NPA 2023: The European Convention and GDPR enforcement





The Nordic Privacy Arena (NPA) is an annual conference for people working in the field of data protection. The 8th edition of the NPA was held as a semi-digital event on September 25-26, 2023. The conference featured no fewer than 20 agenda topics on data protection and had more than 300 on-site participants at Münchenbryggeriet in Stockholm. Participants also attended online. This is the third and last article highlighting some of the lectures and discussions that took place.

One of the keynote speakers who provided a breath of fresh air from outside the privacy bubble was Clarence Crafoord, Lawyer and Owner, Crafoord Advokatbyrå. Clarence Crafoord is a prominent figure in the field of human rights and has more than 25 years of experience in constitutional law. Among other things, he has worked with a Swedish non-profit foundation called “Centrum för Rättvisa”, which has taken on litigation on behalf of individuals in several high-profile cases concerning possible violations of fundamental rights. The legal battles have taken place against the Swedish government in the national courts as well as in the European Court of Human Rights in Strasbourg.

The role of data protection authorities
In his presentation, Clarence discussed the intersection of data protection law and human rights, particularly based on the European Convention on Human Rights. He started out by explaining that data protection rules are fundamental human rights and referred to Article 8 of the European Convention on Human Rights. Article 8 guarantees respect for private and family life.

He went on to say that supervisory authorities like the Swedish Authority for Privacy Protection, IMY, have a crucial role in ensuring that personal data is properly protected. He clarified that commercial companies, like people, have rights under human rights conventions. The European Convention has significant implications for how regulators such as the Swedish Authority for Privacy Protection, IMY, carry out their regulatory role. He stressed the importance of respecting the rights of companies and organisations that are monitored for possible breaches of the General Data Protection Regulation (GDPR).

Legal Safeguards
One of the main points was that although a supervisory procedure of a data protection authority is handled under the country’s administrative law system, fines/penalties are considered to be punishments under the European Convention on Human Rights. Therefore, the legal safeguards and protections from the criminal law context also apply to companies in these cases. He also pointed out that any violation of rights under the European Convention entitles the affected party to redress or compensation, which could mean that fines are cancelled, reduced or converted into a warning.

Furthermore, Clarence Crafoord stressed the need for precision and accountability when regulators exercise public authority against companies. He pointed out the significance of the European Convention being part of Swedish law and the fundamental rights that the state must respect. Crafoord stated that anyone whose rights under the European Convention have been violated is entitled to compensation.

Allegations must be concise
Crafoord then explained the general position of the European Convention in Swedish law, similar to most European countries. He explained the fundamental rights that the state must respect, including the right to a fair trial, the right to be informed promptly and in detail of any allegation, no punishment without law, the right to respect for private and family life, home and correspondence, and the right to protection of property.

Furthermore, he discussed the European Convention and its implications for administrative fines and privacy laws. He explained that Article 6(1) of the Convention, which refers to the right to a fair trial, already applies when a person is formally charged or when he or she is significantly affected by actions of the authorities. But Crafoord stressed that even informal allegations or suspicions of wrongdoing that lead to fines can have a significant impact, especially if they receive media attention.

He also touched on Article 6(3), which states that all allegations must be made promptly and in detail. Then he referred to Article 7, which states that fines must have strict legal safeguards, and Article 8, which can be interpreted to include the right to respect for a company’s premises. Crafoord also mentioned Protocol 1, Article 1 of the Convention, which guarantees the right to peaceful enjoyment of property, and concluded by addressing the consequences of violations of these rights: the state can be liable for damages. Further, he pointed out that such violations could be reprimanded by the Parliamentary Ombudsman.

The Complex Path to the European Court of Human Rights
Crafoord emphasised that anyone whose rights under the European Convention have been violated is entitled to a remedy. If a remedy before the Swedish administrative courts is unsuccessful, the affected person can apply for compensation either to the Chancellor of Justice or to the Court of Human Rights. He emphasised that seeking damages for a violation of rights is a prerequisite for being able to appeal to the European Court of Human Rights in Strasbourg.

Finally, Crafoord conceded that the legal path to the Court of Human Rights could be complex and potentially long, with several stages to navigate. He illustrated this with a case flow diagram, starting with the Swedish Authority for Privacy Protection, then moving through the administrative court, the administrative court of appeal, and the Supreme Administrative Court. If these steps are unsuccessful, the individual can then claim damages from either the Swedish Chancellor of Justice or the General Court.