Sweden: Users are not party to their own privacy rights?
The Swedish DPA (IMY) refuses to take a decision on a GDPR complaint, claiming that the user is not a party to his own rights. In essence, the IMY seems to take the view that the “right to a complaint” under Article 77 GDPR, which should give everyone free access to enforcement, is only a right to “petition” the authority. noyb filed an appeal today to the administrative court in Stockholm.
One month under GDPR turns into three years in reality. Under the GDPR, everyone has a right to access their data, including a copy of all data and an explanation of the data usage. The legal deadline for responding to an access request is one month. In 2019, as part of a project on streaming companies, noyb also filed a complaint against Spotify over an incomplete response to an access request. The complaint, filed in Austria, was forwarded to the Swedish IMY, which is responsible for Spotify. Since then the case has not been decided. Instead, the Swedish DPA is claiming to have a broader investigation into Spotify - for more than three years. The relevant user is however still waiting to get all relevant information.
Request to decide rejected. Under Swedish law, a party can request a decision within four weeks, if an authority has not decided within six months. In June 2022, noyb sent such a request to the Swedish IMY. Surprisingly, the Swedish IMY rejected the request on the grounds that the data subject was not part of the procedure about his right to access.
“Imagine you are not a party in a case about your building permit or your right to free speech. The notion that we have a fundamental right to data protection in the EU, but in Sweden you can’t get it enforced is just mind-blowing. The GDPR is clear that you have a right to file a complaint and a right to appeal if there is no decision.” – Max Schrems, Chairman of noyb.eu
Administrative inactivity becoming arbitrary. The situation the data subject encounters is therefore paradoxical. Both the GDPR and Austrian law assign to the complainant the role of a party to the litigation procedure. However, when the procedure is sent to another lead authority under the GDPR, these guarantees seem to vanish in reality. According to IMY's interpretation of Swedish law, a complainant has no possibility to participate in the procedure or get his or her rights enforced. Therefore, it would be an absolutely arbitrary decision by bureaucrats whether people can get their rights enforced or not – without any recourse if the IMY does not feel like doing its job.
“Bottom line is that the IMY says it can simply ignore the rights of Europeans under the GDPR. This is neither what the GDPR says, nor what the rule of law requires.” – Max Schrems, Chairman of noyb.eu
Appeal against the inaction of the DPA. For these reasons, noyb decided to lodge an appeal against the IMY decision. In summary, the appeal rejects the idea that a data subject is not part of a procedure over his or her own rights. If the case is successful, the IMY will have to enforce users’ rights as foreseen by the GDPR.