Court files and the shift towards privacy

As explained in our article earlier this year, the Swedish constitution allows for the public to access official documents. The state is expected to maintain open records to enable public scrutiny and informed discourse. Up until now, the ruling principle allowed for anyone (and for no given reason) to obtain information held by authorities. The right to public access has now been set aside for privacy reasons. This prioritisation of privacy over public access has a chilling effect on investigative journalism, procedural justice, and academic research. This shift is particularly concerning in an era of misinformation, where access to reliable data is crucial.

Last week, on 25 February 2025, the Swedish Supreme Court passed down two decisions on the disclosure of public information (GDPR och brottmålsdomarna I och II). Both cases concerned databases used to collect and search for criminal convictions, one intended for use by journalists and another to perform background checks and provide sources to journalists and academics. Neither one of the databases are intended for use by civilians. The databases concerned are protected by the Swedish Fundamental Law on Freedom of Expression. 

The databases had requested large amounts of criminal case files from district courts. The question referred to the Supreme Court was whether the disclosure of large amounts of criminal case files is a violation of the GDPR, in light of the Swedish Act of Public Access to Information and Secrecy and the rule applicable to the disclosure of documents held by the courts, which refers to the GDPR. 

The Supreme Court aligned with the CJEU and noted that journalistic activities should be interpreted broadly, irrespective of technique and purpose of profit. The court found that the legislator's intention, when implementing the GDPR in Sweden, was to exempt actors protected by the constitution, including databases under the Fundamental Law on Freedom of Expression. In other words, the legislator's intention was not to prevent actors under the constitution from obtaining official documents held by authorities. 

Following case law from the CJEU, the Supreme Court concluded that there must be a balance of interest between, on the one hand article 85 and 86 of the GDPR and on the other hand, protection of personal data. The Supreme Court found that although the GDPR shall not apply to the disclosure of public information in the situation at hand, the courts are obliged to take the GDPR into account as a "separate rule of law" for determining if the information is subject to secrecy under the Swedish Act of Public Access to Information and Secrecy. If the courts have reason to believe that the protection of personal data may be compromised, the courts should condition the disclosure of official documents. 

Because the databases requested large amounts of personal data related to criminal convictions, the Supreme Court granted disclosure under the condition that the information may not be (i) commercialised, (ii) offered with search functionalities, or (iii) used to notify the public or paying customers in any way that enables monitoring of an individual mentioned in the documents. The court's decision was handed down with three dissenting opinions.

While recognising the importance of privacy and protection of personal data, the limitation on the disclosure of official documents despite the existence of a justified and legitimate purpose is unsettling. Allowing the right to privacy in court documents to prevail over journalism, research, and effective justice will undoubtedly lead to opacity in governance and corporate affairs. The ability to gather, investigate, deduce, and conclude important information will be much harder if the information cannot be used commercially, nor assembled as easily searchable. Up until now, judicial databases have served a critical role in examining organised crime. 

Only by maintaining access to public records can we trace, reveal and expose misconduct, as well as ensure that institutions act in the public’s best interest. Some argue that the Swedish constitution is not balanced against privacy, and perhaps this view is because privacy is at the heart of modern digital rights. Regardless of whether that is true, the right to information should not be dismissed as an outdated principle. There is a conflict of interests and maybe we cannot settle on the differences. For decades, we have promoted openness, transparency, accountability, and democracy. Overruling this with a vague reference to the GDPR is a question of undermining the rule of law.

More guidance on the matter is expected to come later this year, following the Swedish District Court of Attunda's request for a preliminary ruling from the CJEU (Case C-199/24, Garrapatica). The questions referred will clarify the Union's view on the Swedish implementation of the GDPR and our constitution.