Between 250 years of free information and 20 years of EU and Internet

Inger Österdahl

Faculty of Law, Uppsala University, Uppsala, Sweden, inger.osterdahl@jur.uu.se

The constitutionally-based right of access to documents has a long history in Sweden and is considered crucial to Swedish democracy. On entering the EU in 1995, Sweden declared that public access to official records forms part of Sweden’s constitutional, political and cultural heritage. The members of the EU for their part declared that they took it for granted that Sweden would fully comply with Community (now Union) law with respect to openness and transparency. Sweden continues to push for transparency when EU legislation that potentially contains secrecy clauses is negotiated. It turns out, however, that EU membership does pose challenges to the strong Swedish right of access to documents. The protection of personal data is controversial in Sweden to the extent that the stricter EU legislation clashes with the traditionally weak protection of privacy in Swedish law; the Swedish right of access to information has largely outweighed the right to privacy. Large amounts of publicly available personal data are amassed in databases by private actors for commercial reasons, under the protection of the Swedish constitution. This is causing problems, especially since Sweden considers Swedish constitutional law to precede EU legislation in the field of access to information. Sweden will somehow have to solve the dilemmas caused by the differing traditions of transparency between itself and other EU member states. Official Swedish inquiries and the EU Regulation will provide many answers to these questions in 2016.

Keywords: access to documents, personal data, privacy, transparency, database

Introduction

Sweden is caught between its long-standing tradition of openness in public affairs and its much newer membership in the European Union (EU) and exposure to EU law. Swedish law places a great value on maximal openness, whereas EU law tends to be more secretive in general and to place a great value on the protection of personal privacy in particular. In addition, the global wave of technical developments in the information sphere is sweeping through Sweden, leaving in its wake a different arena altogether in which issues of openness in the public administration may be regulated. These changes bring manifold challenges to the centuries-old Swedish regulatory model of openness in public affairs. The conflict is acute in the field of the personal data protection.

This contribution will sketch the background to the conflict between Swedish openness and EU law on the protection of personal data and discuss different efforts to resolve the conflict.

Protection of personal data

The protection of privacy has traditionally been weak in Sweden, whereas the right of public access to information is strong (Hirschfeldt 1998; Bohlin 2015; Funcke 2014). The state of EU law is largely the opposite: the protection of privacy is strong, whereas the right of the public to access to information is weak, at least by Swedish standards. In an effort to strengthen the protection of personal privacy, Sweden in 2010 amended the provision on the protection of privacy in Chapter (Ch.) 2 Article (Art.) 6 in the Constitution (Instrument of Government (Regeringsform 1974:152)).

Prior to 2010, the protection of privacy in the Swedish Constitution was limited to the following:

Everyone shall…be protected against body searches, house searches and other such invasions of privacy, against examination of mail or other confidential correspondence, and against eavesdropping and the recording of telephone conversations or other confidential communications.

In addition to this, the recent amendment to the Instrument of Government on the issue of protection of privacy added the following passage:.

In addition to what is laid down in paragraph one, everyone shall be protected in their relations with the public institutions against significant invasions of their personal privacy, if these occur without their consent and involve the surveillance or systematic monitoring of the individual’s personal circumstances.

It should be noted that the Instrument of Government, among other limitations in its scope, is directed toward invasions of individual privacy on the part of the state, the “public institutions”, as shown by the passage quoted above. This, of course, is the traditional perspective in human rights protection. Today, however, due to the developments in information technology, combined with free access to public documents in Sweden, invasions of privacy may almost as easily be undertaken by private actors as by the state.

Upon joining the EU in 1995, Sweden made a Declaration on open government to be attached to the treaty of accession (Treaty concerning the accession of the Kingdom of Norway, the Republic of Austria, the Republic of Finland and the Kingdom of Sweden to the European Union 1994, Declaration No. 47). In the Declaration, Sweden welcomed the development in the EU toward greater openness and transparency and declared that:

[o]pen government and, in particular, public access to official records as well as the constitutional protection afforded to those who give information to the media are and remain fundamental principles which form part of Sweden’s constitutional, political and cultural heritage.

The Member States of the EU declared that they took note of the unilateral Swedish Declaration and took it for granted that “as a member of the European Union, Sweden will fully comply with Community law in this respect”.

On the subject of the then-approaching transferral to the EU of law-making powers, the constitutional committee of the Swedish parliament also made an authoritative statement on the significance of openness to the Swedish system of government (Konstitutionsutskottets betänkande (Report of the constitutional committee) 1993/94:KU21: 27-28). The constitutional committee found that public access to official documents and the freedom to give information to the media form part of the fundamental principles of Sweden’s constitutional system, among other provisions contained in the Freedom of the Press Act and the Fundamental Law on Freedom of Expression, which have constitutional status (Konstitutionsutskottets betänkande (Report of the constitutional committee) 1993/94:KU21: 27; Tryckfrihetsförordning (1949:105) and Yttrandefrihetsgrundlag (1991:1469) respectively).¹ Law-making powers that would substantially modify these constitutional principles could not be transferred to the EU (Konstitutionsutskottets betänkande (Report of the constitutional committee) 1993/94:KU21: 28). Significant political prestige was thus invested in the Swedish principle of openness.

Swedish law versus EU law

The Directive on the protection of personal data was adopted shortly after Sweden became a member of the EU (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). Although Sweden had just joined the EU in 1995, there was still time for the insertion into the Directive of a passage crucial to the Swedish interest in maintaining its free access to official documents. Perhaps it is no coincidence that Sweden’s concerns were inserted in the last paragraph of the preamble to the Directive, since Sweden presumably came in late to the process of elaborating the directive. The 72nd – and final – paragraph of the preamble lays down that the Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in the Directive. This was before the right of access to documents was inserted into the EC Treaty (in 1997), currently Art. 15(3) of the Treaty on the Functioning of the EU. In 2000, the right to respect for private and family life (Art. 7) and the right to protection of personal data (Art. 8), as well as the freedom of information (and expression) (Art. 11) and the right of access to Union documents (Art. 42), were included in the Charter of Fundamental Rights of the EU, which was promoted to the level of EU primary law after the Lisbon Treaty (2007).

Art. 3(1), the Directive on the protection of personal data, states that the Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. There are certain exceptions, but basically the scope of the Directive is very wide and covers all processing of personal data. In Sweden, subject to the provisions on secrecy in the Freedom of the Press Act Ch. 2 Art. 2 and the ensuing Public Access to Information and Secrecy Act (Secrecy Act), personal data form an important part of what may be extracted from public authorities in the name of free access to official documents (Offentlighets- och sekretesslag (2009:400)).

In order to ease the implementation into Swedish law of the potentially troublesome Directive, Sweden inserted two particularly interesting passages into the Personal Data Act, by which it implemented the EU Directive (Personuppgiftslag 1998:204). First, under the rubric of “Relationship to the freedom of the press and the freedom of expression”, the Personal Data Act in Article (Art.) 7 lays down that the Act will not be applied to the extent that it would conflict with the provisions on the freedom of the press or with the freedom of expression in the Freedom of the Press Act and the Fundamental Law on Freedom of Expression, respectively. Secondly, with respect to free access to official documents, the Swedish Personal Data Act under the rubric of “Relationship to the principle of access to documents” states in Art. 8 that the law will not be applied to the extent it would limit the duty of a public authority under Ch. 2 in the Freedom of the Press Act to disclose personal data; the duty of the public authority corresponds to the individual right of access to documents.

The interesting situation arises that Sweden implements the EU Directive on the protection of personal data by a law that expressly states that if the EU law conflicts with the Swedish Freedom of the Press Act or Fundamental Law on Freedom of Expression, then the Swedish law – having constitutional status - will prevail. This is in direct conflict with the prevailing doctrine of EU law, which states that EU law precedes national law in case of conflict. The issue of the potential direct effect of the EU Directive in Swedish law has (unfortunately) never arisen in practice.

The interesting Swedish way of implementing the EU Directive on the protection of personal data has not caused Sweden any troubles in its relations with the EU or other Member States so far.² The possibility of individuals and other private actors amassing and using great amounts of data for different purposes not foreseen when the right of access to documents was elaborated, places the issue of access to documents in Sweden in a new light and is causing the free access to official documents to be potentially questioned. This new element in the balancing of Swedish public access to official documents and EU protection of personal data may affect the Swedish stance vis-à-vis the law emanating from the EU in the field of personal data, as well as the EU stance so far – arguably of benign neglect – towards Swedish relative openness.

Effectively distancing itself even further from the EU model of protecting personal data, Sweden amended the Personal Data Act in 2006 in order for unstructured – as opposed to structured – processing of personal data to escape the reach of the law most of the time, except when the unstructured processing involves violations of individuals’ integrity (Lag (2006:398) om ändring i personuppgiftslagen (1998:204) (Law (2006:398) amending the Personal Data Act (1998:204)). As a consequence, the Swedish Personal Data Act does not normally cover harmless unstructured processing of personal data. With the spread of computers, the Swedish government argued (Proposition (Government bill) 2005/06:173: 12, 19) that most people in principle engage in the processing of personal data in simple forms, obviating any need from the point of view of the interest of individual integrity for that kind of simple processing to be covered by the detailed processing rules contained in the EU Directive. Sweden labels this approach to the protection of personal data a risk-based approach, and is the sole member of the EU that has adopted this approach in its implementation of the Directive.

Databases cause problems

The fact that the Swedish Freedom of the Press Act and the Fundamental Law on Freedom of Expression will prevail in case of conflict with the EU Directive on the protection of personal data, makes possible the rather unrestricted amassing of great amounts of personal data and the creation of large databases containing personal data by private individuals and commercial businesses, irrespective of the EU Directive.

Under the Swedish Fundamental Law on Freedom of Expression Ch. 1 Art. 9, the creator of a database may on application be granted a so-called “certificate of no legal impediment to publication” (certificate of publication), which allows the database a large amount of freedom as to the publication of different kinds of data, including personal data. The so-called database rule was introduced into the Fundamental Law on Freedom of Expression in 2003 (Lag (2002:909) om ändring i yttrandefrihetsgrundlagen (Law (2002:909) amending the Fundamental Law on Freedom of Expression)). Given the fulfillment of certain technical and administrative conditions on the part of the database and its creators (and the payment of a small fee), the process of granting such a certificate is largely automatic (Lag (1991:1559) med föreskrifter på tryckfrihetsförordningens och yttrandefrihetsgrundlagens område (Law (1991:1559), with regulations in the area of the Freedom of the Press Act and the Fundamental Law on Freedom of Expression, Ch. 3 Art. 19ff)). The certificate is valid for ten years. Except in cases where publication of personal data amounts to defamation or insult, which would be the most likely potential crimes, Swedish law does not allow any restrictions on the contents of the database. In addition, the law neither requires a permit for such a database to be set up, nor does the law allow the closing of the database. Thus, the EU Directive on the protection of personal data does not affect the databases established in Sweden that have been granted a certificate of publication, even if the databases contain large amounts of potentially sensitive personal data.

The so-called “responsible editor” of the database, who must be appointed in order for a certificate of publication to be issued, may under exceptional circumstances be charged with crimes under the Fundamental Law on Freedom of Expression (Ch. 5 Art. 1), which refers to the Freedom of the Press Act (Ch. 7 Arts. 4-5). Defamation and insult are listed among the possible offences that may be committed against the freedom of the press in Ch. 7 Art. 4 of the Freedom of the Press Act to which the Fundamental Law on Freedom of Expression refers. The list of offences against the freedom of the press is exhaustive, and in order to be punishable, the act must also be included under an ordinary Swedish law.

This is no problem in the case of defamation and insult, which are punishable under the criminal law of Sweden (Brottsbalk (Criminal law) Ch. 5 Art. 5). Offences against the freedom of the press, however, must be prosecuted by a particular prosecutor (the Justice Chancellor) according to Ch. 9 Art. 2 of the Freedom of the Press Act. With respect to defamation, which has so far been the potential offence in cases involving databases and the Internet, the possibility of prosecuting the responsible editor of a database – where such a responsible editor exists – is further circumscribed by the fact that under the criminal law Ch. 5 Art. 5, a particularly strong public interest in the prosecution of the crime must exist. A trial for crimes against the freedom of the press would furthermore – and uniquely for the Swedish legal system – involve a jury.

Due to recent debates in Sweden involving individuals publishing defamatory information on the Internet about other individuals, the rules circumscribing the prosecution of the crime of defamation have been eased a little in order to make public prosecution possible in more cases. The requirement that there be particular reasons (särskilda skäl) before public prosecution could be undertaken was deleted from the text of the provision (Lag (2014:222) om ändring i brottsbalken (Law (2014:222) amending the criminal law)). Still, in order for the prosecutor to be able to prosecute someone for defamation, there must be a particular public interest in the prosecution of the crime. This change in the law entered into force on 1 July 2014.

Also, in Ch. 1 Art. 4 of the Freedom of the Press Act (and Ch. 1 Art. 5 of the Fundamental Law on Freedom of Expression), a general rule of leniency is prescribed for anyone who is entrusted with passing judgments on abuses of the freedom of the press. This rule applies when a responsible editor and a certificate of publication exist. The point of the rule is to emphasize the fundamental importance of the freedom of the press and – with respect to other media than the printed press – the freedom of expression in a free society. Today, when powerful means of mass communication are at almost anyone’s disposal, the generosity toward the freedom of expression is placed in a somewhat different light. The question arises whether a different balance should be struck between the freedom of expression and the protection of privacy than before.

In early 2014, a Swedish case that never went to court illustrated many of the issues treated above. The case gave rise to extensive and intensive debate. All the judgments from all courts of first instance in the entire country were entered into a database named Lexbase, so that anyone interested in looking up anyone else to see whether he or she had been sentenced in court, could easily do so. The geographic location of the individuals who had been involved in Swedish criminal trials could also be obtained through the database, enabling everyone to look up any criminals who might be in their neighbourhood. The information in the database was available to anyone against payment and was an entirely and exclusively commercial enterprise.

Judgments are normally open to the public to read, and available from the court in question to anyone who is interested. The point here is the compilation made possible by the new information technique.³ Also, whereas judgments are already available on a large scale in databases open to certain categories of professionals, Lexbase is open to anyone with an interest in knowing who has been involved in court of first instance trials. Lexbase has since been expanded to include information on all licensed medical doctors and dentists working in Sweden, as well as decisions from medical responsibility boards. These decisions are also accessible through the right of access to documents.

It is quite obvious, at least with respect to the judgments involving criminal charges, that Lexbase violates the Swedish Personal Data Act in implementing the EU Directive on the protection of personal data (see Art. 21 in the Personal Data Act saying that it is prohibited for anyone but public authorities to process personal data relating to crimes). Yet the Swedish authorities, primarily through the Data Inspection Board, are prevented from intervening to ensure that the database is closed and that the responsible editor is punished. It is also likely that at least some of the information available in Lexbase constitutes defamation under Swedish criminal law.

In debates in the mass media, representatives of Lexbase have emphasized the fact that they are only making information available to the general public that the general public already has a democratic right to access. Representatives of Lexbase argue that since free access to official documents was instituted with the general public in mind, Lexbase is working in line with the free access doctrine by making the access to official documents easier or freer. When free access to official documents is justified in different Swedish official sources, the democratic aspect of free access is one of three aspects usually emphasized; the other two aspects are legal certainty and efficiency in the public administration (Axberger 2014: 188-189; Strömberg & Lundell 2013: 141-142).

The question arises in the context of Lexbase, whether more information implies more democracy or whether there is a point where more information becomes undemocratic. It is true, that if not for the Swedish constitutional rule on the certificate of publication, Lexbase would have encountered obstacles in the form of the Personal Data Act. The logic to the Swedish rule on certificate of publication, however, is to ensure the largest possible freedom of expression and information, which potentially compromises personal privacy.

Those who argue against Lexbase claim that Lexbase’s commercial use of information is wrong and constitutes an abuse of free access to official documents, even if it may not be illegal under Swedish law. Arguments have also been raised based on the database contents, such as the publication of criminal convictions (making the rehabilitation of criminals more difficult) or of medical mishaps in individual, although anonymized, cases (limiting systematic efforts at achieving better security for patients on a more institutional level in Swedish health care).

The Swedish Data Inspection Board was unable to intervene against Lexbase since the database was, and still is, legal under Swedish law. In practice, there is no legal basis for taking any measures against Lexbase except through private prosecution, which is quite a risky business. However, a company by the name of Bahnhof, which initially provided Lexbase with server space, decided to break its contract with Lexbase soon after the debate broke out upon introduction of the database. Lexbase was thus closed down, but only temporarily.

Different institutional perspectives

A representative of Bahnhof, the Internet provider, explained and justified their closing of the server space to Lexbase in an article in a leading Swedish newspaper (Karlung 2014). The article is entitled “We raise the demands on our customers in order to ensure free speech” (“Vi höjer kraven på kunderna för att säkra det fria ordet”). The article contains several interesting arguments of principle relating to the regulation of the Internet and the question of who is supposed to enforce the regulation, in this case the private companies or the state.

The Bahnhof representative argued that since updates to the law are not keeping pace with rapid digitalization, Bahnhof has decided to begin placing demands of its own on its customers. Therefore, Bahnhof chose to drop Lexbase despite the fact that Lexbase was legal. Previously, according to the article, Bahnhof’s policy was to let customers continue their activities until the law stopped them. Bahnhof sees its main task as keeping the servers connected to the Internet in Bahnhof’s subterranean halls.

So, why – in contrast to its previous policy – did Bahnhof decide to drop Lexbase?

It appears that Bahnhof considered the general content of the database to be the problem. The article states that Lexbase did not differentiate the types or severity of crimes when it assigned geographic markers to them. A dispute relating to heritage, a fight at the pub or a murder all resulted in the same kind of red marker on Lexbase’s map for anyone having gone to trial. The boundary between the private sphere and public gossip disappeared, Bahnhof said. Furthermore, Bahnhof maintained, Lexbase contained many errors, and its security was so poor that it was hacked immediately. And above all: Lexbase’s responsible editor was gone. Since Lexbase representatives went into hiding, Bahnhof was left to answer the many questions that arose due to the errors in Lexbase’s data. These errors included innocent persons who had been mistakenly identified as criminals. In Ch. 4 Art. 3 of the Fundamental Law on Freedom of Expression, the provisions concerning the powers of the responsible editor imply that he or she should play an active role in guaranteeing the quality of the contents being transmitted.

“In our toughest decision ever,” Bahnhof writes, “we chose to stop Lexbase, despite the fact that Lexbase did have a certificate of publication and despite the fact that the ‘almost industrial publication of names’ had not yet been considered illegal.” It is still not considered illegal.

The system – and here Bahnhof is probably referring to the system of free access to official documents as it is interpreted in Sweden – is constructed for inertia and the slow handling of papers, Bahnhof finds. Today, with digitalization, data is available in large amounts and very quickly. Bahnhof wants to make clear that from now on, it will require actors using a certificate of publication to publish names, as Lexbase did.

In one of the most interesting passages in its article, Bahnhof claims that the law as it stands is obviously not sufficient, but that this does not imply that Bahnhof is demanding stricter laws. Bahnhof argues that the case of Lexbase shows that the Internet provider, in extreme cases, can step in and protect personal privacy in cases where the responsible editor does not.

This raises a number of questions. According to what criteria should Internet providers protect privacy? In Swedish law, as mentioned above, there is a very weak protection of privacy generally.

What regulatory instruments should be used with respect to the Internet or the digital world? The law is not sufficient, Bahnhof argues, yet it opposes regulation by legal instruments. Bahnhof argues that revised or new legislation would constitute a threat to freedom of information and expression – a threat to “the free word”. Also, Bahnhof argues, due to the rapid pace of technical development, legislation has turned out to be an ineffective tool in the digital world. Legislation also risks having unintended, or even counterproductive, effects, as well as slowing down technical development. Internet freedom, i.e. the lack of regulation, has promoted the creativity and development of new ideas for businesses since its introduction to the general public, Bahnhof argues.

The practical and technical inadequacy of traditional legislation is not difficult to understand. More difficult to grasp is why the regulation of privacy versus freedom of expression by private commercial actors in the digital world would be less threatening in principle to “the free word” than legislation.⁴ Private law-making and private law enforcement would lack any of the traditional democratic or institutional guarantees relating to the rule of law. This raises the further question as to what basis exists for claiming that private law enforcement would be more beneficial to the freedom of expression than law enforcement by the state.

Bahnhof continues its argument in the newspaper article:

Previously, Bahnhof has unilaterally promoted freedom.⁵ Bahnhof will continue to strive for an uncensored Internet and continue to take on all sites that follow applicable laws. Bahnhof will continue not to concern itself with the contents of the information spread through its nets and will continue to apply net neutrality. However, against the background of the Lexbase affair, Bahnhof will from now on introduce particular conditions for customers who possess a certificate of publication and whose idea is to publish names of individuals. Bahnhof will require that such server customers answer criticism, correct mistakes in the database and in that way behave like a serious actor.

Thus, Bahnhof could be said to add conditions to the certificate of publication that do not exist in the constitutional regulation. According to media reporting, Lexbase did correct at least some of the mistakes occurring in its database on lower court outcomes.

Providing searchable name registers demands responsibility, Bahnhof goes on to write. If potential or actual customers evade that responsibility, they cannot count on our support, Bahnhof states. Bahnhof will apply this clause if someone “in an uncontrolled way dumps databases on citizens” – databases in which errors abound – and then goes into hiding. This is presumably what Lexbase did. It can be noted that there was no such clause as the one described above when Lexbase entered into relations with Bahnhof, but Bahnhof still decided to “pull the plug,” as the representative of Bahnhof writes in the article.

The Director-General of the Swedish authority overseeing the processing of personal data in Sweden – the Data Inspection Board – also took part in the public debate following the Lexbase affair (Svahn Starrsjö 2014). In fact, the article by the Director-General of the Swedish Data Inspection Board appeared before the Bahnhof article described above. The Bahnhof article was to some extent a reaction to the argument made by the Director-General in the same leading Swedish newspaper.

The Director-General argues that the Fundamental Law on Freedom of Expression must be changed so that websites like Lexbase can no longer be granted a certificate of publication in order to circumvent the law on the protection of personal data, in this case relating to information on participation in trials before Swedish lower courts. If Lexbase had not had a certificate of publication, its website would have been unlawful, the Director–General writes, and the Data Inspection Board would have been able to close the website and to report the crimes against the law on the protection of personal data to the police.

With the certificate of publication, “our hands are tied”, writes the Director-General of the Data Inspection Board. She explains that it is not uncommon for people to try to make the Data Inspection Board take action against websites holding such a certificate, and it is not easy for the Data Inspection Board to convincingly explain that it cannot take any measures at all against such websites. The Director-General writes that Lexbase is far from being the only website abusing the certificate of publication in order to commit systematic violations of individuals’ integrity.

The Director-General points out that a website enjoying the protection of a certificate of publication is allowed to handle personal data relating to criminal activities in ways which not even the police are allowed to do, since the handling of personal data on crime is circumscribed by particularly strict rules.

The Director-General adds that under the Swedish law on the protection of personal data (i.e. originally the EU Directive), individuals enjoy the right to have their incorrectly registered data corrected. If a website possesses a certificate of publication, however, it does not need to worry about that rule. Of course, as far as Lexbase is concerned, the central issue is not whether the data it contains is correct or not. Irrespective of whether the data is correct, if the Fundamental Law on Freedom of Expression is amended with a view to limiting what kind of databases may be granted certificates of publication, Lexbase will most certainly become unlawful.

Constitutional change considered

The government established the Committee on the fundamental media laws in the summer of 2014 (En kommitté på det tryck- och yttrandefrihetsrättsliga området (Ju 2014:17) (A committee in the area of the freedom of the press and the freedom of expression (Ju 2014:17)), usually called Mediegrundlagskommittén (The committee on the fundamental media laws) as a direct answer to the dilemma for the Swedish regulatory model caused by the Lexbase affair, among other things. Several previous official inquiries have grappled with the challenges to the traditional Swedish way of regulating freedom of speech and information, which have arisen from the rapid and sweeping technical developments in combination with Swedish membership in the EU and the increasing importance in Swedish law of the European Convention of Human Rights.⁶ The more radical suggestions to adapt the Swedish fundamental media laws to the current technical and (international) legal environment, however, have not gained political acceptance. No fewer than three other official committees were appointed to investigate issues of some relevance to the legal problems raised by Lexbase, more or less simultaneously with the current Committee on the fundamental media laws (Den personliga integriteten (Ju 2014:09) (Personal integrity (Ju 2014:09)); Ett modernt och starkt straffrättsligt skydd för den personliga integriteten (Ju 2014:10) (A modern and strong criminal legal protection of personal integrity (Ju 2014:10)); and En myndighet med ett samlat ansvar för tillsyn över den personliga integriteten (Ju 2015:02) (A public authority with overall responsibility for overseeing personal integrity (Ju 2015:02)).⁷ All the Committees will deliver their reports in 2016. The Committee on a modern and strong criminal legal protection of personal integrity presented their report in February 2016.

The mandate of the current Committee on the fundamental media laws is broad (Direktiv (Directive) dir. 2014:97). In this article we will focus on the part of the mandate that is relevant to the discussion above on the protection of personal data versus the publication of personal data in easily available databases.

The mandate is limited to solving a number of legal technical issues which have arisen in practice and which have to be solved, but which are not framed in terms of principle. Several of the issues that the Committee has been tasked to solve, however, arguably cannot be solved without serious consideration of principle. Advertently or inadvertently, the big issues of principle that do underlie the seemingly limited technical issues listed in the Committee’s mandate have been hidden or at least toned down, and the more practical aspects of the particular problems to be solved have been brought to the fore. Avoiding direct confrontation of big issues of principle, and thus not unnecessarily arousing the political sensibilities of the Committee members who represent all the political parties in parliament, might be considered the better way of moving forward with issues that urgently need to be solved.

The mandate of the Committee on the fundamental media laws amounts to the following as far as the immediate issues raised by the Lexbase affair are concerned (dir. 2014:97). In the mandate it is observed that the provisions in the Personal Data Act – ultimately the provisions in the EU Directive on the protection of personal data – are not applied to the extent that their application would conflict with the provisions on the freedom of speech and information in the fundamental laws (dir. 2014:97: 14). In practice, this means that the provisions contained in the Personal Data Act with the purpose of protecting personal integrity do not apply with respect to the mass media that are protected by the fundamental laws (dir. 2014:97: 14).

In the Committee mandate it is further observed that by applying for a certificate of publication with the Swedish Broadcasting Authority, anyone may acquire constitutional protection of their database (dir. 2014:97: 14). The Committee mandate notes that the possibility to acquire constitutional protection through a certificate of publication was introduced in 2003 in order to adapt the law to the technical developments and the fact that the transmission of news, information and ideas is increasingly carried out by other actors than traditional mass media companies (dir. 2014:97: 14). The intention behind the change in the Fundamental Law of Freedom of Expression was primarily to protect new forms of mass media activities (dir. 2014:97: 14). On the application for a certificate of publication there will be no investigation into the content or purpose of the database, the Committee mandate further finds (dir. 2014:97: 14). Therefore, it is possible also for databases that are not of a mass media character to acquire constitutional protection, the mandate concludes (dir. 2014:97: 14).

The Committee mandate further observed that once web pages have been accorded a certificate of publication, personal data – such as people’s income or criminal sentencing – may be made public without the provisions of the Personal Data Act being applicable (dir. 2014:97: 14). It is questionable whether these web pages carry out the type of mass media activities that the certificate of publication is intended to protect, the Committee mandate finds (dir. 2014:97: 14). The web pages rather tend to consist of registries of personal data (dir. 2014:97: 14).⁸ It is questionable, the Committee mandate continues, whether such registries of personal data are compatible with the need to protect personal privacy (dir. 2014:97: 15). Therefore, there are reasons to consider anew whether the protection of personal privacy is reasonably fulfilled with respect to databases having a certificate of publication or whether the law should be changed (dir. 2014:97: 15).

It is quite obvious that the protection of personal privacy is absent from the databases referred to by the Committee mandate, such as Lexbase. It is far from easy to say how the law could be changed, however, without disturbing the careful balancing of the different components that make up the intricate Swedish system of protecting the freedom of speech and information. Any amendment to the law, including a reference to the content of the database being considered for the award of a certificate of publication, must be considered foreign to the current Swedish regulatory model.

If Swedish members of parliament wish to keep up the traditional Swedish policy of favouring access to documents over the protection of personal data, despite any EU legislation to the contrary, the Committee might suggest that the provision on the granting of certificates of publication remain as it is. Since the mandate of the Committee encompasses a great number of other issues than the database rule versus personal privacy, it is conceivable that some form of package solution may be sought which will somehow make possible a conditional granting of certificates of publication.

Even if Sweden manages to amend its constitutional protection of freedom of speech and information in a way that skillfully adapts the constitutional provisions to the current technical and European realities, the EU Regulation on the protection of personal data (Interinstitutional file 2012/0011 (COD), Council of the European Union, 8 July 2015) is impending. An explicit reference is made to the ongoing negotiations on a new EU regulation in the mandate of the Committee on fundamental media laws, saying that the Committee shall follow and, if necessary, take into account the ongoing negotiations (dir. 2014:97: 16). The question is to what extent the Committee can take the negotiations into account without compromising the traditional Swedish emphasis on freedom of speech and information, possibly to the detriment of the protection of personal privacy.

EU regulation

Currently, the Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) is in its final stages of negotiation (Interinstitutional file 2012/0011 (COD), Council of the European Union, 8 July 2015). The former Directive has been turned into a Regulation and simultaneously modernized and updated; when the Directive was adopted in 1995, the widespread use of the Internet had hardly begun. No details concerning the content of the Regulation being negotiated will be accounted for here, but the Swedish stakes in the negotiations will be discussed. The Swedish attitude is already ambivalent towards the Directive, which has been implemented in a way that circumvents the direct challenges to the Swedish right of access to documents inherent in the Directive. The Regulation risks making it considerably harder to circumvent its provisions, since they are directly applicable and may not be transformed into national law. Add to this fact that the Swedish right of access to documents is an area of central political significance, and clearly a great deal is at stake for Sweden in the ongoing negotiations.

The outcome of the negotiations could mean the difference between Sweden being able to maintain its much-cherished principle of openness or not. The most likely outcome is one that will allow some room for manoeuvre for Sweden, as well as for any other member state who may wish to modify the protection of personal data somewhat for the benefit of the right of access to information. Sweden will also face the constitutional issue of how to handle the relationship between the EU Regulation and the Swedish Freedom of the Press Act and Fundamental Law on Freedom of Expression. It is difficult to imagine that Sweden would accept the superiority of the adopted Regulation to its constitutional laws, should a direct conflict arise between the Swedish law on access to documents and the Regulation. Sweden can hardly recognize the superiority of the Regulation in principle without giving up its constitutional presumption of a public right to access to documents. Since the Regulation will not be implemented by Swedish legislation, the issue of any potential conflict between Swedish constitutional law and the Regulation will in practice only arise in a particular case. Until that potential scenario occurs, Sweden does not need to make any statement of principle on the matter (as it did in the legislation implementing the Directive).

With respect to the right of access to documents in Sweden, the following four issues in the final negotiation of the Regulation should be the most crucial ones. Article 80a of the Council’s version of the draft Regulation – entitled “Processing of personal data and public access to official documents” – states that

[p]ersonal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Such a provision would undoubtedly facilitate the reconciliation of the Regulation with Swedish constitutional law on the public access to documents.

On a more general level, Article 80 of the Council’s draft proposal is central to Swedish interests of transparency, with some of its contents recognizable from the Directive. Article 80 is entitled “Processing of personal data and freedom of expression and information” and states that

[t]he national law of the Member States shall reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression.

Such a provision would also facilitate the coexistence of the EU Regulation and the Swedish constitutional protection of the right of access to documents, including documents containing personal data, as well as a very extensive freedom of expression.

Article 83 of the Council’s draft proposal concerns “Derogations applying to processing of personal data for archiving purposes in the public interest or for scientific, statistical or historical purposes”. Sweden has long maintained very thorough public archives which are widely used, e.g. for research and statistical investigations. In medical research, large registries of personal data are often used in Sweden and elsewhere. The Swedish position is that research based on registries of personal data should not be made more difficult due to the strict requirements potentially contained in the EU Regulation. Thus, Sweden supports the possibility of making derogations from the protection of personal data for the benefit of the purposes enumerated above.

Finally, Sweden hopes for what might be labelled a general exception from the rules regarding the processing of personal data in the Regulation for the benefit of the public administration, or at least a general possibility to draft the law according to the particular wishes of every country. Article 1(2a) in the Council’s draft is supposed to cater to this interest:

Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for other specific processing situations as provided for in Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX (emphasis added).

Such a provision would also considerably ease the cohabitation of the EU Regulation and the Swedish system for regulating the processing of personal data in the public sector – as well as other national systems potentially. The provision also seems to be an interesting grafting of a provision reminiscent of a directive onto a regulation. Normally, a regulation is directly applicable and does not even allow implementing legislation. Here, we have a provision which invites the member states to maintain or introduce implementing legislation. The final negotiation of this Regulation will in any case impact strong Swedish interests, and the most important provision to maintain in the Regulation should reasonably be Article 80a, which would – perhaps – save the Swedish-style right of access to documents.

Conclusion

It is not often that legal and technical developments, and the resulting dilemmas, are so clearly illustrated as in the case of the protection of personal data versus the principle of openness in Sweden. Interesting legal developments are unfolding before our eyes and the outcome remains still a largely open question: Will Sweden voluntarily change its constitutional law, effectively protecting Internet databases containing large amounts of easily accessible personal data? Will the coming EU Regulation on the protection of personal data force Sweden to prioritize privacy over openness and thus to protect personal data where the centuries-old Swedish tradition would point to publication? It is equally easy (or difficult) to answer these questions in the affirmative or in the negative. An “in-between” or compromise solution is difficult to picture as well, although in reality it is perhaps the most likely answer. The fate of the Swedish openness principle – as far as its competition with the protection of personal data is concerned – will now depend on the legal technical ingenuity and negotiating cleverness of the lawyers informing the Committee on the fundamental media laws at home and of the Swedish negotiators on the homestretch in Brussels.⁹ Add to this the possible political complications of any outcome – either vis-à-vis the EU or vis-à-vis the Swedish public that is deeply attached to the principle of openness – and the stage is set for new information techniques to meet the old law. 2016 will bring many of the answers, but many problems remain to be solved.

Notes

¹ The Freedom of the Press Act concerns printed media whereas the Fundamental Law on Freedom of Expression concerns all other media, including “new” media and the Internet.
² In Bodil Lindqvist, EC Court of Justice (ECJ), case C-101/01, judgment of 6 November 2003 trouble could have arisen, but Swedish interests were catered for.
^³Cf. Lag (2010:1073) om ändring i kreditupplysningslagen (1973:1173) (Law (2010:1073) amending the Credit Report Act (1973:1173)) and the ensuing Lag (2014:1360) om ändring i tryckfrihetsförordningen (Law (2014:1360) amending the Freedom of the Press Act) in order to strengthen individuals’ personal integrity when information on anyone’s creditworthiness suddenly became easily available on the Internet in constitutionally protected databases.
⁴ Cf. the case of Google Spain SL and Google Inc., EU Court of Justice (EUJ), case C-131/12, judgment of 13 May 2014 and its consequences in the form, among other things, of proactive enforcement activities by Google. See also the equivalent to the “Google case” in the European Court of Human Rights, Delfi AS v Estonia, Application no. 64569/09, Grand Chamber, judgment of 16 June 2015.
⁵ Bahnhof for instance kept a high profile on the issue of the retention of traffic data after the judgment in Digital Rights Ireland Ltd and Kärntner Landesregierung et al., EUJ, joined cases C-293/12 and C-594/12, judgment of 8 April 2014.
⁶ See their respective reports: Ett nytt grundlagsskydd för tryck- och yttrandefriheten? (A new constitutional protection of freedom of the press and freedom of expression?) Statens offentliga utredningar (Official inquiries of the state) SOU 2006:96; En översyn av tryck- och yttrandefriheten (A review of the freedom of the press and the freedom of expression) SOU 2012:55; Olovlig fotografering (Unlawful photographing) Departementsserien (Departmental series) (Ds) 2011:1.
⁷ See also the report of the official inquiry into Personal integrity, efficiency and openness in a modern e-administration (Inquiry into the handling of information) (Integritet, effektivitet och öppenhet i en modern e-förvaltning (Informationshanteringsutredningen)): Myndighetsdatalagen (The public authority data act) SOU 2015:39; and the new Court Data Act (2015:728).
⁸ This is exactly what the sceptics of the new database rule were arguing in the early 2000s; the mandate of the new committee explicitly refers to these fears (dir. 2014:97: 14); cf. Konstitutionsutskottets betänkande (Report of the constitutional committee) 2001/02:KU21: 32.
⁹ A political agreement on the Regulation was reached on Dec. 15, 2015. Judging from preliminary reports, the Swedish negotiators were quite successful (Interinstitutional file 2012/0011 (COD), Council of the European Union, 15 December 2015).

References

Axberger, H-G. (2014). Yttrandefrihetsgrundlagarna (The Fundamental Laws on Freedom of Expression) 2nd ed. Stockholm: Norstedts Juridik.

Bodil Lindqvist, EC Court of Justice (ECJ), case C-101/01, judgment of Nov. 6, 2003.

Bohlin, A. (2015). Offentlighetsprincipen (Principle of openness) 9th ed. Stockholm: Norstedts Juridik.

Brottsbalk (Criminal law) (1962:700).

Delfi AS v Estonia, European Court of Human Rights, Application no. 64569/09, Grand Chamber, judgment of 16 June 2015.

Den personliga integriteten (Ju 2014:09) (Personal integrity (Ju 2014:09)).

Digital Rights Ireland Ltd and Kärntner Landesregierung et al., EUJ, joined cases

C-293/12 and C-594/12, judgment of 8 April 2014.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. 95/L 281/31, Nov. 23, 1995.

Direktiv (directive) 2014:97 En kommitté på det tryck- och yttrandefrihetsrättsliga området (A committee in the area of the freedom of the freedom of the press and the freedom of expression).

Domstolsdatalagen (Court Data Act) (2015:728).

En kommitté på det tryck- och yttrandefrihetsrättsliga området (Ju 2014:17) (A committee in the area of the freedom of the press and the freedom of expression (Ju 2014:17)), usually called Mediegrundlagskommittén (The committee on the fundamental media laws).

En myndighet med ett samlat ansvar för tillsyn över den personliga integriteten (Ju 2015:02) (A public authority with overall responsibility for overseeing personal integrity (Ju 2015:02)).

En översyn av tryck- och yttrandefriheten (A review of the freedom of the press and the freedom of expression) SOU 2012:55.

Ett modernt och starkt straffrättsligt skydd för den personliga integriteten (Ju 2014:10) (A modern and strong criminal legal protection of personal integrity (Ju 2014:10)).

Ett nytt grundlagsskydd för tryck- och yttrandefriheten? (A new constitutional protection of freedom of the press and freedom of expression?) Statens offentliga utredningar (Official inquiries of the state) (SOU) 2006:96.

Funcke, N. (2014). Offentlighetsprincipen: praktik och teori (Principle of openness: practice and theory). Lund: Studentlitteratur, 2014.

Google Spain SL and Google Inc., EU Court of Justice (EUJ), case C-131/12, judgment of 13 May 2014.

Hirschfeldt, J. 1766 års Tryckfrihetsförordning och offentlighetsprincipen (Freedom of the Press Act of 1766 and the development of the principle of openness). Förvaltningsrättslig tidskrift (Journal of public administration) 61(1-2): 1-28.

Interinstitutional file 2012/0011 (COD), Council of the European Union, 15 December 2015, Doc. No. 15039/15. Retrieved February 07, 2016, from http://www.statewatch.org/news/2015/dec/eu-council-dp-reg-draft-final-compromise-15039-15.pdf.

Interinstitutional file 2012/0011 (COD), Council of the European Union, 8 July 2015, Doc. No. 10391/15. Retrieved February 08, 2016, from http://data.consilium.europa.eu/doc/document/ST-10391-2015-INIT/en/pdf.

Karlung, J. (2014, Feb. 9). Vi höjer kraven på kunderna för att säkra det fria ordet (We raise the demands on our customers in order to ensure free speech). Dagens Nyheter. Retrieved February 07, 2016, from http://www.dn.se/debatt/ vi-hojer-kraven-pa-kunderna-for-att-sakra-det-fria-ordet/.

Konstitutionsutskottets betänkande (Report of the constitutional committee) 1993/94:KU21 Grundlagsändringar inför ett svenskt medlemskap i Europeiska unionen (Amendments to the fundamental laws at the prospect of a Swedish membership in the European Union).

Konstitutionsutskottets betänkande (Report of the constitutional committee) 2001/02:KU21 Yttrandefrihetsgrundlagen och Internet, m.m. (Fundamental Law on Freedom of Expression and Internet, among other things).

Lag (1991:1559) med föreskrifter på tryckfrihetsförordningens och yttrandefrihetsgrundlagens område (Law (1991:1559) with regulations in the area of the Freedom of the Press Act and the Fundamental Law on Freedom of Expression).

Lag (2002:909) om ändring i yttrandefrihetsgrundlagen (Law (2002:909) amending the Fundamental Law on Freedom of Expression).

Lag (2006:398) om ändring i personuppgiftslagen (1998:204) (Law (2006:398) amending the Personal Data Act (1998:204)).
Lag (2010:1073) om ändring i kreditupplysningslagen (1973:1173) (Law (2010:1073) amending the Credit Report Act (1973:1173).

Lag (2014:1360) om ändring i tryckfrihetsförordningen (Law(2014:1360) amending the Freedom of the Press Act).
Lag (2014:222) om ändring i brottsbalken (Law (2014:222) amending the criminal law).

Mediegrundlagskommittén (The committee on the fundamental media laws): En kommitté på det tryck- och yttrandefrihetsrättsliga området (Ju 2014:17) (A committee in the area of the freedom of the press and the freedom of expression (Ju 2014:17)).

Myndighetsdatalagen (The public authority data act) SOU 2015:39.
Offentlighets- och sekretesslag (2009:400) (Public Access to Information and Secrecy Act).

Olovlig fotografering (Unlawful photographing) Departementsserien (Deparmental series) (Ds) 2011:1.

Personuppgiftslag (1998:204) (Personal Data Act).

Proposition (Government bill) 2005/06:173 Översyn av personuppgiftslagen (Review of the Personal Data Act).

Regeringsform (Instrument of Government) (1974:152).

Strömberg, H., Lundell, B. (2013). Grundlagsskyddad yttrandefrihet (Constitu-tionally protected freedom of speech) 15th ed. Lund: Studentlitteratur.

Svahn Starrsjö, K. (2014, Jan. 28). Grundlagen missbrukas och måste ändras snarast (The Fundamental Law is abused and must be amended as soon as possible). Dagens Nyheter. Retrieved February 07, 2016, from http://www.dn.se/debatt/ grundlagen-missbrukas-och-maste-andras-snarast/.

Treaty concerning the accession of the Kingdom of Norway, the Republic of Austria, the Republic of Finland and the Kingdom of Sweden to the European Union, June 24, 1994, Official Journal of the European Communities (O.J.) 94/C 241/07, 397, Declaration No. 47: Declaration by the Kingdom of Sweden on open government and Declaration made by the Union in response.

Tryckfrihetsförordning (Freedom of the Press Act) (1949:105).

Yttrandefrihetsgrundlag (Fundamental Law on Freedom of Expression) (1991:1469).