Kammarrätten i Stockholm - Mål nr 4413-22

From GDPRhub
Revision as of 12:42, 19 April 2023 by At (talk | contribs)
Kammarrätten i Stockholm - Mål nr 4413-22
Courts logo1.png
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 15(1) GDPR
Article 15(1)(c) GDPR
Brottsdatalagen 4 kap. 3 §
Decided: 04.04.2023
Published:
Parties: Polismyndigheten
National Case Number/Name: Mål nr 4413-22
European Case Law Identifier:
Appeal from: Förvaltningsrätten i stockholm (Sweden)
Appeal to: Pending appeal
Original Language(s): Swedish
Original Source: Kammarrätten i Stockholm (in Swedish)
Initial Contributor: n/a

The Stockholm Administrative Court of Appeals ruled that the Police had not provided sufficient information to the data subject about the processing in ongoing criminal investigation activities and archived investigations.

English Summary

Facts

The data subject made an access request to the Police Authority to receive information on how their personal data was processed by the National Operations Department. In response, the Police provided certain personal data relating to ongoing criminal investigation cases and archived criminal investigations concerning the data subject. The Police provided the data in compilations, hich included information, such as, file number, type of investigative task, type of offence, the data subject's role in the case, and the processing unit. Additionally, the Police stated that what kind of personal data are normally processed in these types of cases: (e.g. name and contact details, information that the data subject or someone else has provided in a report etc.)

The Police refused to provide any further information with reference to Chapter 4, Section 5, of the Swedish Criminal Data Act (brottsdatalagen, the EU's criminal data directive 2016/680 implementation in Swedish law) and Chapter 5, Section 1 of the Swedish Data Protection Act (dataskyddslagen). The Police based their refusal to the argument that such further information is covered by secrecy, and providing such information could jeopardise ongoing investigations, other police actions or future activities.

The data subject appealed against the Police's decision to the Stockholm Administrative Court, which rejected the appeal. The data susbject then took the case before the Administrative Court of Appeals in Stockholm requesting that the Court changes the Administrative Court's judgement in their favor.

The data subject stated that they only had received a summary of the processing activities, but did not receive access to their personal data. The data subject argued that the Swedish Criminal Data Act was not applicable to closed criminal investigation cases. Since this would make the GDPR applicable in their view, the data subject argued the following: Firstly, the data subject argued that under Article 15(1)(c) GDPR they have a right to receive information on the actual recipients of personal data, and secondly, that the information received should be as accurate as possible. The data subject also argued that the Police did not provide information about the purposes of the processing activities for which their personal was processed.

The Police viewed that the appeal should be dismissed, and that it had already provided sufficient information to the data subject under the Criminal Data Act and the GDPR. Firstly, the Police argued that, in their view, 1) the GDPR does not give the data subject a right to obtain a copy of the information if the right to information can be ensured by other means. Secondly, the Police stated that 2) they did not have information of the actual recipients of the data subject's personal data in archived criminal investigations. Therefore, the Police represented that it could only provide the data subject with information about the categories of recipients. Additionaly, the Police also argued that, in their view, 1) the data subject does not have a right to know who has provided information of the data subject, and that 2) the Police had indeed informed the data subject about the purposes of the processing activities.

Holding

Firstly, the Court established that 1) according to Chapter 4, Section 3 of the Swedish Criminal Data Act, the data controller must inform the person who requests it, without undue delay, provide written information on whether personal data concerning him or her is being processed. If such data are being processed, the person shall be given access to them and receive written information on, among other things which personal data concerning the person are being processed and from where the data comes from. In addition, the Court established that under the Swedish Criminal Data Act, the controller is not obliged to disclose reasons for rejection to provide information if it is based on a specific law or statute, that such information may not be disclosed in the interest of, among other things, preventing, or detect criminal activities, investigate or prosecute criminal offences, enforce criminal sanctions or to maintain public order and security. Secondly, the Court established that 2) Article 15 GDPR (and Chapter 5, Section 1 and Chapter 7, Section 2 of the Swedish Data Protection Act) include(s) essentially equivalent regulations.

[The Court established that under national law the procedural rules set out in the Swedish Public Access to Information and Secrecy Act (offentlighets- och sekretesslagen, OSL) apply where rejection is based upon secrecy obligations. Where the Police rejected the access request due to obligation of secracy, the Court viewed that according to the OSL, the Administrative Court of Appeals should have been the first instance to handle the case. Therefore, the Court set aside the corresponding part in this case. The Court stated that it will hear the data subject's appeal in another case of the Police's decision in this part.]

The Court then assessed if the Police had provided sufficient information and access to personal data in accordance with the Swedish Criminal Data Act Chapter 4 Section 3 and Article 15 GDPR, as applicable.

The Court agreed with the lower court that the GDPR applies to the processing of personal data which does not fall under the Swedish Criminal Data Act. Therefore, the Court viewed that the GDPR applies to processing in archived criminal investigations and that the Swedish Criminal Data Act applies to processing in ongoing criminal investigations. However, the Court also agreed with the Police, that in some cases, even cancelled cases can be considered as ongoing criminal investigation activities, e.g. when the offence is not time-barred.

The Court cited a CJEU decision from 12 January 2023 (C-154/21) and held that Article 15(1)(c) GDPR must be interpreted as meaning that the right of the data subject to get access to personal data concerning him or her means - where the data has been disclosed or is to be disclosed to recipient(s) - that the controller is required to provide the data subject with information of the actual identity of recipients, unless it is impossible to identify the recipients, or that the controller demonstrates that the data subject's request for access is manifestly unfounded or unreasonable within the meaning of Article 12(5) GDPR.

Firstly, the Court ruled that the information provided by the Police was too general, as the Police has provided information of data that are generally processed in the type of criminal investigation cases, and that the Police had not fulfilled the requirements of Article 15 GDPR or the Chapter 4 Section 3 of the Swedish Criminal Data Act.

Additionally, the Court noted that an exception of the requirement to provide the identity of the actual recipients under Article 15(c) GDPR applies when it is impossible to identify the recipient(s). The Court ruled that this interpretation of the GDPR can also provide guidance for the interpretation of the meaning of recipients or categories of recipients under the Swedish Criminal Data Act.

Secondly, The Court did not question the Police’s statement that, with regard to archived criminal investigations, they don't have information about the actual identities of recipients of the data subject's personal data. However, with regard to the ongoing criminal investigation activities, the Court viewed that the Police’s decision did not indicate any reason why the Police only provided information about the prospective recipients and not about the actual recipients of the personal data. The Court ruled that the Police had not fulfilled its obligations in respect of the decision either in this respect under Chapter 4, section 3 of the Criminal Data Act and Article 15(1) GDPR. The Court viewed that the Police Authority had indeed provided sufficient information about the purposes for which the data subject’s personal data is processed.

eventually, the Court decided that 1) the Police had not provided sufficient information about the processing of personal data relating to the data subject in the ongoing criminal investigation activities and neither in archived criminal investigations, nor has the DS been given access to the data, and that 2) the information provided to the data subject was also insufficient with regard to the ongoing criminal investigation activities in terms of who are the recipients of the personal data.

The Court annulled the lower courts' decision in the aforementioned parts, and the case was returned to the Police for a new assessment. The Court added that if, in that second review, the Police comes to the conclusion that certain information cannot be disclosed due to secrecy, it must be stated in the decision itself.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Judgments and decisions Here you can read about what to do when you want to take part in public documents.
Here you will also find links to the supreme courts that publish judgments on their own websites, and to other collections of judgments.