Swedish data brokers claim journalists’ legal protection to evade EU law

Would you like a license to break the law? Sweden may be your dream destination: Thanks to a loophole in national law, large data brokers like MrKoll can simply obtain a “media licence”, exempting their entire business from all obligations under the EU’s strict privacy laws. This deprives millions of Swedes of their fundamental right to privacy. noyb has now filed a complaint against MrKoll in Sweden that challenges this practice.

Person standing on a press badge with the Swedish flag. In One hand he holds a briefcase with personal data, in the other hand a symbolic representation for personal data. To the right, there are hands offering money for said data.

A highly problematic loophole in Swedish law. In Sweden, anyone can get a media license and get exempt from the GDPR. While Article 85 of the GDPR allows member states to limit the application of some elements of the GDPR in the area of journalism (to e.g. protect sources or undercover investigations), Sweden took a brute force approach to this exception. Swedish national legislation makes it extremely easy to obtain a “media licence”, even if a company's activities are not even remotely related to those of a news outlet and clearly just focused on sharing and selling personal data. Even data brokers, meaning privately operated companies that buy and sell the personal data of millions of people without their knowledge, can use this loophole to exempt themselves from any obligations under the GDPR. This deprives the people of their fundamental right to privacy and exposes their most intimate data to the internet.

Your most personal data, available to everyone. One of Sweden’s largest data brokers, MrKoll (“koll” is Swedish for “checking” on other people), illustrates this issue very well. The company has data on almost the entire Swedish population and makes a profit by selling it to anyone who’s interested without a single safeguard or restriction. The data sold includes not only people’s names, surnames, dates of birth, telephone numbers, home and work addresses. The company also has data on real estate values, the car they drive, pending civil proceedings, penalties, criminal records and detailed case records. Almost all of the information is provided directly by the Swedish authorities. There is even a list of the most searched for people on the data broker’s website.

Stefano Rossetti, data protection lawyer at noyb: “The business model of data brokers such as MrKoll has nothing to do with journalism. On the contrary, the company puts people at risk by offering their personal data for sale online to anyone who is interested. The Swedish authorities must finally put an end to this abuse of a law originally intended to protect journalists.”

Personal data used by gangs and criminals. One example of what the public sale of data by companies like MrKoll can lead to is illustrated by a “Guardian” report about rival gangs using data brokers to learn the geographical location of their opponents to carry out attacks. According to the article, these bombings and attacks did not spare innocent lives. Just last year, the 24-year old Soha Saad, an aspiring teacher, was mistakenly killed by an explosive. This is just one of many examples. Information about people’s addresses, their income, the value of their homes or possible room mates enables stalking and makes life much easier for robbers. This is made worse by the fact that, contrary to Article 17 GDPR, which usually gives everyone a right to object to the use of their personal data, there is currently no way to have your data deleted from MrKoll’s website. The complainant’s request to have his data deleted was rejected on the grounds that "the database is not affected by the General Data Protection Regulation (GDPR)" because of MrKoll’s media license

Sophia Hassel, trainee lawyer at noyb: The MrKoll case highlights why there are strict limitations when Member States want to deviate from the GDPR. Giving data brokers carte blanche to ignore EU law should be clearly seen as a step too far.”

Complaint filed with Swedish authority. noyb has now filed a complaint with the Swedish data protection authority (IMY). MrKoll has refused the complainant’s request to delete his data, thereby violating his rights under Article 17 GDPR. noyb requests that MrKoll delete the complainant’s data and notify all recipients of the deletion. noyb also requests that the DPA orders an absolute prohibition of any further processing of the complainant’s data. If the Swedish authority should reject this complaint on the basis of the above-mentioned national law, noyb is fully prepared to take the next step and appeal to the Stockholm Court in order to stop the misuse of media licenses by data brokers in general.