Publishing criminal judgments online – should GDPR or freedom of expression take the lead?

5 mins read • Legal Writer • GDPR • 11 July 2025

The Swedish Supreme Court (Högsta domstolen) rulings against Panoptes and Trobar have reshaped the framework for publishing public documents containing information about criminal offences online. At the centre is the boundary between data protection under the GDPR and freedom of expression. We have previously noted that the Data Protection Agency has initiated supervisory proceedings against Lexbase and Krimfup and, more recently, against Upplysning.se and Mrkoll, which publish information on finances and family circumstances through search services. The debate increasingly turns on the right to protection of personal data when criminal judgments are made searchable to the public.

The conflict concerns two rights: the constitutionally protected right to disseminate information and the right to protection of personal data under the GDPR. The Supreme Court held that search services may not make judgments with identifying particulars available to the general public, even where a publishing certificate exists. The rulings affect both media operators and other actors who process judgments in searchable databases.

Particularly important is how the Court balanced constitutional protections against EU law requirements. The GDPR takes precedence where safeguards are absent, especially for data on criminal offences. This impacts companies that process such data for purposes broader than strictly journalistic ones and brings the right to protection of personal data into sharp focus.

How may judgments be published under the GDPR?

The Supreme Court’s decisions mean that any processing of personal data in criminal judgments must afford strong protection for personal privacy. Under Article 10 GDPR, specific safeguards established by EU law or national law are required for processing data relating to criminal offences. Where these are absent – for example, where anyone can retrieve documents by searching a name or national identity number – the processing conflicts with EU law.

  • Legal basis: There must be support under Article 6 GDPR and a specific exemption under Article 10.
  • Restricted access: The database may not be freely searchable by the public where sensitive data appear.
  • Purpose limitation: Processing must have a legitimate and defined purpose, which could, for example, be journalism.
  • Safeguards: Systems and procedures must ensure privacy protections are sufficiently robust.

The rulings mean that even with a publishing certificate, the controller must demonstrate that the processing does not make the data available to the public; otherwise, the GDPR applies in full. This is particularly significant for services such as Lexbase and Krimfup, which make criminal judgments accessible to the public and are now subject to supervisory proceedings by the Data Protection Agency.

Two poles – openness vs the right to protection of personal data

Two clear camps have emerged. One advocates continued openness around criminal judgments as part of the rule of law. The other emphasises the individual’s need for protection from digital traces that cannot always be erased.

For defenders of freedom of information, court records are central to journalistic scrutiny. Freely available judgments can, for example, expose systemic failures or abuses of power. But this must be balanced against the GDPR’s requirements – in particular that data about criminal offences may be disseminated only where there is an explicit, statutory exemption.

An argument against open publication is that people who have been convicted, acquitted or otherwise featured in criminal cases may suffer disproportionately. Dissemination can become permanent and potentially harmful – long after proceedings have concluded.

The Supreme Court’s decisions now give primacy to privacy interests in these scenarios. Journalistic use may be permissible – but it requires a concrete link to actual journalistic activity and a strictly limited user base. It remains unclear whether affected businesses will pivot in this direction and, if so, whether such processing will be tested in court for lawfulness.

When may journalistic processing be permitted?

There is scope for journalistic work to be exempt from the GDPR’s main rules. However, the processing must be necessary for journalism – not for commercial operations. A decisive factor will be who has access to the material and for what purpose.

Nyhetsbyrån Sirén, the subject of the Panoptes case, historically limited its search service to journalists. That could potentially satisfy the criteria for an exemption, but as the customer base expanded to security firms and other actors, the argument weakened. Where a service is open to anyone for a fee, it is no longer viewed as part of journalistic activity. The safeguards and ethical constraints that might justify an Article 10 GDPR exemption are then absent, at least insofar as the service reaches recipients without a journalistic purpose.

How companies publishing sensitive personal data should act

Businesses handling judgments or other sensitive data must reassess their operations in light of the Supreme Court’s rulings. This is especially the case where material is made available to the public through search services – for example, where anyone can download criminal judgments for payment. Holding a publishing certificate is not a free pass to ignore the GDPR.

A key step is to analyse the categories of data being processed – particularly criminal-offence data. The purpose of processing must then be clarified and a legal basis established that satisfies both Articles 6 and 10 GDPR. If a lawful basis can be established, new disclosure procedures must be implemented, together with processes for erasure and complaints. This typically requires both legal analysis and technical adjustments – particularly for operators whose business models rely on public documents.

Morling Consulting’s GDPR lawyers assist with identifying lawful bases, drafting policies and adapting the processing of public documents to comply with the GDPR.