Public Access and Secrecy). It is clear that the provision is written with a view to such confidentiality provisions whose application requires consideration of damage, harm or other inconvenience. There is no reference to such factors in Chapter 21, Section 7 of the Public Access and Secrecy Act, but there is also no exception in Chapter 10, Section 14 that means that it cannot be applied to confidentiality pursuant to Chapter 21, Section 7. The latter provision, like several other confidentiality rules, is also intended to protect information about individuals' personal circumstances. Disclosure of information that is incompatible with the Data Protection Regulation may therefore be considered to be capable of causing damage, harm or other inconvenience. Even if the result of a reservation is not fully the same as in other cases, the provision in Chapter 10, Section 14 3 3 . o D Page 19 (31) SUPREME COURT DECISION Ä 3169-24 the first paragraph can therefore also be applied when confidentiality applies according to Chapter 21, Section 7. To establish a reservation on the disclosure of documents on the basis of Chapter 10, Section 14 can be a way of achieving, to some extent, such a balance between different interests as the Data Protection Regulation requires. This applies in particular when the interest of freedom of expression and information is to be combined with the right to privacy. The documents in the case show that Trobar's database, to a not inconsiderable extent, aims to enable different types of background checks. There is, among other things, a service that means that the customer is notified when a certain personal identification number appears in a document in the database. However, Trobar also publishes its own news and news materials to some extent. The interest in being able to continue to conduct that activity should be taken into account when considering whether a reservation should be issued. With regard to the activity consisting of enabling background checks, a reservation, which is designed in such a way as to eliminate the risk of damage or harm that accompanies the disclosure of the documents, will mean that the activity cannot continue. Disclosing the documents with reservations may then appear pointless. However, Trobar also engages to a certain extent in activities that can be assumed to be carried out for journalistic purposes. The documents should therefore be disclosed with reservations that ensure that the interest in being able to conduct that activity is balanced against the interest in privacy. A reasonable balance between these interests can be achieved if the reservation is designed so that it aims to prevent, on the one hand, the documents – with the personal data contained in them – from being provided by Trobar, and, on the other hand, that 9 3 the personal data is made searchable by others or used to notify 3 . o D Page 20 (31) SUPREME COURT DECISION Ä 3169-24 others about the content of the documents, but at the same time does not prevent the personal data from being used in, for example, news texts or news materials that Trobar produces. This means that the documents shall be released by the district court with such a reservation. __________ ____________________ ____________________ ____________________ ____________________ ____________________ ____________________ ____________________ The decision was made by Justices Anders Eka, Henrik Jermsten (dissenting), Kristina Ståhl, Agneta Bäcklund (dissenting), Thomas Bull (dissenting), Petter Asp (rapporteur) and Cecilia Renfors. The rapporteur was the Registrar of Justice Malin Falkmer. 9 0 3 k D Page 21 (31) SUPREME COURT DECISION Ä 3169-24 DISSENTING OPINION Justices Henrik Jermsten and Thomas Bull disagree and believe that the appeal should be dismissed. In their opinion, the reasons should be as follows. REASONS Background 1. Trobar AB provides information via a legal database that is retrieved from the country's courts, the Swedish Public Prosecutor's Office and the Swedish Economic Crime Authority. The information in the database consists of judgments, decisions, minutes, diaries and decisions on penalty orders and non-prosecutions. 2. Trobar's database is aimed at companies and organisations that have a need for information of this kind for their operations, such as background check companies or those involved in journalism or research. Among other things, there is a service that means that a customer is notified when a certain personal or organisation number appears in a document. The database is not aimed at private individuals and a review is carried out before someone is allowed to become a customer of the company. Trobar's legal database has constitutional protection according to the Swedish Freedom of Expression Act through a certificate of publication (see Chapter 1, Sections 4 and 5 of the Freedom of Expression Act). Trobar requested from Umeå District Court to obtain judgments, decisions, minutes and diaries in criminal cases. The District Court decided to reject Trobar's request with reference to that Trobar requested information to such an extent and with such content 9 that it can be assumed that the processing will be in breach of the EU's 3 3 . o D Page 22 (31) SUPREME COURT DECISION Ä 3169-24 Data Protection Regulation. According to the District Court, the information was therefore confidential in accordance with Chapter 21, Section 7 of the Public Access and Secrecy Act (2009:400). The Court of Appeal rejected Trobar's appeal. Regarding the disclosure of judgments, etc. In order to promote a free exchange of opinions, free and all-round information and free artistic creation, everyone has the right to access public documents to the extent that the rules on confidentiality do not prevent this (Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance). According to Chapter 21, Section 7 of the Public Access and Secrecy Act, personal data is confidential if it can be assumed that the data, after disclosure, will be processed in violation of the EU Data Protection Regulation or the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (Data Protection Act). The current confidentiality provision differs from other confidentiality provisions in that it does not focus on the data as such, but on what can be assumed to happen to them after disclosure. An assessment according to the section only needs to be made if there are concrete circumstances indicating that the recipient will process the data in a way that is in violation of data protection regulations, e.g. that it is a matter of mass extraction. A full assessment of whether the processing will violate the Data Protection Regulation or the Data Protection Act need not be made. (Cf. Bill 2017/18:105 p. 135 f.) The Data Protection Regulation sets out in Articles 5 and 6 certain fundamental requirements for the processing of personal data. Among other things, that they shall be collected for specific, explicit and legitimate purposes and 9 not subsequently processed in a manner incompatible with those purposes. 3 3 The data shall further be processed lawfully, fairly and transparently in relation to the data subject and be adequate, relevant and not excessive in relation to the purposes for which they are processed. A further central requirement is that one of the grounds set out in Article 6 must be applicable for the processing of data. Examples of such grounds include the consent of the data subject or the fact that the processing is necessary for compliance with a legal obligation. Article 9 regulates the processing of certain special categories of personal data. This applies, among others, to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited unless the data subject has explicitly given his or her consent or the processing is necessary for certain specified reasons. Article 10 contains rules specifically aimed at the processing of personal data relating to criminal convictions, offences constituting a criminal offence and security measures relating thereto. The processing of such data may be carried out only under the supervision of a public authority or where processing is authorised by Union or Member State law, which lays down suitable safeguards for the rights and freedoms of the data subjects. A complete register of criminal convictions may be kept only under the control of an authority. According to Article 85 of the Regulation, Member States shall by law reconcile the right to privacy under the Data Protection Regulation with the freedom of expression and information, including processing carried out for journalistic purposes or for academic, artistic or literary creation. They shall further, for processing carried out for such purposes – where necessary to reconcile the right to privacy with the freedom of expression and information – 9 3 3 . o D Page 24 (31) SUPREME COURT DECISION Ä 3169-24 provide for exceptions or derogations from certain listed parts of the Regulation, including Articles 5, 6, 9 and 10. In Chapter 1 Section 7, first paragraph, of the Data Protection Act states that the Data Protection Regulation and the Data Protection Act shall not be applied to the extent that it would conflict with the Freedom of the Press Regulation or the Freedom of Expression Act. The second paragraph of the same section follows that, among other things, Articles 5, 6, 9 and 10 of the Data Protection Regulation shall not be applied to the processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation. The Swedish harmonisation according to Article 85 Initially, it can be stated that an EU regulation is binding in all respects and directly applicable in each Member State. According to established practice, provisions in regulations generally have immediate effects in the national legal systems, without requiring the national authorities to take any implementing measures (judgment of the Court of Justice of the European Union of 15 May 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483, p. 110 and the case-law cited therein). However, with regard to certain articles of the Data Protection Regulation, these do not constitute a complete regulation, but the Regulation requires supplementary regulation in national law. This is the case, for example, with regard to the Regulation's requirement for national harmonisation of the Regulation's rules on the protection of personal data with the freedom of expression and information. It is therefore not clear from the Data Protection Regulation how freedom of expression, freedom of information and the protection of personal data are to be combined and harmonised. There is also room for differences between Member States regarding the content of provisions that 9 3 reconcile the right to protection of personal data with the right to freedom of expression and 3 . o D Page 25 (31) THE SUPREME COURT DECISION Ä 3169-24 freedom of information (judgment of the Court of Justice of the European Union of 24 September 2019, Google, C-507/17, EU:C:2019:772, p. 69). It is clear that several Member States have made extensive exemptions from the provisions of the Data Protection Regulation for journalistic activities (see SOU 2024:75 p. 120 ff. regarding Norway, Denmark and Finland). The Netherlands and Austria have also, in a manner that is similar to the Swedish regulation in substance, exempted journalistic activities from the scope of the Regulation. The picture also includes that, when harmonizing according to Article 85, it must be taken into account that the rights in the Charter of Fundamental Rights of the European Union have an equivalent position. The protection of personal data is regulated in Article 8 and freedom of expression and information is protected by Article 11. From a Union law perspective, neither right has a stronger position than the other, but in the event of conflicts, they must be balanced against each other. According to Swedish law, the Data Protection Regulation shall not be applied to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act (Government Bill 2017/18:105, p. 40 ff.). Furthermore, Articles 5, 6, 9 and 10 of the Data Protection Regulation shall not be applied to the processing of personal data for journalistic purposes, even outside the constitutionally protected area. Based on Article 85 of the Data Protection Regulation, this position can be said to mean that the Swedish legislator has assessed that it is necessary from a freedom of expression perspective to completely exclude such actors who are covered by constitutional protection from the provisions of the Regulation and that the same should apply as far as possible to such actors who lack 9 constitutional protection but whose activities have journalistic purposes. The 3 3 . o D Page 26 (31) SUPREME COURT DECISION Ä 3169-24 practical effect of this is that the processing of personal data is in all essential respects unregulated. In light of the judgments of the Court of Justice of 22 June 2021 in the case Latvijas Republika Saeima (C-439/19, EU:C:2021:504) and of 7 March 2024 in the case Endemol Shine Finland (C-740/22, EU:C:2024:216), the question can be asked whether the Swedish regulation constitutes a balancing of freedom of expression, freedom of information and the protection of personal data that is fully compatible with Union law. In the opinion of the Supreme Court, there is reason to initially note the following regarding the judgments of the Court of Justice of the EU. The former case concerned the reconciliation under Article 86 of the Data Protection Regulation between the right to public documents and the right to the protection of personal data and only concerned Article 85 insofar as it deals with the right to freedom of information. There was no freedom of expression aspect in the case and the requirements that Article 85 imposes on national harmonisation based on that interest were not affected. The decision therefore has no direct relevance to the current situation. In the second decision, the ECJ found that respect for private life and the protection of personal data must be considered to outweigh the public interest in having access to public documents. It was further emphasized that the right to freedom of information under Article 85 of the Data Protection Regulation should not be interpreted as justifying the disclosure of personal data relating to criminal convictions to anyone who requests such information (paragraphs 55 and 56). The ECJ's reasoning thus focused on the balancing of interests between the protection of personal data relating to offences and the public's access to public documents and freedom of information in general. 3 3 . o D Page 27 (31) SUPREME COURT DECISION Ä 3169-24 The ruling therefore does not have any direct bearing on situations when an actor requests information about violations of the law for other purposes. The conclusion that can be drawn from the rulings of the European Court of Justice is that when reconciling freedom of information and the protection of personal data, the principle of proportionality must be observed and the national rules that are introduced must not go beyond what is necessary. What this means in concrete terms in a context where interests other than those that were at issue in the two cases are at odds is, however, not given. Another observation that can be made based on the two cases is that the European Court of Justice's assessment of whether the reconciliation according to Articles 85 and 86 of the Data Protection Regulation is acceptable has been made based on the concrete circumstances of the individual case. Although the design of a national system must be taken into account at an abstract level, it is the effects in the specific case that are decisive for the assessment of whether, for example, the requirement of proportionality is met or not. The assessment in this case In the present case, the issue is a request for public documents by an actor who has constitutional protection for his database through a certificate of release (see Chapter 1, Sections 4–6 of the Freedom of Expression Act). In an application for a certificate of release, no assessment is made of the content or purpose of the database. The fact that voluntary constitutional protection applies to a certain activity does not allow any conclusions to be drawn as to the extent to which personal data is collected for journalistic purposes or not. Trobar has provided the following information about its activities. 9 3 3. o D Page 28 (31) SUPREME COURT DECISION Ä 3169-24 Trobar collects information from courts and prosecutors' offices. The information consists of judgments, decisions, protocols, diaries, penalty orders and non-prosecutions. The database is aimed at professional and serious companies and organizations that need the information in the database for their professional practice. One target group is serious background check companies that are members of the background check companies' trade association. Another target group is engaged in, among other things, journalism and research or other academic activities. To access the legal database, you must be a customer of Trobar. Before you can become a customer, Trobar carries out a test. The test aims to ensure that the database is used only for legal, legitimate and serious purposes. Within the framework of the review, Trobar checks what kind of company or organization the person applying to become a customer is. Trobar also examines what the applicant intends to use the information in the database for. Only applicants who meet Trobar's requirements may become customers of Trobar. The Supreme Court finds, like the Court of Appeal, that Trobar's request may be considered to be primarily aimed at obtaining information for a database aimed at companies and organizations that need information about violations of the law for so-called background checks. The actual purpose of the processing of the requested personal data cannot therefore be considered to be journalistic. The fact that the activity also includes the provision of information to actors active in journalism or research does not change this assessment. As far as Trobar is concerned, it is therefore not a question of weighing the interest in processing for journalistic purposes against the interest in the protection of privacy when assessing whether the harmonization of the Swedish regulatory framework pursuant to Article 85 has been carried out in a proportionate manner. Here, instead, 3 3 . o D Page 29 (31) SUPREME COURT DECISION Ä 3169-24 the interest in being able to carry out background checks should be weighed against the interest in the protection of personal data and privacy. Particular attention should then be paid to how sensitive information about violations of the law may be for individuals (Latvijas Republika Saeima, pp. 112 and 113). In the balancing exercise to be carried out, the Supreme Court considers that the data subjects' interest in the protection of privacy outweighs Trobar's claim to freedom of expression and information. The fact that Trobar has a certificate of release should therefore not mean that the company's processing of personal data should be considered unregulated. Such a system is not compatible with the requirement of proportionality that applies to how Member States reconcile the interest in the protection of personal data with the freedom of expression and information. There is therefore reason, as regards Trobar's request for access to public documents, to disregard the constitutional protection that follows from the certificate of release when examining whether confidentiality applies according to Chapter 21, Section 7 of the Public Access and Secrecy Act. The Supreme Court finds, as the Court of Appeal has done, that there is reason to assume that Trobar's processing of the personal data contained in the requested documents on violations of the law will be in violation of the rules of the Data Protection Regulation. Confidentiality therefore exists and the appeal shall be dismissed. ________ 9 3 3 . o D Page 30 (31) SUPREME COURT DECISION Ä 3169-24 DISSENTING OPINION Councillor for Justice Agneta Bäcklund dissents and considers that the appeal should be dismissed. She considers that the reasons from point 61 onwards should be as follows 61. If an authority finds that such a risk of damage, harm or other inconvenience that, according to a provision on confidentiality, prevents information from being provided to an individual can be eliminated by a reservation that restricts the individual's right to pass on the information or use it, the authority shall make such a reservation when the information is provided to the individual (Chapter 10, Section 14, first paragraph, of the Public Access and Secrecy Act). 62. It appears clear that the provision is written with in mind such confidentiality provisions the application of which requires consideration of damage, harm or other inconvenience. There is no reference to such factors in Chapter 21, Section 7, of the Public Access and Secrecy Act. 63. It is difficult to see that a reservation would fully satisfy the possibility of balancing the interest in privacy and the interest in carrying out journalistic activities when it comes to the processing of a large amount of data relating to violations of the law. The risk that the provision in Chapter 21, Section 7 is intended to prevent – that the data will, after disclosure, be processed in violation of the Data Protection Regulation – cannot therefore be eliminated by a reservation. 64. With the interpretation of the relationship between Chapter 1, Section 7 of the Data Protection Act and Chapter 21, Section 7 that the Supreme Court makes, it is also hardly possible to issue any regulations on the processing of the data relating to violations of the law that have been disclosed, without taking a position on Article 10 of 9 3 3 . o D Page 31 (31) SUPREME COURT DECISION Ä 3169-24 the data protection regulation applies to that processing. A reservation that means that it is not permitted to disclose certain information does not appear to be appropriate with regard to the right to freely communicate information on any subject. 65. The conclusion is therefore that there are no conditions for disclosing the documents with reservations. A release with reservations does not appear to be an appropriate measure either. 66. The appeal must therefore be dismissed. ________ 7 0 d k D
