Hd - Ä 3457-24
From GDPRhub
| Hd - Ä 3457-24 | |
|---|---|
 | |
| Court: | Hd (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 10 GDPR Article 85 GDPR Article 86 GDPR Article 5(1)(f) GDPR Chapter 21.7 Public Access to Information and Secrecy Act Chapter 1.7(1) Data Protection Act |
| Decided: | 25.02.2025 |
| Published: | |
| Parties: | Panoptes Sweden AB |
| National Case Number/Name: | Ä 3457-24 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | Swedish |
| Original Source: | Högsta domstolen (in Swedish) |
| Initial Contributor: | elu |
The Supreme Court held that the disclosure of criminal convictions by a court to a news agency could be based on the condition that the agency would not subsequently disclose the personal data with the broad public or paying customers.
English Summary
Facts
Panoptes Sweden AB ("Panoptes") is a news agency, which engages engages in the collection, processing, analysis and presentation of information, including personal data. Panoptes sells the personal data to its customers (e.g. newspapers, magazines and broadcasters). In the course of its business, Panoptes requested the Swedish Court of Appeal to disclose to them a large number of documents related to different people's criminal convictions, to then use them in their capacity as a news agency.
In response to this request, the Court of Appeal required Panoptes to guarantee that the requested documents would will be used for journalistic purposes and that the personal identity numbers, names and addresses of individuals will not be made available to the public or paying customers.
Panoptes filed an appeal against that response of the Court of Appeal to the Supreme Court.
Holding
The Court established that the question to be answered was whether the information requested by Panoptes was confidential and, if so, whether its disclosure could be subject to reservation. This matter concerns the relationship between Chapter 21.7 of the Swedish Public Access to Information and Secrecy Act (hereinafter: the Act) and the GDPR.
Background considerations
Section 7(1) of Chapter 1 of the Swedish Data Protection Act provides that, in data disclosures covered by the Act, there is no need to comply with the GDPR. In fact, requiring GDPR compliance would restrict the authorities' obligations to disclose personal data.
The Court however recognizes that, when applying national law, EU law must be respected. Such an obligation stems from Article 85 GDPR and Article 86 GDPR, requiring to balance freedom of expression and the right of public access to official documents with the right to data protection. It is questionable whether such effective balance exists in instances where a national Act allowing for the indiscriminate disclosure of criminal data excludes the application of the GDPR.
Thus, the protection of personal data will be based exclusively on the possibilities for intervention under the Act, which however, has other purposes than ensuring personal data protection.
The Court's concluded that a system whereby criminal convictions are disclosed on a large scale, resulting in a significant amount of personal data processed in a database and made available to others, is not compatible with EU law.
Assessment
The Court followed a two-tier approach.
1. Does confidentiality apply under Chapter 21.7 of the Freedom of Information and Secrecy Act?
To find whether the principle of confidentiality, as per Article 5(1)(f) GDPR, can be applicable, the Court considered whether it can be assumed that the personal data shared with Panoptes will not subsequently be processed in a way that is incompatible with the GDPR.
In this case, Panoptes requested a large number of criminal convictions and other documents related to criminal cases, such as decisions, diary sheets and summons applications.
Thus, the Court considered that the personal data contained in the requested documents will be processed in a way that is incompatible with Article 10 GDPR, meaning that confidentiality applies to the personal data contained in the documents requested.
2. Are there conditions for conditional release of the documents?
The Court found that the risk of damage, harm or other inconvenience which, according to a provision on confidentiality, prevents the disclosure of information to somebody, can be balanced out by a restriction requiring that an individual's right to pass on the information or use it.
Thus, a law shall be written with a view to those confidentiality provisions whose application requires consideration of damage, harm or other inconvenience. This is not the case for Chapter 21.7 of the Act.
Given the nature of Panoptes’ activities, it can be assumed that the data in the requested documents will be processed to a significant extent for journalistic purposes.
In conclusion, the documents should be disclosed, with a reservation which balances the interest of Panoptes to carry out journalistic activities against the interest of individual to have their right to privacy respected. There is reason to take into account that Panoptes publishes editorially processed news text through its database.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Page 1 (31) SUPREME COURT DECISION Case no announced in Stockholm on 25 February 2025 Ä 3457-24 PARTIES Appellant Panoptes Sweden AB, 559199-4503 Nyhetsbyrån Siren Box 4211 102 65 Stockholm Representatives: Lawyers UI and EK and lawyer GT THE CASE Disclosure of public document APPEALDED DECISION Upper Norrland Court of Appeal decision 2024-04-09, dnr 2024/91 __________ 9 3 Visiting address Opening hours Postal address E-mail 3 Riddarhustorget 8 Monday–Friday Supreme Court hogsta.domstolen@dom.se . Telephone 08:45–12:00 Box 2066 Website o 08-561 666 00 13:15–15:00 103 12 Stockholm www.hogstadomstolen.se D Page 2 (31) SUPREME COURT DECISION Ä 3457-24 SUPREME COURT DECISION The reservation decided by the Court of Appeal shall be amended to mean: – that the documents, regardless of the form, may not be provided to the public or paying customers if the public or customers thereby obtain personal names, personal identification numbers or addresses of individuals and – that Siren may not otherwise offer the public or paying customers search options in the documents in a way that provides access to personal names, personal identification numbers or addresses of individuals. APPLICATIONS IN THE SUPREME COURT Panoptes Sweden AB has requested that the Supreme Court overturn the Court of Appeal's decision and grant the company's request to access the requested documents without reservation. REASON Background Panoptes Sweden AB's operations include the collection, processing, analysis and presentation of information. The company operates the Siren News Agency. Siren's core business consists of identifying and collecting data for news and communicating such data to other news organizations or mass media, such as newspapers, magazines and broadcast media companies. Since Siren is a news agency, the database (siren.se) where, among other things, criminal convictions are provided is covered by constitutional protection according to Chapter 1, Section 4 of the Swedish Freedom of Expression Act. 9 3 3 . o D Page 3 (31) SUPREME COURT DECISION Ä 3457-24 Siren has requested from the Court of Appeal to access a larger number of public documents in criminal cases, such as judgments, decisions, diaries and summons applications. The Court of Appeal has decided that the requested documents shall be disclosed, but with the following reservation. The personal data that appears from the documents may only be used in journalistic activities and personal identity numbers, personal names and addresses of individuals may not be provided to the public or paying customers through the database or registers. As a reason for the decision, the Court of Appeal stated that it can be assumed that the information will be processed in violation of the EU Data Protection Regulation after disclosure. According to the Court of Appeal, the confidentiality of the information according to Chapter 21 7 § of the Public Access and Secrecy Act (2009:400) and reservations constituted an appropriate protective measure. The company has appealed the decision to the Supreme Court. (No leave to appeal is required, cf. Chapter 54 § 9 of the Code of Judicial Procedure and “Journal of the Court of Appeal” NJA 2015 p. 180 p. 5–7.) The case in the Supreme Court The case concerns the question of whether the requested information is confidential and, if so, whether the information should be disclosed with reservations. The case raises the relationship between Chapter 21 § 7 of the Public Access and Secrecy Act, Chapter 1 § 7 of the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (hereinafter the Data Protection Act) and the rules in the Data Protection Regulation. 9 1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of 0 natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). k D Page 4 (31) SUPREME COURT DECISION Ä 3457-24 On disclosure of judgments and other court documents Everyone has the right, in order to promote the free exchange of opinions, free and comprehensive information and free artistic creation, to access public documents to the extent that this is not prevented by the rules on confidentiality (see Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance). Rules on confidentiality are contained in the Public Access and Secrecy Act. Confidentiality means that it is prohibited to disclose the information that is subject to confidentiality, regardless of whether it is done orally, by disclosing a public document or in any other way (see Chapter 3, Section 1 of the Public Access and Secrecy Act). The starting point is that criminal judgments are public. If a piece of information is included in a court judgment, any confidentiality for the information ceases to apply, unless the court decides to continue the confidentiality (cf. Chapter 43, Section 8 of the Public Access and Secrecy Act). In line with this, criminal judgments have generally been disclosed to the person who has requested it, even when it has involved a larger quantity. Other documents with links to criminal cases, such as diaries and minutes, are also regularly disclosed, unless there is a special confidentiality provision that applies to the information in them. As is clear from the Court of Appeal's decision, however, the question has been raised to what extent Chapter 21, Section 7 of the Public Access and Secrecy Act, which refers to the Data Protection Regulation – or the Data Protection Regulation as such – can constitute an obstacle to disclosing such documents. 9 3 3 . o D Page 5 (31) SUPREME COURT DECISION Ä 3457-24 The provision in Chapter 21, Section 7 of the Public Access and Secrecy Act According to Chapter 21, Section 7 of the Public Access and Secrecy Act, confidentiality applies to personal data if it can be assumed that the data, after disclosure will be processed in violation of the Data Protection Regulation or the Data Protection Act. The confidentiality provision in Chapter 21 Section 7 differs from other confidentiality provisions in that it does not focus on the data as such, but on what can be assumed to happen to them after disclosure. According to the provision, the disclosing authority must take into account what can be assumed about the upcoming processing and its nature. A similar provision has existed since 1973. The provision was then motivated, among other things, by the need to create some control over the possibility of collecting personal data from existing registers to build up new registers for purposes other than the original ones (see Bill 1973:33 p. 100 f.). An assessment according to the section only needs to be made if there are concrete circumstances indicating that the recipient will process the data in a way that is in conflict with the data protection regulation, e.g. that it is a matter of mass extraction. A full assessment of whether the processing will conflict with the Data Protection Regulation or the Data Protection Act need not be made. (Cf. Bill 2017/18:105 p. 135 f.) Data Protection Regulation The Data Protection Regulation is binding and directly applicable in all EU Member States (see Article 288, second paragraph, of the Treaty on the Functioning of the European Union). The Regulation was introduced to guarantee, among other things, a uniform and high level of protection for natural persons that is equivalent in all Member States. It should be seen in the light of the fact that the protection of natural persons at 9 3 3 . o D Page 6 (31) SUPREME COURT DECISION Ä 3457-24 processing of personal data is a fundamental right according to the Charter of Fundamental Rights of the European Union. (Cf. the Data Protection Regulation, recitals 1 and 10; cf. also Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the European Union.) Article 5 of the Data Protection Regulation states that certain fundamental principles shall be observed when processing personal data. These principles include that the data shall be processed lawfully, fairly and transparently and that they shall be adequate, relevant and not excessive in relation to the purposes for which they are processed. Furthermore, they shall not be kept in a form which permits identification of the data subject for longer than is necessary for the purposes for which the personal data are processed and may be stored for longer periods only for certain purposes. The principles set out in Article 5 are supplemented in Article 6 by more specific requirements that must be met in order for the processing of data to be lawful. A key requirement is that one of the grounds set out in that article must be applicable for the processing of data. Examples of such grounds are that the data subject has given his or her consent or that the processing is necessary for compliance with a legal obligation. Article 9 regulates the processing of certain special categories of personal data. This applies, among other things, to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of such data is prohibited unless the data subject has explicitly given his or her consent or the processing is necessary for certain specified reasons. 9 3 3 . o D Page 7 (31) SUPREME COURT DECISION Ä 3457-24 Article 10 contains rules specifically aimed at the processing of personal data relating to criminal convictions, offences constituting a criminal offence and related security measures. The processing of such data may be carried out only under the supervision of a public authority or when processing is permitted by Union law or the national law of the Member States, which lays down appropriate safeguards for the rights and freedoms of the data subjects. A complete register of criminal convictions may be kept only under the supervision of a public authority. (On the interpretation of the CJEU of the concepts of offences and convictions, see the judgment of the Court of Justice of 24 September 2019, GC and Others, C-136/17, EU:C:2019:773, p. 72.) The purpose of Article 10 is to ensure increased protection against such processing of personal data which, due to the particularly sensitive nature of the data, may constitute a particularly serious interference with the fundamental right to respect for private life and the protection of personal data as set out in Articles 7 and 8 of the EU Charter of Rights (see the judgment of the CJEU of 22 June 2021, Latvijas Republikas Saeima, C-439/19, EU:C:2021:504, p. 74). According to Article 85 of the GDPR, Member States shall, by law, reconcile the right to privacy under the Regulation with the freedom of expression and information. They shall also – where necessary to reconcile the right to privacy with the freedom of expression and information – provide for exceptions or derogations from certain listed parts of the Regulation (including Article 10) for certain processing operations, such as those carried out for journalistic purposes. The case-law of the Court of Justice of the European Union (CJEU) shows that the expression processing for journalistic purposes is to be interpreted broadly. It includes, among other things, the dissemination of information, opinions or ideas to the public. The technology used 9 3 3 . o D Page 8 (31) SUPREME COURT DECISION Ä 3457-24 or whether the activity is carried out for profit does not affect the assessment. Processing of personal data which involves the commercial provision of material that has been collected from public authorities in an unaltered form may also constitute processing for journalistic purposes. (See the judgment of the Court of Justice of 16 December 2008, Satakunnan Markkinapörssi and Satamedia, C-73/07, EU:C:2008:727, pp. 55–62.) In order to reconcile the public's right of access to public documents with the right to the protection of personal data under the Regulation, public authorities may, inter alia, in accordance with the applicable Union or Member State law, disclose personal data in public documents (see Article 86). There is therefore scope under Articles 85 and 86 of the Regulation to restrict the right to the protection of personal data, but only provided that the restrictions are provided for by law, are compatible with the essence of the fundamental rights and meet the requirements arising from the principle of proportionality of EU law. This means, among other things, that the restrictions may not go beyond what is strictly necessary, and it is also assumed that there are clear and precise provisions regulating the scope and application of the exceptions. (Cf. e.g. Latvijas Republikas Saeima, pp. 105 and 106 with further references.) This means that it is assumed that the protection of personal data may vary between Member States. However, it is not certain that the balancing of different interests that has been made is acceptable under EU law. 9 3 3 . o D Page 9 (31) SUPREME COURT DECISION Ä 3457-24 Data Protection Act The Data Protection Act contains supplementary provisions to the Data Protection Regulation. Chapter 1, Section 7, first paragraph, stipulates that the Data Protection Regulation and the Data Protection Act shall not be applied to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. The provision covers not only such application of data protection regulation that would conflict with freedom of the press and expression, but also such that would conflict with the principle of publicity (cf. Bill 2017/18:105 p. 43). The second paragraph of the section states that Articles 5–30 and 35–50 of the Data Protection Regulation and Chapters 2–5 The Data Protection Act shall not apply to the processing of personal data for journalistic purposes or for academic, artistic or literary creation. In the case, it is primarily the exception for journalistic purposes that is of interest. The expression processing for journalistic purposes shall be given the same meaning as under Union law (see p. 22, cf. “The Foundation’s website” NJA 2001 p. 409). Rulings from the Court of Justice In a couple of rulings, the Court of Justice of the EU has dealt with issues that have concerned the disclosure of personal data by authorities in relation to, among other Article 10 of the Data Protection Regulation. In the case of Latvijas Republikas Saeima, the Court of Justice found that the provisions of the Data Protection Regulation preclude national legislation which requires a public body responsible for a register containing information on the fines imposed on drivers for traffic violations to make the information available to the public, without the 9 3 3 . o D Page 10 (31) SUPREME COURT DECISION Ä 3457-24 requesting access to the data needs to demonstrate that he or she has a particular interest in obtaining it. The Data Protection Regulation was also considered to constitute an obstacle to the public body transferring such data to economic operators for further use, so that anyone wishing to receive information about any hacking can turn directly to these operators and obtain the data. (See Latvijas Republikas Saeima, pp. 122 and 129.) When examining whether the national rules could be considered compatible with the Data Protection Regulation, an assessment was made of whether these, which thus entailed a limitation of the protection in the Data Protection Regulation, were necessary and proportionate in relation to the objectives pursued by the regulation. In that assessment, the Court took into account both the right to freedom of information under Article 85 and the public's right of access to public documents under Article 86, but found that the right to the protection of such personal data must be considered to outweigh it. (See Latvijas Republika Saeima, pp. 102–121 and 126.) In a later judgment, the Court of Justice of the European Union has similarly held that the Data Protection Regulation prevents information on criminal convictions of natural persons in a register kept by a court from being disclosed to anyone in order to ensure public access to public documents, without the person requesting the disclosure having to demonstrate that the person has a particular interest in obtaining the information. (Judgment of the Court of Justice of 7 March 2024, C-740/22, Endemol Shine Finland, EU:C:2024:216, p. 58.) Compatibility of the Swedish system with EU law The Supreme Court must decide whether, and if so in what way, the examination of a request for public documents that 9 contain information about violations of the law is affected by the Data Protection Regulation. 3 3 . o D Page 11 (31) SUPREME COURT DECISION Ä 3457-24 As is clear from the foregoing, Chapter 1, Section 7, first paragraph of the Data Protection Act provides that that Act and the Data Protection Regulation shall not be applied to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. The legislator's intention with the provision can be said to have been that the Data Protection Regulation and the Data Protection Act should not be applied to the constitutionally protected area at all. This would mean that in an activity covered by the Freedom of the Press Regulation or the Freedom of Expression Act, one would not have to comply with the Data Protection Regulation and that the regulation would not restrict the authorities' obligations to disclose personal data. (Cf. Bill 2017/18:105 p. 40 ff., also cf. Bill 1997/98:44 p. 43 ff. regarding the previously applicable regulation.) With such a starting point, it is consistent to interpret Chapter 21, Section 7 of the Public Access and Secrecy Act in such a way that secrecy according to the provision cannot exist in these cases; the provision presupposes an assessment of what can be assumed about the compatibility of the upcoming processing with the data protection regulation. The same applies to cases where the exception in Chapter 1, Section 7 the second paragraph of the Data Protection Act is applicable, e.g. when processing personal data for journalistic purposes outside the constitutionally protected area. The paragraph stipulates that in such processing, several of the central provisions of the Data Protection Regulation, including Articles 5–10, shall not apply. However, when applying national regulation, the requirements of Union law must be taken into account. According to Articles 85 and 9 86 of the Data Protection Regulation, the Member States must, of course, balance the interest 3 3 . o D Page 12 (31) SUPREME COURT DECISION Ä 3457-24 of freedom of expression and information and the public's right to access public documents on the one hand, and the right to the protection of personal data on the other. However, it is questionable whether a regulation that means that personal data about violations of the law are to be disclosed on a large scale while the data protection regulation does not apply at all – or only to some extent – to the subsequent processing of the data, can be reconciled with the requirements of EU law. Criminal judgments contain many different types of sensitive information. They do not only contain personal data about the accused and the convicted, the crimes to which a judgment relates and the possible penalty imposed. They also contain a large number of other personal data, including about the injured party and witnesses and about circumstances surrounding the accused events that can be linked to different people. Regarding Chapter 1 If Section 7, first paragraph of the Data Protection Act is understood in the way that the legislator may be said to have intended, the regulation means that the protection of these personal data – in the constitutionally protected area – will exclusively be based on the possibilities for intervention provided for in the Freedom of the Press Ordinance and the Freedom of Expression Act, which basically have other purposes than creating personal data protection. If the provision is understood in this way, there are also no rules on how personal data may be processed or any conditions for exercising supervision with regard to information about violations of the law. Also in the cases referred to in Chapter 1, Section 7, second paragraph, such regulation means (see paragraphs 35–37) that the protection of personal data will to a very large extent have to take precedence over the interest in freedom of expression and information. 9 3 3 . o D Page 13 (31) SUPREME COURT DECISION Ä 3457-24 The Supreme Court concludes that it cannot be considered compatible with EU law to have a system that means that criminal convictions are disclosed on a large scale, with the result that a significant amount of personal data relating to offences can then be processed in a database and made available to others. In principle, there is then no other protection for the privacy interest than that which can lie in interventions based on the media fundamental laws and the Criminal Code. Such a system almost completely undermines the protection in the processing of data relating to offences that the Data Protection Regulation aims to provide and cannot be considered to mean that appropriate safeguards have been established for the rights and freedoms of the data subjects in the manner required by Article 10 of the Data Protection Regulation. The assessment that this is not acceptable also applies in relation to processing that takes place for journalistic purposes or other purposes referred to in Article 85. It is therefore not possible to reconcile the Swedish regulation with the Data Protection Regulation in the manner that the legislator may be presumed to have intended. The consequences for the examination to be carried out pursuant to Chapter 21, Section 7 of the Public Access and Secrecy Act Starting points It is not possible for the Supreme Court to resolve in a single decision more generally the issues that are associated with the Swedish regulation of the applicability of the Data Protection Regulation. The Court's task is to take a position on how the issues in the case should be assessed and then in particular how Chapter 21, Section 7 of the Public Access and Secrecy Act should be applied. It may be recalled that the general issues concerning the lack of protection of the privacy interest when processing 9 3 personal data in the constitutionally protected area are far from new. 3 . o D Page 14 (31) SUPREME COURT DECISION Ä 3457-24 Already in connection with the introduction of the system of voluntary release certificates in the Freedom of Expression Act, the Constitutional Committee had concerns that constitutional protection could come to encompass databases that constitute pure personal registers and that this could conflict with provisions that have the purpose of protecting personal privacy (cf. bet. 2001/02:KU21 p. 31 f.). There is also reason to mention here that two proposals have been submitted to the Riksdag aimed at better balancing the interests of freedom of expression and freedom of information with the protection of personal data regarding violations of the law (see Bill 2017/18:49 and Bill 2021/22:59). However, these have not led to legislation. In addition, proposals have been submitted again regarding, among other things, this issue (see SOU 2024:75). In this context, the Swedish Data Protection Authority's legal position 2024:1 can also be mentioned, which is, however, limited to search services with proof of publication. In light of what has now been said, the question arises whether it is possible to interpret and apply the Swedish regulatory framework in a way that can be reconciled with the Data Protection Regulation. The provision in Chapter 1 Section 7, first paragraph, Data Protection Act As has been stated above, the legislator's intention may be said to have been that the Data Protection Regulation and the Data Protection Act shall not apply at all to the constitutionally protected area. However, it can be stated that this is not expressed in the text of the law. Chapter 1, Section 7, first paragraph of the Data Protection Act states that the Data Protection Regulation shall not apply "to the extent that it would conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act". The wording of the provision thus most likely 9 suggests that the Data Protection Regulation may only give way when there is a conflict 3 between the regulations. 3 . o D Page 15 (31) SUPREME COURT DECISION Ä 3457-24 It should be emphasized that the fact that confidentiality applies to certain information as a starting point cannot be considered to mean that there is a conflict with the Freedom of the Press Ordinance or the Freedom of Expression Act. On the contrary, the Freedom of the Press Ordinance provides that the Riksdag shall be able to legislate on confidentiality and that confidentiality then also applies in relation to activities covered by the Freedom of the Press Ordinance or the Freedom of Expression Act. There is also reason to note that Chapter 1, Section 7 of the Data Protection Act and Chapter 21, Section 7 of the Public Access and Secrecy Act, insofar as is currently relevant, were drafted in the same legislative context. The natural starting point should be that one provision does not exclude the application of the other. It is also worth noting that there are no statements in the preparatory work for Chapter 21, Section 7 that concern the issue of whether confidentiality should apply in relation to activities covered by constitutional protection under the Freedom of the Press Ordinance or the Freedom of Expression Act. Against this background, the Supreme Court assesses that there is scope to interpret Chapter 1, Section 7, first paragraph, of the Data Protection Act so that the provision does not prevent the requirements of the Data Protection Ordinance from being taken into account when applying the special confidentiality provision in Chapter 21, Section 7 of the Public Access and Secrecy Act also in the area protected by the constitution. And such an interpretation should be made regardless of how one views the meaning of Chapter 1, Section 7, first paragraph, with regard to the issue of whether the regulation can be applied to the subsequent processing in the activity covered by constitutional protection. This means that the authority that has to conduct an examination according to Chapter 21 Section 7 of the Public Access and Secrecy Act shall assess whether the information after disclosure can be assumed to be processed in violation of 9 3 3 . o D Page 16 (31) SUPREME COURT DECISION Ä 3457-24 the provisions of the Data Protection Regulation, without taking a position on the extent to which the Swedish regulation means that the Regulation shall not be applied in the activities carried out by the person who has requested the information to be disclosed. The Data Protection Regulation can, in the application of Chapter 21, Section 7, then be seen as an independent yardstick for when confidentiality prevails for information that would otherwise have been public. In this way, the requirements of the Regulation can be taken into account when it is decided whether public documents containing personal data shall be disclosed. The provision in Chapter 1 Section 7, second paragraph, Data Protection Act Chapter 1, Section 7, second paragraph, states that exceptions from the application of the Data Protection Regulation shall be made in principle in all parts where the Regulation allows for exceptions. More specifically, as has been stated, Articles 5–30 and 35–50 of the Data Protection Regulation are exempted. Here, the legislator has more clearly used the procedure for national adaptation that the Data Protection Regulation specifies in Article 85. It is clear from the preparatory work that the main purpose of the exception in the second paragraph has been to ensure that, among other things, journalistic activities that are not covered by the Freedom of the Press Regulation and the Freedom of Expression Act are exempted from parts of the Data Protection Regulation and the Data Protection Act. A starting point in the formulation of the provision has been that exceptions should be introduced to the extent that the regulation allows it (see Bill 2017/18:105 pp. 44 f. and 187). It can be noted that the provision – even though it aims to cover activities that are not covered by the Freedom of the Press Regulation or the Freedom of Expression Act – according to its wording also covers activities that have constitutional protection. 9 3 3 . o D Page 17 (31) SUPREME COURT DECISION Ä 3457-24 The wording of the second paragraph does not provide the same scope for an interpretation in accordance with Union law as the first paragraph. However, the two paragraphs must be seen in context. The second paragraph cannot reasonably be given the meaning that the exemption from the application of the Data Protection Regulation for non-constitutionally protected activities will be more far-reaching than the exemption that concerns the constitutionally protected area. The second paragraph should therefore, in a similar way to the first paragraph, be applied so that it does not prevent the Data Protection Regulation from being fully taken into account in an assessment pursuant to Chapter 21, Section 7 of the Act on Public Access and Secrecy. The authority that is to carry out the assessment shall thus assess whether the data after disclosure can be assumed to be processed in violation of the provisions of the Data Protection Regulation, without taking a position on whether the exempted articles of the Regulation shall be applied in the activities conducted by the person who has requested the information to be disclosed. Summary conclusion Overall, the above means that Chapter 1 Section 7 of the Data Protection Act – assessed in the light of Union law – does not prevent the Data Protection Regulation from being taken into account when applying the confidentiality provision in Chapter 21, Section 7 of the Access to Public Information and Secrecy Act. The assessment in this case Does confidentiality apply according to Chapter 21, Section 7 of the Public Access and Secrecy Act? In order for confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act to apply to the information that the News Agency Siren has requested to be released, it is required that it can be assumed that the information will be processed 9 3 3 . o D Page 18 (31) SUPREME COURT DECISION Ä 3457-24 in a manner that is incompatible with the Data Protection Regulation. The assumption must be based on the existence of concrete circumstances that indicate this, but no full assessment of whether the processing that can be assumed to take place is incompatible with the Data Protection Regulation need be made (see p. 14). No position shall be taken on the extent to which the Regulation shall be applied in Siren's operations, but the Regulation shall be used as an independent yardstick in the assessment (see paragraphs 52 and 57). Siren has requested the release of a larger number of criminal judgments and other documents linked to criminal cases, such as decisions, diaries and summons applications. The documents contain information on violations of the law and other information of a sensitive nature. Siren has repeatedly requested the release of public documents in a similar manner from the Court of Appeal. Against this background, and taking into account the extensive processing of personal data of this kind that takes place at Siren, it can be assumed that the personal data contained in the requested documents will be processed in a manner that is incompatible with Article 10 of the Data Protection Regulation (see paragraph 42). Confidentiality therefore applies to the personal data contained in the documents that have been requested. Are there conditions for disclosing the documents with reservations? If an authority finds that such a risk of damage, harm or other inconvenience that, according to a provision on confidentiality, prevents information from being disclosed to an individual can be eliminated by a reservation that restricts the individual's right to disclose the information or use it, the authority shall make such a reservation when disclosing the information to the individual (Chapter 10, Section 14, first paragraph, of the Act on Public Access to Information and Secrecy). It appears clear that the provision is written with in mind such confidentiality provisions whose application requires consideration 9 of damage, harm or other inconvenience. There is no reference to such factors 3 3 . o D Page 19 (31) SUPREME COURT DECISION Ä 3457-24 in Chapter 21 § 7 of the Public Access and Secrecy Act, but there is no exception in Chapter 10, § 14 that means that it cannot be applied in the case of secrecy according to Chapter 21, § 7. The latter provision is also intended, like several other confidentiality rules, to protect information about individuals' personal circumstances. A disclosure of information that is incompatible with the Data Protection Regulation may therefore be considered to be capable of causing damage, harm or other inconvenience. Even if the result of a reservation is not fully the same as in other cases, the provision in Chapter 10, § 14 the first paragraph should therefore also be applicable when secrecy applies according to Chapter 21, § 7. Setting a reservation in the case of disclosure of documents on the basis of Chapter 10, § 14 can be a way of achieving, to some extent, such a balance between different interests as the Data Protection Regulation requires. This is particularly true when the interest in freedom of expression and information is to be reconciled with the right to privacy. Taking into account the activities carried out by Siren, it can be assumed that the processing of the data in the requested documents will, to a significant extent be for journalistic purposes. The documents should therefore, as the Court of Appeal has found, be disclosed but with a reservation that ensures that the interest in being able to carry out the journalistic activity is balanced against the interest in privacy. There is reason to take into account when designing the reservation that Siren makes available, among other things, editorially processed news text via its database. A reasonable balance between the different interests can be achieved if the reservation is designed so that it aims to prevent the documents – with the personal data contained in them – from being provided by Siren or that the data is made searchable by others, but does not prevent personal 9 3 . o D Page 20 (31) SUPREME COURT DECISION Ä 3457-24 the data is used in, for example, news texts or news materials that Siren produces. Against this background, there is reason to amend the Court of Appeal's decision in such a way that the reservation is given the meaning: – that the documents, regardless of the form, may not be provided to the public or paying customers if the public or customers thereby obtain personal names, personal identification numbers or addresses of individuals and – that Siren may not otherwise offer the public or paying customers search options in the documents in a way that provides access to personal names, personal identification numbers or addresses of individuals. __________ ____________________ ____________________ ____________________ ____________________ ____________________ ____________________ ____________________ The decision was made by Justices Anders Eka, Henrik Jermsten (dissenting), Kristina Ståhl, Agneta Bäcklund (dissenting), Thomas Bull (dissenting), Petter Asp (rapporteur) and Cecilia Renfors. The rapporteur was the Registrar of Justice Malin Falkmer. 9 3 3 . o D Page 21 (31) SUPREME COURT DECISION Ä 3457-24 DISSENTING OPINION Justices Henrik Jermsten and Thomas Bull disagree and believe that the appeal should be upheld. In their opinion, the reasons should be as follows. REASONS Background 1. Panoptes Sweden AB's activities include the collection, processing, analysis and presentation of information. The company operates the news agency Siren. 2. Siren is focused on government surveillance and its core business consists of identifying and collecting information for news and communicating such information to other news organizations or mass media, such as newspapers, magazines and broadcast media companies. Since Siren is a news agency information from Siren's database is covered by constitutional protection according to Chapter 1, Section 4 of the Freedom of Expression Act. 3. Siren has requested from the Court of Appeal to receive a larger number of public documents in criminal cases, such as judgments, decisions, diaries and applications for summons. 4. The Court of Appeal has decided to release the requested documents, but with a reservation. The reservation means that the personal data that appears in the documents may only be used in journalistic activities and that personal identity numbers, personal names and addresses of individuals may not be made available to the public or paying customers through the database/registers. 9 3 3 . o D Page 22 (31) SUPREME COURT DECISION Ä 3457-24 5. As a reason for the decision, the Court of Appeal stated that it can be assumed that the information after disclosure will be processed in violation of the EU Data Protection Regulation. According to the Court of Appeal, the information was therefore confidential in accordance with Chapter 21, Section 7 of the Public Access and Secrecy Act (2009:400) and the reservation constituted an appropriate protective measure. On disclosure of judgments, etc. In order to promote a free exchange of opinion, free and all-round information and free artistic creation, everyone has the right to access public documents to the extent that the rules on confidentiality do not prevent this (Chapter 2, Sections 1 and 2 of the Freedom of the Press Ordinance). According to Chapter 21, Section 7 of the Public Access and Secrecy Act, confidentiality applies to personal data if it can be assumed that the data, after disclosure, will be processed in violation of the EU Data Protection Regulation or the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (the Data Protection Act). The current confidentiality provision differs from other confidentiality provisions in that it does not focus on the data as such, but on what can be assumed to happen to them after disclosure. An assessment under the paragraph only needs to be made if there are concrete circumstances indicating that the recipient will process the data in a manner that is contrary to data protection regulations, e.g. that it is a matter of a mass extraction. A full assessment of whether the processing will be contrary to the Data Protection Regulation or the Data Protection Act does not need to be made. (Cf. Bill 2017/18:105 p. 135 f.) The Data Protection Regulation sets out in Articles 5 and 6 certain fundamental requirements for the processing of personal data, including that they 9 3 shall be collected for specific, explicit and legitimate purposes and 3 . o D Page 23 (31) SUPREME COURT DECISION Ä 3457-24 not subsequently processed in a manner that is incompatible with those purposes. The data shall be processed lawfully, fairly and transparently in relation to the data subject and shall be adequate, relevant and not excessive in relation to the purposes for which they are processed. A further key requirement is that one of the grounds set out in Article 6 must be applicable for the processing of data. Examples of such grounds are that the data subject has given his or her consent or that the processing is necessary for compliance with a legal obligation. Article 9 regulates the processing of certain special categories of personal data. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of such data shall be prohibited unless the data subject has expressly given his or her consent or the processing is necessary for certain specified reasons. Article 10 contains rules specifically aimed at the processing of personal data relating to criminal convictions, offences which constitute a criminal offence and security measures related thereto. The processing of such data may be carried out only under the supervision of a public authority or where processing is authorised by Union or Member State law, which lays down appropriate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the supervision of a public authority. According to Article 85 of the Regulation, Member States shall, by law, reconcile the right to privacy under the Data Protection Regulation with the freedom of expression and information, including processing for journalistic purposes or for academic, artistic or literary creation. They shall further, for processing carried out for such purposes – where necessary 3 3 . o D Page 24 (31) SUPREME COURT DECISION Ä 3457-24 in order to reconcile the right to privacy with the freedom of expression and information – to establish exceptions or deviations from certain listed parts of the Regulation, including Articles 5, 6, 9 and 10. Chapter 1, Section 7, first paragraph of the Data Protection Act states that the Data Protection Regulation and the Data Protection Act shall not be applied to the extent that it would conflict with the Freedom of the Press Regulation or the Freedom of Expression Act. The second paragraph of the same section follows that, among other things, Articles 5, 6, 9 and 10 of the Data Protection Regulation shall not be applied to the processing of personal data for journalistic purposes or for academic, artistic or literary creation. The Swedish harmonisation according to Article 85 Initially, it can be stated that an EU regulation is binding in its entirety and directly applicable in each Member State. According to established practice, provisions in regulations generally have immediate effects in national legal orders, without requiring the national authorities to take any implementing measures (judgment of the Court of Justice of the European Union of 15 May 2021, Facebook Ireland and Others, C-645/19, EU:C:2021:483, p. 110 and the case law cited therein). However, with regard to certain articles of the Data Protection Regulation, these do not constitute a complete regulation, but the regulation requires supplementary regulation in national law. This is the case, for example, with regard to the regulation's requirement for national harmonisation of the regulation's rules on the protection of personal data with freedom of expression and information. How freedom of expression, freedom of information and the protection of personal data should be combined and reconciled is therefore not clear from the Data Protection Regulation. In addition, there is room for differences 9 3 3 . o D Page 25 (31) THE SUPREME COURT DECISION Ä 3457-24 between Member States regarding the content of provisions that reconcile the right to the protection of personal data with freedom of expression and information (judgment of the Court of Justice of the European Union of 24 September 2019, Google, C-507/17, EU:C:2019:772, p. 69). It is clear that several Member States have made extensive exceptions to the provisions of the Data Protection Regulation for journalistic activities (see SOU 2024:75 p. 120 ff. concerning Norway, Denmark and Finland). In countries such as the Netherlands and Austria, too, in a manner that is similar to the Swedish regulation in substance, activities that are journalistic have been excluded from the scope of the regulation. The picture also includes the fact that when harmonizing according to Article 85 it must be taken into account that the rights in the Charter of Fundamental Rights of the European Union have an equivalent position. The protection of personal data is regulated in Article 8 and freedom of expression and information is protected by Article 11. From a Union law perspective, neither of the rights has a stronger position than the other, but in the event of conflicts, they must be balanced against each other. According to Swedish law, the Data Protection Regulation shall not be applied to the extent that it would conflict with the Freedom of the Press Regulation or the Freedom of Expression Basic Law (Government Bill 2017/18:105, p. 40 ff.). Furthermore, among other things, Articles 5, 6, 9 and 10 of the Data Protection Regulation shall not apply to the processing of personal data for journalistic purposes, even outside the constitutionally protected area. Based on Article 85 of the Data Protection Regulation, this position can be said to mean that the Swedish legislator has deemed it necessary from a freedom of expression perspective to completely exempt such actors who are covered 9 3 3 . o D Page 26 (31) SUPREME COURT DECISION Ä 3457-24 of constitutional protection from the provisions of the regulation and that the same shall in all essentials apply to such actors who lack constitutional protection but whose activities have journalistic purposes. The practical effect of this is that the processing of personal data is in all essentials unregulated. In light of the judgments of the Court of Justice of 22 June 2021 in the case Latvijas Republika Saeima (C-439/19, EU:C:2021:504) and of 7 March 2024 in the case Endemol Shine Finland (C-740/22, EU:C:2024:216), the question can be asked whether the Swedish regulation constitutes a balancing of freedom of expression, freedom of information and the protection of personal data that is fully compatible with Union law. In the opinion of the Supreme Court, there is reason to initially note the following regarding the judgments of the Court of Justice of the EU. The former case concerned the reconciliation under Article 86 of the Data Protection Regulation between the right to public documents and the right to the protection of personal data and only concerned Article 85 insofar as it deals with the right to freedom of information. There was no freedom of expression aspect in the case and the requirements of Article 85 for national harmonisation based on that interest were not affected. The decision therefore has no direct relevance to the current situation. In the second decision, the European Court of Justice found that respect for private life and the protection of personal data must be considered to outweigh the public interest in having access to public documents. It was further emphasized that the right to freedom of information under Article 85 of the Data Protection Regulation should not be interpreted as justifying the disclosure of personal data relating to criminal convictions to anyone who requests such information (paragraphs 55 and 56). 9 3 3 . o D Page 27 (31) SUPREME COURT DECISION Ä 3457-24 The reasoning of the EU Court thus focused on the balance of interests between the protection of personal data regarding violations of the law and the public's access to public documents and freedom of information in general. The ruling therefore does not have any direct bearing on situations when an actor requests information of this kind for journalistic purposes. The conclusion that can be drawn from the EU Court's rulings is that when reconciling freedom of information and the protection of personal data, the principle of proportionality must be observed and the national rules that are introduced must not go beyond what is necessary. What this means in concrete terms in a context where interests other than those that were at issue in the two legal cases are in conflict is, however, not given. Another observation that can be made based on the two cases is that the EU Court's assessment of whether the harmonisation under Articles 85 and 86 of the Data Protection Regulation is acceptable has been made based on the concrete circumstances of the individual case. Although the design of a national system must be taken into account at an abstract level, it is the effects in the concrete case that are decisive for the assessment of whether, for example, the requirement of proportionality is met or not. The assessment in this case In the current case, it concerns a request for public documents by an actor who has so-called automatic constitutional protection, i.e. the constitutional protection follows directly from the constitution (Chapter 1, Section 4 of the Freedom of Expression Act). From a constitutional point of view, this means that the starting point is that Siren is an actor whose activities may be assumed to be in line with the purpose of the Swedish Freedom of Expression Act, i.e. to ensure a free exchange of opinions, a free and 9 3 3 . o D Page 28 (31) SUPREME COURT DECISION Ä 3457-24 all-round information and free artistic creation. These are all purposes that almost completely coincide with the areas where exemptions from the provisions of the Data Protection Regulation are granted under Article 85. What is known about Siren's activities is the following. Siren is a member of the Newspaper Publishers Association. Siren identifies and collects news material in order to convey such material to other news organisations or mass media. Siren handles, assesses and prepares material based on the documents that courts, authorities and others have disclosed. This processing is in various ways intended for publication. It is the editorial staff who analyze the material and make independent news assessments. The processed material can then be used for publication in other mass media or in Siren's own database. It must be considered clear that Siren's collection of personal data is for journalistic purposes. Although it can therefore be questioned whether the Swedish regulation constitutes a balance between freedom of expression, freedom of information and the protection of personal data that in all respects meets the requirements of Union law, there is nothing to indicate that, with regard to an actor like Siren, it would not be acceptable to balance between different interests in accordance with Article 85 of the Data Protection Regulation in the way that the Swedish legislator has done. It cannot therefore be considered contrary to Union law to allow constitutional protection to apply in the manner intended by the Swedish legislature to the request for public documents by Siren. As the Court of Appeal has established, the requested documents are public and must be disclosed unless confidentiality applies under Chapter 21, Section 7, of the Access to Public Information and Secrecy Act. According to that section, confidentiality applies to personal data if it can be assumed that the data, after disclosure, will be processed in breach of the Data Protection Regulation. However, it cannot be assumed that Siren will process the personal data contained in the documents requested by Siren in breach of the Data Protection Regulation, since Siren's processing of personal data is not covered by the provisions of the Regulation. Confidentiality according to Chapter 21, Section 7 of the Public Access and Secrecy Act therefore does not apply. The appeal shall therefore be upheld. ________ 7 7 0 d k D Page 30 (31) SUPREME COURT DECISION Ä 3457-24 DISSENTING OPINION Councillor for Justice Agneta Bäcklund dissents and believes that the case should be struck off from further proceedings. She believes that the reasons from point 61 onwards should be worded as follows. 61. If an authority finds that such a risk of damage, harm or other inconvenience that, according to a provision on confidentiality, prevents information from being provided to an individual can be eliminated by a reservation that restricts the individual's right to pass on the information or use it, the authority shall make such a reservation when the information is provided to the individual (Chapter 10, Section 14, first paragraph, of the Public Access and Secrecy Act). 62. It appears clear that the provision is written with in mind such confidentiality provisions the application of which requires consideration of damage, harm or other inconvenience. There is no reference to such factors in Chapter 21, Section 7 of the Public Access and Secrecy Act. 63. It is difficult to see that a reservation would fully satisfy the possibility of balancing the interest in privacy and the interest in carrying out journalistic activities when it comes to the processing of a large amount of data relating to violations of the law. The risk that the provision in Chapter 21, Section 7 is intended to prevent – that the data, after disclosure, will be processed in violation of the Data Protection Regulation – cannot therefore be eliminated by a reservation. 64. With the interpretation of the relationship between Chapter 1, Section 7 of the Data Protection Act and Chapter 21, Section 7 that the Supreme Court makes, it is also hardly possible to issue any regulations on the processing of the data relating to violations of the law that have been disclosed, without taking a position on Article 10 of 9 3 . o D Page 31 (31) SUPREME COURT DECISION Ä 3457-24 the data protection regulation applies to that processing. A reservation that means that it is not permitted to disclose certain information does not appear to be appropriate with regard to the right to freely communicate information on any subject. 65. The conclusion is therefore that there are no conditions for disclosing the documents with reservations. A release with reservations does not appear to be an appropriate measure either. 66. Since the documents to which the action relates have been disclosed to Siren with reservations, the appeal should not give rise to any further action, but the case should be struck out of further proceedings. ________ 9 0 d k D
