Recently, we have seen a very disconcerting development in the world regarding how information of different kinds is valued and used. As “truth” is being increasingly questioned, one possible remedy is the right of access to official documents. This is the subject studied in this article. Such access constitutes an important element in our democratic society by providing citizens and the media the means to control their government. In Sweden, this right of access might also bring about detrimental effects for privacy, or personal integrity, however, due to the stipulations of the constitutional law, the Freedom of the Press Act.

As will be outlined in this study, the meanings attributed to various expressions related to the right of access are unclear, so too are the boundaries that regulate the creation of official documents that may be requested as per the Freedom of the Press Act. This uncertainty could carry implications for personal integrity. The meanings and creation of official documents are thus at the heart of this investigation.

The purpose of the study is to enhance our knowledge of enablers of, and obstacles to, individuals’ awareness of how information about them in Swedish public authorities was handled and might be accessed by others. The concept self-information awareness developed for the study was therefore at the core of the linguistic–historical analysis that was carried out on twelve Swedish Government Official Reports on large public registers and personal integrity published 1987–2017.

The main conclusion from the investigation is that the possibility of individuals being aware of how information about them was handled by the Swedish authorities and might be accessed by others seemed very limited. The linguistic analysis carried out in the study therefore needs to be supplemented by research into the material legal possibilities for individuals to gain such awareness.

Google Inc has received 54,038 requests to dereference Swedish URLs since the judgement of the Court of Justice of the European Union, C-131/12 Costeja. After examining these requests, Google removed 43.7% of the search results (i.e. 23,613 URLs) but refused to dereference in 56.3% of cases (i.e. 30,425 URLs). In other words, Google refused to grant the dereferencing requests in a little over half of the cases, which corresponds to the average recorded by the American Internet search engine across all European countries.3What kind of help from public authorities may individuals to whom a request for delisting has been denied by the operator of a search engine have at their disposal? In other words, how do the Swedish authorities apply the Google ruling? These are the questions tackled in this paper, first focusing on the manner the Data Protection Authority, the Datainspektion (DI), deals with the issue, then looking at how the courts handle complaints against a search engine operator’s decision not to delist an incriminated URL.

According to the landmark judgement Google Spain of 13 May 2014 of the European Court of Justice, search engines have under certain conditions the obligation to de-index search results (URLs) containing personal information. This obligation to execute the so-called right to be forgotten does not apply however when the interest of the public of having access to the information at issue overrides the right of privacy of the data subject, which emphasises the question of the balancing between the right to privacy and the freedom of expression. The paper first contains a succinct analysis of the criteria referred to by the European bodies, the EJC and the Article 29 Data Protection Working Party, for achieving the balancing between the right to privacy and the freedom of expression. Second, the paper examines the actors involved in the balancing of interests when the right to be forgotten is applied, i.e. the actors whose freedom of expression is potentially restricted by the application of the right to be forgotten and the actors in charge of the balancing of interests.

* This paper mirrors an introductory presentation for a workshop on The Right to Be Forgotten: The Balance between the Right to Privacy and Freedom of Expression, that took place on September 9, 2017 at the Legraina EPLO premises, Sounion, Greece.

Conformément à l’arrêt clé rendu par la Cour de justice de l’Union européenne le 13 mai 2014 dans l’affaire Google Spain, les moteurs de recherche ont sous certaines conditions l’obligation de supprimer les résultats (URL) contenant des informations personnelles. Cette obligation de mettre en œuvre le “droit à l’oubli” ne s’applique toutefois pas quand l’intérêt du public à avoir accès à l’information en cause prime le droit à la vie privée de la personne concernée, ce qui met en exergue la question de l’équilibre entre le droit à la vie privée et la liberté d’expression. Cet article contient, premièrement, une analyse succincte des critères mentionnés par les organes européens, la CJUE et le G29 afin de parvenir à un équilibre entre le droit à la vie privée et la liberté d’expression. En second lieu, il examine les acteurs impliqués dans la balance des intérêts quand le droit à l’oubli est appliqué, à savoir les acteurs dont la liberté d’expression est potentiellement limitée par la mise en œuvre du droit à l’oubli et les acteurs chargés de procéder à la balance des intérêts en présence.

Right to be Forgotten in Sweden 

Google has received about 15,000 requests for delisting regarding Swedish websites. Yet, in more than half of the cases the American search engine operator refused to remove the disputed websites from their results.

What kind of help may individuals to whom a request for delisting has been denied expect from public authorities expect from public authorities? In other words, how do the Swedish authorities apply the Google ruling? These are the questions we tackle in this paper, first by focusing on the manner in which the Data Protection Authority, the Datainspektion (DI), deals with the issue; then by looking on how the courts – in the current case, the ordinary judge – handle complaints against search engine operators’ decisions not to delist incriminated URLs.

The first section, dedicated to the theme of the right to be delisted and the data protection authority, begins with a brief review of the information provided by the Data Protection Authority’s website on the right to be forgotten and the manner to exercise it. We notice that there is a need for clearer information but that some improvements seem to be underway, not least concerning the right to erasure laid down in the General Data Protection Regulation.

The next two parts of Section 1 deal with the twofold procedure initiated in May 2015 by the DI towards Google, following complaints submitted to the Swedish authority. One part of the procedure concerns thirteen individual complaints selected by the DI that the Swedish supervisory authority required Google to review. The second part of the procedure consists of a general investigation of the way the American search engine operator complies with the European case law on the right to be forgotten. In a decision closing these two procedures on May 2nd 2017, the Data Protection Authority, assesses that in five of these cases Google’s reiterated refusal to delist websites from the search results were in breach of the Swedish data protection legislation and requires Google to delist the incriminated websites by August 2nd 2017. Moreover, the Swedish Data Protection Authority makes two recommendations to Google with regard to the procedure its removals-team follows when receiving a request from an individual to remove links. Additionally the DI requires Google to apply the right to be forgotten not only for search results on Google’s Swedish pages, but also on Google’s search engine for other countries that ”have such a relationship to Sweden and to the data subject that they cause an infringement in the privacy of the data subject”. The American search engine operator has three weeks from the date of reception of the decision for lodging an appeal to the administrative court.

The second section, entitled The right to be delisted and the ordinary judge, provides an analysis of the first Swedish judgment in the field. The court of first instance of Stockholm, in its decision from May 9^th 2016, made upon the appeal of a businessman in the construction sector complaining about the refusal of Google to remove links to webpages publishing critical articles regarding the plaintiff, decided in favor of the search engine operator. We analyse this judgement with a particular focus, first, on the balancing of the interests the judge makes in the present case, as well as on the legality of the data processing, and, second, on the question raised by the defendant on the competence of the ordinary judge to prohibit the continued processing of data. On the first issue, the Swedish authority, taking inter alia into account the role of public figure of the plaintiff and the seriousness of the news outlets which published the incriminated articles, concluded that the interests of Google and third persons to diffuse and access information contained in the articles outweight the right to protection of privacy and the right of data protection of the plaintiff. Consequently, the judge assessed that the data processing wasn’t illegal. On the second issue of the competence of the ordinary judge to order the cessation of the listing of websites, we first review the different opinions on that issue before raising the question of the compliance of the Swedish legal framework in terms of the effectiveness of the application of the European ruling on the right to be delisted.

Our general conclusion is that it is too early to give a straightforward appreciation on the way the Swedish authorities apply the right to be forgotten. Indeed, we don’t know how the legally robust decision taken by the DI in May 2017 will impact its policy in the field of the right to be forgotten; will the DI, for instance, endorse more individuals’ complaints? Furthermore, to this date, there has been no decision on the right to be forgotten by the administrative court and only one by an ordinary court. In any case, the absence of obligation for the Datainspektion to forward individual complaints to search engine operators, if combined with a lack of power for the ordinary judge to order a delisting, would raise questions on the effectivness in Sweden of the application of the right to be forgotten.

La société Google a été saisie de quelques 15 000 demandes de déréférencement concernant des sites suédois. Dans un peu plus de la moitié des cas Google a refusé de faire droit à de telles demandes. La question qui nous occupe est celle de savoir quel concours les autorités suédoises peuvent apporter et apportent en pratique aux individus déboutés de leur demande de déréférencement par un exploitant de moteur de recherche. Autrement dit, nous nous intéressons à la manière dont les autorités suédoises mettent en œuvre le droit européen en matière de droit à l’oubli numérique.

Nous examinons dans un premier temps la façon dont l’autorité de contrôle suédoise de protection des données personnelles, la Datainspektion (DI), s’acquitte de sa tâche de protection des individus face au référencement. Pour ce faire nous nous intéressons à l’information mise par la DI à la disposition de potentiels plaignants sur les droits dont ils disposent et les démarches à effectuer. Puis nous examinons, au travers de l’étude de la première procédure initiée par la DI à l’encontre de Google, au sujet de treize plaintes par elle sélectionnées, comment l’autorité de contrôle suédoise donne suite dans des cas concrets aux refus de Google de désindexer des sites mis en cause. Pour finir, nous nous intéressons à la procédure d’inspection générale mise en oeuvre par la DI sur la façon dont la Googles removal-team traite les plaintes qu’elle reçoit ainsi qu’aux recommandations et à l’injonction émises par la Datainspektion à l’encontre de l’exploitant de moteur de recherche américain dans le cadre de cette procédure.

Nous examinons dans un deuxième temps comment le juge judiciaire s’est positionné dans la première affaire de droit au déréférencement traitée par une juridiction suédoise. Pour ce faire nous analysons la manière dont le juge a effectué la pondération des intérêts en présence, ceux du plaignant, un homme d’affaires de la branche du bâtiment, d’un coté, et ceux de Google et des tiers, de l’autre. L’examen de cette affaire nous donne également l’occasion d’examiner la question de la compétence du juge judiciaire suédois d’enjoindre à un exploitant de moteur de supprimer des sites de résultats de recherche, question controversée et soulevée par la partie défenderesse.

Cette interrogation sur les pouvoirs du juge face au référencement, combinée à l’absence d’obligation de la Datainspektion de donner suite aux plaintes dont elle est saisie, nous amène en conclusion à poser la question de l’effectivité en Suède de la mise en oeuvre du droit au déréférencement tel que posé par le droit européen.

The paper examines the balancing between the right of access to information and the right to privacy in the context of online proactive disclosure of personal data. Proactive disclosure is understood as disclosure of information made by public authorities without a request having previously been made for such disclosure. Interestingly, the release upon request of official documents containing personal data normally does not activate data protection legis-lation in Sweden. In the case of proactive disclosure of official documents containing personal data, however, the data protection legislation must be followed. Jonason presents and analyses the legal framework, and shows how it has evolved over time. She illustrates the legal framework through the analysis of cases on proactive disclosure handled by the Swedish Data Protection Authority. In addition, guidelines concerning online proactive disclosure, drafted by the same authority for the benefit of local authorities, are taken into consideration. Jonason is especially interested in the balance-ing between the interest to protect privacy of the data subject and the interest of ensuring openness and transparency, and how this balancing is conveyed in the letter of the law, the preparatory works, as well as in the concrete implementation made by the Data Protection Authority. The conclusion reached by Jonason is that the current legal framework, constituted by different “layers”, is intricate. Changes on data processing made by public authorities should be expected, however, due to the General Regulation on Data Protection that will enter into force in 2018. This might constitute an opportunity for the legislator to rationalise the current legal framework.