Softening the blow? Potential limitations of applying GDPR fines under Swedish constitutional and administrative procedure law

The size of potential administrative fines for non-compliance is a significant driver for companies’ efforts to become compliant with the extensive requirements under the GDPR. These administrative fines also entail a significant risk for any business that involves processing of personal data.

However, recent legal developments have put the application of such fines in potential conflict with Swedish administrative procedure and constitutional law – which potentially could limit the scope and possibility for the Swedish Authority for Privacy Protection (the “IMY”) to apply administrative fines in some cases. In this article, we look into two separate reviews and decisions by the IMY where the potential conflict with the Swedish administrative procedure and constitutional law has come into play and what this could mean for other cases where companies are supervised or reviewed by the data protection authority in Sweden.

First case: IMY recently issued a decision against Verifiera AB[1] (“Verifiera”) in relation Verifiera’s database, which is a search service for court decisions that provides sensitive personal data in a register. The database has a certificate of publication (Sw. utgivningsbevis), which means that it falls under the Fundamental Law on Freedom of Expression (Sw. yttrandefrihetsgrundlagen). For this reason, the database is also exempt from certain obligations under the GDPR[2], under the exception for journalistic purposes[3]. This is the main issue that was examined in the IMY decision. In short, IMY concluded in its decision that Verifiera’s processing of personal data violates the GDPR, and that the exception for journalistic purposes therefore does not apply. This exception has not previously been applied by the IMY or any court, which has resulted in different interpretations of the exemption by practitioners.

To summarize, the decision from IMY contains one main question, whether the GDPR applies on certain companies conducting journalistic business, including companies with a certificate of publication, or if constitutional law takes precedence over the GDPR. This is a fundamentally interesting conflict and balancing act between the Swedish constitution and the GDPR, which will have a decisive significance on the application of the GDPR for companies that conduct journalistic business, or act under a certificate of publication. IMY’s decision has been appealed by Verifiera to the administrative court and we will monitor this closely.

Second case: In December 2020, IMY announced several decisions[4] against eight health care providers and regions that were considered to be in violation of the GDPR[5], among other things, regarding their authorization assignment for medical record systems. The authority concluded that seven of the health care providers did not limit the users’ access authorization to the respective patient journal system to what is strictly necessary for the performance of their tasks. Therefore, the health care providers had not taken appropriate measures to ensure and be able to demonstrate a sufficient level of security for the personal data in the medical record systems, which IMY found to be in breach of the GDPR. The deficiencies and the non-compliance with the GDPR were so serious, according to IMY, that they result in administrative fines of between 2,5 to 30 million SEK.

Five of the decisions were appealed to the Administrative Court of Appeal in Stockholm, which subsequently (and, according to some commentators, surprisingly) overturned the Administrative Court’s ruling and IMY’s decision on administrative fines, as well as the authority’s injunction to remedy the deficiencies regarding the disclosure of competence to the medical record systems.[6]

In its ruling, the Administrative Court of Appeal held that the burden of evidence rests with the supervisory authority in relation to administrative fines, and that such fines under the GDR must be seen as corresponding to a criminal penalty. The supervisory authority’s burden of evidence should therefore, for reasons of legal security, be set high – the court compared it to the burden of evidence required to impose a tax penalty under Swedish tax law, concluding that that the same high burden of evidence also shall apply for fines under the GDPR. The requirement in Swedish cases regarding imposing of fines under the GDPR is therefore that the evidence must clearly provide substantial support that the conditions for deciding on an administrative fine are met. In practice, this means that IMY cannot place the burden of evidence on the specific company according to the documentation obligation for data controllers under the GDPR[7]. The authority has a high burden of evidence in relation to the imposition of fines and must therefore provide substantial and in detail evidence on the non-compliance of the GDPR, which opens to counter arguments and defense by the company. In the ruling, the court thus found that IMY failed to live up to this evidentiary requirement, indicating that IMY has not applied the GDPR in light of Swedish administrative procedure law, e.g. with regard to the evidentiary requirement for the authority’s evidence in supervisory cases.

In our opinion, this ruling entail that the imposition of administrative fines under the GDPR might be narrower under Swedish administrative procedure law, for evidentiary reasons, providing a potentially higher threshold than indicated in the GDPR. This could potentially limit the scope and possibility for IMY to apply administrative fines in some cases and may provide for lower fines in some other cases. It may also provide for an additional defensive argument in any Swedish proceedings regarding administrative fines. Whether this is unique for the Swedish application of GDPR fines remains to be seen.

As mentioned in this article, the two decisions from IMY, and the rulings from the Administrative Court of Appeal indicate that there is a conflict between the GDPR and Swedish administrative procedure and constitutional law, which potentially may narrow the scope and the application of the GDPR, in relation to the imposition of administrative fines by IMY.

However, the significance of the Swedish administrative procedure and constitutional law in relation to application of the requirements and sanctions of the GDPR are still far from settled and further developments are to be expected. Upcoming rulings will likely further expand on whether Swedish specific conditions shall apply, in relation to the requirements and sanctions of the GDPR.

[1] IMY’s decision against Verifiera AB (IMY-2022-1621).

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection).

[3] See Article 85 of the GDPR.

[4] IMY’s decision against Sahlgrenska Universitetssjukhuset (DI-2019-3840), Region Västerbotten (DI-2019-3841), Region Östergötland (DI-2019-3843), Capio S:t Görans Sjukhus AB (DI-2019-3846), Karolinska Universitetssjukhuset (DI-2019-3839), Digital Medical Supply Sweden AB (KRY) (DI-2019-3845), Aleris Sjukvård AB (DI-2019-3844) and Aleris Närsjukvård AB (DI-2019-3842).

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[6] Case numbers 4471-21, 4511-21, 4540-21, 4548-21 and 4611-21.

[7] See e.g. article 5.2 of the GDPR.