Supreme Court decisions on the disclosure of public documents – what do they mean for employers’ background checks?

Earlier this year, the Supreme Court (HD) issued decisions in two cases concerning the disclosure of public documents. In both cases, the issue was the release of criminal judgments to entities operating databases that, in various ways, further disseminate the information. The activities of both entities are protected by constitutional law, and in these cases, the Supreme Court weighed freedom of expression and information, and the public’s right of access to public documents, against the right to protection of personal data. The Supreme Court found that the documents in question could be disclosed, but with conditions regarding their further use. In the long run, these decisions may have practical consequences for employers and their ability to conduct background checks.

In February 2025, the Supreme Court examined how each entity’s request for the release of a large number of criminal judgments should be handled in light of Sweden’s obligation to comply with the EU General Data Protection Regulation (GDPR). The entities in question held publishing certificates for their respective databases and were subject to the so-called media constitutional laws (the Freedom of the Press Act and the Fundamental Law on Freedom of Expression). Holding a publishing certificate means, among other things, that there are limited possibilities to prosecute publications in the database.

Swedish law contains supplementary provisions to the GDPR. Among other things, these provide that the GDPR should not be applied to the extent that it would conflict with the Freedom of the Press Act or the Fundamental Law on Freedom of Expression. The Supreme Court stated that the legislator’s intention with this provision was that the GDPR should not apply at all in the constitutionally protected area. This would mean that activities covered by the Freedom of the Press Act or the Fundamental Law on Freedom of Expression would not need to comply with the GDPR. It would also mean that criminal judgments should be disclosed, even when the request concerns a large number of documents, and that there are very limited possibilities to intervene against subsequent processing.

The Supreme Court found that such an arrangement cannot be considered compatible with the GDPR. The Court held that it is not consistent with EU law to have a system where criminal judgments are disclosed on a large scale, resulting in a significant amount of personal data relating to criminal offenses being processed in a database and made available to others. The Supreme Court stated that, in principle, there would then be no other protection for privacy interests than what could be provided by interventions under the media constitutional laws and the Penal Code. According to the Supreme Court, such an arrangement would almost entirely undermine the protection that the GDPR is intended to provide.

The Supreme Court then examined the issue of confidentiality. The general rule is that criminal judgments are public, but confidentiality for personal data applies if it can be assumed that the data, at a later stage (i.e., after disclosure), will be used in violation of the GDPR. The Supreme Court, taking the above into account, made the overall assessment that the GDPR can also be considered within the constitutionally protected area.

If an authority, in connection with a confidentiality assessment, finds that there is a risk of harm, detriment, or other inconvenience, the authority must attach a condition to the disclosure. Such a condition restricts the right to further disclose or use the confidential information. For example, a condition may prohibit personal data from being made available to the public or to paying customers if this would provide access to individuals’ names, personal identity numbers, or addresses.

The Supreme Court ultimately found that the documents in both cases should be disclosed with conditions, i.e., with limitations on how the documents and the information therein may be used.

The decisions and the Supreme Court’s press release can be read in full here.

Setterwalls’ comments

The outcome of these cases means that authorities (such as courts) must assess whether the information in a public document, after disclosure, may be processed in violation of the GDPR. This may result in more judgments being disclosed with conditions, which in the long term means that databases containing information about, for example, criminal offenses may no longer be able to share information from judgments in their databases to the same extent as before. This may, in turn, affect employers who conduct background checks using such databases and lead to increased use of background check companies licensed by the Swedish Authority for Privacy Protection. Such a development may be beneficial from a privacy perspective, as the Swedish Authority for Privacy Protection conducts a thorough review before granting permission to process data on criminal offenses.

Many employers conduct background checks today. In some cases, the employer has its own interest in carrying them out, while in other cases, it is a legal requirement, for example, when hiring new staff in the education sector. However, our experience is that some employers conduct background checks without predetermined routines and policies. Such an approach carries risks that background checks are conducted more extensively than necessary, that inadequate sources/databases are used as the basis for the check, that more data than necessary is processed, or that the results of the check are not handled correctly and, for example, are stored for longer than necessary. We are happy to help you develop routines or review existing processes to ensure that the background checks you conduct comply with the applicable legal framework.

It is also worth noting that, at the time of writing, the Swedish Authority for Privacy Protection has initiated supervisory cases against four entities with publishing certificates that provide searchable databases. It remains to be seen what these supervisory cases will result in and whether they will provide further guidance from the Swedish Authority for Privacy Protection. You can find the Swedish Authority for Privacy Protection’s press releases here and here. In parallel with the supervisory cases, a preliminary ruling from the CJEU is awaited regarding clarification of whether constitutional protection for databases is compatible with the GDPR. According to the Advocate General’s opinion, the activities of legal databases do not constitute journalistic activity, which means that they should not be exempt from the GDPR. Furthermore, the GDPR does not permit national legislation under which the only legal remedy available to a person whose personal data is processed – by making criminal convictions concerning that person available to the public – is to initiate criminal proceedings for defamation or to claim damages for defamation.

Finally, it should also be noted that previous proposals have been made to better balance the interests of freedom of expression and information with the protection of personal data, but these have not resulted in legislation. A new proposal has again been put forward (SOU 2024:75), which is proposed to enter into force on 1 January 2027. In addition, the government has recently announced that an inquiry has been launched to analyse the need for and conditions for conducting background checks in both the public and private sectors. The purpose is, among other things, to propose an appropriate, proportionate, and legally secure regulatory framework for background checks. The assignment is to be reported no later than 11 March 2027.

In summary, there is a lot happening in this area, and we are closely and actively following legal developments. If you have questions about background checks or other related issues, you are always welcome to contact us at Setterwalls.