Loophole enables data brokers to bypass GDPR

A loophole in Swedish law allows data brokers to obtain a media license and bypass GDPR, the EU’s strict privacy law, digital rights non-profit noyb claims.

One of Sweden’s largest data brokers, MrKoll, employs a locally issued “media license” to exempt itself from EU privacy laws’ strict regulations.

“The company has data on almost the entire Swedish population and makes a profit by selling it to anyone who’s interested without a single safeguard or restriction,” noyb said.

According to the Vienna-based non-profit, the sold data includes many details, from names and surnames to real-estate value and criminal records. The wholesale of sensitive data is enabled by lax Swedish laws that allow GDPR exemptions for media companies.

“Swedish national legislation makes it extremely easy to obtain a “media license,” even if a company’s activities are not even remotely related to those of a news outlet and clearly just focused on sharing and selling personal data,” noyb said.

The non-profit filed a complaint with the Swedish data protection authority (IMY) since MrKoll refused one complainant’s request to delete his data, violating the EU’s General Data Protection Regulation (GDPR).

According to noyb, Sweden’s lax position on data can have devastating consequences as criminal gangs are known to have used data brokers to learn the geographical location of their rivals to carry out attacks. In one such attack, explosives killed an innocent bystander.

“The MrKoll case highlights why there are strict limitations when Member States want to deviate from the GDPR. Giving data brokers carte blanche to ignore EU law should be clearly seen as a step too far,” Sophia Hassel, trainee lawyer at noyb said.

Under GDPR, organizations must obtain consent from users to sell their data. Moreover, individuals have the right to ask organizations to delete data stored about them.