
The Austria-based privacy group noyb has filed a lawsuit against Sweden's Tax Agency, accusing it of illegally selling citizens' personal information to data brokers, a practice it says violates both national and EU data protection laws.
Earlier this year, a Swedish resident asked the Swedish Tax Agency (Skatteverket) to stop sharing his data with private companies. His request was backed by a recent decision from Sweden's Supreme Court, which ruled that data must be treated as confidential if there is a significant risk that it will be processed in violation of the General Data Protection Regulation (GDPR). However, the agency dismissed the request, citing Sweden's constitutional principle of public access to official records. In response, the privacy rights organization noyb — European Center for Digital Rights has taken the matter to Stockholm's Administrative Court.
According to noyb's appeal document, Skatteverket operates the Statens personadressregister (SPAR), a central population registry containing sensitive data on all Swedish residents. This includes names, personal identity numbers, addresses, income levels, and even information about real estate ownership. Under current national laws, this data can be accessed by companies for purposes ranging from marketing to verification. However, the appeal argues that the agency has not properly assessed whether recipients will comply with the GDPR, which it is required to do under a recent ruling by the Swedish Supreme Court.
The Supreme Court's February 2025 decision clarified that authorities must balance Sweden's freedom of information principles with individuals' privacy rights as enshrined in EU law. It established that government agencies must deny access to public data if it's likely to be misused. Specifically, it found that constitutional protections such as freedom of expression do not exempt data-sharing from GDPR obligations when misuse is foreseeable.
Sending taxpayer data to marketers and advertisers
noyb's legal brief identifies three major recipients of SPAR data as examples of misuse: Dun & Bradstreet, Kalenderförlaget, and The Intelligence Company. Dun & Bradstreet, a global data analytics firm, uses the information to power its “MIA” database, which is offered to marketers and credit check services. Kalenderförlaget publishes annual taxation calendars that openly list incomes of Swedish citizens. The Intelligence Company markets itself as holding data on every Swede over the age of 15. These uses, noyb argues, clearly contradict the purpose limitation principle of the GDPR, which mandates that personal data be used only for the specific purposes it was originally collected for.
The complainant, represented by noyb under Article 80(1) of the GDPR, is not challenging Sweden's general transparency laws, but rather the Tax Agency's specific handling of personal data. The appeal highlights that Swedish law must be interpreted in light of EU obligations, particularly the Charter of Fundamental Rights and the European Convention on Human Rights. It emphasizes that Skatteverket's practices enable data exploitation for profit, with no mechanisms for user consent or GDPR safeguards.
In their court filing, noyb requests that Skatteverket immediately mark personal data as confidential when recipients cannot guarantee GDPR-compliant handling. They also demand that data sharing with Dun & Bradstreet and Kalenderförlaget be stopped outright, arguing that their commercial motivations inherently conflict with data protection laws.
As the case proceeds, the outcome could significantly influence how Sweden, and potentially other EU states, manages the balance between transparency and privacy. Meanwhile, potentially impacted citizens in Sweden are advised to submit a GDPR access or objection request to Skatteverket regarding the processing of their personal data, and to use a digital identity (e-ID) to check which companies have accessed their data in SPAR.