Advocate General (AG) Szpunar delivered his Opinion in Case C‑199/24, ND v Legal Newsdesk Sweden AB, formerly Garrapatica AB on 4 September 2025, a case that is a reference for a preliminary ruling from the Attunda District Court (Attunda tingsrätt) in Sweden.
The case concerns the compatibility of constitutional protections for media in Sweden with the General Data Protection Regulation (GDPR), particularly in the context of publishing personal data relating to criminal convictions.
The referring court asked the Court of Justice of the European Union (the Court) to clarify the scope of Article 85 GDPR, which governs the reconciliation of data protection with freedom of expression and information.
AG Szpunar concluded that Article 85(1) GDPR does not permit Member States to restrict or eliminate the remedies provided under Chapter VIII of the GDPR, such as the right to lodge complaints, seek judicial redress, or claim compensation. He thus found that national law in Sweden, by limiting recourse to defamation proceedings, failed to provide adequate protection for data subjects.
Furthermore, he held that the activity of Lexbase – publishing unedited criminal judgments online for a fee – does not qualify as processing for ‘journalistic purposes’ under Article 85(2) GDPR. Therefore, the derogations available for journalistic activity cannot apply.
Background and Facts
The Attunda District Court (Attunda tingsrätt) of Sweden, in greater Stockholm, made a reference for a preliminary ruling to the Court of Justice of the European Union (CJEU) on whether regulated media companies able to be sued for criminal liability when they have defamed persons, and thus liable to pay appropriate damages under the General Data Protection Regulation (GDPR).
The facts of the case are that a company in Sweden, Garrapatica AB, runs a database called ‘Lexbase’, and with that database, published the personal details of persons involving in criminal proceedings. The national authority in this field, the Swedish Agency for the Media (Mediemyndigheten) published a ‘certificate of no legal impediment to publication conferring constitutional protection’ (utgivningsbevis) to Garrapatica. With this certificate, Garrapatica enjoys a status in Swedish law under the freedom of expression.
Lexbase primarily makes legal information about people and companies in Sweden to its clients that it gathers from Swedish public bodies.
At issue is an individual who was convicted and sentenced for a crime had that information published on Garrapatica’s database between January 2011 and February 2024, when it was removed. The decision on that individual’s sentencing was subsequently removed from the public register of criminal records, but, as is apparent, still appears on the database of Garrapatica.
Garrapatica acknowledges that it refused to remove the individual’s personal data in accordance with his request that they do so before the personal data were removed. The applicant in seeking personal damages of 300,000 SEK (€26,000 approx.) for the defamatory breach, but the company is only willing to pay 20,000 SEK (€1,750 approx.).
The core legal issue revolves around Article 85 GDPR, which mandates Member States to reconcile data protection with freedom of expression.
Article 85(1) GDPR states:
‘Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.’
Article 85(2) GDPR states:
‘For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.’
Other relevant provisions includes, Article 10 GDPR, which states that the processing of personal data relating to criminal convictions and offences is to be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. That processing of data however is compensated by Article 17 GDPR, in that there is a right to obtain from the controller the erasure of personal data concerning him or her without undue delay inter alia if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Furthermore, Article 82 GDPR states that material or non-material damages are to be received by persons from the control as a result of infringements of the GDPR.
The questions referred to the CJEU was by the Attunda District Court are:
‘Does Article 85(1) GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) GDPR relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?’
In other words, the referring court is asking whether Article 85(1) GDPR a case of ‘maximum harmonisation’, or not (‘minimum harmonisation’)?
If so, then,
‘Does Article 85(1) GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation?’
If no to both these questions, then,
‘Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions constitute processing of personal data for the purposes set out in Article 85(2) GDPR?’
Opinion of the Advocate General
The Opinion of Advocate General Szpunar began by dissecting Article 85 GDPR into its two key components, in that Article 85(1) GDPR imposes a general obligation on Member States to reconcile data protection with freedom of expression, whilst Article 85(2) GDPR allows for specific exemptions or derogations from GDPR provisions when processing is carried out for journalistic, academic, artistic, or literary purposes.
The AG emphasised that while Article 85(1) GDPR sets the normative framework, Article 85(2) GDPR provides the operational mechanism. He stated that Member States cannot use Article 85(1) GDPR as a carte blanche to exempt entire areas of data processing from the GDPR. Instead, any derogations must be narrowly tailored and justified under Article 85(2) GDPR.
For him, Article 85 GDPR does not permit Member States to declare the GDPR wholly inapplicable in cases where it conflicts with national constitutional protections for media. Such an approach, according to the AG; would undermine the harmonising intent of the regulation and the primacy of EU law.
Consequently, AG Szpunar was unequivocal: Article 85 GDPR does not allow Member States to restrict or eliminate the remedies provided under Chapter VIII of the GDPR, which includes the right to lodge complaints with supervisory authorities (Article 77 GDPR), the right to judicial remedies (Article 79 GDPR), and the right to compensation (Article 82 GDPR). He notes that the legal framework in Swwden effectively excluded these remedies in cases involving constitutionally protected media, thereby denying data subjects meaningful recourse. This, he argues, was incompatible with the objectives of the GDPR. Therefore, national law that limits remedies to defamation proceedings is precluded by Article 85(1) GDPR.
On the question concerning whether Lexbase’s activity qualifies as processing for journalistic purposes under Article 85(2) GDPR, AG Szpunar acknowledged that the term “journalistic purposes” is not defined in the GDPR, but drawing on prior case law of the CJEU, noted that journalistic activity must involve the disclosure of information, opinions, or ideas to the public, and that the concept should be interpreted broadly to include non-traditional media actors.
However, he distinguished Lexbase’s activity from genuine journalism. He put it that Lexbase merely republishes public documents without any editorial input, commentary, or intent to inform public debate. The platform’s business model of charging users for access further suggested a commercial, rather than journalistic purpose.
He therefore concluded that Lexbase’s activity does not fall within the scope of ‘journalistic purposes’ under Article 85(2) GDPR. This means that the derogations available under that provision cannot be invoked to shield Lexbase from obligations under the GDPR.
In all therefore, AG Szpunar concluded that while freedom of expression is important, it cannot be used to nullify the right to data protection, as the litigant in this case had sought.
He proposed that the Court answer the referred questions as follows:
Article 85(1) GDPR…must be interpreted as precluding a national law under which the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation.
Article 85(2) GDPR…must be interpreted as meaning that an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions does not constitute processing of personal data for journalistic purposes.
Read the Opinion
The Opinion of Advocate General Szpunar in Case C-199/24, ND v Legal Newsdesk Sweden AB, formerly Garrapatica AB, delivered on 4 September 2025, pending before the Fifth Chamber of the Court, can be read here.