Banner2.png

Hd - Ä 3457-24

From GDPRhub
Revision as of 08:54, 5 March 2025 by Elu (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Hd - Ä 3457-24
Courts logo1.png
Court: Hd (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 10 GDPR
Article 85 GDPR
Article 86 GDPR
Article 5(1)(f) GDPR
Chapter 21.7 Public Access to Information and Secrecy Act
Chapter 1.7(1) Data Protection Act
Decided: 25.02.2025
Published:
Parties: Panoptes Sweden AB
National Case Number/Name: Ä 3457-24
European Case Law Identifier:
Appeal from:
Appeal to: Not appealed
Original Language(s): Swedish
Original Source: Högsta domstolen (in Swedish)
Initial Contributor: elu

The Supreme Court held that the disclosure of criminal convictions by a court to a news agency could be based on the condition that the agency would not subsequently disclose the personal data with the broad public or paying customers.

English Summary

Facts

Panoptes Sweden AB ("Panoptes") is a news agency, which engages engages in the collection, processing, analysis and presentation of information, including personal data. Panoptes sells the personal data to its customers (e.g. newspapers, magazines and broadcasters). In the course of its business, Panoptes requested the Swedish Court of Appeal to disclose to them a large number of documents related to different people's criminal convictions, to then use them in their capacity as a news agency.

In response to this request, the Court of Appeal required Panoptes to guarantee that the requested documents would will be used for journalistic purposes and that the personal identity numbers, names and addresses of individuals will not be made available to the public or paying customers.

Panoptes filed an appeal against that response of the Court of Appeal to the Supreme Court.

Holding

The Court established that the question to be answered was whether the information requested by Panoptes was confidential and, if so, whether its disclosure could be subject to reservation. This matter concerns the relationship between Chapter 21.7 of the Swedish Public Access to Information and Secrecy Act (hereinafter: the Act) and the GDPR.

Background considerations

Section 7(1) of Chapter 1 of the Swedish Data Protection Act provides that, in data disclosures covered by the Act, there is no need to comply with the GDPR. In fact, requiring GDPR compliance would restrict the authorities' obligations to disclose personal data.

The Court however recognizes that, when applying national law, EU law must be respected. Such an obligation stems from Article 85 GDPR and Article 86 GDPR, requiring to balance freedom of expression and the right of public access to official documents with the right to data protection. It is questionable whether such effective balance exists in instances where a national Act allowing for the indiscriminate disclosure of criminal data excludes the application of the GDPR.

Thus, the protection of personal data will be based exclusively on the possibilities for intervention under the Act, which however, has other purposes than ensuring personal data protection.

The Court's concluded that a system whereby criminal convictions are disclosed on a large scale, resulting in a significant amount of personal data processed in a database and made available to others, is not compatible with EU law.

Assessment

The Court followed a two-tier approach.

1. Does confidentiality apply under Chapter 21.7 of the Freedom of Information and Secrecy Act?

To find whether the principle of confidentiality, as per Article 5(1)(f) GDPR, can be applicable, the Court considered whether it can be assumed that the personal data shared with Panoptes will not subsequently be processed in a way that is incompatible with the GDPR.

In this case, Panoptes requested a large number of criminal convictions and other documents related to criminal cases, such as decisions, diary sheets and summons applications.

Thus, the Court considered that the personal data contained in the requested documents will be processed in a way that is incompatible with Article 10 GDPR, meaning that confidentiality applies to the personal data contained in the documents requested.

2. Are there conditions for conditional release of the documents?

The Court found that the risk of damage, harm or other inconvenience which, according to a provision on confidentiality, prevents the disclosure of information to somebody, can be balanced out by a restriction requiring that an individual's right to pass on the information or use it.

Thus, a law shall be written with a view to those confidentiality provisions whose application requires consideration of damage, harm or other inconvenience. This is not the case for Chapter 21.7 of the Act.

Given the nature of Panoptes’ activities, it can be assumed that the data in the requested documents will be processed to a significant extent for journalistic purposes.

In conclusion, the documents should be disclosed, with a reservation which balances the interest of Panoptes to carry out journalistic activities against the interest of individual to have their right to privacy respected. There is reason to take into account that Panoptes publishes editorially processed news text through its database.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Page 1 (31)

SUPREME COURT

DECISION

Case no
announced in Stockholm on 25 February 2025 Ä 3457-24

PARTIES

Appellant

Panoptes Sweden AB, 559199-4503

Nyhetsbyrån Siren
Box 4211

102 65 Stockholm

Representatives: Lawyers UI and EK and lawyer GT

THE CASE

Disclosure of public document

APPEALDED DECISION
Upper Norrland Court of Appeal decision 2024-04-09, dnr 2024/91

__________

9
3 Visiting address Opening hours Postal address E-mail
3 Riddarhustorget 8 Monday–Friday Supreme Court hogsta.domstolen@dom.se
. Telephone 08:45–12:00 Box 2066 Website
o 08-561 666 00 13:15–15:00 103 12 Stockholm www.hogstadomstolen.se
D Page 2 (31)

SUPREME COURT DECISION Ä 3457-24

SUPREME COURT DECISION

The reservation decided by the Court of Appeal shall be amended to mean:

– that the documents, regardless of the form, may not be provided

to the public or paying customers if the public or customers
thereby obtain personal names, personal identification numbers or addresses of individuals

and

– that Siren may not otherwise offer the public or paying

customers search options in the documents in a way that provides access to

personal names, personal identification numbers or addresses of individuals.

APPLICATIONS IN THE SUPREME COURT

Panoptes Sweden AB has requested that the Supreme Court overturn
the Court of Appeal's decision and grant the company's request to access the requested

documents without reservation.

REASON

Background

Panoptes Sweden AB's operations include the collection,

processing, analysis and presentation of information. The company operates

the Siren News Agency.

Siren's core business consists of identifying and collecting data
for news and communicating such data to other news organizations

or mass media, such as newspapers, magazines and broadcast media companies.

Since Siren is a news agency, the database (siren.se) where,

among other things, criminal convictions are provided is covered by constitutional protection according to Chapter 1, Section 4

of the Swedish Freedom of Expression Act.

9
3
3
.
o
D Page 3 (31)

SUPREME COURT DECISION Ä 3457-24

Siren has requested from the Court of Appeal to access a larger number of public

documents in criminal cases, such as judgments, decisions, diaries and summons applications.

The Court of Appeal has decided that the requested documents shall be disclosed,

but with the following reservation. The personal data that appears

from the documents may only be used in journalistic activities and

personal identity numbers, personal names and addresses of individuals may not

be provided to the public or paying customers through the database or

registers. As a reason for the decision, the Court of Appeal stated that it can be assumed that

the information will be processed in violation of the EU
Data Protection Regulation after disclosure. According to the Court of Appeal, the confidentiality of

the information according to Chapter 21 7 § of the Public Access and Secrecy Act (2009:400)

and reservations constituted an appropriate protective measure.

The company has appealed the decision to the Supreme Court. (No

leave to appeal is required, cf. Chapter 54 § 9 of the Code of Judicial Procedure and

“Journal of the Court of Appeal” NJA 2015 p. 180 p. 5–7.)

The case in the Supreme Court

The case concerns the question of whether the requested information is confidential

and, if so, whether the information should be disclosed with reservations. The case

raises the relationship between Chapter 21 § 7 of the Public Access and Secrecy Act,

Chapter 1 § 7 of the Act (2018:218) with supplementary provisions to the EU

Data Protection Regulation (hereinafter the Data Protection Act) and the rules in

the Data Protection Regulation.

9 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
0 natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
k
D Page 4 (31)

SUPREME COURT DECISION Ä 3457-24

On disclosure of judgments and other court documents

Everyone has the right, in order to promote the free exchange of opinions, free and

comprehensive information and free artistic creation, to access

public documents to the extent that this is not prevented by the rules on confidentiality
(see Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance).

Rules on confidentiality are contained in the Public Access and Secrecy Act.

Confidentiality means that it is prohibited to disclose the information that is subject to

confidentiality, regardless of whether it is done orally, by disclosing a

public document or in any other way (see Chapter 3, Section 1 of the Public Access and

Secrecy Act).

The starting point is that criminal judgments are public. If a piece of information

is included in a court judgment, any confidentiality for the information

ceases to apply, unless the court decides to continue the confidentiality (cf. Chapter 43, Section 8

of the Public Access and

Secrecy Act).

In line with this, criminal judgments have generally been disclosed to the person

who has requested it, even when it has involved a larger quantity.

Other documents with links to criminal cases, such as diaries and

minutes, are also regularly disclosed, unless there is a special

confidentiality provision that applies to the information in them.

As is clear from the Court of Appeal's decision, however, the question has been raised to what

extent Chapter 21, Section 7 of the Public Access and Secrecy Act, which refers to

the Data Protection Regulation – or the Data Protection Regulation as such – can

constitute an obstacle to disclosing such documents.

9
3
3
.
o
D Page 5 (31)

SUPREME COURT DECISION Ä 3457-24

The provision in Chapter 21, Section 7 of the Public Access and Secrecy Act

According to Chapter 21, Section 7 of the Public Access and Secrecy Act, confidentiality

applies to personal data if it can be assumed that the data, after disclosure

will be processed in violation of the Data Protection Regulation or

the Data Protection Act.

The confidentiality provision in Chapter 21 Section 7 differs from other

confidentiality provisions in that it does not focus on the data as

such, but on what can be assumed to happen to them after disclosure. According to

the provision, the disclosing authority must take into account what can

be assumed about the upcoming processing and its nature. A similar

provision has existed since 1973. The provision was then motivated, among other things, by the need to create some control over the possibility of

collecting personal data from existing registers to build up new

registers for purposes other than the original ones (see Bill 1973:33 p. 100 f.).

An assessment according to the section only needs to be made if

there are

concrete circumstances indicating that the recipient will process

the data in a way that is in conflict with the data protection regulation, e.g. that it is a matter of

mass extraction. A full assessment of whether the processing

will conflict with the Data Protection Regulation or the Data Protection Act
need not be made. (Cf. Bill 2017/18:105 p. 135 f.)

Data Protection Regulation

The Data Protection Regulation is binding and directly applicable in all EU

Member States (see Article 288, second paragraph, of the Treaty on the Functioning of the European

Union). The Regulation was introduced to guarantee, among other things,

a uniform and high level of protection for natural persons that is equivalent in all

Member States. It should be seen in the light of the fact that the protection of natural persons at

9
3
3
.
o
D Page 6 (31)

SUPREME COURT DECISION Ä 3457-24

processing of personal data is a fundamental right according to

the Charter of Fundamental Rights of the European Union. (Cf.

the Data Protection Regulation, recitals 1 and 10; cf. also Article 8 of the Charter and

Article 16 of the Treaty on the Functioning of the European Union.)

Article 5 of the Data Protection Regulation states that certain fundamental

principles shall be observed when processing personal data. These principles

include that the data shall be processed lawfully, fairly and

transparently and that they shall be adequate, relevant and not excessive in relation to

the purposes for which they are processed. Furthermore, they shall not

be kept in a form which permits identification of the data subject for

longer than is necessary for the purposes for which
the personal data are processed and may be stored for longer periods only

for certain purposes.

The principles set out in Article 5 are supplemented in Article 6 by more

specific requirements that must be met in order for the processing of data

to be lawful. A key requirement is that one of the grounds set out in

that article must be applicable for the processing of data. Examples

of such grounds are that the data subject has given his or her consent or that

the processing is necessary for compliance with a legal obligation.

Article 9 regulates the processing of certain special categories of

personal data. This applies, among other things, to data revealing racial or

ethnic origin, political opinions, religious or philosophical beliefs,

data concerning health or data concerning a natural person's sex life or

sexual orientation. The processing of such data is prohibited unless the

data subject has explicitly given his or her consent or the processing is

necessary for certain specified reasons.

9
3
3
.
o
D Page 7 (31)

SUPREME COURT DECISION Ä 3457-24

Article 10 contains rules specifically aimed at the processing of

personal data relating to criminal convictions, offences constituting a criminal offence and related security measures. The processing of
such data may be carried out only under the supervision of a public authority or when

processing is permitted by Union law or the national law of the Member States, which lays down appropriate safeguards for the rights and freedoms of the data subjects. A complete register of criminal convictions may be kept

only under the supervision of a public authority. (On the interpretation of the CJEU

of the concepts of offences and convictions, see the judgment of the Court of Justice of
24 September 2019, GC and Others, C-136/17, EU:C:2019:773, p. 72.)

The purpose of Article 10 is to ensure increased protection against such

processing of personal data which, due to the particularly

sensitive nature of the data, may constitute a particularly serious interference with the fundamental

right to respect for private life and the protection of personal data as set out in

Articles 7 and 8 of the EU Charter of Rights (see the judgment of the CJEU
of 22 June 2021, Latvijas Republikas Saeima, C-439/19, EU:C:2021:504,

p. 74).

According to Article 85 of the GDPR, Member States shall,

by law, reconcile the right to privacy under the Regulation with the freedom of expression and

information. They shall also – where necessary to reconcile

the right to privacy with the freedom of expression and information – provide for

exceptions or derogations from certain listed parts of the Regulation

(including Article 10) for certain processing operations, such as those carried out for

journalistic purposes.

The case-law of the Court of Justice of the European Union (CJEU) shows that the expression processing for

journalistic purposes is to be interpreted broadly. It includes, among other things, the dissemination

of information, opinions or ideas to the public.

The technology used

9
3
3
.
o
D Page 8 (31)

SUPREME COURT DECISION Ä 3457-24

or whether the activity is carried out for profit does not affect the assessment.

Processing of personal data which involves the commercial provision of material that has been

collected from public authorities in an unaltered form

may also constitute processing for journalistic purposes. (See the judgment of the Court of Justice
of 16 December 2008, Satakunnan Markkinapörssi and Satamedia,

C-73/07, EU:C:2008:727, pp. 55–62.)

In order to reconcile the public's right of access to public

documents with the right to the protection of personal data under

the Regulation, public authorities may, inter alia, in accordance with the applicable Union or Member State law, disclose personal data in public

documents (see Article 86).

There is therefore scope under Articles 85 and 86 of the

Regulation to restrict the right to the protection of personal data, but only

provided that the restrictions are provided for by law, are compatible with

the essence of the fundamental rights and meet the

requirements arising from the principle of proportionality of EU law.

This means, among other things, that the restrictions may not go beyond what is strictly

necessary, and it is also assumed that there are clear and precise

provisions regulating the scope and application of the exceptions.

(Cf. e.g. Latvijas Republikas Saeima, pp. 105 and 106 with further

references.)

This means that it is assumed that the protection of personal data

may vary between Member States. However, it is not certain that the

balancing of different interests that has been made is acceptable under

EU law.

9
3
3
.
o
D Page 9 (31)

SUPREME COURT DECISION Ä 3457-24

Data Protection Act

The Data Protection Act contains supplementary provisions to

the Data Protection Regulation.

Chapter 1, Section 7, first paragraph, stipulates that the Data Protection Regulation and
the Data Protection Act shall not be applied to the extent that it would conflict with

the Freedom of the Press Ordinance or the Freedom of Expression Act. The provision

covers not only such application of data protection regulation that would

conflict with freedom of the press and expression, but also such that would conflict

with the principle of publicity (cf. Bill 2017/18:105 p. 43).

The second paragraph of the section states that Articles 5–30 and 35–50 of

the Data Protection Regulation and Chapters 2–5 The Data Protection Act shall not apply
to the processing of personal data for journalistic purposes or

for academic, artistic or literary creation. In the case, it is primarily

the exception for journalistic purposes that is of interest. The expression

processing for journalistic purposes shall be given the same meaning as under

Union law (see p. 22, cf. “The Foundation’s website” NJA 2001 p. 409).

Rulings from the Court of Justice

In a couple of rulings, the Court of Justice of the EU has dealt with issues

that have

concerned the disclosure of personal data by authorities in relation to, among other

Article 10 of the Data Protection Regulation.

In the case of Latvijas Republikas Saeima, the Court of Justice found that

the provisions of the Data Protection Regulation preclude national

legislation which requires a public body responsible for a register

containing information on the fines imposed on drivers for traffic violations to make the information available to the public, without the

9
3
3
.
o
D Page 10 (31)

SUPREME COURT DECISION Ä 3457-24

requesting access to the data needs to demonstrate that he or she has a

particular interest in obtaining it. The Data Protection Regulation was also considered

to constitute an obstacle to the public body transferring such data to

economic operators for further use, so that anyone wishing to receive

information about any hacking can turn directly to these operators

and obtain the data. (See Latvijas Republikas Saeima, pp. 122 and 129.)

When examining whether the national rules could be considered

compatible with the Data Protection Regulation, an assessment was made of whether

these, which thus entailed a limitation of the protection in the Data Protection Regulation,

were necessary and proportionate in relation to the objectives pursued

by the regulation. In that assessment, the Court took into account both the right to freedom of information under Article 85 and the public's right of access to public documents under Article 86, but found that the right to the protection of such personal data must be considered to outweigh it. (See Latvijas

Republika Saeima, pp. 102–121 and 126.)

In a later judgment, the Court of Justice of the European Union has similarly

held that the Data Protection Regulation prevents information on criminal convictions of natural persons in a register kept by a court from being disclosed to anyone in order to ensure public access to public documents, without the person requesting the disclosure having to demonstrate that the person has a particular interest in obtaining the information.

(Judgment of the Court of Justice of 7 March 2024, C-740/22, Endemol Shine

Finland, EU:C:2024:216, p. 58.)

Compatibility of the Swedish system with EU law

The Supreme Court must decide whether, and if so in what

way, the examination of a request for public documents that

9 contain information about violations of the law is affected by the Data Protection Regulation.

3
3
.
o
D Page 11 (31)

SUPREME COURT DECISION Ä 3457-24

As is clear from the foregoing, Chapter 1, Section 7, first paragraph

of the Data Protection Act provides that that Act and the Data Protection Regulation shall not

be applied to the extent that it would conflict with the Freedom of the Press Ordinance

or the Freedom of Expression Act.

The legislator's intention with the provision can be said to have been that

the Data Protection Regulation and the Data Protection Act should not

be applied to the constitutionally protected area at all. This would mean that in

an activity covered by the Freedom of the Press Regulation or

the Freedom of Expression Act, one would not have to comply with the Data Protection Regulation

and that the regulation would not restrict the authorities'

obligations to disclose personal data. (Cf. Bill 2017/18:105 p. 40 ff.,

also cf. Bill 1997/98:44 p. 43 ff. regarding the previously applicable

regulation.)

With such a starting point, it is consistent to interpret Chapter 21, Section 7

of the Public Access and Secrecy Act in such a way that secrecy according to the provision

cannot exist in these cases; the provision presupposes an assessment of

what can be assumed about the compatibility of the upcoming processing with

the data protection regulation.

The same applies to cases where the exception in Chapter 1, Section 7

the second paragraph of the Data Protection Act is applicable, e.g. when processing

personal data for journalistic purposes outside the constitutionally protected

area. The paragraph stipulates that in such processing, several of

the central provisions of the Data Protection Regulation, including Articles

5–10, shall not apply.

However, when applying national regulation,

the requirements of Union law must be taken into account. According to Articles 85 and

9 86 of the Data Protection Regulation, the Member States must, of course, balance the interest

3
3
.
o
D Page 12 (31)

SUPREME COURT DECISION Ä 3457-24

of freedom of expression and information and the public's right to access

public documents on the one hand, and the right to the protection of

personal data on the other. However, it is questionable whether a regulation that

means that personal data about violations of the law are to be

disclosed on a large scale while the data protection regulation does not apply at all – or only to

some extent – to the subsequent processing of the data, can

be reconciled with the requirements of EU law.

Criminal judgments contain many different types of sensitive information.

They do not only contain personal data about the accused and the convicted, the crimes to which

a judgment relates and the possible penalty imposed.

They also contain a large number of other personal data, including about the injured party and

witnesses and about circumstances surrounding the accused events that can

be linked to different people.

Regarding Chapter 1 If Section 7, first paragraph of the Data Protection Act is understood in the way

that the legislator may be said to have intended, the regulation means that the protection of

these personal data – in the constitutionally protected area – will exclusively

be based on the possibilities for intervention provided for in

the Freedom of the Press Ordinance and the Freedom of Expression Act, which basically

have other purposes than creating personal data protection. If the provision

is understood in this way, there are also no rules on how

personal data may be processed or any conditions for exercising supervision

with regard to information about violations of the law.

Also in the cases referred to in Chapter 1, Section 7, second paragraph, such

regulation means (see paragraphs 35–37) that the protection of personal data will to a very large

extent have to take precedence over the interest in freedom of expression and information.

9
3
3
.
o
D Page 13 (31)

SUPREME COURT DECISION Ä 3457-24

The Supreme Court concludes that it cannot

be considered compatible with EU law to have a system that means that

criminal convictions are disclosed on a large scale, with the result that a significant
amount of personal data relating to offences can then be processed in a

database and made available to others. In principle, there is then no other

protection for the privacy interest than that which can lie in interventions based

on the media fundamental laws and the Criminal Code. Such a system almost completely undermines

the protection in the processing of data relating to offences that

the Data Protection Regulation aims to provide and cannot be considered to mean that

appropriate safeguards have been established for the rights and

freedoms of the data subjects in the manner required by Article 10 of the Data Protection Regulation.

The assessment that this is not acceptable also applies in relation to

processing that takes place for journalistic purposes or other purposes

referred to in Article 85.

It is therefore not possible to reconcile the Swedish regulation with
the Data Protection Regulation in the manner that the legislator may be presumed to have intended.

The consequences for the examination to be carried out pursuant to Chapter 21, Section 7

of the Public Access and Secrecy Act

Starting points

It is not possible for the Supreme Court to resolve in a single decision

more generally the issues that are associated with the Swedish
regulation of the applicability of the Data Protection Regulation. The Court's task

is to take a position on how the issues in the case should be assessed and then in particular how

Chapter 21, Section 7 of the Public Access and Secrecy Act should be applied.

It may be recalled that the general issues concerning

the lack of protection of the privacy interest when processing

9
3 personal data in the constitutionally protected area are far from new.

3
.
o
D Page 14 (31)

SUPREME COURT DECISION Ä 3457-24

Already in connection with the introduction of the system of voluntary release certificates

in the Freedom of Expression Act, the Constitutional Committee had concerns that

constitutional protection could come to encompass databases that constitute pure
personal registers and that this could conflict with provisions that

have the purpose of protecting personal privacy (cf. bet. 2001/02:KU21

p. 31 f.).

There is also reason to mention here that two proposals have been submitted to the

Riksdag aimed at better balancing the interests of freedom of expression and

freedom of information with the protection of personal data regarding
violations of the law (see Bill 2017/18:49 and Bill 2021/22:59). However, these have

not led to legislation. In addition, proposals have

been submitted again regarding, among other things, this issue (see SOU 2024:75). In

this context, the Swedish Data Protection Authority's legal

position 2024:1 can also be mentioned, which is, however, limited to search services with

proof of publication.

In light of what has now been said, the question arises whether it is

possible to interpret and apply the Swedish regulatory framework in a way that can

be reconciled with the Data Protection Regulation.

The provision in Chapter 1 Section 7, first paragraph, Data Protection Act

As has been stated above, the legislator's intention may be said to have been

that the Data Protection Regulation and the Data Protection Act shall not apply at all to
the constitutionally protected area. However, it can be stated that this

is not expressed in the text of the law. Chapter 1, Section 7, first paragraph

of the Data Protection Act states that the Data Protection Regulation shall not apply "to the

extent that it would conflict with the Freedom of the Press Ordinance or

the Freedom of Expression Act". The wording of the provision thus most likely

9 suggests that the Data Protection Regulation may only give way when there is a conflict
3 between the regulations.
3
.
o
D Page 15 (31)

SUPREME COURT DECISION Ä 3457-24

It should be emphasized that the fact that confidentiality applies to

certain information as a starting point cannot be considered to mean that there is

a conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act.

On the contrary, the Freedom of the Press Ordinance provides that the Riksdag shall be able

to legislate on confidentiality and that confidentiality then also applies in relation to

activities covered by the Freedom of the Press Ordinance or

the Freedom of Expression Act.

There is also reason to note that Chapter 1, Section 7 of the Data Protection Act and

Chapter 21, Section 7 of the Public Access and Secrecy Act, insofar as is currently relevant, were drafted in the same legislative context. The natural

starting point should be that one provision does not exclude

the application of the other. It is also worth noting that there are no

statements in the preparatory work for Chapter 21, Section 7 that concern the issue of whether confidentiality

should apply in relation to activities covered by constitutional protection

under the Freedom of the Press Ordinance or the Freedom of Expression Act.

Against this background, the Supreme Court assesses that

there is scope to interpret Chapter 1, Section 7, first paragraph, of the Data Protection Act so that

the provision does not prevent the requirements of the Data Protection Ordinance from being taken into account when

applying the special confidentiality provision in Chapter 21, Section 7

of the Public Access and Secrecy Act also in the area protected by the constitution.

And such an interpretation should be made regardless of how one views the meaning of

Chapter 1, Section 7, first paragraph, with regard to the issue of whether the regulation can be applied

to the subsequent processing in the activity covered by

constitutional protection.

This means that the authority that has to conduct an examination according to

Chapter 21 Section 7 of the Public Access and Secrecy Act shall assess whether the information

after disclosure can be assumed to be processed in violation of

9
3
3
.
o
D Page 16 (31)

SUPREME COURT DECISION Ä 3457-24

the provisions of the Data Protection Regulation, without taking a position on the

extent to which the Swedish regulation means that the Regulation shall not be applied in

the activities carried out by the person who has requested the information to be disclosed.

The Data Protection Regulation can, in the application of Chapter 21, Section 7, then be seen as an independent yardstick for when confidentiality prevails for information that

would otherwise have been public.

In this way, the requirements of the Regulation can be taken into account when

it is decided whether public documents containing personal data

shall be disclosed.

The provision in Chapter 1 Section 7, second paragraph, Data Protection Act

Chapter 1, Section 7, second paragraph, states that exceptions from the application of the Data Protection Regulation shall be made in principle in all parts where

the Regulation allows for exceptions. More specifically, as

has been stated, Articles 5–30 and 35–50 of the Data Protection Regulation are exempted. Here, the legislator

has more clearly used the procedure for national adaptation that

the Data Protection Regulation specifies in Article 85.

It is clear from the preparatory work that the main purpose of the exception in

the second paragraph has been to ensure that, among other things, journalistic activities

that are not covered by the Freedom of the Press Regulation and the Freedom of Expression Act are exempted from parts of the Data Protection Regulation and

the Data Protection Act. A starting point in the formulation of the provision

has been that exceptions should be introduced to the extent that the regulation

allows it (see Bill 2017/18:105 pp. 44 f. and 187). It can be noted that

the provision – even though it aims to cover activities that are not

covered by the Freedom of the Press Regulation or the Freedom of Expression Act –

according to its wording also covers activities that have constitutional protection.

9
3
3
.
o
D Page 17 (31)

SUPREME COURT DECISION Ä 3457-24

The wording of the second paragraph does not provide the same scope for an interpretation

in accordance with Union law as the first paragraph. However, the two paragraphs must

be seen in context. The second paragraph cannot reasonably be given the

meaning that the exemption from the application of the Data Protection Regulation for
non-constitutionally protected activities will be more far-reaching than the exemption

that concerns the constitutionally protected area.

The second paragraph should therefore, in a similar way to the first paragraph,

be applied so that it does not prevent the Data Protection Regulation from being fully taken into

account in an assessment pursuant to Chapter 21, Section 7 of the Act on Public Access and Secrecy. The

authority that is to carry out the assessment shall thus assess whether the data

after disclosure can be assumed to be processed in violation of
the provisions of the Data Protection Regulation, without taking a position on whether the

exempted articles of the Regulation shall be applied in the activities

conducted by the person who has requested the information to be disclosed.

Summary conclusion

Overall, the above means that Chapter 1 Section 7 of the Data Protection Act –

assessed in the light of Union law – does not prevent the Data Protection Regulation

from being taken into account when applying the confidentiality provision in Chapter 21, Section 7

of the Access to Public Information and Secrecy Act.

The assessment in this case

Does confidentiality apply according to Chapter 21, Section 7 of the Public Access and Secrecy Act?

In order for confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act

to apply to the information that the News Agency Siren has requested to be released,

it is required

that it can be assumed that the information will be processed

9
3
3
.
o
D Page 18 (31)

SUPREME COURT DECISION Ä 3457-24

in a manner that is incompatible with the Data Protection Regulation. The assumption

must be based on the existence of concrete circumstances that indicate this,

but no full assessment of whether the processing that can be assumed
to take place is incompatible with the Data Protection Regulation need be made

(see p. 14). No position shall be taken on the extent to which the Regulation shall

be applied in Siren's operations, but the Regulation shall

be used as an independent yardstick in the assessment (see paragraphs 52 and 57).

Siren has requested the release of a larger number of criminal judgments and other

documents linked to criminal cases, such as decisions, diaries and summons applications. The documents contain information on violations of the law and other

information of a sensitive nature. Siren has repeatedly requested the release of public documents in a similar manner from the Court of Appeal. Against this background, and taking

into account the extensive processing of personal data of this kind that

takes place at Siren, it can be assumed that the personal data contained in the requested

documents will be processed in a manner that is incompatible with Article 10

of the Data Protection Regulation (see paragraph 42). Confidentiality therefore applies to the personal data contained in the documents that have been requested.

Are there conditions for disclosing the documents with reservations?

If an authority finds that such a risk of damage, harm or other

inconvenience that, according to a provision on confidentiality, prevents information

from being disclosed to an individual can be eliminated by a reservation that restricts

the individual's right to disclose the information or use it,

the authority shall make such a reservation when disclosing the information to the individual

(Chapter 10, Section 14, first paragraph, of the Act on Public Access to Information and Secrecy).

It appears clear that the provision is written with

in mind such confidentiality provisions whose application requires consideration

9 of damage, harm or other inconvenience.

There is no reference to such factors

3
3
.
o
D Page 19 (31)

SUPREME COURT DECISION Ä 3457-24

in Chapter 21 § 7 of the Public Access and Secrecy Act, but there is

no exception in Chapter 10, § 14 that means that it cannot

be applied in the case of secrecy according to Chapter 21, § 7. The latter provision is also intended,

like several other confidentiality rules, to protect information about

individuals' personal circumstances. A disclosure of information that is

incompatible with the Data Protection Regulation may therefore be considered to be capable of causing

damage, harm or other inconvenience. Even if the result of a reservation is not

fully the same as in other cases, the provision in Chapter 10, § 14

the first paragraph should therefore also be applicable when secrecy applies according to

Chapter 21, § 7.

Setting a reservation in the case of disclosure of

documents on the basis of Chapter 10, § 14 can be a way of achieving, to some extent, such a balance

between different interests as the Data Protection Regulation requires. This is

particularly true when the interest in freedom of expression and information is to be reconciled with

the right to privacy.

Taking into account the activities carried out by Siren, it can be assumed that

the processing of the data in the requested documents will, to a significant extent

be for journalistic purposes. The documents should therefore, as

the Court of Appeal has found, be disclosed but with a reservation that ensures that the interest in

being able to carry out the journalistic activity is balanced against

the interest in privacy. There is reason to take into account when designing the reservation

that Siren makes available, among other things, editorially processed

news text via its database.

A reasonable balance between the different interests can be achieved if

the reservation is designed so that it aims to prevent the documents –

with the personal data contained in them – from being provided by Siren or that

the data is made searchable by others, but does not prevent personal


9

3

.
o
D Page 20 (31)

SUPREME COURT DECISION Ä 3457-24

the data is used in, for example, news texts or news materials that Siren

produces.

Against this background, there is reason to amend the Court of Appeal's decision

in such a way that the reservation is given the meaning:

– that the documents, regardless of the form, may not be provided

to the public or paying customers if the public or customers

thereby obtain personal names, personal identification numbers or addresses of individuals

and

– that Siren may not otherwise offer the public or paying

customers search options in the documents in a way that provides access to

personal names, personal identification numbers or addresses of individuals.

__________

____________________ ____________________ ____________________

____________________ ____________________

____________________ ____________________

The decision was made by Justices Anders Eka, Henrik Jermsten
(dissenting), Kristina Ståhl, Agneta Bäcklund (dissenting), Thomas Bull
(dissenting), Petter Asp (rapporteur) and Cecilia Renfors.

The rapporteur was the Registrar of Justice Malin Falkmer.

9
3
3
.
o
D Page 21 (31)

SUPREME COURT DECISION Ä 3457-24

DISSENTING OPINION

Justices Henrik Jermsten and Thomas Bull disagree and believe that

the appeal should be upheld. In their opinion, the reasons should be as

follows.

REASONS

Background

1. Panoptes Sweden AB's activities include the collection,

processing, analysis and presentation of information. The company operates

the news agency Siren.

2. Siren is focused on government surveillance and its core business

consists of identifying and collecting information for news and communicating
such information to other news organizations or mass media, such
as newspapers, magazines and broadcast media companies. Since Siren is a news agency

information from Siren's database is covered by constitutional protection according to Chapter 1, Section 4

of the Freedom of Expression Act.

3. Siren has requested from the Court of Appeal to receive a larger number of public

documents in criminal cases, such as judgments, decisions, diaries and
applications for summons.

4. The Court of Appeal has decided to release the requested documents, but

with a reservation. The reservation means that the personal data that appears

in the documents may only be used in journalistic activities and that

personal identity numbers, personal names and addresses of individuals may not

be made available to the public or paying customers through
the database/registers.

9
3
3
.
o
D Page 22 (31)

SUPREME COURT DECISION Ä 3457-24

5. As a reason for the decision, the Court of Appeal stated that it can be assumed that

the information after disclosure will be processed in violation of the EU

Data Protection Regulation. According to the Court of Appeal, the information was therefore confidential in accordance with Chapter 21, Section 7 of the Public Access and Secrecy Act (2009:400)

and the reservation constituted an appropriate protective measure.

On disclosure of judgments, etc.

In order to promote a free exchange of opinion, free and

all-round information and free artistic creation, everyone has the right to access

public documents to the extent that the rules on confidentiality
do not prevent this (Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance).

According to Chapter 21, Section 7 of the Public Access and Secrecy Act, confidentiality applies to

personal data if it can be assumed that the data, after disclosure, will

be processed in violation of the EU Data Protection Regulation or the Act (2018:218)

with supplementary provisions to the EU Data Protection Regulation

(the Data Protection Act).

The current confidentiality provision differs from other confidentiality

provisions in that it does not focus on the data as such,

but on what can be assumed to happen to them after disclosure. An

assessment under the paragraph only needs to be made if there are concrete

circumstances indicating that the recipient will process

the data in a manner that is contrary to data protection regulations, e.g. that it is a matter of a mass extraction. A full assessment of whether the processing

will be contrary to the Data Protection Regulation or the Data Protection Act

does not need to be made. (Cf. Bill 2017/18:105 p. 135 f.)

The Data Protection Regulation sets out in Articles 5 and 6 certain

fundamental requirements for the processing of personal data, including that they
9
3 shall be collected for specific, explicit and legitimate purposes and
3
.
o
D Page 23 (31)

SUPREME COURT DECISION Ä 3457-24

not subsequently processed in a manner that is incompatible with those purposes.

The data shall be processed lawfully, fairly and transparently in relation to the data subject and shall be adequate, relevant and not excessive in relation to the purposes for which they are processed. A further key requirement is that one of the grounds set out in Article 6 must be applicable for the processing of data. Examples of such grounds are that the data subject has given his or her consent or that the processing is necessary for compliance with a legal obligation. Article 9 regulates the processing of certain special categories of personal data. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of such data shall be prohibited unless the data subject has expressly given his or her consent or the processing is necessary for certain specified reasons. Article 10 contains rules specifically aimed at the processing of

personal data relating to criminal convictions, offences which constitute a criminal offence and security measures related thereto. The processing of

such data may be carried out only under the supervision of a public authority or where

processing is authorised by Union or Member State law, which lays down appropriate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept

only under the supervision of a public authority.

According to Article 85 of the Regulation, Member States shall, by law,

reconcile the right to privacy under the Data Protection Regulation with the freedom of expression and

information, including processing for journalistic

purposes or for academic, artistic or literary creation. They shall

further, for processing carried out for such purposes – where necessary

3
3
.
o
D Page 24 (31)

SUPREME COURT DECISION Ä 3457-24

in order to reconcile the right to privacy with the freedom of expression and information –

to establish exceptions or deviations from certain listed parts of

the Regulation, including Articles 5, 6, 9 and 10.

Chapter 1, Section 7, first paragraph of the Data Protection Act states that the Data Protection Regulation and the Data Protection Act shall not be applied to the extent that

it would conflict with the Freedom of the Press Regulation or the Freedom of Expression Act.

The second paragraph of the same section follows that, among other things, Articles 5, 6, 9 and

10 of the Data Protection Regulation shall not be applied to the processing of

personal data for journalistic purposes or for academic,

artistic or literary creation.

The Swedish harmonisation according to Article 85

Initially, it can be stated that an EU regulation is

binding in its entirety and directly applicable in each Member State. According to established practice,

provisions in regulations generally have immediate effects in

national legal orders, without requiring the national

authorities to take any implementing measures (judgment of the Court of Justice of the European Union of

15 May 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483, p. 110

and the case law cited therein).

However, with regard to certain articles of the Data Protection Regulation, these

do not constitute a complete regulation, but the regulation requires

supplementary regulation in national law. This is the case, for example, with regard to

the regulation's requirement for national harmonisation of the regulation's rules

on the protection of personal data with freedom of expression and information.

How freedom of expression, freedom of information and the protection of personal

data should be combined and reconciled is therefore not clear from

the Data Protection Regulation. In addition, there is room for differences
9
3
3
.
o
D Page 25 (31)

THE SUPREME COURT DECISION Ä 3457-24

between Member States regarding the content of provisions that

reconcile the right to the protection of personal data with freedom of expression and

information (judgment of the Court of Justice of the European Union of 24 September 2019,

Google, C-507/17, EU:C:2019:772, p. 69).

It is clear that several Member States have made extensive exceptions to

the provisions of the Data Protection Regulation for journalistic activities (see SOU 2024:75 p. 120 ff. concerning Norway, Denmark and Finland).

In countries such as the Netherlands and Austria, too, in a manner that is

similar to the Swedish regulation in substance, activities that are

journalistic have been excluded from the scope of the regulation.

The picture also includes the fact that when harmonizing according to Article 85
it must be taken into account that the rights in the Charter of Fundamental Rights of the European Union have an equivalent position. The protection of

personal data is regulated in Article 8 and freedom of expression and information

is protected by Article 11. From a Union law perspective, neither

of the rights has a stronger position than the other, but in the event of conflicts,

they must be balanced against each other.

According to Swedish law, the Data Protection Regulation shall not be applied to

the extent that it would conflict with the Freedom of the Press Regulation or
the Freedom of Expression Basic Law (Government Bill 2017/18:105, p. 40 ff.). Furthermore,

among other things, Articles 5, 6, 9 and 10 of the Data Protection Regulation shall not apply to the processing of personal data

for journalistic purposes, even outside the

constitutionally protected area.

Based on Article 85 of the Data Protection Regulation, this position

can be said to mean that the Swedish legislator has deemed it necessary

from a freedom of expression perspective to completely exempt such actors who are covered

9
3
3
.
o
D Page 26 (31)

SUPREME COURT DECISION Ä 3457-24

of constitutional protection from the provisions of the regulation and that the same shall in all

essentials apply to such actors who lack constitutional protection but whose

activities have journalistic purposes. The practical effect of this is that

the processing of personal data is in all essentials unregulated.

In light of the judgments of the Court of Justice of 22 June 2021 in

the case Latvijas Republika Saeima (C-439/19, EU:C:2021:504) and of

7 March 2024 in the case Endemol Shine Finland (C-740/22, EU:C:2024:216), the question can

be asked whether the Swedish regulation constitutes a

balancing of freedom of expression, freedom of information and the protection of

personal data that is fully compatible with Union law.

In the opinion of the Supreme Court, there is reason

to initially note the following regarding the judgments of the Court of Justice of the EU. The former

case concerned the reconciliation under Article 86 of the Data Protection

Regulation between the right to public documents and the right to the protection of

personal data and only concerned Article 85 insofar as it deals

with the right to freedom of information. There was no freedom of expression aspect in the case

and the requirements of Article 85 for national harmonisation based on

that interest were not affected. The decision therefore has no direct relevance to

the current situation.

In the second decision, the European Court of Justice found that respect for

private life and the protection of personal data must be considered to outweigh

the public interest in having access to public documents.

It was further

emphasized that the right to freedom of information under Article 85 of the Data Protection

Regulation should not be interpreted as justifying the disclosure of personal data

relating to criminal convictions to anyone who requests

such information (paragraphs 55 and 56).

9
3
3
.
o
D Page 27 (31)

SUPREME COURT DECISION Ä 3457-24

The reasoning of the EU Court thus focused on the balance of interests

between the protection of personal data regarding violations of the law and the public's

access to public documents and freedom of information in general.

The ruling therefore does not have any direct bearing on situations when an actor requests information of this kind for journalistic purposes.

The conclusion that can be drawn from the EU Court's rulings is that

when reconciling freedom of information and the protection of

personal data, the principle of proportionality must be observed and the national

rules that are introduced must not go beyond what is necessary. What this

means in concrete terms in a context where interests other than those

that were at issue in the two legal cases are in conflict is, however, not given.

Another observation that can be made based on the two cases is that

the EU Court's assessment of whether the harmonisation under Articles 85 and

86 of the Data Protection Regulation is acceptable has been made based on the concrete

circumstances of the individual case. Although the design of a national system must be taken into account at an abstract level, it is the effects in

the concrete case that are decisive for the assessment of whether, for example, the requirement of

proportionality is met or not.

The assessment in this case

In the current case, it concerns a request for

public documents by an actor who has so-called automatic constitutional protection,

i.e. the constitutional protection follows directly from the constitution (Chapter 1, Section 4

of the Freedom of Expression Act).

From a constitutional point of view, this means that the starting point is that Siren

is an actor whose activities may be assumed to be in line with the purpose of

the Swedish Freedom of Expression Act, i.e. to ensure a free exchange of opinions, a free and

9
3
3
.
o
D Page 28 (31)

SUPREME COURT DECISION Ä 3457-24

all-round information and free artistic creation. These are all purposes

that almost completely coincide with the areas where exemptions from

the provisions of the Data Protection Regulation are granted under Article 85.

What is known about Siren's activities is the following. Siren is

a member of the Newspaper Publishers Association. Siren identifies and collects

news material in order to convey such material to other

news organisations or mass media. Siren handles, assesses and

prepares material based on the documents that courts,

authorities and others have disclosed. This processing is in various ways
intended for publication. It is the editorial staff who analyze
the material and make independent news assessments. The
processed material can then be used for publication in other mass media or in
Siren's own database.
It must be considered clear that Siren's collection of personal data is for
journalistic purposes. Although it can therefore be questioned whether
the Swedish regulation constitutes a balance between freedom of expression,
freedom of information and the protection of personal data that in all respects
meets the requirements of Union law, there is nothing to indicate that, with regard to
an actor like Siren, it would not be acceptable to balance
between different interests in accordance with Article 85 of the Data Protection Regulation in the way
that the Swedish legislator has done.
It cannot therefore be considered contrary to Union law to allow constitutional protection to apply in the manner intended by the Swedish legislature to the request for public documents by Siren. As the Court of Appeal has established, the requested documents are public and must be disclosed unless confidentiality applies under Chapter 21, Section 7, of the Access to Public Information and Secrecy Act. According to that section, confidentiality applies to personal data if it can be assumed that the data, after disclosure, will be processed in breach of the Data Protection Regulation. However, it cannot be assumed that Siren will process the personal data contained in the documents requested by Siren in breach of the Data Protection Regulation, since Siren's processing of personal data is not covered by the provisions of the Regulation. Confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act

therefore does not apply. The appeal shall therefore be upheld.

________

7
7
0
d
k
D Page 30 (31)

SUPREME COURT DECISION Ä 3457-24

DISSENTING OPINION

Councillor for Justice Agneta Bäcklund dissents and believes that the case should

be struck off from further proceedings. She believes that the reasons from point 61

onwards should be worded as follows.

61. If an authority finds that such a risk of damage, harm or other

inconvenience that, according to a provision on confidentiality, prevents information

from being provided to an individual can be eliminated by a reservation that restricts

the individual's right to pass on the information or use it,

the authority shall make such a reservation when the information is provided to the individual

(Chapter 10, Section 14, first paragraph, of the Public Access and Secrecy Act).

62. It appears clear that the provision is written with

in mind such confidentiality provisions the application of which requires consideration of

damage, harm or other inconvenience. There is no reference to such factors

in Chapter 21, Section 7 of the Public Access and Secrecy Act.

63. It is difficult to see that a reservation would fully satisfy

the possibility of balancing the interest in privacy and the interest in

carrying out journalistic activities when it comes to the processing of a large

amount of data relating to violations of the law. The risk that the provision in

Chapter 21, Section 7 is intended to prevent – that the data, after disclosure, will

be processed in violation of the Data Protection Regulation – cannot

therefore be eliminated by a reservation.

64. With the interpretation of the relationship between Chapter 1, Section 7 of the Data Protection Act

and Chapter 21, Section 7 that the Supreme Court makes, it is also hardly

possible to issue any regulations on the processing of the data relating to

violations of the law that have been disclosed, without taking a position on Article 10 of

9

3

.
o
D Page 31 (31)

SUPREME COURT DECISION Ä 3457-24

the data protection regulation applies to that processing. A reservation that

means that it is not permitted to disclose certain information does not

appear to be appropriate with regard to the right to freely communicate information on any subject.

65. The conclusion is therefore that there are no conditions for disclosing

the documents with reservations. A release with reservations does not

appear to be an appropriate measure either.

66. Since the documents to which the action relates have been disclosed to Siren with

reservations, the appeal should not give rise to any further action, but

the case should be struck out of further proceedings.

________

9
0
d
k
D