Controversial Swedish Freedom of Press Exemption challenged by the GDPR

26.09.2024

The GDPR, designed to safeguard personal data, sometimes conflicts with rights like freedom of expression. In Sweden, online publishers can get a certificate of publication, exempting them from GDPR. This exemption, rooted in principles dated back to the second world war of free speech and transparency, is now exploited by websites to share personal data that GDPR would typically protect, such as addresses, incomes, and even criminal records, by offering them to any paying user. Traditional media criticize these practices, and despite lawsuits, such as for defamation, the sites have largely prevailed. However, recent court rulings have started to prioritize GDPR over these exemptions, creating legal uncertainty for any online publishers dependent on the exempti on.

 

This article will clarify what these certificates are, their function in Sweden, and the impact of new court rulings that threaten this constitutional safeguard as well as the repercussions for online publishers.

VOLUNTARY CERTIFICATES OF PUBLICATIONS EXPLAINED

Publications on the internet generally fall outside the scope of the Swedish Fundamental Law on Freedom of Expression ("YGL"). As a result, the provisions in the GDPR become applicable in regards to any personal data being processed as part of such online publication. However, there is an exception in the form of the so-called 'Database Rule'. When the Database Rule applies, the GDPR should not, i.e. its an exemption from the requirements in the GDPR. For media companies such as newspapers and TV, this exemption applies automatically. Other actors can apply for the equivalent in the form of a so-called 'voluntary certificate of publication' from the Swedish Agency for the Media. This Database Rule-exemption (rooted in principles dated back to the second world war of free speech and transparency) is unfortunately now being exploited by websites to share personal data that GDPR would typically protect, such as addresses, incomes, and even criminal records, by offering them to any paying user. Traditional media criticize these practices, and despite lawsuits, such as for defamation, the sites have largely prevailed.
What we now see from Swedish court is perhaps an attempt to rectify the malpractice of the exemption, by stating that this well-established (if however highly controversial) exemption in Swedish constitutional law does not hold up particularly strong in comparison with EU-legislation. This is however a complete u-turn from the assessment that Swedish courts have previously made.

 

NEW COURT PRACTICE CREATES GREAT UNCERTAINTY

In a decision from the Malmö District Court, it was noted, among other things, that there are no guiding rulings regarding the relationship between the GDPR and freedom of expression in the form of publishing information about legal proceedings. The District Court also concluded that one must weigh the protection of privacy in the GDPR and the EU Charter against the Swedish constitutionally established rights in each individual case. In the case at the Malmö District Court, the news agency Siren wanted to obtain preliminary investigation protocols containing large amounts of personal data, and the aforementioned request would also be made on an ongoing basis in the future. The District Court chose to make its own assessment between freedom of expression, the Swedish principle of public access to official documents, and the protection of personal data, and believed that disclosure by making it available in certain databases would result in a significant violation of individual privacy. Thus, the District Court considered that the provisions of the GDPR should be applied to the processing despite the exemption from data protection legislation that voluntary certificates of publication fall under. However, the court emphasized that such a setting aside of Swedish law should be done with the utmost caution.

The Malmö District Court has not been alone in arriving at a judgment where public documents are no longer released e.g., to companies conducting background checks. The Administrative Court of Appeal in Stockholm as well as the Administrative Court of Appel in Upper Norrland also reached the same conclusion in verdicts from March and April, 2024, that a balance must be struck in each individual case between the interest in privacy protection expressed through the GDPR and the constitutional protection in inter alia the YGL. The former verdict also led to the Swedish Data Protection Authority publishing a press release stating that they intend to review how they supervise the matter, as they perceive the verdicts as a change in previous court practice.

The Swedish government has now appointed an inquiry to review the constitutional protection for search services (like background check companies), and this is to be reported by November 15, 2024, at the latest. However, it should be noted that the current legislation in the field is the Swedish constitutional laws. To amend a constitution, the Swedish Parliament must make two identical decisions, with a general election held between the two decisions. Therefore, it is possible that the legal situation may change through new legislation, but this could not happen until after the next parliamentary election at the earliest.

Given the aforementioned, the question has arisen whether the constitutional protection provided through voluntary certificates of publication is still sufficient, and whether the organizations that rely on these certificates for their operations still have the opportunity to continue their activities. It is noteworthy that the courts have chosen to deviate from established legal practice in a way that undermines companies' ability to anticipate legal risks and conduct their businesses reliably. This uncertainty is not merely theoretical but has very concrete consequences for the companies that depend on these certificates of publication for their operations. Companies that have invested resources and structured their business models around the voluntary certificates of publication are now suddenly facing an uncertain future.

 

IN SUMMARY

We must acknowledge that no general limitations in the area of certificates of publication have come into force (yet), but that due to the Swedish court decisions and the statement from the Swedish Data Protection Authority, there is now great uncertainty for market participants. Even though they can theoretically make use of voluntary certificates of publication, there is a risk that these will not hold up in practice. The uncertainty will remain until there is a precedent-setting judgment or new legislation on the matter.

 

Article provided by INPLP members: Fredrik Roos & Emily Svedberg-Possfelt (Setterwalls, Sweden)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.