The Beginning of the End for Sweden’s GDPR Exemption via Publication Certificates - AG Opinion in C-199/24 Explained
- Sep 11
Updated: Oct 6
On 4 September 2025, Advocate General Szpunar delivered his opinion in Case C-199/24, ND v Legal Newsdesk Sweden AB (Lexbase) - a case that goes to the heart of how Sweden’s media constitutions interact with the GDPR, especially via publication certificates and the implementation of GDPR Article 85.
Before I unpack what the AG says and what it likely means for Swedish courts, the data protection authority (IMY - Integritetsskyddsmyndigheten), and certificate-based services, I’m going to set the stage: the Swedish constitutional framework, how Article 85 GDPR was implemented in the Swedish Data Protection Act, how the database rule works in practice, the 2019 carve-outs, the 2024 case law and IMY’s shift, and the Government’s SOU 2024:75 inquiry. With that context in place, I’ll then walk through the questions referred, the AG’s answers and reasoning, and what happens next.
1. Sweden’s Publication Certificates (Utgivningsbevis) And GDPR Article 85
1.1. Swedish media law in brief
Sweden protects freedom of expression through two dedicated constitutional acts:
the Freedom of the Press Act (Tryckfrihetsförordningen - TF), and
the Fundamental Law on Freedom of Expression (Yttrandefrihetsgrundlagen - YGL).
TF governs printed matter and embeds the principle of openness (public access to official documents). YGL extends constitutional protection to broadcast and certain online services.
A key feature of YGL is the database rule: operators can obtain a publication certificate (utgivningsbevis) by registering a responsible editor. The issuance is formal (no assessment of content or purpose). Once granted, the service is treated as constitutionally protected media. Consequences follow from that status: no prior restraint by public bodies based on content; liability channelled through a narrow catalogue of freedom-of-expression offences; and disputes handled under the media-law regime rather than ordinary civil / administrative law.
Sweden implemented Article 85 GDPR via the Data Protection Act (2018:218) ch. 1 §7 in two parts.
§7(1): the GDPR does not apply to the extent it would conflict with TF/YGL.
§7(2): for processing for journalistic, academic, artistic or literary purposes, most provisions of the GDPR and the Data Protection Act (Art. 5–30 and 35–50 of the GDPR, and Chapters 2–5 of the DPA) are disapplied; only limited rules on security/supervision remain.
Because publication-certificate databases fall under YGL, this structure has long meant that certificate-based services publishing personal data were largely outside ordinary GDPR supervision in Sweden: complaints were often dismissed on the view that the GDPR did not apply in the constitutionally protected field.
There are targeted constitutional exceptions. Since 2019, TF 1:13 and YGL 1:20 allow ordinary law (including EU regulations) to prohibit publication of special-category data (GDPR art. 9) in searchable/compilable collections where publication entails particular risks. That carve-out did not extend to criminal-offence data (GDPR art. 10), which created a well-known gap for person-search services.
You can find a more detailed overview of relevant Swedish law in section 2.4 (The Government Inquiry) below.
Scandinavian “openness” has deep roots in Sweden’s 1766 Freedom of the Press Act, which embedded the principle of public access to official records in the constitution - the world’s first such law. Over time that ethos spread across the Nordics, including tax transparency: the idea that citizens should be able to see what their neighbours earn and pay in order to check fair taxation. Norway still operationalises this today with its searchable tax lists (you log in to view others’ income/tax, and they can see you looked), a practice justified for more than two centuries as fostering accountability. Finland likewise treats individual tax assessments as public information, though access is limited to on-site viewing at tax offices rather than online publication.
But Sweden’s “openness” has drifted far from democratic scrutiny and into retail voyeurism. Nothing illustrates this better than Ratsit.se turning tax returns into a creepy consumer product: roadside billboards and tram ads announcing “new income data,” member emails touting fresh tax statements, and digital ads inviting you to “check anyone’s salary completely anonymously”, for less than the price of two coffees (SEK 39, which on the date of writing is less than 4 Euro).

1.2. Real-life Consequences
This legal choice has had profound consequences:
Mass publication of personal data. Sites such as Ratsit, Hitta, Eniro and Lexbase publish names, addresses, dates of birth, family links, phone numbers, property values, cars, incomes, debts and even criminal records.
Identity hijacking. Fraudsters can easily combine data from these sites with the publicly available personal identity number (personnummer), facilitating large-scale identity theft.
Harassment and abuse risks. Victims of stalking or domestic violence can be tracked through constantly updated address and phone details.
Risk of physical harm. In 2024 The Guardian reported that the Swedish rules on publication of personal data leave people scared because of the risk of deadly bombings.
International astonishment. Visitors from other EU states “drop their jaws” when told how easily Swedes can access salary and credit details of neighbours. A service like Ratsit “doesn't sound like it would be compliant with UK data protection laws”, a spokeswoman for the Information Commissioner's Office said, while a lawyer at the Swedish data protection authority said “This type of access to financial information is in no way available in other countries like it is here” (source).
Regulatory impotence. The Swedish data protection authority (IMY) has repeatedly expressed frustration: “Our authority constantly receives a lot of complaints … which we cannot intervene against” (this was said many times, here is just one source).
2. In 2024 Things Started to Change in Sweden
2.1. The Prolegia Case (March 2024)
On 13 March 2024, the Administrative Court of Appeal in Stockholm (Kammarrätten, Case 6027-23) ruled in a case concerning Prolegia Research AB, a company primarily engaged in background checks and recruitment consultancy.
Prolegia had requested access to two criminal case files. The Swedish Prosecution Authority refused, citing that after disclosure the data would likely be processed in violation of the GDPR and the Data Protection Act, and that secrecy under Chapter 21, §7 of the Public Access to Information and Secrecy Act (OSL) therefore applied. Prolegia argued that its publication certificate excluded the application of the GDPR and secrecy rules, since its database was constitutionally protected under the YGL.
Despite these arguments, the appeal was dismissed and access to the criminal case files was denied. The court’s reasoning:
The court acknowledged that under Swedish law holders of publication certificates enjoy the same constitutional protection as traditional media.
However, it found that an automatic rule giving constitutional protection unconditional priority over the GDPR was not compatible with the primacy of EU law.
Referring to Latvijas Republikas Saeima (C-439/19), the court held that the GDPR requires a case-by-case proportionality assessment between the right to data protection and freedom of expression, which is not compatible with a blanket exclusion of the GDPR.
The court highlighted that the issuing of publication certificates is a purely formal process and does not require any actual journalistic activity.
Since Prolegia had not shown evidence of genuine journalistic work and the data concerned criminal offences (covered by Article 10 GDPR), the rights of the individuals concerned weighed more heavily.
On the following day, 14 March 2024, the Court of Appeal issued a press release explicitly noting that the GDPR may be applicable despite voluntary publication certificates.
2.2. IMY’s shift in position (March 2024)
Following the Prolegia judgment, the Swedish Authority for Privacy Protection (IMY) reviewed its approach. On 15 March 2024, IMY published a statement acknowledging that its earlier practice of dismissing complaints against holders of publication certificates, on the grounds that the GDPR did not apply at all, could no longer be maintained. IMY recognised that, in light of the Prolegia judgment, complaints must now be assessed more substantively, and parts of the GDPR could apply even to constitutionally protected databases. Later, in May 2024, IMY issued a new legal position stating that it “has the authority to review search services with a publication certificate”. They note that “the complaints [received] show that the extensive publication and dissemination of personal data is perceived as very offensive and causes great concern”.
IMY frames this as a shift prompted by “recent” EU and Swedish case law, which implies there had been some new legal revelation when, in truth, the primacy of EU law and the limits of Article 85 GDPR have been clear for years, and IMY could and should have recognised that earlier and acted accordingly. The issue of Sweden having wrongly implemented GDPR had already been raised by legal scholars at least in 2022.
2.3. The Verifiera Case (June 2024)
On 20 June 2024, the Swedish Supreme Administrative Court (Högsta förvaltningsdomstolen, Case 4588-23) gave judgment in proceedings concerning Verifiera AB, which operates a database including court rulings on compulsory psychiatric care and care of addicts.
Verifiera held a publication certificate and argued that its activities were constitutionally protected under YGL. IMY had reprimanded the company and ordered measures, holding that the GDPR applied because the database processed sensitive health data. Lower courts upheld IMY’s decision.
The court found that the GDPR is a law prohibiting the publication of personal data as referred to in YGL 1:20. This provision allows the legislature to adopt prohibitions on the publication of certain sensitive data, including health data. The court therefore confirmed that the GDPR applies to such constitutionally protected databases when they process health-related personal data.
This judgment clarified that constitutional protection under YGL is not absolute and that the GDPR can apply, but via the exception clause in YGL itself.
In other words, instead of recognizing the supremacy of EU law and that this means national law cannot be given preference (especially not an absolute one), the court found a way to conclude the GDPR is the lex specialis with reference to YGL 1:20. So, while the result may achieve a good outcome, the reasoning is actually wrong, as the rest of this article shows.
2.4. The Government Inquiry (2023–2024)
In parallel, the Swedish government launched an inquiry in October 2023 which tasked a special investigator to review whether constitutional protections for search services (that publish personal data such as criminal records, addresses, phone numbers, civil status, etc.) should be narrowed.
The final report, SOU 2024:75 – Personuppgifter och mediegrundlagarna (link for html), was published in November 2024 (press release here).
The report found that under the existing framework, actors covered by the media constitutions (TF/YGL) are essentially free to publish personal data, because data-protection rules do not apply. The “database rule” allows online services to obtain publication certificates that confer constitutional protection without any assessment of the service’s purpose or content; the criteria are formal and protection can extend to databases with no mass-media character. The risk that even “rena personregister” (pure personal data registers) receive constitutional protection was flagged by the Constitutional Committee of the Swedish Parliament already in 2001/02.
The types of data made available vary, but include address and phone number, age, home size and household composition, income, company involvements, vehicle ownership, and (via person-based queries) whether an individual appears in court cases or other official documents, and in that case details on such appearance.
The inquiry also quantified the landscape. As of 1 January 2024, there were 1,560 databases with publication certificates; 1,391 were examined. Of these, 61 databases (≈4%) were assessed as providing search services that publish personal data about large numbers of people (distinct from sites that merely include search functions for editorial content).
The Report discusses how Sweden implemented Art. 85 of the GDPR through the Data Protection Act (DPA) Chapter 1, § 7:
§ 7(1) (implementing Art. 85(1)): the GDPR does not apply to the extent it would conflict with the Freedom of the Press Act (TF) or the Fundamental Law on Freedom of Expression (YGL). This provision has often been read as giving TF/YGL priority in the constitutionally protected field (p. 61).
§ 7(2) (implementing Art. 85(2)): for processing for journalistic / academic / artistic / literary purposes, most GDPR provisions and the core chapters of the DPA do not apply. What remains is essentially security/supervision and related enforcement; remedies/liability under GDPR apply only insofar as they concern security of processing (p. 91, 92).
On the “journalistic purposes” side of Article 85 GDPR, the report frames it broadly and medium-neutral: the test is whether the purpose of the processing is to disseminate information, opinions, or ideas to the public; the identity of the speaker and the medium are not decisive (pp. 86–89).
At the same time, the report states that not all online disclosure is journalism; in particular, search-service publication of personal data generally does not aim to disseminate information / opinions / ideas in the Article 85 sense, and thus will “in most cases” fall outside that exception (p. 200).
The Report notes that, as far as the implementation of Article 85(2) GDPR goes, most GDPR provisions do not apply to journalistic processing under §7(2) DPA, and remedies/penalties apply only as to the security-breach rules. It also notes that §7(1) DPA can already remove the GDPR where it “conflicts” with TF/YGL (p. 92), without explicitly saying that this is against EU law.
The inquiry explains why the present constitutional carve-outs have not contained the problem: since 2019, TF 1:13 and YGL 1:20 allow ordinary law (including EU regulations) to prohibit publication of certain “sensitive” personal data (aligned with Article 9 GDPR) where the data are in a searchable/compilable collection and publication entails particular risks - a description that “as a rule” fits search services. But that exception does not cover criminal-offence data (Article 10 GDPR), and proposals to introduce a corresponding offence-data exception were not adopted by the parliament, leaving a significant gap. In short, the general priority rule for TF/YGL plus the limited scope of existing exceptions means broad person-searchable publication persists outside ordinary GDPR controls.
The Report does not go as far as to say that Article 85(1) GDPR does not give Member States the right to exclude entire chapters of GDPR, or the GDPR as a whole, from application when another fundamental right would apply, and does not go into discussing how the “reconciliation” between different fundamental rights should actually look.
The Report also includes a helpful analysis of supremacy of EU law. It notes that EU law prevails over national law including constitutions, with classic case-law references (Costa/ENEL, Internationale Handelsgesellschaft, Melloni). The implication drawn is that the meaning of terms is entirely determined by EU law, and EU acts cannot be reviewed against national rules, “not even against Member State constitutions” (p. 74) – something which has been debated in Sweden in the past. The Report captures that absolute priority for TF/YGL under §7(1) DPA has been questioned as incompatible with EU-law primacy, citing 2024 case-law like the one mentioned in the previous chapter (pp. 61, 90, 135).
The report also notes that the European Commission has questioned Sweden’s implementation on TF/YGL in light of CJEU case-law, and the Commission expressed doubt that Sweden has struck the right balance because TF/YGL are given precedence over the GDPR (Annex 1, p. 246).
The report records concrete risks: criminals using search services to pick and map victims (often older people); heightened threats/harassment against public officials; broader privacy harms from large, easily searchable compilations. It warns that the current arrangement may undermine long-term confidence in the special constitutional regime for press/expression.
In the investigator’s words, this sits “far from the core” of what TF/YGL are meant to protect - namely free news coverage, uncensored political debate and related activities, since their foremost purpose appears to be to make already-public personal data generally available in compiled, person-searchable form (p. 183).
Despite a shared Nordic “openness” culture, the inquiry shows that Norway and Denmark did not choose Sweden’s path. In Norway (where EU law applies by virtue of the European Economic Area Treaty), the GDPR applies as national law and any exemption for unregulated media requires that processing be for journalistic / academic / artistic / literary purposes and necessary for exercising freedom of expression, with explicit factors guiding that necessity test; even media covered by the Media Responsibility Act are exempt only when processing is exclusively for those purposes. There are no publication certificates or a similar procedure. Public access rules are narrower (e.g., personal identity numbers are generally restricted; anyone can directly request access to criminal judgments not older than five years), there are only a few basic people-search services (name / phone / address – not even birth date), individuals can get their entries removed (via operators), and “there is no search service that publishes information about violations of the law” (p. 122). Moreover, remedies are not limited to a small set of offences like the one in TF and YGL.
Denmark regulates “information databases” in statute: publicly available databases face content standards (e.g., no material that would be unlawful to publish in mass media, adherence to press ethics) and time limits on storing certain private/offence data (typically three years, subject to a public-interest override). Similar to Sweden, Denmark’s GDPR implementation rules exempt databases covered by the media-information law, but in practice only a small number of people-search services operate, generally on consent with opt-out/removal. Anyone can directly request access to any court judgments, but criminal judgments cannot be older than one year – a limit that does not apply to journalists. Search services publish name / phone / address – again, not even birth date, and “there are no search services that publish information on violations of the law” (p. 126).
The report’s headline conclusion is clear: far fewer and much more limited search services exist in Norway and Denmark, people there can usually have their data removed, and none of the surveyed Nordic neighbors allow search services that publish criminal-offence information.
Therefore, the inquiry concludes that constitutional protection should be limited for search services that publish personal data. This would also clarify compliance with EU-law requirements in the personal-data field.
The inquiry proposes inserting general “delegation” exceptions into TF and YGL, i.e., constitutional clauses authorising ordinary legislation (and directly applicable EU law) to apply to certain personal-data publications by search services. The report reasons that data-protection law is purpose-built for personal-data processing and therefore “more suitable” for search services; applying it would address most of the problems identified.
It proposed introducing constitutional exceptions into both TF and YGL to limit immunity for search services. The inquiry recommended that GDPR should fully apply where:
the character of the personal data is particularly sensitive,
the extent of disclosure creates risks, and
the purpose of publication is not justified in terms of public interest.
This “delegation” fix might let the GDPR and Sweden’s Data Protection Act bite in some cases, but it starts from the wrong baseline. Under EU law, the default is that the GDPR applies to all processing, and any limits must be created inside the Member State’s Article 85 implementing act and only to the extent the GDPR itself permits. Supremacy means you can’t invert that logic by making TF/YGL the starting point and then “letting in” EU law by reference (the Verifiera-style move). The gatekeeper has to be the Article 85 framework, not the constitution: national law may open narrow, necessary derogations, but it cannot switch the GDPR off and then selectively opt back in.
3. The CJEU Reference (Case C-199/24, ND v Legal Newsdesk Sweden AB) and the AG Opinion (4 Sept 2025)
3.1. Factual Background
[This summary of the facts is based on the Opinion of the Advocate General]
Legal Newsdesk Sweden AB (formerly Garrapatica) operates Lexbase.se, a database that allows person-based searches for individuals involved in criminal proceedings (NB: not to be confused with the French portal lexbase.fr). The Swedish media regulator issued a publication certificate to Lexbase, which brings it under the constitutional media protection of TF and YGL. The claimant ND was convicted on 17 January 2011; the sentencing decision remained available on Lexbase until February 2024. ND asked for erasure; the Advocate General’s presentation of the facts does not make clear when, but it implies that this was after the sentencing decision had been removed from the public register of criminal records (par. 8 of AG Opinion). Legal Newsdesk did not delete immediately, but removed the data later (again unclear when) as part of a routine clean-up.
ND sued for SEK 300,000 in damages for GDPR infringement. Legal Newsdesk argued the GDPR does not apply because of the publication certificate, while acknowledging SEK 20,000 would be reasonable per se.
3.2. The Preliminary Questions Referred to CJEU by Attunda District Court
1. Does Article 85(1) of the GDPR make it possible for the Member States to adopt legislative measures in addition to those which they must adopt under Article 85(2) of the regulation relating to the processing of personal data for purposes other than journalistic ones or the purposes of academic, artistic or literary expression?
TL;DR - Can Member States adopt additional legislative measures (beyond Art. 85(2)) covering purposes other than journalistic/academic/artistic/literary expression?
2. If the previous question is answered in the affirmative: Does Article 85(1) of the GDPR allow a reconciliation of the right to the protection of personal data pursuant to that regulation with the freedom of expression and of information which means that the only legal remedy available to a person whose personal data are processed by making criminal convictions involving that person available to the public on the internet in return for payment is the initiation of criminal proceedings for defamation or the claiming of damages for defamation?
TL;DR - can national law make defamation (criminal or damages) the only remedy for a person whose criminal-conviction data are made available online for payment?
3. If the first or the second question is answered in the negative: Can an activity which consists of making available to the public on the internet in return for payment, without any processing or editing, public documents in the form of criminal convictions (emphasis added – will be relevant later on) constitute processing of personal data for the purposes set out in Article 85(2) of the GDPR?
TL;DR - can paywalled, unedited online availability of criminal convictions be processing for “journalistic purposes” within Art. 85(2)?
3.3. The Advocate General’s proposed answers
AG Szpunar issued his opinion in this case on 4 September 2025.
Q1 (and Q2 in part): What Member States may do under Article 85(1) GDPR
Answer: Article 85(1) GDPR does not allow Member States to declare the GDPR inapplicable to categories of processing, nor to create derogations from whole GDPR chapters outside the mechanism in Article 85(2). At most, Article 85(1) can justify specific restrictions of rights in particular circumstances; it is not a parallel gateway for chapter-wide carve-outs.
Reasoning:
Structure: Article 85(2) is the lex specialis that expressly lists which GDPR chapters can be derogated from for the specified expressive purposes.
Notification (Article 85(3)): Reading 85(1) as a second, unnotified derogations channel would undermine the Commission notification scheme.
Legislative history: Broader wording proposed during GDPR negotiations was not adopted; using Art. 85(1) to replicate Art. 85(2) would resurrect that rejected approach.
Unlike the Government Investigation Report, the AG provides a final and decisive solution to the debate:
Article 85 of the GDPR in no way provides a legal basis for Member States to declare the entire GDPR to be inapplicable to certain situations. That is true of both paragraph 1 and paragraph 2 of that provision. (par. 26)
Member States cannot provide for exemptions and derogations from entire chapters of the GDPR. (par. 28)
Q2 (remaining): Can Member States curtail Chapter VIII (complaints, judicial remedies, damages)?
Answer: No. Neither Article 85(1) nor any other GDPR rule permits Member States to restrict Chapter VIII. A national model that leaves only defamation (criminal or civil) as the remedy precludes the GDPR remedies in Articles 77, 79 and 82 and is not allowed.
Reasoning:
Text of the article: Chapter VIII is not among the chapters that Article 85(2) allows Member States to derogate from; and 85(1) cannot be used to do so either.
Effect of the provision: Limiting individuals to defamation avenues blocks access to GDPR-specific complaints, injunctions and damages (no complaint to the DPA under Art. 77, no judicial injunction under Art. 79(1), no GDPR damages under Art. 82).
Unlike the Government Investigation Report, the AG is clear that Chapter VIII GDPR cannot be touched at all.
Q3: Is paywalled, unedited reposting of public documents in the form of criminal convictions done for “journalistic purposes”?
Answer: No. Making such public documents available online for payment, without processing or editing, does not amount to processing for “journalistic purposes” under Article 85(2) GDPR.
Reasoning:
The concept of journalism is broad and medium-neutral and profit motive doesn’t exclude journalism; however, not all online publication counts. The touchstone is whether the sole purpose is disclosure to the public of information / opinions / ideas. National courts have leeway in application.
In the case at hand, the website merely provides access to criminal judgments behind a paywall with no editorial processing; there is no indication the activity aims to inform the public in the journalistic sense.
There is no divergence from the Report here.
4. What this means
Sweden’s model of issuing publication certificates on purely formal criteria - no inquiry into purpose or content - then wrapping the resulting databases in constitutional immunity from ordinary supervision, was a wild choice. It was even engineered to prevent content-based gatekeeping by authorities: the legislature “eliminated” the risk that an agency might deny protection based on expected content by hard-coding the eligibility conditions into YGL itself (today’s Ch. 1 §5), so anyone who asks for the certificate gets constitutional cover and is almost entirely un-supervisable.
That’s because there is no general, content-based mechanism to claw back that protection once granted: public bodies may not prohibit or obstruct publication on account of content (YGL Ch. 1 §§11, 14), and liability is channeled only to a narrow freedom-of-expression offences track like defamation. That architecture is precisely what has kept Sweden’s data-protection authorities and courts from supervising these services, and has led Swedish residents to flood the data protection authority with complaints every year (IMY has admitted a large proportion of the complaints received yearly are about certificate holders).
More specifically, the domestic “priority” clause in DPA 1:7(1) - under which GDPR simply does not apply where TF/YGL would be contradicted - cannot stand, and not just for health data or criminal convictions, but in general. Article 85 GDPR does not authorize Member States to switch the GDPR off wholesale, and it certainly does not let them erase Chapter VIII rights (complaints, judicial remedies, damages). What they must do is actually provide rules that can be applied on a case by case basis to decide which of the fundamental rights prevails.
The Advocate General is unambiguous on this: Article 85(1) is a mandate to reconcile rights, not a blank cheque to disapply the Regulation; exemptions belong in 85(2) and, by design, do not reach Chapter VIII (remedies). EU-law primacy means national law - even constitutional law - must yield where it conflicts.
Swedish courts have already started to say the quiet part out loud. In Prolegia, the court held that treating TF/YGL as always trumping GDPR for holders of a publication certificate is incompatible with EU-law primacy and requires a case-by-case balancing, explicitly noting how purely formal the certificate examination is.
So yes: handing out unconditional shields that put vast, person-searchable databases beyond ordinary GDPR scrutiny was always going to collide with EU law. The AG has now made that collision point crystal clear; national constitutional rules do not outrank the GDPR, and Member States cannot legislate away core GDPR remedies.
5. What will happen next
The Advocate General’s opinion is advisory. The Court of Justice (CJEU) will now deliberate and issue its preliminary ruling. The CJEU can come to a different conclusion than the AG, but I highly doubt that will be the case here given how clear the issue is under EU law. The judgment will likely be issued in the next 4-6 months.
It is worth clarifying that this case is a reference under Article 267 TFEU, whereby a national court asks the CJEU to interpret EU law. The CJEU does not decide who wins the national dispute; it provides the authoritative interpretation of the GDPR. That interpretation:
has the same legal force as the GDPR itself (it is the Court’s binding reading of the Regulation);
is binding on the referring court when it resumes the case (after the CJEU decision);
must be applied by all courts and authorities in every Member State in future, not just Sweden (uniform application of EU law);
applies retroactively (from when the GDPR has applied), unless the Court expressly limits effects (which I see no reason for).
After the CJEU issues its decision:
the Attunda District Court must apply the CJEU’s interpretation to ND v Legal Newsdesk and decide the actual dispute accordingly (damages sought).
Swedish courts and IMY must align immediately: GDPR cannot be disapplied by TF/YGL where the Court says it cannot; Chapter VIII remedies (complaints, judicial relief, damages) must be available.
Services relying on publication certificates (e.g., person-search/conviction portals) will need to conform to GDPR where the ruling says it applies; non-compliance exposes them to enforcement and liability.
The Government’s constitutional reform track (following the SOU 2024:75 investigation report) becomes urgent: if Swedish primary law conflicts with the CJEU’s reading, EU law prevails and legislation will need to be brought into line. However, courts do not need to wait for this legislative change – they can and must set aside any national law that conflicts with EU law as interpreted by the CJEU, immediately and on their own motion. This has already happened in the Prolegia case in 2024.
Persistent divergence could trigger infringement proceedings by the Commission or state-liability damages claims by individuals harmed by non-compliance.
Once delivered, the CJEU’s interpretation binds Sweden and the rest of the EU for all intents and purposes. The national court will finalise the case using that interpretation, and Swedish regulators, courts, and certificate-based services will have to change practice to match it. This will be a significant, long-awaited turning point for personal data in Sweden, which will actually start to be protected.
But what will need to change concretely in Swedish law if the CJEU follows the AG Opinion?
Concrete rules on how to reconcile the right to protection of personal data with the freedom of expression will need to be introduced in the law, allowing for case-by-case decisions. The necessity and proportionality of processing should play a major role here, with highly intrusive publication not being allowed.
GDPR must apply, at least in part, to search services – for example, while the right to provide information to the individual may be excluded, there is no reason to exclude the right to deletion.
Search services cannot keep publishing criminal-conviction data just because judgments are obtainable from authorities. They need a clear legal authorization with safeguards under GDPR Art. 10, or they must cease that processing. This is not “journalism”.
If a service claims journalism, it must show an editorial purpose to inform the public, not just provide person-search access.
Publication certificates, if kept, must stop meaning immunity. Regulators must open and decide complaints against certificate-based services on the merits.
People must be able to file complaints with the authority, seek court orders (e.g., to stop unlawful processing), and claim damages for GDPR infringements.
Simply put, the operating model must change from “constitutional shield first, GDPR maybe later” to “GDPR applies by default; narrowly tailored derogations only where truly justified based on a reasoned decision”.
6. A Final Note About Lexbase’s Statement
On 9 September 2025 Lexbase posted a statement claiming the AG’s proposal in C-199/24 does not concern “News Service Lexbase”. They say they are a constitutionally protected news agency that does not publish public documents but “editorially processed” material, and therefore GDPR erasure does not apply under YGL. The post warns of weakened constitutional protections, “censorship” via takedown demands, threats to journalism and public debate, obstacles to corruption scrutiny, risks to historical archives, legal uncertainty for media, and a precedent for further EU encroachment.
And to that I say – nice try, but no.
“It doesn’t apply to Lexbase.”
It is literally about Lexbase. The national case is ND v Legal Newsdesk Sweden AB (Lexbase). The AG’s opinion addresses the scenario referred by the Swedish court in this case. When the CJEU rules, that interpretation will bind the referring court in ND v Lexbase - and it binds courts and authorities across the EU.
“We don’t publish documents; we publish editorially processed material”
The referring court framed the factual scenario for the CJEU as making available - for payment, without processing or editing - public documents in the form of criminal convictions, i.e. the actual court decisions, and that’s why the third question referred is worded exactly like that. In preliminary ruling proceedings, the CJEU takes the facts from the national court, and only uses them to frame the legal interpretation.
If Lexbase wants to claim the facts are different, it has to do that before the Swedish court - but that won’t change the EU-law interpretation the CJEU gives for this scenario, and that interpretation will affect Lexbase nonetheless. Assuming, for the sake of argument, that the Swedish court would somehow find that the facts are different, it can decide based on that (and even request another preliminary ruling!), but the CJEU decision in this case will still apply and it will still need to be complied with.
It might be worth noting that in a past data breach that affected Lexbase, the full court decisions became publicly available to anyone, so this indeed seems to be part of their business.
“YGL means GDPR doesn’t apply and there’s no right to erasure”
This is the precise aspect the AG says is wrong: Article 85(1) doesn’t let a Member State switch the GDPR off, and Chapter VIII rights (complaints, judicial remedies, damages) cannot be stripped. EU-law primacy means Swedish courts and the data protection authority must set aside any conflicting national rule - including constitutional provisions - and apply the GDPR as interpreted by the CJEU.
“This weakens press freedom / is censorship”
No. Article 85 is about reconciling the fundamental right to protection of personal data with other fundamental rights, like freedom of expression. Neither of them is absolute! Lawful journalism remains protected. But journalism means that “the sole purpose of a publication is the disclosure to the public of information, opinions or ideas” (AG’s words), not paywalled, unedited reposting of criminal convictions. That’s what the AG proposes, and if the Court agrees, publication-certificate databases can’t launder non-journalistic bulk disclosure behind a “press freedom” label. (And for the record, the government inquiry also says this kind of search-service publication is in most cases not journalism.)
Bottom line: you don’t get to memo your way out of EU law. A publication certificate isn’t an immunity badge, and “we’re a news agency” isn’t a magic phrase. If the Court follows the AG, Sweden’s “switch off the GDPR when YGL applies” model is done - and Lexbase’s business model has to live under the same GDPR everyone else does.



