The Swedish Data Protection Authority (IMY) is being taken to court by the privacy advocacy group noyb for its alleged failure to properly investigate and address complaints from data subjects, in violation of EU law.
According to the complaint filed by noyb, the IMY allegedly routinely refuses to fully process complaints, instead simply forwarding them to the companies accused of illegally processing personal data and then immediately closing the cases without further investigation.
Swedish Data Protection Authority Alleged to Improperly Implement GDPR
noyb states that the General Data Protection Regulation (GDPR) is clear: data protection authorities have a duty to actively enforce the fundamental right to data protection, investigate every complaint, and take measures to remedy the situation.
However, the privacy advocacy group alleges that the IMY seems to be operating under a different set of rules, one that prioritizes its own convenience over the rights of citizens. The noyb cited an instance where the Supreme Administrative Court of Sweden had previously ruled that individuals have the right to appeal IMY’s decisions.
The case in question revolves around a data subject who filed a complaint regarding a recorded phone call, only to have the IMY forward the issue to the respondent without conducting a thorough investigation. Max Schrems, a recognized figure in the data protection community, weighed in with his personal statement on the matter, claiming that the IMY seems to confuse its role with that of a postal service, simply forwarding documents without taking any meaningful action.
“Six years after the introduction of the GDPR, we continue to see authorities acting as if they can pick and choose whether citizens have their rights enforced,” said Schrems, founder of noyb. “EU law requires every complaint to be investigated and every GDPR violation to be remedied. The IMY seems to forget that it’s an enforcement authority.”
Challenging the IMY’s Interpretation of EU Law
The noyb appeal could draw significant attention toward IMY’s alleged failure to follow EU law, which the advocacy group feels has been consistently reaffirmed by the European Court of Justice.
“The EU Court of Justice has clearly stated that every national DPA must fully investigate complaints and take the necessary steps to stop the violation. There is no reason why people in Sweden should not have the same rights as everyone else in the EU.” – Max Schrems
In several cases, the court has emphasized the importance of data protection authorities investigating complaints with due diligence and taking corrective measures to address any violations. The IMY’s practice of sending information letters, rather than conducting a thorough investigation, is seen as a clear disregard for these guidelines.
In its appeal, noyb is asking the Administrative Court of Appeal to clarify the importance of Swedish preparatory works and supervisory tradition when interpreting EU regulations. The group argues that while Swedish preparatory works may provide context, they should not take precedence over EU law. The principle of autonomous interpretation of EU law, established in several case law judgments, emphasizes that EU regulations should be interpreted within the context of EU law, not national tradition.
The outcome of this case could have significant implications for data protection in Sweden and beyond, serving as a test of whether EU law will be enforced uniformly.