If (and only if) the API is authenticated can you publish things that fall under various secrecy laws (sekretesslagar); the chief one I am familiar with is medical secrecy, where a person has access to all their medical records, medical staff have access to records that are relevant to ongoing treatment, and no one else has.
This can, in principle, be solved with a permission system that makes suitable decisions based on the identity of the API user (well, the identity on whose behalf the API queries are done).
For medical secrecy, should you stumble over information that you should not have, you are then legally obliged to not disclose the information, but I cannot recall to what extent you have an obligation to tell relevant document owners about the possible breach; it's simply been too long since I was working in medical IT (where, by necessity, I would occasionally stumble over secret things doing things like DB repairs or helping users with application problems).
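A sketch of the permission check described above, added here as an illustration and not taken from the post or from any real system. All names (`Caller`, `Treatment`, `Record`, `decide`) and the sample data are constructed, and "relevant to ongoing treatment" is assumed to mean a treatment of the same patient, in the same specialty, that is still open today.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Caller:
    client_id: str               # the API client (application) sending the query
    on_behalf_of: Optional[str]  # authenticated person the query is made for
    role: str = "none"           # "patient", "staff" or "none"

@dataclass(frozen=True)
class Treatment:                 # hypothetical link between staff and patient
    staff_id: str
    patient_id: str
    specialty: str
    start: date
    end: Optional[date]          # None means the treatment is still ongoing

@dataclass(frozen=True)
class Record:
    patient_id: str
    specialty: str

def decide(caller, record, treatments, today):
    """Return (allowed, reason). Deny unless a rule explicitly allows."""
    # The decision uses the identity the query is made for, never client_id.
    if caller.on_behalf_of is None:
        return False, "unauthenticated"
    if caller.role == "patient" and caller.on_behalf_of == record.patient_id:
        return True, "own-record"
    if caller.role == "staff":
        for t in treatments:
            ongoing = t.start <= today and (t.end is None or today <= t.end)
            if (ongoing and t.staff_id == caller.on_behalf_of
                    and t.patient_id == record.patient_id
                    and t.specialty == record.specialty):
                return True, "ongoing-treatment"
    return False, "no-rule-matched"

# Constructed sample data
TODAY = date(2024, 2, 1)
TREATMENTS = [
    Treatment("dr-a", "p1", "cardiology", date(2024, 1, 10), None),
    Treatment("dr-b", "p1", "orthopedics", date(2023, 3, 1), date(2023, 4, 1)),
]
CARDIO = Record("p1", "cardiology")

if __name__ == "__main__":
    for who in (Caller("portal", "p1", "patient"), Caller("ehr", "dr-a", "staff"),
                Caller("ehr", "dr-b", "staff"), Caller("ehr", None, "staff")):
        print(who.on_behalf_of, decide(who, CARDIO, TREATMENTS, TODAY))
```

The returned reason string is what you would write to the access log alongside `client_id` and `on_behalf_of`, so that each disclosure can later be traced to the rule that allowed it.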