IMY (Sweden) - IMY-2022-1621
|IMY - IMY-2022-1621|
|Relevant Law:||Article 9 GDPR, Article 85(1) GDPR, Article 85(2) GDPR, Article 6(1)(f) GDPR, Article 4(7) GDPR|
|National Case Number/Name:||IMY-2022-1621|
|European Case Law Identifier:||n/a|
|Original Source:||IMY (in SV)|
The Swedish DPA reprimanded a controller for violating Article 9 GDPR by publishing sensitive data in its background check database, such as information about compulsory care due to mental illness and addiction.
English Summary
Facts
The controller was a company which provided background check services in Sweden. For this purpose, it made publicly available a database which contained legal and financial information on both legal and natural persons, collected, among other sources, from court decisions from 2008 onwards. The database included specific search fields for "name", "personal identity number", "city/address" and "free text search". On top of that, an additional "background check extension service" enabled customers, through a consent request from the person to whom the background check related, to obtain a report on any current or past legal disputes regarding compulsory care due to mental illness or addiction.
The Swedish DPA received multiple complaints from data subjects about the service of the controller, especially the processing of sensitive data relating to health. The DPA initiated its own investigation in order to find out whether the controller was subject to and respected the applicable data protection laws. The controller alleged that the GDPR did not apply to its service because it was constitutionally protected under the Swedish Freedom of Expression Act. To illustrate the issue at hand, Swedish law contained exceptions to the applicability of the GDPR in favour of freedom of expression. Member States may introduce such exceptions under Article 85 GDPR.
The specific provision, Chapter 1.7 Paragraph 1 of the Swedish Data Protection Act, states that the GDPR and the implementing national law shall not apply to the extent that this would conflict with, among others, the Freedom of Expression Act. Under this law, the GDPR generally applies to online publications. By way of exception, publications using databases developed from publicly available information are not covered by the GDPR. However, the GDPR is still applicable when sensitive data is published in such a database (Chapter 1 Section 20 of the Freedom of Expression Act).
In the present case, the DPA had to determine whether the controller's database fell within the scope of the above-mentioned provisions.
Holding
The Swedish DPA determined whether the exception in Chapter 1 Section 20 Freedom of Expression Act, which made the GDPR applicable to processing of sensitive data, was relevant. Three separate conditions had to be met for this.
First, there had to be a disclosure of sensitive personal data. The DPA recalled that the term "health data" should be interpreted broadly (Article 4(15) GDPR), reflecting both physical and mental state (Lindqvist, Case C-101/01). The DPA held that the respective court cases in the database usually contained information about the health of persons, for example when the data subject had been subject to compulsory care. Therefore, there was a disclosure of sensitive personal data.
Second, the data had to be part of a data collection organised in such a way that it could be searched or compiled. The only requirements were that the data must concern more than one person and that the data has to be sorted according to some kind of system. The DPA concluded that, in this case, large amounts of sensitive data were involved. For the data to be searchable, it was sufficient that the data collection allowed for a free text search, as in the controller's database.
Third, there had to be specific risks of undue intrusion into the privacy of individuals, given the nature of the activities and the forms in which the data collection was made available. The DPA held that, in this case, the controller extensively collected judicial decisions that contained highly privacy-sensitive information. The collection was carried out without assessing the relevance of the individual court decisions. Furthermore, the controller did not take any measures to limit the possibility of searching for personal information linking to a data subject, such as name or social security number. The DPA concluded that the publication of this data posed particular risks of undue interference with the privacy of individuals. In conclusion, the GDPR was applicable to the case at hand.
Further, the DPA assessed whether the rules on journalistic publication in Chapter 1.7, Paragraph 2 of the Data Protection Act applied to the processing. The DPA held that the fact that a website contains certain publications with a journalistic purpose did not mean that all publications on that website should be considered to have such a purpose. The link between the personal data and an editorial element has to be clear and relevant in order for this journalistic exception to be invoked. The DPA determined that the purposes used by the controller, to provide background checks for recruitment amongst other things, were not journalistic purposes. Despite the fact that the controller had argued its activities were necessary for the legitimate interest of the general public in obtaining access to public documents, the DPA held that this did not mean the controller itself had a journalistic purpose for its processing. Therefore, the journalistic exception was not applicable in this case.
Finally, the DPA also assessed the lawfulness of the processing, by looking at whether the processing of sensitive data violated Article 9 GDPR. In this regard, the DPA noted that the controller only asked for consent from the data subject after a background check had already been ordered. Consent was therefore given after the controller had carried out the processing operations to collect and arrange the court decisions. The DPA held that consent obtained after the processing was not valid. Hence, there was no need to consider whether the requirements of explicit consent under Article 9(2)(a) GDPR were met. The DPA noted that the statements of the controller referred to the exception in Article 9(2)(g) GDPR. National rules could be introduced, as described in Article 9(2)(g) GDPR, to support the processing of sensitive personal data necessary to ensure the public's freedom of expression and information. However, these national rules should be proportionate and contain appropriate measures to safeguard the fundamental rights and interests of the data subject. Since Swedish law did not contain such provisions, the controller was not able to rely on Article 9(2)(g) GDPR for its processing. The DPA concluded that the controller processed health data in violation of Article 9 GDPR.
The DPA reprimanded the controller but did not impose a fine, due to mitigating factors, such as the fact that the controller was a licensed operator and because the matter at stake involved relatively complex assessments.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
Verifiera AB, Banérgatan 3, 114 56 Stockholm
Diary number: IMY-2022-1621
Date: 2022-09-13
Decision after supervision according to the data protection regulation - Verifiera AB
Mailing address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: email@example.com. Phone: 08-657 61 00.
Content
• The Privacy Protection Authority's decision
• Statement of the supervisory matter
• Information about the Services on the Website
• What Verifiera AB has stated
• Opinion on 27 May 2022
• Opinion on 13 June 2022
• Limitation of the examination framework in the review
• Justification of the decision
• Legal background
• EU law's regulation of the relationship between the right to protection for personal data and the right to freedom of expression and information
• The Swedish Data Protection Act's exception for opinion and freedom of information
• The basic regulation on voluntary issuance certificates
• The interpretation of ch. 1 Section 20 YGL and IMY's authority
• The exception in ch. 1 § 20 YGL is applicable
• Personal information about health is made public
• The data collection has been arranged so that it is possible to search for or compile sensitive personal data
• There are particular risks for improper intrusions into the personal integrity
• Summative Assessment
• Processing does not take place for journalistic purposes
• Applicable regulations, etc.
• Assessment by the Privacy Protection Authority
• Verifiera is the personal data controller for the processing
• The processing contravenes Article 9 of the Data Protection Ordinance
• Applicable regulations
• Consent
• Article 9.2 g and the freedom of expression and information
• Article 9.2 g and the principle of publicity
• Conclusions
• Choice of intervention
• How to appeal
The Privacy Protection Authority's decision
The Swedish Privacy Protection Agency states that Verifiera AB, during the period 6 April 2022 – 28 June 2022, has processed sensitive personal data (data about health) in violation of Article 9 of the data protection regulation in its services at www.verifiera.se.
The Swedish Privacy Protection Authority gives Verifiera AB a reprimand according to Article 58.2 b of the data protection regulation for the established violation.
The Privacy Protection Authority orders Verifiera AB, according to Article 58.2 d of the data protection regulation, to take measures so that, in the services that Verifiera offers on www.verifiera.se, it is no longer possible for users of the services, by searching for people with one of the search parameters personal name, social security number or address, to access decisions in cases according to the act (1991:1128) on compulsory psychiatric care or the law (1988:870) on treatment of drug addicts in certain cases that apply to the person searched for. The measures must have been taken no later than eight weeks after this decision became legally binding.
Account of the supervisory matter
The Swedish Privacy Protection Authority (IMY) has received complaints regarding Verifiera AB's (Verifiera or the company) services. IMY has subsequently on its own initiative initiated supervision of Verifiera against the background of the description of its services (hereinafter "the Services") which the company has provided on its website www.verifiera.se (hereinafter the "Website"). 2
The purpose of the inspection was to investigate whether Verifiera, through the provision of the Services:
• publishes sensitive personal data in such a way as referred to in ch. 1 § 20 YGL,
• processes personal data in a manner that is compatible with the principles of legality, correctness, transparency, purpose limitation and data minimization (Article 5 of the Data Protection Regulation),
• has support in some legal basis for the processing of personal data (Article 6 of the data protection regulation), and
• processes information about health, i.e. sensitive personal data in the sense referred to in Article 9.1 of the data protection regulation, and in that case whether any of the exceptions in Article 9.2 of the Data Protection Regulation from the prohibition of processing of such data is applicable.
The supervision has taken place through review of the information that Verifiera has provided about the Services on the Website and through correspondence.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 For a description of the services, see below under the headings "Information about the Services on the Website" and "What Verifiera AB has stated".
Information about the Services on the Website
On April 6, 2022, IMY reviewed and documented the information that Verifiera provided about the Services on the Website. The documentation has been communicated to Verifiera and its accuracy has not been questioned by the company. It shows the following.
The start page shows example images of how a search in the legal database might look. In the personal search there are special search fields for "Name", "Social security number", "City/Address" and "Free text search".
On "www.verifiera.se/tjanster" the following appears:
"How does Verifiera's service take GDPR into account? Verifiera and our services of course follow the laws, rules and regulations that apply.
Verifiera has a certificate of issuance and is thereby constitutionally protected according to the Freedom of Expression Act (YGL), which means that the GDPR (Data Protection Regulation) is not applicable to Verifiera or Verifiera's services. That Verifiera has a certificate of issuance and is constitutionally protected further means that it is not the Privacy Protection Authority (IMY) that is the supervisory authority with regard to Verifiera's certificate of issuance; this instead falls to the Authority for Press, Radio and Television. As long as our customers are in Verifiera's web interface, our customers' use of our services is covered by the same constitutional protection. As a user, however, you must comply with the GDPR if you choose to download and process personal data in the sense of the GDPR. For more specific questions, do not hesitate to contact our Customer Service.”
“How do I know that the information is correct? Verifiera retrieves all documents instantly from Swedish courts and authorities. To that extent, the information that you can find in Verifiera's legal database is extremely reliable. That Verifiera's legal database is updated in real time ensures that you always get the latest, updated information. No changes are made to the information that appears in the public documents.”
“How extensive is the background information? A background check report can at the customer's request include either only legal information or both legal and financial information. The legal information extends back in time to the year 2008 and includes all legal public documents for a certain legal or natural person. The financial information includes historical debt balances as these are registered with the Kronofogden, the most recent taxation years from the Tax Agency and any payment orders. Furthermore, background checks cover personal details such as marital status, management position and, if desired, driver's license permit."
On "www.verifiera.se/bakgrundskontroll" the following appears:
"If you do a background check on a private person that contains financial information, the person must give their consent for a background check to be possible. A copy of the information is sent to the person requested in accordance with the Credit Information Act.”
3 These descriptions are documented in service notes (file appendix 2 and 2.1-2.7 in the case).
"When a user wishes to do a background check on an individual, the user gets the possibility to adjust how comprehensive it should be. The user can exclude financial information in cases where it would not be of interest.”
"Depending on what need you have to do background checks, you can choose between buying background check reports piecemeal or a larger quantity of reports within the framework of a subscription to Verifiera's legal database."
"BACKGROUND CHECK - PIECE BY PIECE. If you only need a background check occasionally you can order a background check piecemeal. They cost SEK 1,295/piece excluding VAT."
“Is everything done online? Yes, Verifiera's legal database is a digitization of Swedish public documents of courts and authorities. Our customers' searches and filtering are done in Verifiera's interface and the result is generated online in real time.”
“Is it complicated to do a background check? No, you need to know social security number, organization number or personal or company name in order to do a background check. Searches based on social security number and organization number give the fastest and safest results."
The following appears on "www.verifiera.se/abonnemang":
"What does Verifiera's subscription mean? The subscription means that you get access to our easy-to-use online tool, where you get access to our entire legal database and can quickly find and share the information you are looking for.
Verifiera's business service is aimed at companies, authorities and other organizations with a need to carry out background checks on private individuals and companies. The service includes an easy-to-use web interface where you can quickly find and share the information you are looking for. All judgments, decisions, and diary pages are searchable in full text and can be read in their original form as PDF. We also provide API solutions for those who so desire.”
"As logged into the legal database, the user can search with a number of different parameters such as social security number, organization number, name, address, legal entity and free text etc.”
The following appears on "www.verifiera.se/vart-werktyk":
”Verifiera's legal database regularly collects public documents from Sweden's courts and authorities. The legal database stretches back in time to 2008. In addition to judgments, legal documents such as brought charges, issued subpoenas, diary sheets, non-prosecutions and penalty orders are also collected, which means that our customers can easily follow the progress of a legal case in the legal process. Unlike the police criminal record, Verifiera's legal database is not screened, which ensures that you have the opportunity to decide for yourself whether a legal document is relevant to your business decision or not.”
On all pages, reference is made to the possibility to try Verifiera free of charge for 14 days, both by a direct link in the header to the form for trying Verifiera and by other links on the pages about starting the 14-day trial period.
During previous checks of the Website, IMY has observed a web page where it is described which documents the legal database contains. The corresponding page no longer seems to be accessible from Verifiera's home page but the linking URL was still working as of April 6, 2022.
In the enumeration of case types from the administrative courts, the following are indicated, among others:
• Social insurance cases, i.e. cases regarding disputes with the Swedish Social Insurance Agency in matters relating to e.g. worker's compensation, parental allowance or various supports to the disabled.
• LVU cases (cases according to the law with special provisions on the care of young people), i.e. cases about whether minors must be cared for under compulsion outside their own home.
• LVM cases (cases according to the Act on the care of drug addicts in certain cases), i.e. cases about forced care for drug addicts.
• Psychiatry cases, i.e. cases dealing with matters relating to compulsory psychiatric care and forensic psychiatric care.
What Verifiera AB has stated
Opinion on 27 May 2022
Verifiera AB has essentially stated the following in its opinion on 27 May 2022.
Verifiera is a Swedish limited company with a certificate of issuance for its operations. On November 2, 2016, the Authority for Radio and Television issued a certificate of issuance for Verifiera.se. The business is therefore constitutionally protected according to the Freedom of Expression Act. This is also confirmed by IMY on the authority's website: "The Data Protection Regulation (GDPR) does not affect businesses with certificates of issuance." It follows from the constitution that the GDPR shall not be applied to activities covered by the Freedom of Expression Act. Even outside the scope of the Freedom of Expression Act, exemptions from the GDPR are made through the general exceptions for journalistic purposes as well as motivational statements about the importance of the right to freedom of expression in a democratic society. IMY's supervision involves a violation of the authority's powers and competence.
That IMY lacks powers and competence is also evident from the authority's response on its website to the question of whether to submit complaints to IMY about sites that have a certificate of issuance: “No. Unfortunately, we have no way of getting those types of sites to remove information if you send us a complaint. To provide feedback regarding the legislation on certificates of issuance, we recommend that you contact the legislator, in this case the Constitution Committee. They are responsible for preparing questions of constitutional and administrative law significance.”
On the Website, Verifiera provides, within the scope of its certificate of issuance, among other things scanned judgments obtained from Sweden's Courts. The documents are public and accessible to the general public, credit companies and other equivalent services, which follows from the Swedish principle of openness. Verifiera is a news agency regarding, among other things, research and background checks. Verifiera uses a subscription form, which means that it is mainly different types of organizations and professional actors with a need for the information on the Website in their professional practice, for example companies and authorities, that use the Website. Only paying users can access the material on the Website, after which the users can, through active measures in real time, receive information from the judgments and decisions which are scanned and available on the Website. Before a customer signs an agreement with Verifiera, the customer can try the service for fourteen days on condition that the customer undergoes a demonstration of the service. During the trial period, access to a standard subscription is offered. Through its activities, Verifiera contributes to free and comprehensive information in an appropriate way. Verifiera's business is also not unique.
On the contrary, equivalent or more extensive services have long been provided by well-established services (e.g. www.infotorg.se and www.juno.se, formerly Karnov). As with these services, it is possible on the Website to find judgments and decisions, including administrative court judgments, through free text search or through more specific search fields (called filters in some databases). Because the documents on the Website consist of public documents that are available for anyone to access in many places other than the Website, not least through other services or through the courts or authorities themselves, there is no particular risk with the publication that takes place on the Website.
The background extension service enables customers, through a consent request from the person to whom the background check relates, to obtain a background check report regarding any ongoing or previous legal disputes. The legal data is retrieved from courts and authorities and consists of public documents. A prerequisite for such a background report is that the person in question agrees to this; verification takes place with, among other things, bank ID. The service has no connection to the data protection regulation.
As for Verifiera's data and IT security, it is very high. The company has its own servers located in data centers within the EU. Verifiera uses software that is not accessible via the internet, which means that all services are isolated from each other as well as from the internet. Only Verifiera's CTO and Network Administrator have access to the software. In case an IP address is available from the internet, it is protected with a firewall bound to specific IP addresses. All Verifiera's systems are built with protection against various types of IT attacks.
With regard to decisions on health care, strong confidentiality applies to information on the state of health of individuals, which means that such information may only be disclosed if it is clear that the individual or someone close to him does not suffer harm. The same applies in other medical activities, for example forensic and forensic psychiatric examination. Judgments and decisions relating to such conditions are subject to confidentiality and the courts therefore do not disclose information about health or the like. Since the judgments found on the Website correspond to those at the court, the same applies to the documents available on the Website.
Opinion on 13 June 2022
Verifiera AB has essentially stated the following in its opinion on 13 June 2022.
Introduction and general
Verifiera maintains the positions expressed in the opinion of May 27, 2022. It is Verifiera's opinion that IMY lacks any right to initiate the present review as well as to exercise supervision over Verifiera. The fact that Verifiera answers questions regarding compliance with the data protection regulation in more detail does not mean that Verifiera considers that the data protection regulation is applicable or that IMY at all has the right to conduct the review that is being carried out. Concepts such as "personal data processing" and others are used even if Verifiera's view is that the company's handling of public documents does not constitute a processing of "personal data" which is covered by the data protection regulation.
The purposes of the personal data processing carried out in the services
Verifiera provides public documents to the users of the Services for the purpose of carrying out its constitutionally protected activities and, in a wider sense, promoting all-round information and a free formation of opinion.
Who decides on the purposes and means of the processing in the respective service
Verifiera decides on the purposes and means of the "personal data processing" in the Services. Verifiera would like to point out, however, that from a journalistic point of view it is the user who decides on the purposes, in the same way as a newspaper reader himself determines the purpose when reading a published newspaper, and not the newsroom that published the newspaper.
If consent is collected from affected persons before processing in any of the services
Consent in the sense referred to in article 6.1 a of the data protection regulation, and express consent in the sense referred to in 9.2 a, is collected in connection with background checks in the Background Supplement Service from the person to whom the check applies. The service enables customers, through a consent request from the person to whom the background check refers, to obtain a background check report regarding any ongoing or past legal disputes. The legal data is taken from courts and authorities and consists of public documents. A prerequisite for such a background report is that the person in question agrees to this, and verification takes place with, among other things, bank ID. Consent is not otherwise collected.
Legal basis for the processing and circumstances showing that it is valid
The processing in the Services is necessary to protect interests of fundamental importance for the data subject or for another natural person, i.e. the public's right to freedom of expression and access to public documents, etc.
The processing in the Services is necessary for purposes related to Verifiera's legitimate interest in being able to run its constitutionally protected activities within the framework of its certificate of issuance.
The processing in the Services is necessary for purposes that concern the general public's legitimate interest in, within the framework of Verifiera's constitutional protection, being informed of public documents available in the Services.
In the present case, the interests of the "data subject" do not outweigh the right to freedom of expression. The documents found in the Services are available through several other sources. The type of court decision in question should be of no interest, since courts have to apply confidentiality to the extent that information about health is present.
If information about health in the sense referred to in Article 9.1 is processed
Verifiera has understood that IMY's review refers to information in court decisions from the general administrative courts. Administrative courts rule over a wide range of legal areas, the majority of which probably lack any relevance for IMY, such as cases of tax, PBL, migration, legality review, driver's license interventions, different types of permits, foundations, land and environment, animal welfare, public procurement etc.
IMY has not specified in more detail exactly which case types it thinks can contain "sensitive personal data"; however, some exemplification has been done. Furthermore, IMY has not stated the extent to which it believes such cases contain "sensitive personal data" but seems to bring all exemplified case types under the same roof, an approach that Verifiera questions.
It is possible that some case types may, to an unknown extent, contain data regarding people's health. However, as stated above, the courts have to follow strict confidentiality regarding health and similar information. If a judgment from an administrative court is public (and not protected by secrecy), the data in it, to the extent such data is apparent, is also public.
Courts are generally reticent to state data that can in any way be described as "sensitive". The courts limit the information in judgments to the level necessary to explain the outcome in the case. To the extent that a court decision nevertheless contains information that can be designated as "sensitive", the processing is necessary, among other things, with regard to an important public interest on the basis of Swedish law. The processing carried out by Verifiera is proportionate to the purpose pursued and is also consistent with how rules on data protection must be handled within the constitutionally protected area.

What information is provided to the persons concerned

Verifiera provides information about the content on Verifiera.se to its users. A data subject has the opportunity to become a user on Verifiera.se and can thus access the public documents available there.

Whether users of the Background Check service receive information that the person searched for appears as the appellant in cases of compulsory psychiatric care

Users of the Services get access to the information available on the Website, including any judgments that may concern them. Information about judgments provided on the Website is clearly stated. Regarding the background check function, reference is made to what was stated above.

Any changes made to the Services compared to the description which appeared on the website on April 4, 2022

No changes have been made. To the extent that a law is issued on prohibitions regarding personal data relating to health, Verifiera will review its operations in an appropriate manner.

Addendum regarding ch. 1 Section 20 YGL

From the wording of ch. 1 Section 20 YGL it follows that the YGL does not prevent regulations on the prohibition of publication of personal data from being issued by law. The preparatory work for ch. 1 Section 20 YGL does not state that the data protection regulation would be applicable under the provision.
That would have been stated if it had been intended that the provision, contrary to its wording, would accommodate other laws on prohibition. The commentary on YGL on Juno shows that the delegation provision has not been followed up by any legislation. A constitution cannot be interpreted according to its purpose.

It is not possible to foresee what consequences a possible negative decision may have, and the legal situation after such a decision will be highly unclear. A legally secure course of action would have been to await a possible law of prohibition before starting a review. Verifiera would then have had knowledge of the legal situation and the content of any prohibition, and would have been able to act and adapt accordingly. The current review lacks all forms of predictability and legal certainty. Verifiera's view is that the review as such, and any negative decision containing corrective measures, may constitute abuse of authority.

The Credit Information Act – a comparative outlook

In the constitutions, there are provisions regarding credit information activities (which include operations with certificates of issue) that do not prevent regulations from being issued on the prohibition of such activities in certain specific situations. Such regulations have, with the support of delegation provisions in the constitution, been introduced in the Credit Information Act, in which special references are expressly made to the data protection regulation and the data protection act. It also expressly states that IMY is the supervisory authority. In these respects, IMY thus derives its authority from law and has, through express provisions in law introduced with the support of a delegation provision, the right to apply the data protection regulation in certain expressly stated respects. All this is missing now. In the present case, the delegation provision in ch. 1 Section 20 YGL has not been utilized and IMY lacks both the authorization and the authority to review Verifiera's constitutionally protected activities.

In particular about other databases

As stated above, Verifiera's business is not unique. Corresponding or more comprehensive services are provided by long-established services. As a result of IMY's review, Verifiera has carried out searches in such well-established services, for example juno.se. On juno.se, Verifiera has received hits on searched social security numbers, names and addresses. These search results show that Verifiera's operations follow the industry standard for operations with certificates of issue and that Verifiera's activity is not improper; on the contrary, the activity is in all essentials the same as that of the market-leading companies in the industry. A decision that the data protection regulation is applicable would have unforeseeable consequences for the entire industry. In light of this and what is stated in the paragraph above, it is very strange that IMY chooses to turn to Verifiera instead of the well-established market-leading companies in the industry, as is customary.

Limitation of the scope of the review

Against the background of the nature of the matter, including the answers that Verifiera has provided, IMY limits its examination of the Services during the relevant period to
• whether ch. 1 § 20 YGL is applicable to the data collection in the Services,
• whether the exception for journalistic purposes in ch. 1 Section 7, second paragraph of the Act (2018:218) with supplementary provisions to the EU's data protection regulation is applicable to the processing in the Services and
• whether the company processes personal data about health in the sense referred to in Article 9 of the Data Protection Regulation by including rulings in cases under the law on compulsory psychiatric treatment and under the law on treatment of drug addicts in certain cases in the data collection and, if so, whether the processing is compatible with Article 9.

The review therefore does not cover whether Verifiera's processing of personal data in the Services is otherwise compatible with the data protection regulation. The review also does not cover an assessment of whether Verifiera, by disclosing in the Services financial information about private persons, conducts credit reporting activities and, if so, whether this is compatible with the provisions of the Credit Information Act (1973:1173) and the data protection regulation.

Justification of the decision

Legal background

EU law's regulation of the relationship between the right to protection of personal data and the right to freedom of expression and information

The purpose of the Data Protection Regulation is to protect personal integrity in the processing of personal data and to harmonize data protection regulation in order to enable a free flow of personal data within the EU. The data protection regulation specifies the fundamental right to protection of personal data which is established in Article 8 of the Charter of Fundamental Rights of the European Union (hereinafter the charter). According to Article 8.1 of the charter, everyone shall have the right to protection of the personal data concerning him or her.
According to Article 8.2, personal data must be processed lawfully for specific purposes and on the basis of the data subject's consent or any other legitimate and lawful basis. Everyone has the right to receive access to collected data concerning him or her and to have it rectified. Article 8.3 stipulates that an independent authority must check that these rules are complied with. A right that is closely linked with the right to protection of personal data is the right to respect for private life and family life, which is laid down in Article 7 of the charter.

Article 11 of the charter establishes the right to freedom of expression and information. There it is stipulated that everyone has the right to freedom of expression. It is further stipulated that this right includes freedom of opinion and freedom to receive and disseminate information and ideas without interference by public authority and regardless of territorial boundaries.

Neither the right to protection of personal data nor the right to freedom of expression and information are absolute rights. Article 52.1 of the charter states that limitations in the exercise of the rights and freedoms recognized in the charter shall be prescribed by law and be compatible with the essential content of these rights and freedoms. Furthermore, it is stated that limitations, taking into account the principle of proportionality, may only be made if they are necessary and actually meet objectives of public interest recognized by the Union or the need to protect the rights and freedoms of others.

Against this background, the data protection regulation has been designed with regard to freedoms and rights other than the right to protection of personal data, including freedom of expression and information. The task of balancing these two rights has essentially been handed over to the member states within the framework of the regulation in article 85. In article 85.1 the data protection regulation stipulates an obligation for member states to reconcile the right to privacy according to the data protection regulation with freedom of expression and information, including processing that takes place for journalistic purposes or for academic, artistic or literary creation. According to Article 85.2, Member States shall, for processing that takes place for journalistic purposes or for academic, artistic or literary creation, establish exceptions or deviations from chapter II (principles), chapter III (data subject's rights), chapter IV (controller and processor), chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (special situations when processing personal data) if these are necessary to reconcile the right to privacy with freedom of expression and information.

[4] See article 1 of the data protection regulation and i.a. recital 10 to the regulation.
[5] Cf. recital 1 to the data protection regulation.
[6] See recital 4 of the data protection regulation.
[7] Cf. the EU Court's judgment Buivids, C-345/17, EU:C:2019:122, p. 50.

Article 52 of the charter and Article 85 of the data protection regulation thus set limits for how Member States may reconcile the right to the protection of personal data with the right to freedom of expression and information. That the rights must be reconciled means that one of the rights must not be given a general priority over the other. Furthermore, exceptions from the right to protection of personal data according to the data protection regulation may only be made if the exceptions are necessary to reconcile the rights.[8]
The European Court of Justice has stated that, in order to strike a balanced trade-off between the fundamental rights, exceptions and limitations in relation to the protection of personal data must not go beyond the limits of what is strictly necessary. This statement concerned directive 95/46/EC,[10] which was replaced by the data protection regulation, but is according to IMY's assessment relevant also in relation to the data protection regulation.

The European Court of Justice has also ruled that, in order to take into account the importance of freedom of expression in democratic societies, the concepts associated with it, including journalism, must be interpreted in a broad sense. This means, among other things, that exceptions from and limitations of the data protection regulation should apply not only to media companies but to all persons who are active in journalism. It is further clear from the court's case law that "journalistic activity" is such activity that aims to disseminate information, opinions or ideas to the public, regardless of the medium through which this happens.[11]

The Swedish Data Protection Act's exception for freedom of expression and information

In Swedish law, regulations based on Article 85 of the Data Protection Regulation have been issued in ch. 1 Section 7 of the law (2018:218) with supplementary provisions to the EU's data protection regulation (hereinafter the data protection act).

In ch. 1 Section 7, first paragraph, of the Data Protection Act, an exception is made for such processing as is covered by the Freedom of the Press Ordinance (TF) and the Freedom of Expression Act (YGL), below collectively referred to as the basic media laws. The said provision states that the data protection regulation and the data protection act shall not be applied to the extent that this would conflict with TF or YGL.
According to the preparatory work, it is thereby made clear that the basic media laws take precedence over the data protection regulation and the provisions of the Data Protection Act.[12]

[8] Cf. ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 63.
[9] ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 64.
[10] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free flow of such data.
[11] See ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
[12] See prop. 2017/18:105, p. 187.

The basic media laws provide far-reaching protection for freedom of expression and information. For example, according to the so-called instruction, whoever is to judge abuse of the freedom of the press and expression, or otherwise ensure that the constitutions are complied with, should always bear in mind that the freedom of the press and expression are the foundations of a free society, always pay more attention to the illegality of the subject and the thought than to that of the expression, as well as to the purpose more than the manner of presentation, and in doubtful cases rather acquit than convict (ch. 1 § 10 TF and ch. 1 § 15 YGL). Furthermore, an authority may not, without support in the constitution, prohibit or impede such provision due to its content, the so-called obstruction ban (ch. 1 § 11 YGL). In addition, an authority may not intervene against anyone for abuse of freedom of expression unless there is support for the intervention in the constitution (ch. 1 § 14 YGL).

In ch. 1 Section 7, second paragraph of the Data Protection Act, exceptions are made for freedom of expression and information outside the constitutionally protected area. The exception includes processing of personal data that takes place for journalistic purposes or for academic, artistic or literary creation.
It could, for example, be a matter of journalistic activity conducted in blog form but without proof of publication. The provision states that Articles 5–30 and 35–50 of the EU Data Protection Regulation and chapters 2–5 of the Data Protection Act shall not be applied to processing that takes place for e.g. journalistic purposes. The exception means that the data protection regulation and the provisions of the Data Protection Act on supervision, remedies, liability and sanctions are in practice applicable only to the extent that they concern supervision of or violations of the provisions on security for personal data.[13]

The constitutional regulation on voluntary certificates of issue

For the exception in ch. 1 Section 7 first paragraph of the Data Protection Act to be applicable, it is required that the processing in question is covered by constitutional protection according to the basic media laws. As a general rule, publications on the internet fall outside YGL's scope of application. This means that the data protection regulation is normally applicable to such processing. However, exceptions to the main rule are made through, among other things, the database rule (ch. 1 § 4 YGL). For the processing of personal data covered by the database rule, the data protection regulation is, according to ch. 1 Section 7 first paragraph of the Data Protection Act, not applied to the extent it would conflict with the Freedom of Expression Act.

Under certain conditions, the database rule provides constitutional protection for statements that are made through provision to the public from databases. What is typically meant is provision of stored information from websites upon request. For some actors the constitutional protection applies automatically, i.e. without any special action needing to be taken. This is the case for periodicals and editorial boards for programs.
Other traditional mass media companies, such as book publishers that publish printed books and news agencies, also have automatic constitutional protection for their databases. Other actors have the opportunity to apply to the Swedish Press, Radio and Television Authority for a certificate of issue and thus receive so-called voluntary constitutional protection (cf. ch. 1 § 4 first paragraph 1 d and § 5 YGL). When an application for a certificate of issue is made, no examination of the content or purpose of the database takes place.

The voluntary constitutional protection for databases was introduced in 2003 following a development in which actors other than the traditional mass media companies had, to an ever greater extent, started providing information to the public on the Internet. Other media companies and individuals had become involved in news reporting, opinion formation and public information, and the new communication was considered necessary for freedom of expression and freedom of information. Against this background, the government made the assessment that there were reasons to offer constitutional protection equivalent to that which had previously been reserved for the mass media companies also to the new actors.[15]

[13] See prop. 2017/18:105, p. 187.
[14] Prop. 2021/22:59, p. 30.

But already when the voluntary constitutional protection was introduced, the Constitution Committee warned that conflicts with the protection of personal integrity could arise and pointed out in particular that the constitutional protection could in the worst case include databases that are pure personal registers. The Constitution Committee therefore considered that the government should further analyze, or have analyzed, whether the voluntary constitutional protection could come into conflict with the provisions intended to protect personal integrity.
The Riksdag agreed with the committee's assessment and announced this to the government.[17] The Free Speech Committee was tasked with analyzing the issue, but made the assessment that there was no need for constitutional amendments. In 2014 the government gave the Media Basic Law Committee the task of re-investigating the issue.

The Media Basic Law Committee made the assessment that there were reasons to restrict constitutional protection for certain types of search services and instead allow regulation at the level of ordinary law. The Committee therefore proposed an express exception in TF and YGL for some search services that provide sensitive personal data (among other things data revealing political or religious views or relating to health and sexual life) and information about legal violations, etc.[19] The government agreed with the committee's assessment and proposed changes in TF and YGL in accordance with the committee's proposal.[20]

The Riksdag adopted the government's proposal for amendments to TF and YGL in the part that referred to data collections with sensitive personal data but rejected the proposal in the part that concerned personal data on legal offences. However, the Riksdag announced to the government that an inquiry should be commissioned to re-investigate the question of whether to limit the constitutional protection of search services that contain personal information that individuals have committed legal offences, appear in convictions or have been subject to criminal procedural coercive measures.[21]

On January 1, 2019, the amendment to the basic media laws entered into force (ch. 1 § 13 TF and ch. 1 § 20 YGL). It is clear from these provisions that the provisions of the YGL do not prevent regulations being issued by law prohibiting the publication of personal data about, among other things, health (Chapter 1 § 20 first paragraph 2 YGL).
This applies only if the personal data is included in a data collection that has been arranged so that it is possible to search for or compile the data (chapter 1 § 20 second paragraph 1). In addition, it is required that, with regard to the business and the forms under which the data collection is kept available, there are special risks of improper intrusions into the personal integrity of individuals (Chapter 1 § 20 second paragraph 2).

The government gave, in accordance with the Riksdag's announcement, the 2018 Press and Freedom of Expression Committee the task of investigating the question of a restriction of the constitutional protection for data collections with information about legal violations, etc. The committee presented proposals which meant that the existing delegation provisions on sensitive personal data would be supplemented in such a way that personal data about offenses were added to the list of categories of personal data that can be regulated by ordinary law. The committee also proposed certain other changes in the design of the existing delegation provision.[22] The government presented a proposal for changes in ch. 1 § 13 TF and ch. 1 § 20 YGL in accordance with the committee's suggestions.[23] However, the Riksdag rejected these proposals with the exception of a correction of linguistic inaccuracies in the regulations.[24]

[15] Prop. 2001/02:74, pp. 47–48.
[16] Bet. 2001/02:KU21, p. 32.
[17] SEK 2001/02:233.
[18] SOU 2009:14 and SOU 2012:55.
[19] SOU 2016:58.
[20] Prop. 2017/18:49, p. 144.
[21] See bet. 2017/18:KU16 and 2018/19:KU2, SEK 2017/18:336 and 2018/19:16.

The interpretation of ch. 1 Section 20 YGL and IMY's authority

According to ch. 1 § 20 first paragraph 2 YGL, the provisions of YGL do not prevent regulations being issued in law on the prohibition of publication of personal data about, among other things, health.
The first question that IMY has to decide on is thus whether the provisions of the data protection regulation constitute such prohibition regulations issued in law as are referred to in ch. 1 Section 20 YGL.

IMY makes the assessment that the expression "regulations in law" in ch. 1 § 20 YGL covers EU regulations and that "regulations on prohibitions" in ch. 1 § 20 YGL covers not only outright bans on the publication of personal data but also regulations that are less intrusive and which limit the possibility of publishing personal data. IMY makes this assessment for the following reasons.

When the expression "law" is used in Swedish constitutions in the way that occurs in ch. 1 Section 20 YGL, the term normally covers EU regulations without this being specified in the legal text.[25] The preparatory work for ch. 1 Section 20 YGL states that this provision must also be interpreted in this way. It states that EU regulations are equated with law, according to the practice which developed in connection with the existing delegation provision. It is further stated that the provision also includes an opportunity to prescribe measures that are less intrusive than a prohibition.[27]

Similar statements are made in the legislative matter on consequential changes in ordinary law following the changes in the basic media laws. It states that the provisions of the data protection regulation and the Data Protection Act would regulate the data collections with personal data covered by the proposed exception provisions of the Freedom of the Press Ordinance and the Freedom of Expression Act (i.e. ch. 1 § 13 TF and ch. 1 § 20 YGL). The bill that was prompted by the report from the 2018 Press and Freedom of Expression Committee also states that the provisions of the data protection regulation constitute such regulations in law as referred to in ch. 1 Section 20 YGL.

This means that the data protection regulation must be applied in those cases where the conditions in ch. 1 § 20 YGL are fulfilled. In other words, the exception provision in ch. 1 § 7 first paragraph of the Data Protection Act is not applicable to such processing, because an application of the data protection regulation would not conflict with YGL.

IMY is a supervisory authority according to the data protection regulation and thus authorized to exercise supervision of such processing that is exempt from constitutional protection according to ch. 1 Section 20 YGL. This means that IMY has the authority to examine whether ch. 1 § 20 YGL is applicable to a certain processing in order to clarify whether the data protection regulation is applicable or not.[31]

[22] SOU 2020:45.
[23] Prop. 2021/22:59.
[24] Bet. 2021/22:KU14 appendix 3, SEK 2021/22:283.
[25] See e.g. prop. 2017/18:105, pp. 27, 127, 130 and prop. 2020/21:172, p. 258. Cf. also prop. 1999/2000:126, p. 135 f. and 272.
[26] Prop. 2017/18:49, p. 147 f., 154, 188 and 255. See also SOU 2016:58, p. 406.
[27] Prop. 2017/18:49, pp. 188 and 255. See also SOU 2016:58, p. 406.
[28] Prop. 2021/22:59, p. 39 f. and Ds 2017:57, p. 118.
[29] Prop. 2021/22:59, p. 39 f.
[30] Section 33 of the regulation (2018:219) with supplementary provisions to the EU's data protection regulation and Section 2 a of the regulation (2007:975) with instructions for the Swedish Privacy Agency.

The exception in ch. 1 § 20 YGL is applicable

In order for the delegation provision in ch. 1 § 20 YGL to be applicable to the processing of personal data in question in the Services, the following three conditions must be met:
1) that sensitive personal data is made public (first paragraph),
2) that the data is part of a data collection that has been arranged so that it is possible to search for or compile the data (second paragraph 1), and
3) that, with regard to the business and the forms in which the data collection is kept available, there are particular risks of improper intrusion into individuals' personal privacy (second paragraph 2).

Personal information about health is made public

IMY states at the outset that the information included in the Services is published in the way referred to in ch. 1 Section 20 YGL. The next question is whether the data that Verifiera provides through the Services contain such personal data as specified in ch. 1 § 20 first paragraph YGL.

As stated above, IMY has limited its review to rulings in cases in the general administrative courts under the law on compulsory psychiatric care (LPT), so-called psychiatry cases, and under the law on the care of drug addicts in certain cases (LVM), so-called LVM cases. The sensitive personal data that may primarily appear in such rulings is information on health according to ch. 1 § 20 first paragraph 2 YGL. According to the preparatory work, the concept of personal data on health has been taken from Article 9.1 of the data protection regulation and shall be given the same meaning as in the regulation.[32]

Data on health is defined in Article 4.15 of the Data Protection Regulation as personal data relating to a natural person's physical or mental health, including the provision of healthcare services, which provide information about his health status. The European Court of Justice has ruled that the special categories of personal data specified in Article 9 of the Data Protection Regulation, i.a. information about health, must be given a broad interpretation.
According to the European Court of Justice, it is sufficient that the data indirectly discloses sensitive information in order to be covered by the protection in Article 9 of the Data Protection Regulation.[33] Furthermore, according to the European Court of Justice, the concept of "data on health" includes all aspects of a person's health, both physical and psychological.[34] The European Data Protection Board (EDPB) has stated that the concept of "information about health" should be interpreted broadly and includes, among other things, information collected by healthcare providers in a patient record (e.g. medical history and results of examinations and treatments).[35]

Verifiera's own information shows that the company provides, through the Services, all rulings in psychiatry cases and LVM cases from the general administrative courts since 2008 in unaltered condition.

[31] Prop. 2021/22:59, pp. 53–54.
[32] Prop. 2017/18:49, p. 188.
[33] ECJ judgment Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, pp. 125–128.
[34] ECJ judgment Lindqvist, C-101/01, EU:C:2003:596, p. 50–51.
[35] Guidelines 3/2020 on the processing of data on health for scientific research purposes in connection with the covid-19 outbreak, p. 7–8.

Section 3 of the LPT states that compulsory care according to that law may only be given if the patient is suffering from a serious mental disorder and if certain other conditions are met. According to § 4 LVM, compulsory care must be ordered according to that law if someone, as a result of ongoing abuse of alcohol, drugs or volatile solvents, is in need of care to get away from his abuse and certain other prerequisites are met.
IMY finds that information that someone is or has been the subject of compulsory care with the support of LPT or LVM, which means that the prerequisite "suffers from a serious mental disorder" or the prerequisite "as a result of ongoing abuse of alcohol, drugs or volatile solvents is in need of care to get away from his abuse" is fulfilled, is information about health in the sense referred to in ch. 1 Section 20 first paragraph 2 YGL and article 9.1 of the data protection regulation. That the actual diagnosis or cause also appears is not a prerequisite for this assessment.

The decisions of the general administrative courts mainly concern review of authorities' decisions after appeals by individuals. Some particularly drastic decisions, however, are reviewed or made there without the individual having appealed any decision, either after the authority that made the decision has submitted it to judicial review or has applied for the decision to be made. This applies, among other things, to psychiatric cases, where a patient who is subject to compulsory care can appeal certain decisions connected to the care to the administrative court (see §§ 32 and 33 LPT), while certain more intrusive decisions must be submitted for review by the administrative court (see e.g. § 12 LPT) or are only taken after the authority's application to the administrative court (see e.g. § 7 LPT), regardless of the individual's attitude. This also applies to LVM cases, where the court decides on compulsory care according to LVM (see § 5) or reviews decisions on immediate care according to LVM after submission (see §§ 15 and 17).

Cases in the general administrative courts are decided by judgment or decision (collectively referred to as rulings). Such rulings must state the reasons that determined the outcome (section 30 second paragraph of the Administrative Procedure Act [1971:291]).
Furthermore, the ruling shall state the parties (i.e., among other things, who has appealed or who is the subject of the application or the submitted decision), the matter in brief and, to the extent needed, an account of the judgment or decision which has been appealed or submitted (Section 13 of the Ordinance [2013:390] on cases in general administrative court).

Against this background, IMY states that the general administrative courts' rulings in psychiatry cases and LVM cases typically contain information about the health of the person who is the subject of compulsory care, i.e. the person who has appealed the decision which has been made with the support of the respective law or who is the subject of the application or the submitted decision without appeal. Because such rulings are provided in their unaltered state by Verifiera through the Services, the criterion in ch. 1 Section 20 first paragraph YGL that sensitive personal data is published is fulfilled.

The data collection has been arranged so that it is possible to search for or compile sensitive personal data

The second question that IMY must decide on is whether the sensitive data is included in a data collection that has been arranged so that it is possible to search for or compile the data (chapter 1 section 20 second paragraph 1 YGL).

Initially, it is stated that the word "data collection" in YGL was chosen to avoid confusion with the term "register", which is what is meant in normal parlance. According to the preparatory work, no large amount of data is required, but there must be personal data relating in any case to more than one person and the data must be sorted according to some kind of system.[36]

Verifiera has stated that all decisions from 2008 onwards are available and have been made searchable in the Services and, when asked, did not provide detailed information about the number of decisions that are actually processed. IMY has therefore obtained the official statistics which the Courts Agency has produced on settled cases in the general administrative courts. Verifiera has had the opportunity to comment on this material but has not submitted any opinion.[37]

The statistics show that during the period 2008–2021 there is a total of approx. 210,000 decisions, of which approx. 193,000 (approx. 13,800 per year) in psychiatric cases[38] and approx. 18,000 (approx. 1,300 per year) in LVM cases,[39] for rulings in the administrative courts alone. Even if it can be assumed that some of these rulings apply to the same people, it can be established that it involves a large amount of information about health about a large number of people. According to IMY, there is no doubt that it is such a data collection as referred to in ch. 1 Section 20 second paragraph 1 YGL.

With regard to the expression "arranged so that it is possible to search for or compile the data", it is stated in the preparatory work that the data collection does not need to have been structured in a way that facilitates searching for exactly the personal data covered by the provision. For the provision to become applicable, it is sufficient that the data collection provides the opportunity for free text searching.[40]

Verifiera's own information shows that it is possible to search the data collection in the Services through free text search as well as through special fields for searches on name, social security number, city and address. The data collection has thus been arranged so that it is possible to search for or compile sensitive personal data in the way referred to in ch. 1 Section 20 second paragraph 1 YGL.
There are particular risks of undue intrusions into personal privacy
Applicable regulations, etc.
The last question for the applicability of ch. 1 § 20 YGL on which IMY has to take a position is whether there are particular risks of undue intrusions into individuals' personal integrity. According to the provision, the assessment of whether there are such special risks is to be made with regard to the activity and the forms under which the data collection is made available (chapter 1 section 20 second paragraph 2 YGL). The implication is that the scope of the provision is narrowed down and made dependent on the risks of intrusion into personal integrity that a certain type of data collection entails. Thus only certain qualified situations, which entail special risks of undue intrusion into the personal integrity of individuals, are covered.[41]
[36] Prop. 2017/18:49, p. 150.
[37] Available here https://www.domstol.se/om-sveriges-domstolar/statistik-styrning-och-utveckling/statistik/officiell- court statistics/.
[38] Decided psychiatric cases in the administrative courts per year according to statistics from the Courts Agency: 13,649 (2008), 13,551 (2009), 13,309 (2010), 13,267 (2011), 13,242 (2012), 12,942 (2013), 13,836 (2014), 14,034 (2015), 13,881 (2016), 13,425 (2017), 14,108 (2018), 14,561 (2019), 14,594 (2020) and 14,840 (2021).
[39] Decided LVM cases in the administrative courts per year according to statistics from the Courts Agency: 1,196 (2008), 1,166 (2009), 1,280 (2010), 1,164 (2011), 1,126 (2012), 1,222 (2013), 1,422 (2014), 1,462 (2015), 1,391 (2016), 1,390 (2017), 1,298 (2018), 1,280 (2019), 1,252 (2020) and 1,183 (2021).
[40] Prop. 2017/18:49, p. 189.
[41] Prop. 2017/18:49, p. 189.
The government stated in the bill Amended media basic laws (prop. 2017/18:49), among other things, the following.[42]
"The proposal therefore means that an overall assessment must be made of the nature of the data collections that are intended to be affected by the legal regulation in question. Assessment grounds of importance should, as the committee states, be the target group of the data collections, the forms of provision and the services' search and compilation functions. This implies that the basic structure of the data collections can be given importance. Services that make it possible for the public, by searching on e.g. name, social security number or address, to get information about individuals' health, sex life or occurrence of criminal convictions would normally entail such risks for undue privacy breaches that they fall within the scope of the delegation provision. […] Data collections with a so-called personal data related structure that aims to facilitate searches for personal data normally mean greater risks for undue breaches of privacy than services with a general structure that makes it possible to search for data with free text search, although the differences are not so great that they in themselves determine the applicability of the provision. Special search fields for one or some of the personal data concerned, or the possibility of obtaining a compilation of these, for example in the form of a map image, typically entail great risks for undue intrusions into personal privacy. In this context, it should normally be irrelevant if the service is only available to professional operators. […] According to the government, the starting point should be that legal databases that clearly target a circle that, on professional grounds, has a legitimate need for the information in question fall outside the scope of application of the provision. In the assessment, however, the search and compilation functions should be given importance for such databases as well.
For example, special search fields for one or some of the personal data concerned, or the possibility of obtaining a compilation of these, for example in the form of a map image, can typically be said to entail great risks for undue intrusions into personal integrity. Such structures should normally mean that there are conditions for legislation with the support of the delegation provision, even when the legislation affects databases where the information is provided for a fee and the target group is professional."
The Constitution Committee stated, among other things, the following:[43]
"The committee opposes making a distinction between whether a service addresses the general public or a certain professional category. A search service that caters to the broad public can in and of itself mean a greater breach of privacy than a search service which is only open to a smaller circle, e.g. a certain occupational category. But a search service that caters to a certain occupational category may also become available to a very large number of users. The committee does not consider that the target group, i.e. the intended or actual user group, in itself must be given any significance in the assessment of whether a collection of data falls within or outside the constitutionally protected area. The assessment should instead be made on the basis of the purpose of the provision of the data collection and the type of data provided. Privacy breaches resulting from data collections provided with the aim of contributing to a free exchange of ideas and free and comprehensive information cannot be considered undue and should therefore, as a starting point, be excluded from the scope of the delegation provisions.
[42] Prop. 2017/18:49, pp. 152–153 and 190.
[43] Bet. 2017/18:KU16, p. 41.
The committee wishes to underline that it is very important that a significant margin be applied as to what falls within the constitutionally protected area, so that the interest in freedom of expression does not have to give way to the interest in protecting the privacy of individuals in borderline cases or in situations that are difficult to judge. Such an approach also gains support in the so-called instruction in the constitutions, according to which the person entrusted to judge or watch over freedom of the press and freedom of expression should always bear in mind that freedom of press and expression is a foundation for a free state of society, should always pay attention to the subject and the thought more than the expression, as well as the purpose more than the method of presentation, and in doubtful cases should acquit rather than convict. Pure search services for the provision of sensitive personal data according to the exhaustive enumeration in the provision can be said to be far from the purposes which the constitutions are to protect, and such services are thus typically covered by the delegation provisions."
IMY's assessment
According to IMY, the statements reported above mean the following in summary. What the constitutional committee stated in connection with the constitutional amendment means that, when assessing the risks of privacy breaches according to ch. 1 § 20 YGL, no significance should be attached to whether a search service addresses the general public or is available to a certain occupational category. Instead, an overall assessment must be made taking into account, among other things, the purpose of providing the data collection, the type of data provided and the search and aggregation functions. It should be taken into account that data collections aimed at facilitating searches for personal data in particular normally involve greater risks.
However, data collections that are provided with the aim of contributing to a free exchange of opinions and free and comprehensive information should not be considered undue and should therefore, as a starting point, be excluded from the scope of application of ch. 1 Section 20 YGL.
The collection of data that Verifiera provides is the result of an extensive collection of judicial decisions in psychiatric cases and LVM cases that contain a lot of privacy-sensitive information. The collection takes place without assessment of the relevance the individual decision has for e.g. the public debate or investigative journalism. The result is a collection of data on everyone who since 2008 has been the subject of compulsory care due to mental illness or substance abuse.
It also appears from the investigation that the purpose of the data collection is, among other things, to provide background checks in, for example, recruitment. Processing of the health data in question in such contexts can lead to noticeable consequences for the data subjects.
It appears from Verifiera's own information that the data collection has been structured in such a way that, when searching for people, there are special search fields for name, social security number, city, address and free text, and that search results are displayed in real time. Furthermore, it has not emerged that Verifiera has taken any measures to exclude or limit the possibility of searching on data that can be directly attributed to a natural person, such as name or social security number. Nor has it emerged that Verifiera has removed or masked such information in the documents.
According to IMY's assessment, it is a question of such a search service for the provision of sensitive personal data which, in accordance with what the constitutional committee stated in connection with the constitutional amendment, is far from the purposes that the constitutions are intended to protect.[44]
All in all, this means, according to IMY's assessment, that Verifiera's publication of the collection of data entails special risks for undue intrusion into individuals' personal integrity. Thus, the third and last criterion in ch. 1 § 20 YGL is also fulfilled.
Summative assessment
In conclusion, IMY makes – even taking into account the significant assessment margin indicated by the constitutional committee – the assessment that Verifiera provides such a data collection as referred to in ch. 1 § 20 YGL, in the part where the data collection involves the publication of decisions in psychiatric cases and LVM cases. This part of the data collection is thus not protected according to YGL, which means that the exception in ch. 1 Section 7 first paragraph of the Data Protection Act is not applicable to the processing.
The next issue that IMY has to assess is whether the exception for journalistic purposes in ch. 1 Section 7, second paragraph, of the Data Protection Act is applicable to the processing.
The processing does not take place for journalistic purposes
Applicable regulations, etc.
Ch. 1 Section 7, second paragraph of the Data Protection Act exempts large parts of the data protection regulation for processing that takes place for, among other things, journalistic purposes. According to the exception, Articles 5–30 and 35–50 of the data protection regulation and ch. 2–5 of the Data Protection Act do not apply to such processing.
The European Court of Justice has held that, in order to take into account the importance of freedom of expression in democratic societies, the concepts associated with it, including journalism, must be interpreted in a broad sense. This means, among other things, that exceptions from and limitations of the data protection regulation should not only apply to media companies, but to all persons who are active in journalism. The practice of the European Court of Justice also shows that "journalistic activity" is such activity aimed at disseminating information, opinions or ideas to the public, regardless of the medium through which this occurs.[45]
At the same time, the European Court of Justice has ruled that not all information that is made available on the internet and which contains personal data is covered by the term "journalistic activity".[46] The European Court of Justice has further found in the judgment Google Spain and Google that a search engine provider's processing through the provision of the search engine could not be considered to be for journalistic purposes.[47]
[44] Bet. 2017/18:KU16, p. 41.
[45] ECJ judgment Buivids, C-345/17, EU:C:2019:122, pp. 51–53.
[46] ECJ judgment Buivids, C-345/17, EU:C:2019:122, p. 58.
[47] ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 85.
In the ministerial memorandum Consequential changes to amended media fundamental laws, the following was stated, among other things, on the question of whether search services with criminal convictions could be covered by the concept of journalistic activity.
"With this assessment, it is difficult to imagine a situation where the typical case mentioned by the committee of a data collection that is covered by the exceptions in
the Freedom of the Press Ordinance and the Freedom of Expression Act – a pure search service aimed at the general public regarding criminal convictions – would, with application of the proportionality assessment indicated by the European Court of Justice, be considered to fall under the journalist exception in the data protection act. This is taking into account that the data quite obviously are very privacy-sensitive and that such a register cannot be said to inform, exercise criticism and provoke debate on social issues of importance to the public. It would therefore go too far to claim that an exception from the protection of personal data in such a case is strictly necessary. The same may also be considered to be the case for other sensitive personal data regarding, for example, ethnic background, sexual orientation or religious beliefs.
As stated in section 5.2.2, it is also relevant whether the search service in question contains editorial material. It would, however, be required that the connection between the personal data and the editorial feature appear clear and relevant for the exception for journalistic activities to be invoked. Regarding the example of a private criminal records register directed at the public, the assessment is made that this cannot reasonably fall under the journalist exception simply because there are also independent articles and legal analyses in connection with the register. Another arrangement would mean that privacy protection could easily be circumvented in a way that cannot be considered to correspond to the balanced assessment between the protection of privacy and freedom of expression indicated by the European Court of Justice in the Satakunnan case."[48]
In the bill An appropriate protection for the freedom of the press and expression (prop. 2021/22:59, p.
54) the following was stated:
"Against that background, it is difficult to imagine a situation where a data collection provided in a constitutionally protected activity is exempt from constitutional protection due to the nature of the data collection but is covered by the data protection act's journalist exception. An assessment of every conceivable situation cannot, of course, be made generally in advance. When the delegation provisions are applicable, it may be determined in the usual way in the individual case which requirements in the data protection regulation the provider of the data collection needs to follow."
The Swedish Privacy Protection Authority's assessment
The issue that IMY has to decide on is whether the processing of personal data on health that Verifiera performs by including rulings in psychiatric cases and LVM cases in the Services takes place for journalistic purposes in the sense referred to in ch. 1 § 7 second paragraph of the Data Protection Act and Article 85 of the Data Protection Regulation.[49]
It can initially be ascertained, in accordance with what appears from the statements above, that the scope for assessing that a data collection covered by ch. 1 Section 20 YGL is provided for journalistic purposes must be considered very limited.
IMY further notes that the fact that a website contains certain publications with a journalistic purpose does not mean that all publications on the website must be considered to have a journalistic purpose.[50] That there are independent articles and legal analyses in connection with a data collection of legal rulings thus does not automatically mean that the entire data collection has a journalistic purpose. It should be required that the connection between the personal data and the editorial element appears clear and relevant for the exception for journalistic activity to be invoked. It has not emerged in the case that there is editorial content with a clear and relevant connection to the part of the data collection at issue in the case, with decisions in psychiatric cases and LVM cases.
[48] Ds 2017:57, p. 121.
[49] For a more extensive review of the interpretation of the term "journalistic purposes", see IMYRS 2022:2, which is available here https://www.imy.se/globalassets/dokument/rattsligt-stallningstagande/imyrs-2022-2-undantaget- for-journalistic-andamal.pdf.
[50] See NJA 2001 p. 409, Ds 2017:57, p. 121 and IMYRS 2022:2, pp. 25–27.
The investigation shows that the Services aim, among other things, to provide personal data for background checks of natural persons in connection with, for example, recruitment. According to IMY's assessment, such processing of personal data cannot be considered to have journalistic purposes.
However, Verifiera has stated that the Services also have purposes other than background checks, e.g. research. As IMY notes above, the data collection that Verifiera provides is the result of an extensive collection of legal rulings with very privacy-sensitive information. The collection takes place without assessment of the relevance of the ruling for e.g. the general debate or investigative journalism. There is also no processing of the rulings, e.g. to remove direct personal data such as name and social security number. The result is a data collection in which it is possible to search for anyone who since 2008 has been the subject of compulsory care due to mental illness or substance abuse. This data collection cannot be considered to have the main purpose of disseminating information, opinions or ideas to the public in the manner referred to in ch. 1 Section 7 second paragraph of the Data Protection Act and Article 85 of the Data Protection Regulation.
With regard to Verifiera's statement that the activity is necessary for the public's legitimate interest in obtaining access to public documents, there is reason to underline that the fact that the public may have a legitimate interest in taking part of public documents in an easily accessible way does not in itself mean that Verifiera has a journalistic purpose with its processing. The European Court of Justice stated in the judgment Google Spain and Google that the public could have a legitimate interest in accessing information by searching a person's name in a search engine. At the same time, the court held that the search engine provider could not invoke the exception for journalistic purposes when processing personal data in such searches. This applied, according to the court, even in cases where the search hit referred to a newspaper article and in itself had journalistic purposes.[52] According to IMY's assessment, the activity that Verifiera conducts through the part of the data collection at issue in the case falls, in the same way as a search engine provider's activity, outside the exception for journalistic purposes.
In summary, IMY makes the assessment that Verifiera's publication of rulings in the case types in question is not covered by the exception in ch. 1 Section 7, second paragraph of the Data Protection Act.
Verifiera is the personal data controller for the processing
As can be seen above, IMY makes the assessment that the data protection regulation is applicable to processing in the Services. The personal data controller according to the data protection regulation is the person who alone or together with others determines the purposes and means for the processing of personal data (Article 4.7).
[51] See IMYRS 2022:2, p. 23 f.
[52] ECJ judgment Google Spain and Google, C-131/12, EU:C:2014:317, p. 81, 85 and 95.
IMY states that it is Verifiera that provides the Services to paying users for financial compensation. Furthermore, Verifiera has stated that it is Verifiera that decides on the purposes and means for the personal data processing of its service, although Verifiera points out that "in journalistic terms, it is the user who decides on the purposes, in the same way that a newspaper reader himself decides the target when he takes part in a published magazine, and not the newsroom which published the paper."
Against this background, IMY finds that Verifiera is the personal data controller for the personal data processing consisting of the provision of the Services and the data collection.
The processing is contrary to Article 9 of the Data Protection Regulation
Applicable regulations
As stated above, IMY makes the assessment that Verifiera processes sensitive personal data consisting of information about health in the Services. According to Article 9.1 of the data protection regulation, the processing of such data is generally prohibited. In order for the processing to be permitted, it is required that one of the exceptions specified in Article 9.2 of the Data Protection Regulation is applicable to the processing.
According to Article 9.2 a of the data protection regulation, the prohibition in Article 9.1 shall not apply if the data subject has expressly consented to the processing.
According to Article 9.2 g, the prohibition in Article 9.1 does not apply if the processing is necessary for reasons of an important public interest, on the basis of Union law or the national law of the Member States, which must be proportionate to the intended purpose, be consistent with the essential content of the right to data protection and contain provisions on appropriate and specific measures to ensure the data subject's fundamental rights and interests.
Consent
The collection of information that is the subject of IMY's review consists of a large number of legal rulings in psychiatric and LVM cases. The data collection is used by Verifiera to provide the Services. One of these is called the background check service. Verifiera has argued that express consent, according to Article 9.2 a of the data protection regulation, exists for the part of the processing that relates to this service.
IMY notes, however, that Verifiera obtains consent only in connection with a background check being ordered from Verifiera. Consent is thus only given after Verifiera has performed the processing operations of collecting and arranging for searchability the decisions in which the sensitive personal data are processed. A consent that is obtained after the fact is not valid. There is therefore no reason to comment on whether the express consent that Verifiera claims to collect otherwise meets the conditions of the data protection regulation.
Article 9.2 g and freedom of expression and information
Regarding the processing in general, Verifiera has claimed that the processing "is necessary for purposes relating to Verifiera's legitimate interest in being able to operate its constitutionally protected activity within the framework of its certificate of issue". According to Verifiera, the interests of the data subjects do not, in the present case, outweigh the right to freedom of speech. Finally, Verifiera states that the documents in the data collection are available through a number of other sources and that the type of ruling concerned should be irrelevant, since courts have to apply confidentiality to the extent that information about health exists.
IMY initially states that legitimate interest (also called balancing of interests) is one of several legal bases, according to Article 6.1 f of the Data Protection Regulation, that are required for the processing of personal data to be lawful.
However, this basis is not included in the enumeration of exceptions in Article 9.2 which can legitimize the processing of such sensitive personal data as referred to in Article 9.1 and which is now in question. As far as can be understood, Verifiera has, with the above, claimed that the exception in Article 9.2 g constitutes legal support for the processing.
IMY notes that the public's freedom of expression and information is an important public interest. This is also expressed in Article 85 of the Data Protection Regulation, which imposes an obligation on Member States to reconcile by law the right to privacy in accordance with the data protection regulation with freedom of expression and information. According to Article 85(2) of the Data Protection Regulation, Member States may make exceptions to the provisions of, among other things, Article 9 if it is necessary to reconcile the right to privacy with freedom of expression and information. In Swedish law, this has taken place through ch. 1 Section 7 of the Data Protection Act, which according to IMY's assessment in this decision is not applicable to the portion of Verifiera's data collection reviewed in this decision.
The regulation in the data protection regulation can be interpreted as meaning that only Article 85, in accordance with the principle of lex specialis, is to be used to regulate in national law the relationship between the right to protection of personal data and the right to freedom of expression and information. According to IMY, however, it cannot be ruled out that, in addition, it is possible to introduce national regulation of the kind referred to in Article 9.2 g of the data protection regulation to provide support for the processing of sensitive personal data that is necessary to cater for the public's freedom of expression and information. Such regulation would, among other things, need to contain provisions on appropriate and specific measures to ensure the data subject's fundamental rights and interests.
However, no such regulation has been introduced into Swedish law. There is thus no option for Verifiera to apply Article 9.2 g of the data protection regulation with reference to the public's freedom of expression and information.
Article 9.2 g and the principle of publicity
Verifiera has also stated that the processing in the data collection is necessary for the public's legitimate interest in getting access, within the framework of Verifiera's constitutional protection, to public documents available in the Services. IMY therefore finds reason to assess whether the rules on the publicity principle in ch. 2 TF can provide support for Verifiera's processing.
The data protection regulation regulates the relationship between the right to protection of personal data and the principle of publicity in Article 86. It states that personal data in public documents kept by an authority, a public body or a private body for carrying out a task of public interest may be disclosed by the authority or the body in accordance with the national law of the Member State in order to reconcile the public's right to access public documents with the right to protection of personal data in accordance with the regulation. In ch. 1 Section 7 first paragraph of the Data Protection Act, provisions have also been introduced that make it clear that the data protection regulation shall not be applied to the extent that it would conflict with the rules on public documents in ch. 2 TF.[53]
[53] Prop. 2017/18:105, pp. 42–43.
The provisions on public documents in ch. 2 TF give everyone the right to take part of public documents that are not covered by confidentiality. For it to be a matter of a public document, the document must be kept with an authority or another body which is covered by the principle of publicity (Chapter 2, Sections 4 and 5 TF). The rules in ch.
2 TF thus do not give the public a right to take part of public documents released by an organization which, like Verifiera, is not subject to the obligation to disclose documents according to the principle of publicity.
The rules in ch. 2 TF also do not give the person who receives public documents a right to spread them further or further process them in another way. The purpose of the publicity principle, as expressed in ch. 2 § 1 TF, is admittedly to promote a free exchange of opinions, free and comprehensive information and free artistic creation. However, the further processing of disclosed public documents is not covered by the provisions in ch. 2 TF but by other rules, especially other parts of the basic media laws. The basic media laws give, among other things, the right to publish public documents or information from such documents and to disseminate such publications (see, among other things, ch. 1 § 1 second paragraph and ch. 6 TF and ch. 3 YGL).
It should be emphasized that the Swedish data protection rules create a large scope to further process personal data in public documents, in order to satisfy the fundamental importance that freedom of press and expression has for the Swedish form of government. This takes place through the exception for the basic media laws in ch. 1 Section 7 first paragraph of the Data Protection Act and the exception for, among other things, journalistic purposes in ch. 1 Section 7, second paragraph of the Data Protection Act. As IMY notes in this decision, however, the personal data processing in question is not covered by these exceptions.
Against this background, IMY states that ch. 2 TF does not regulate Verifiera's publication of sensitive personal data and therefore cannot constitute a basis according to Article 9.2 g of the data protection regulation for this processing. In addition, it can be stated that the rules in ch.
2 TF do not contain any such appropriate and specific measures to protect the rights of the data subjects in the further processing of disclosed public documents either.

Conclusions

Since nothing has come to light to suggest that any other exception in Article 9.2 is applicable, IMY finds that Verifiera, during the period 6 April 2022 – 28 June 2022, has processed sensitive personal data (data on health) in violation of Article 9 of the data protection regulation in its services at www.verifiera.se.

Choice of intervention

It follows from Article 58.2 i and Article 83.2 of the data protection regulation that IMY has the power to impose administrative penalty charges in accordance with Article 83. Depending on the circumstances of the individual case, the administrative sanction fees are imposed in addition to or instead of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83.2 states which factors shall be taken into account when deciding whether administrative penalty charges shall be imposed and when determining the size of the fee. If it is a question of a minor violation, IMY may, as set out in recital 148, issue a reprimand under Article 58.2 b instead of imposing a penalty charge. Consideration must be given to the aggravating and mitigating circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance.

IMY has established that during the relevant period, Verifiera has carried out a comprehensive collection of sensitive personal data about a large number of people in the Services by publishing, among other things, 210,000 decisions from the administrative courts, of which approx. 193,000 are psychiatric cases and approx. 18,000 are LVM cases.
The cases contain a lot of privacy-sensitive information regarding people who are or have been in a very vulnerable situation. The result is a collection of data on everyone who since 2008 has been subject to compulsory care due to mental illness or substance abuse. The investigation further shows that the purpose of the data collection is, among other things, to provide background checks in recruitment. Processing of the health data in question in such contexts can lead to noticeable consequences for the data subjects, for example in the form of reduced opportunities to be considered for employment and exclusion.

According to IMY, the violation of Article 9 found in this decision is thus of such scope and degree of seriousness that it would normally lead to a substantial penalty fee.

In this supervisory case, however, there are special circumstances that militate against a sanction charge. It concerns the processing of personal data on a website that has a certificate of publication and as a starting point has constitutional protection according to the basic media laws. The limitation of the constitutional protection for data collections that make sensitive personal data public, introduced in 2019 through ch. 1 Section 20 YGL, has not previously been applied by IMY. The provision has also not, as far as can be seen, been applied by any court or any other authority. There is thus a lack of practice regarding how the constitutional provision, which in some respects requires relatively difficult considerations, shall be applied. In addition, until recently there has been guidance on IMY's website which has been perceived as meaning that IMY has no opportunity to intervene against websites with a certificate of publication.

Overall, this means according to IMY's assessment that it would not be proportionate to impose a penalty fee on Verifiera for the established violations in the current case.
Verifiera AB shall therefore instead, with the support of Article 58.2 b of the data protection regulation, be given a reprimand for the violation found.

The publication of the sensitive personal data means a serious breach of privacy for the persons concerned. Verifiera's certificate of publication does not allow any exception to the data protection regulation as long as the company continues to publish sensitive personal data in a data collection covered by ch. 1 § 20 YGL. It is important to ensure that this breach of privacy ends. IMY therefore assesses that there are grounds to order Verifiera, according to Article 58.2 d of the data protection regulation, to take measures so that, in the services that Verifiera offers on www.verifiera.se, it is no longer possible for users who search for people using any of the search parameters personal name, social security number or address to access decisions in cases under the Act on Compulsory Psychiatric Care or the Act on Care of Drug Addicts in Certain Cases concerning the person searched for. The measures must have been taken no later than eight weeks after this decision has become final.

______________

This decision has been taken by the general manager Lena Lindgren Schelin after a presentation by the lawyer Martin Wetzler. In the final proceedings, the Chief Justice David Törngren, unit manager Catharina Fernquist and department director Hans Kärnlöf also participated. The lawyer Olle Pettersson has participated in the proceedings.

Lena Lindgren Schelin, 2022-09-13 (This is an electronic signature)

How to appeal

If you want to appeal the decision, you must write to the Swedish Privacy Protection Agency. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Privacy Protection Authority no later than three weeks from the day you received the decision.
If the appeal has been received in time, the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.