Stuck between a rock and a hard place? The Swedish Data Protection Authority rejects American company’s request to process workers’ criminal records

18 March 2008

Jim Runsten, Josefine Jonsson

Standard & Poors AB is the Swedish subsidiary of the American company McGraw-Hill Companies Inc. The company provides financial market information, such as credit ratings, investment research and risk evaluations.

Standard & Poors AB Rating Services is required to register with the US Security and Exchange Commission (“SEC”) in order to become a “Nationally Recognized Statistical Rating Organisation” under American law. The registration requires production of information about the company’s employees. This includes providing details of employee’s criminal convictions where they have been subject to sentences of imprisonment for a year or more. The SEC does not require information that would identify any of the individuals convicted.

Standard & Poors AB applied for approval to collect information from its workers in Sweden and to retain this information on the parent company’s system for a maximum of three years.

Under Section 21 of the Swedish Personal Data Act (“PDA”), non public bodies are prohibited from processing data relating to certain offences[1]. In July 2007 Standard & Poors AB applied for an exemption from this. Processing in breach of this section result in a fine or imprisonment.

The prohibition in Section 21 cannot be revoked by consent and an exception can only be based on:

  1. the Data Inspection Board’s Regulation 1998:3, which contains five exemptions including “…a right to process personal data concerning legal offences if the processing relates only to a single item of information that is necessary to make it possible to determine, enforce or defend claims in individual cases”; or

  2. an individual decision by the Data Inspection Board.

In its decision of 18 December 2007, the Data Inspection Board concluded that an individual exemption requires that:

  1. the information processed must constitute personal data as well as information concerning legal offences;

  2. the information must form (or be intended to form) part of a set of personal data that has been structured in order to significantly facilitate searches for or compilations of personal data, otherwise Section 21 of the PDA does not apply;

  3. none of the exemptions under the regulation 1998:3 are applicable; and

  4. in the individual case, the circumstances are such as to justify an exception.

The preamble to the PDA states that even though information concerning legal offences is not included in the definition of sensitive personal data, it is of a very sensitive nature. Parties other than public authorities will only be allowed to process this data in exceptional cases and exemptions will be granted restrictively.

The Data Inspection Board found that the criteria in (i) and (ii) set out above were fulfilled. This is because the information would be collected by e-mail or intranet and kept on a document management system. The information would be sufficiently structured to facilitate searches for the data. The exemptions in Regulation 1998:3 were not applicable as the information would be collected systematically and not for any purpose set out in the Regulation. However, looking at the circumstances, the Data Inspection Board found that processing the information was not proportionate to the violation of the workers’ privacy. The Data Inspection Board considered that it was significant that information on all offences were collected, not just data on criminal offences relevant to Standard & Poors AB’s business. The Board referred to Article 6.5 of the International Labour Organization’s code of practice on the protection of worker’s personal data. This states that an employer should not collect personal data concerning a worker’s criminal convictions. The application for an exemption from Section 21 of the PDA was therefore rejected. The decision has not been appealed.

The decision shows that the Data Inspection Board takes a restrictive view on the applicability of the exemption. In doing so it took into account the sensitivity of information concerning criminal offences. Difficult situations can therefore arise when Swedish data protection law conflicts with legal obligations in other jurisdictions, Companies may find themselves stuck between a rock and a hard place as they risk being subject to sanctions and penalties regardless of their actions. They will either fail to comply with the PDA or with the applicable foreign legislation. A similar example is the obligation for publicly held US companies and their EU-based affiliates[2], to implement internal whistleblowing schemes under the Sarbanes-Oxley Act. Whistleblowing schemes involve processing personal data concerning criminal offences when an employee reports possible misconduct and criminal behaviour to their employer.

The Data Inspection Board has not taken an official position on this. Instead, it has stated that where the scheme involves processing of information concerning criminal offences an individual exemption should be sought. A few applications of this nature have been filed with the Data Inspection Board but as yet no decision has been reached. Whether the implementation of a whistleblowing scheme can justify an exemption from Section 21 of the DPA remains to be seen.

[1] Criminal offences, judgments in criminal cases, coercive penal procedural measures and administrative deprivation of liberty.

[2] as well as non-US companies listed on the US stock markets