Contrary to EU law, the Swedish Data Protection Authority (IMY) regularly refuses to properly handle complaints from data subjects. Even after a ruling by the Supreme Administrative Court of Sweden, the IMY frequently just forwards a complaint to the company that illegally processes personal data - and then immediately closes the case without investigating. However, the GDPR clearly stipulates that authorities must not only process each and every complaint, but also remedy the situation. noyb is now taking the IMY to court to ensure that it finally complies with its obligations.
IMY is not an “ombudsman”. Sweden is the country that gave the world the word “ombudsman”. The Swedish ombudsmen, however, come with a caveat: it is entirely up to them how they deal with a complaint. If they want to throw your complaint in the bin, they can and they will. But according to EU law, a data protection authority (DPA) has a duty to actively enforce the fundamental right to data protection. A DPA must not only process every single complaint, but also remedy the situation. Nevertheless, the Swedish DPA (called “IMY”) continues to act like it is a Swedish ombudsman.
Max Schrems: “6 years after the introduction of the GDPR, we continue to see authorities acting as if they can pick and choose whether citizens have their rights enforced. EU law requires every complaint to be investigated and every GDPR violation to be remedied. The IMY seems to forgets that it’s an enforcement authority.”
The IMY continues to ignore its obligations. In the past, the IMY didn’t even recognise that a complainant has a right to appeal against its decisions. This changed in November 2023, when the Supreme Administrative Court of Sweden (HFD) ruled that people who complain have a right to get a decision and that complaints are not just information for IMY to do with as it pleases, but that everyone has the right to have their complaint dealt with.
IMY’s practice of simply “forwarding” complaints. The IMY’s way of dealing with complaints since the Supreme Administrative Court ruling is to attach an “appeal form” to their (non-)decisions. But it still doesn’t investigate the complaints. Instead, the authority simply forwards the complaint to the entity that illegally processes personal data and then immediately closes the case. This also happened in the case preceding noyb’s current legal action against the IMY. After a data subject filed a complaint regarding a recorded phone call, the authority forwarded it to the respondent without investigating.
Max Schrems: “The IMY seems to confuse it’s role with that of the postal service. The mere forwarding of documents would not require another expensive and independent authority. ”
Clear rulings from the EU’s highest court. In several cases (see C‑311/18, C-26/22 and C-64/22), the European Court of Justice has clearly stated that every data protection authority must handle the complaint with due diligence. In a pending case (see C-768/21), the Advocate General has further clarified these obligations.
Max Schrems: “The EU Court of Justice has clearly stated that every national DPA must fully investigate complaints and take the necessary steps to stop the violation. There is no reason why people in Sweden should not have the same rights as everyone else in the EU.”
noyb appeals. Surprisingly, the Swedish first instance court (Förvaltningsrätten i Stockholm) has agreed with the IMY’s approach. Therefore, noyb has now filed an appeal with the second instance court (Kammarrätten i Stockholm) to ensure that the right to have every complaint properly handled is also enforced in Sweden.
Max Schrems: “If necessary, we will take this issue back to the Court of Justice again, but we expect the Swedish courts to follow EU law and to ensure that the IMY does its job.”