CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
aspects of the FRA’s activities, there is no reason to consider that detailed
logs and records are not kept in practice or that the FRA could proceed to
changing its internal instructions arbitrarily and removing its obligation in
that regard. While it is true that in 2010 and 2016 the Swedish Data
Protection Authority criticised an aspect of the FRA’s practices of keeping
logs, this only concerned the manner in which the FRA monitored logs used
to detect unwarranted use of personal data (see paragraph 76 above).
Furthermore, the Government clarified that since 1 January 2018 logs which
were previously kept by separate “system owners” within the FRA are being
sent to a central function, thus improving their monitoring. This change had
been reported to the Swedish Data Protection Authority, which had not
requested further action and had closed the file.
312. Swedish law affords specific protection of personal data, including
data that may reveal aspects of natural persons’ private life or
communications. In the context of signals intelligence, the FRA Personal
Data Processing Act imposes on the FRA the obligation to ensure that
personal data is collected only for the authorised purposes expressly
determined through tasking directives and within the limits of the permit
issued by the Foreign Intelligence Court. As noted by the Chamber, the
personal data treated also has to be adequate and relevant in relation to the
purpose of the treatment. No more personal data than what is necessary for
that purpose may be processed. All reasonable efforts have to be made to
correct, block and obliterate personal data which is incorrect or incomplete
in relation to the purpose (see paragraph 40 above). The FRA staff treating
personal data are security cleared, subject to confidentiality and under an
obligation to handle the personal data in a safe manner. Also, they could
face criminal sanctions if tasks relating to the treatment of personal data are
mismanaged (see paragraph 42 above).
313. The applicant criticised the fact that the safeguards mentioned in
the preceding paragraph only apply to intercepted material containing
“information that is directly or indirectly related to a natural living person”.
The applicant deduced from this fact that legal persons were left
unprotected.
314. The Court observes, however, that there is nothing to suggest that
the protection guaranteed by the FRA Personal Data Processing Act and the
FRA Personal Data Processing Ordinance does not apply to the content of
communications exchanged by legal persons such as the applicant whenever
those include “information that is directly or indirectly related to a natural
living person”. Furthermore, it must be noted that most legal requirements
and safeguards provided for in the above-mentioned legislation would
normally be of value to natural persons only. For example, the Act in
question prohibits processing of personal data solely because of what is
known of a person’s race or ethnicity, political, religious or philosophical
views, membership of a union, health or sexual life. It provides for a special