Swedish public-record privacy

Swedish public-record privacy

Sweden does not literally make everything public, and a personnummer is not literally immutable. The underlying privacy concern is nevertheless well founded. Sweden combines unusually accessible official records, a state-supported population-data distribution system, a persistent cross-sector identifier, and a constitutional publication regime that people-search services have used to resist ordinary data rights.

The result is not one privacy rule but a composition failure. Each component has a defensible institutional purpose. Together they make it cheap to turn scattered facts into an address-linked, relationship-linked, financial, property, and legal profile of a named person. The person usually cannot obtain a general opt-out.

The system is cumulative

flowchart LR
  A[Authority records] --> B[Public access requests]
  A --> C[Population and SPAR distribution]
  B --> D[Private acquisition]
  C --> D
  E[Other lawful copies] --> D
  D --> F[Join on personnummer]
  F --> G[Searchable personal dossier]
  H[Publication certificate] --> G
  I[GDPR and secrecy limits] --> B
  I --> G
%% note-link A Offentlighetsprincipen and personal privacy
%% note-link F Swedish personal identity number
%% note-link H Utgivningsbevis and people-search services
%% note-link I EU and Swedish data removal rights

The layers are legally distinct:

Layer Legitimate purpose Privacy failure mode
Offentlighetsprincipen and personal privacy Scrutiny of authorities and equal access to official documents Personal attributes in separate records can be obtained without a general purpose test.
Population registration and SPAR Accurate administration, address updating, research, and defined commercial selection A broad, current identity-and-address backbone is available for reuse and enrichment.
Swedish personal identity number Reliable matching of people across records A stable, visible join key collapses contextual separation between sectors and databases.
Utgivningsbevis and people-search services Freedom of expression, editorial responsibility, and protection of journalism A non-traditional database can claim media protection while offering person-centred search with little editorial transformation.
Digital aggregation Fast research and convenient verification Search, alerts, maps, and bulk correlation remove the friction that once limited practical exposure.

No single row proves that Sweden has “no privacy.” The combined architecture explains why a resident can experience it that way.

Public access supplies records, but not an unlimited data feed

The principle of public access applies to official documents held by authorities after they have been received or drawn up. Secrecy law protects interests including national security, law enforcement, and individuals’ personal and economic circumstances. Authorities must apply those rules to a request.1

The requester is normally entitled to anonymity. An authority may investigate identity and purpose only when needed for the secrecy assessment. That is a safeguard against retaliation and an important condition for investigative journalism. It also means a broad rule of “release only to benign requesters” would conflict with a central feature of the transparency system.

The better distinction is between access to a document and industrial reuse of personal data. A journalist reading judgments to report on court practice, a litigant obtaining their file, and a service indexing every named person for public lookup all touch public documents, but their scale, purpose, and effect differ.

The population register is a distribution backbone

Skatteverket’s population database contains more than a number and address. Depending on the record and legal conditions, it includes names, birth details, citizenship, civil status, spouse, children, parents, guardianship, adoption, immigration or deregistration, address, property, apartment, and other registration facts.2

Authorities, municipalities, regions, and the Church of Sweden receive regular population updates. The state personal address register, SPAR, exists for defined purposes including updating customer registers, selection for direct marketing, and some research. Its services can combine population data with income totals and property-assessment information under applicable access rules and fees.3

SPAR is not an unrestricted anonymous raw download. Applications, purpose rules, and service conditions matter. But it demonstrates that dissemination is not limited to one-off constitutional document requests. Sweden maintains infrastructure for propagating authoritative identity and address data into other organizations’ systems.

The personnummer turns exposure into linkage

The personnummer usually remains with a person for life, with narrow exceptions for corrected birth date, change of legal sex, or a fictitious identity in severe danger. Its date-based structure is predictable, and directories or public documents may reveal the complete value.

The main risk is not that an attacker can solve a checksum. It is that one long-lived key is reused across government, finance, healthcare, telecommunications, housing, commerce, and credit. Once obtained, it makes record linkage deterministic where name, address, or birth date alone might be ambiguous.

Knowledge of a personnummer should not authenticate anyone. Vem där - fastställande av identitet vid statliga myndigheter shows why identity retrieval and identity proof are separate tasks. Strong workflows require an identity document, electronic identification, or another robust check. Weak workflows turn public biographical data into answers to security questions and create an avoidable identity-fraud channel.

The privacy defect remains even when authentication is strong. A universal public identifier lets observers correlate contexts that were collected for different reasons. Administrative accuracy and personal unlinkability are being purchased with the same design choice.

Publication certificates changed the scale of republication

An utgivningsbevis gives an eligible database constitutional publication protection under YGL and assigns responsibility to an editor. It does not make a document public or create a special right to acquire it from an authority.

The 2024 inquiry Personuppgifter och mediegrundlagarna SOU 2024 75 found 61 large personal-data search services among 1,391 inspected certificate-bearing databases. At roughly 4 percent, they were a small minority of certificate holders but a large-scale privacy surface.

The services could expose name, age, personnummer, phone, present and former addresses, apartment and door location, cohabitants, neighbours, vehicles, companies, property values, dogs, income indicators, judgments, and search popularity. Some added paid monitoring alerts when another person’s circumstances changed.

This is where a protection designed around publishing became difficult to reconcile with data protection. If the certificate alone removed GDPR rights, the subject could have less control over a searchable dossier than over the same data in an ordinary commercial database.

The documented harms are more specific than identity theft

Public data does not cause every fraud, burglary, threat, or case of stalking. The strongest evidence supports a narrower causal claim: searchable aggregation reduces the cost of selecting a target, finding their home and relationships, and making a deception or threat credible.

The 2024 inquiry identified about 50 judgments in which one major search service was described as a tool for mapping victims or reinforcing threats. It reported burglary cases where offenders used vehicle information to identify homes whose occupants were away, and fraud cases where older people and their relatives were mapped before impersonation. National police material found search-service extracts listing actual or potential victims during house searches. Brå described how telephone fraudsters collect personal information to establish trust, often targeting people aged 70 to 80.4

The evidence does not support attributing every reported offence to public records. It supports treating joined personal-data services as risk multipliers for:

  • targeted fraud and social engineering;
  • burglary and asset selection;
  • stalking, coercive control, and unwanted monitoring;
  • threats against public employees and witnesses;
  • reputational harm from stale or contextless court material;
  • employment, housing, and relationship decisions based on incomplete or inaccurate profiles;
  • chilling effects when officials, sources, or ordinary residents expect instant personal exposure.

Accuracy does not remove these harms. A correct home address can be dangerous; a correct old judgment can be misleading outside its procedural context; and a correct family relationship can strengthen an impersonation attempt. The issue is appropriateness, purpose, and audience as well as truth.

Threat-based protection is not a general privacy right

Protected personal data in Sweden provides three escalating protections: confidentiality marking, protected population registration, and fictitious personal data. They respond to demonstrated threats or serious harm. Skatteverket states that a preference not to appear online or identity theft alone is not sufficient.5

The 2023 study Att leva med skyddade personuppgifter shows the cost of relying on an exceptional remedy. Among 875 respondents, 37 percent said protected information had been disclosed at least once; the figure was 42 percent for those protected because of relationship violence. The sample does not establish a population-wide leak rate, but it documents recurrent disclosures and disruption to healthcare, work, post, and ordinary commercial life.

The system therefore asks threatened people to carry much of the burden of maintaining secrecy across services designed for routine data propagation. It intervenes after risk becomes serious enough to prove, not when a person merely wants to prevent a dossier from forming.

The counter-case for openness is substantial

The strongest opposing explanation is not that privacy does not matter. It is that restricting access and research tools can protect corruption, discriminatory administration, police misconduct, unsafe courts, and conflicts of interest from scrutiny.

Professional research databases are not interchangeable with retail people-search products. The 2024 inquiry found them important for locating sources and investigating organized crime, money laundering, tax fraud, and corruption. Smaller newsrooms may be unable to reproduce those systems. Anonymous access to official documents also protects sources and prevents authorities from deciding who deserves scrutiny.

There are further benefits:

  • the personnummer reduces mistaken identity in administration;
  • authoritative address updates reduce undelivered notices and fraud;
  • researchers can study institutions and population outcomes;
  • public judgments make legal reasoning inspectable;
  • responsible reporting can reveal patterns invisible in one case.

The reform problem is therefore not “privacy versus transparency” as two indivisible blocks. It is how to preserve institutional accountability while limiting purpose-free population surveillance.

The older practical assumption was that YGL protection largely displaced ordinary GDPR rights for a certificate-bearing database. That position has fractured.

HFD held in 2024 that IMY could supervise a search service’s sensitive-data processing. HD held in 2025 that an authority could refuse bulk criminal judgments under secrecy law when the intended processing would violate GDPR. In June 2026, HD restricted a large Qura request for criminal-offence material and allowed a journalistic component to receive documents under a reservation against further searchable distribution.

Those HD rulings concern disclosure by authorities. They do not abolish an utgivningsbevis, make every copy of a judgment secret, or prevent a publisher from obtaining a lawful copy elsewhere.

The 9 July 2026 CJEU judgment Legal Newsdesk Sweden C-199 24 concerns the publisher’s separate processing. It held that Sweden cannot displace GDPR for purposes outside journalism and the other Article 85 expressions, and cannot leave a person only defamation remedies. Making criminal judgments available to any paying user is not journalistic unless its purpose and practice satisfy the broad but substantive journalistic test.

The national court must now apply the CJEU test. IMY is analyzing it in ongoing investigations into two criminal-record services and two general people-search services.6 The ruling is decisive against a blanket exemption, but it does not automatically settle every directory, data category, or mixed journalistic service.

Dumpen illustrates a harder comparator. It selects subjects and creates original edited reports, video, and commentary, so a journalistic purpose is more plausible than for Lexbase. Naming convicted people in Swedish media shows why editorial court reporting, full-document distribution, and the decision to identify a convicted person must still be assessed separately. That status is not supplied by the certificate alone, and a district court has convicted its responsible publisher of gross defamation over one identifying publication, subject to appeal.

The 2024 inquiry proposed a constitutional exception for searchable compilations posing a special privacy risk. The government declined in November 2025 to proceed with that proposal and indicated that ordinary-law alternatives needed further inquiry.7 As of July 2026, the judicial line is moving faster than the legislative one.

A defensible reform package

The useful objective is to preserve access needed to inspect institutions while making indiscriminate person indexing exceptional. That points to controls at several layers rather than one ban.

Separate document access from data-product reuse

Public access should continue to support case-specific scrutiny, research, litigation, and journalism. Bulk structured release, automated scraping, and person-indexed republication should receive a separate necessity and safeguard analysis. The mode, scale, purpose, and audience of processing matter.

Give GDPR remedies practical effect

A certificate should not by itself defeat access, correction, objection, erasure, restriction, supervision, and judicial review. Derogations should attach to actual journalistic processing, not merely to organizational form. Mixed services may need separate access tiers for newsroom research and unrestricted public search.

Reduce public correlation

Authorities and firms should mask full personnummer values unless the purpose requires them, avoid displaying birth date and address together, and stop using biographical facts for authentication. Longer-term identity infrastructure should use sector-specific or pairwise identifiers and selective attribute proofs.

Make safety preventive rather than exceptional

Residents should have a practical suppression route for retail people-search indexing without first proving a qualifying threat. High-risk data such as precise door location, family links, monitoring alerts, and criminal-history search should receive stronger defaults. Protected people need interoperable controls that do not make ordinary healthcare, banking, education, or delivery unreliable.

Preserve accountable research

Journalists and qualifying researchers need workable access, security duties, audit trails, and protection against source identification. Publication of findings should be distinguished from universal access to the underlying named database. Ethical rules, correction channels, retention limits, and editorial responsibility should be operational requirements rather than labels.

What an individual can do now

EU and Swedish data removal rights describes controller requests, search-engine delisting, and escalation to IMY. These remedies remain service-specific and cannot promise complete disappearance.

Practical defensive measures include:

  • request erasure or suppression from each search service and preserve its response;
  • request name-search delisting from general search engines where the legal criteria are met;
  • enable strong electronic identification and never accept personnummer knowledge as identity proof;
  • use credit-agency blocks and address-change controls after suspected identity misuse;
  • minimize voluntary publication of address, family, vehicle, and travel patterns;
  • seek protected-personal-data guidance when there is a concrete threat rather than ordinary privacy concern.

These steps reduce exposure and fraud risk. They do not repair the structural linkage system.

Research and policy watch

  • Track the Swedish application of C-199/24 and distinguish remedies for criminal judgments from general directory data.
  • Track IMY’s Lexbase, krimfup, Upplysning.se, and Mrkoll decisions.
  • Identify whether the government launches the promised ordinary-law inquiry.
  • Quantify which public attributes are obtainable from authorities, SPAR, and private sources without conflating their different legal routes.
  • Compare pairwise identity architectures that could coexist with Swedish population administration.

The unsettled court proceedings and reform path keep this synthesis at working status.

Sources

  1. regeringen.se
  2. skatteverket.se
  3. skatteverket.se
  4. mediemyndigheten.se
  5. regeringen.se
  6. eur-lex.europa.eu
  7. skatteverket.se