The Attunda District Court (Attunda tingsrätt) of Sweden, in greater Stockholm, has made a reference for a preliminary ruling to the Court of Justice of the European Union (CJEU) on whether regulated media companies able to be sued for criminal liability when they have defamed persons, and thus liable to pay appropriate damages under the General Data Protection Regulation (GDPR).
The facts of the case are that a company in Sweden, Garrapatica AB, runs a database called ‘Lexbase’, and with that database, published the personal details of persons involving in criminal proceedings. The national authority in this field, the Swedish Agency for the Media (Mediemyndigheten) published a ‘certificate of no legal impediment to publication conferring constitutional protection’ (utgivningsbevis) to Garrapatica. With this certificate, Garrapatica enjoys a status in Swedish law under the freedom of expression.
Lexbase primarily makes legal information about people and companies in Sweden to its clients that it gathers from Swedish public bodies.
At issue is an individual who was convicted and sentenced for a crime had that information published on Garrapatica’s database between January 2011 and February 2024, when it was removed. The decision on that individual’s sentencing was subsequently removed from the public register of criminal records, but, as is apparent, still appears on the database of Garrapatica.
Garrapatica acknowledges that it refused to remove the individual’s personal data in accordance with his request that they do so before the personal data were removed. The applicant in seeking personal damages of 300,000 SEK (€26,000 approx.) for the defamatory breach, but the company is only willing to pay 20,000 SEK (€1,750 approx.).
Article 85(1) GDPR (Processing and freedom of expression and information):
Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
Other relevant provisions includes, Article 10 GDPR, which states that the processing of personal data relating to criminal convictions and offences is to be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. That processing of data however is compensated by Article 17 GDPR, in that there is a right to obtain from the controller the erasure of personal data concerning him or her without undue delay inter alia if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Furthermore, Article 82 GDPR states that material or non-material damages are to be received by persons from the control as a result of infringements of the GDPR.
The questions referred to the CJEU was by the Attunda District Court are:
Does Article 85(1) GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) GDPR relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?
In other words, the referring court is asking whether Article 85(1) GDPR a case of ‘maximum harmonisation’, or not (‘minimum harmonisation’)?
If so, then,
Does Article 85(1) GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation?
If no to both these questions, then,
Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) GDPR?
The case will be decided in 2025 by the CJEU.
A copy of the referral to the CJEU made by the Attunda District Court (Attunda tingsrätt) in Case C-199/24, Garrapatica, is available here.