GDPR lawyer insight: the Advocate General’s assessment in the Lexbase case

In his Opinion in Case C-199/24, the Advocate General has taken a clear position: legal databases that make criminal judgments available for a fee – such as Lexbase – do not fall within the exemption for journalistic purposes under Article 85 GDPR.

For businesses that handle public information on crimes and judgments, this may signal material changes to the conditions for operating lawfully. Understanding the boundary between journalism and commercial publication is now more important than ever. A GDPR lawyer or a GDPR compliance consultant can support organisations whose business model may be affected by ongoing legal developments in this area.

Lexbase, GDPR and the journalistic exemption

The case concerns the Swedish service Lexbase, which publishes criminal court judgments online. Lexbase has previously argued that it operates under the so-called media exemption, namely that GDPR does not apply where personal data are processed for journalistic purposes pursuant to Article 85 GDPR.

According to the Advocate General, this is incorrect. At paragraph 48 of the Opinion, he clarifies that a service which merely re-distributes judgments for payment does not constitute journalistic activity within the meaning of the GDPR. Instead, it is commercial activity that must comply with data protection rules – including the right to erasure, the right to rectification under GDPR and potential damages.

GDPR lawyer guidance: Article 85 GDPR is not a free pass

Article 85 allows Member States, through national law, to restrict certain GDPR rights to safeguard freedom of expression and information. However, as noted at paragraph 33, this may only occur under “specific circumstances”, and the exemptions must not neutralise the Regulation in its entirety – which Sweden is said to have partly done through Chapter 1, Section 7 of the Data Protection Act. The Swedish rule is specifically criticised at paragraph 26.

Furthermore, remedies, liability and sanctions (Chapter VIII GDPR) cannot be disapplied via Article 85; this is underscored at paragraph 35.

What does this mean for GDPR compliance?

If the Court of Justice follows the Advocate General’s line (which is often the case), the implications would extend beyond Lexbase. Other services such as Hitta.se, Mrkoll and Ratsit could face similar scrutiny – especially where their business model relies on providing sensitive information about individuals for purposes that do not meet the criteria for journalistic activity. This means organisations processing public personal data must be able to justify their processing against GDPR’s requirements of lawfulness, transparency and accountability. In many cases this will also touch on processing of sensitive personal data and require a focused GDPR compliance review.

Practical recommendations for GDPR compliance services

From a compliance perspective, organisations that disclose information on crimes, judgments or other sensitive information should:

• Assess whether the activity truly falls within Article 85 GDPR – or whether full application of the GDPR is required.
• Re-examine the lawful basis for the processing and seek targeted GDPR compliance guidance where needed.
• Evaluate risks of privacy intrusions and damages claims, supported by a structured GDPR risk analysis.
• Establish internal policies and clear documentation to demonstrate accountability, with periodic GDPR compliance review.
• Ensure rights to erasure, rectification and objection are respected where required, including the right to rectification under GDPR.

Where publication is profit-driven and lacks editorial content, the risk increases that GDPR applies in full and that the exemption for journalistic activity does not apply. In such scenarios, engaging GDPR consulting services or broader GDPR legal services can provide practical GDPR compliance support.

What happens next in Case C-199/24? The role of the Court of Justice of the European Union

It is now for the Court of Justice of the European Union to decide. Although the Advocate General’s Opinion is not binding, it is frequently followed in the final judgment. This may necessitate broader changes in Swedish law – particularly concerning the media exemption in the Data Protection Act. It will be especially important to monitor the Data Protection Agency’s ongoing investigations into Lexbase, Krimfup, Mrkoll and Upplysning.se, and how they are affected by legal developments.

Morling Consulting’s expertise: GDPR compliance consultant support across Europe

At Morling Consulting, our GDPR lawyers and consultants help organisations ensure compliance with the GDPR – from legal assessment and GDPR compliance guidance to policy development and risk analysis. We operate and support clients across Europe. Contact a GDPR lawyer for assistance in interpreting the evolving case law and implementing proportionate GDPR consulting services.