The Swedish Data Protection Authority (IMY) is facing legal action from the privacy advocacy group noyb for its alleged failure to properly investigate and address complaints from data subjects, in violation of EU law. According to the complaint filed by noyb, the IMY is accused of routinely refusing to fully process complaints, instead simply forwarding them to the companies accused of illegally processing personal data and then immediately closing the cases without further investigation.
The General Data Protection Regulation (GDPR) is clear in stating that data protection authorities have a duty to actively enforce the fundamental right to data protection, investigate every complaint, and take measures to remedy the situation. However, noyb alleges that the IMY seems to be operating under a different set of rules, prioritizing its own convenience over the rights of citizens. The advocacy group cited an instance where the Supreme Administrative Court of Sweden had ruled that individuals have the right to appeal IMY’s decisions.
The case at the center of the dispute involves a data subject who filed a complaint regarding a recorded phone call, only to have the IMY forward the issue to the respondent without conducting a thorough investigation. Max Schrems, a prominent figure in the data protection community, criticized the IMY for acting more like a postal service than an enforcement authority, simply forwarding documents without taking meaningful action.
Schrems emphasized the importance of every complaint being investigated and every GDPR violation being remedied, as required by EU law. The noyb appeal challenges the IMY’s interpretation of EU law and aims to draw attention to the authority’s alleged failure to follow EU regulations consistently reaffirmed by the European Court of Justice.
The court has previously emphasized the importance of data protection authorities investigating complaints diligently and taking corrective measures to address violations. The IMY’s practice of sending information letters instead of conducting thorough investigations is seen as a disregard for these guidelines. In its appeal, noyb is asking the Administrative Court of Appeal to clarify the importance of Swedish preparatory works and supervisory tradition when interpreting EU regulations, arguing that EU law should take precedence over national traditions.
The outcome of this case could have significant implications for data protection in Sweden and beyond, serving as a test of whether EU law will be uniformly enforced. It highlights the importance of data protection authorities fulfilling their obligations under the GDPR to protect the rights of individuals and hold companies accountable for illegal data processing practices.
