CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
56. According to the Act, secrecy also generally applies to foreign
intelligence activities in regard to information concerning another State,
international organisation, authority, citizen or legal person in another State,
if it can be presumed that a disclosure will interfere with Sweden’s
international relations or otherwise harm the country (Chapter 15,
section 1).
57. Secrecy further applies to information on activities related to the
defence of the country or the planning of such activities or to information
that is otherwise related to the country’s comprehensive defence strategy, if
it can be presumed that a disclosure will harm the country’s defence or
otherwise endanger national security (Chapter 15, section 2).
58. Information which is protected by secrecy under the Public Access
to Information and Secrecy Act may not be disclosed to a foreign authority
or an international organisation unless 1) such disclosure is permitted by an
express legal provision (cf. section 7 of the FRA Personal Data Processing
Ordinance, paragraph 34 above), or 2) the information in an analogous
situation may be communicated to a Swedish authority and the disclosing
authority finds it evident that the communication of the information to the
foreign authority or the international organisation is consistent with Swedish
interests (Chapter 8, section 3 of the Act).
K. The reports of the Data Protection Authority
59. On 12 February 2009 the Government ordered the Data Protection
Authority to examine the handling of personal data at the FRA from an
integrity perspective. In its report, published on 6 December 2010, the
Authority stated that its conclusions were overall positive. Issues relating to
the processing of personal data and to personal integrity were given serious
consideration by the FRA and a considerable amount of time and resources
were spent on creating routines and educating its personnel in order to
minimise the risk of unwarranted interferences with personal integrity.
Moreover, no evidence had been found which indicated that the FRA was
handling personal data for purposes not authorised by the legislation in
force (see paragraphs 12-14 and 28 above). However, the Authority noted,
inter alia, that there was a need to improve the methods for separating
domestic and cross-border communications. Even if the FRA had
implemented mechanisms in that area, there was no guarantee that domestic
communications were never intercepted, and, although the occasions had
been very few, such communications had in fact been intercepted. The
Authority further noted that the procedure for notification to individuals
(paragraphs 44-45 above) had never been used by the FRA, due to secrecy.
60. A second report was issued by the Authority on 24 October 2016.
Again, the Authority found no evidence that personal data had been
collected for other purposes than those stipulated for the signals intelligence