
10. Sweden

10.1 Introduction

Following the Tele2 judgment (Joined cases C-203/15 and C-698/15), the Swedish data retention rules were revised, with effect from 1 October 2019. The law prior to the revision provided for general undifferentiated retention of data related to telephony, messaging, and broadband services. The data were to be stored for a period of 6 months. The data could be accessed both for the purpose of criminal investigation pursuant to rules set out in the Procedural Code (Rättegångsbalken (“RB”)), and intelligence gathering by law enforcement authorities pursuant to rules set out in the Electronic Intelligence Act (“EIA”) (Lag om inhämtning av uppgifter om elektronisk kommunikation i de brottsbekämpande myndigheternas underrättelseverksamhet). In the Tele2 judgment, the European Court of Justice concluded that the regulation exceeded the limits of strict necessity and could not be justified in a democratic society.
The current data retention provisions are laid down in SECA.

10.2 The data to be registered and stored

The data to be registered and stored are broadly specified in SECA 9:19, and the data must at the outset be such “as referred to in 9:31 first para., no. 1 and 3”. No. 1 concerns “data about subscription” (en uppgift om abonnemang); no. 3 concerns “other data that concern a specific electronic communication” (en annan uppgift som angår ett särskilt elektroniskt meddelande).
“Elektroniskt meddelande” could be translated to “electronic message,” but the definition set out in SECA 1:7 rather suggests “electronic communication” to be more suitable, as the definition includes interpersonal communication no matter the form (message, audio/video communication, etc.): “Elektroniskt meddelande” means “all information exchanged or transmitted between a delimited number of persons through a publicly available electronic communications service, except for information transmitted as part of transmissions of audio radio or TV-program directed towards the general public through an electronic communications network, unless the information may be connected to (sättes i samband med) a specific subscriber or user of the information.”
No. 2 concerning content data is not relevant to the present context.
SECA 9:19 further specifies that the data are such as are necessary to trace and identify the source of the communication, the final destination of the communication, date, time, and duration of the communication, type of communication, communication equipment, as well as the location of mobile communication devices at the time of the communication’s beginning and end.
The second paragraph of the provision clarifies that the obligation to register and store data concerns data “generated or processed” at
  1. a telephone service, or the processing of messages (meddelandehantering) through a mobile network termination point, or
  2. internet access.
“Meddelandehantering” means “exchange or transmission of an electronic message which is not a real-time voice communication nor is information transmitted as part of radio- or TV-transmission” (SECA 1:7). On the network termination point, see “nätanslutningspunkt” (SECA 1:7) and “network termination point” (e-kodex Art. 2 point 9).
Data shall also be retained in respect of communications that reach the end-point without reaching the recipient (“misslyckad uppringning”, SECA 1:7) (9:19 third paragraph).
The data are described in more detail in Government Regulation on Electronic Communications (2022:511) 9:7 and 9:8.

A. Telephony services and messaging; only communications via a mobile access point:

  1. calling and called numbers or equivalent address;
  2. for telephony services: callers and called subscriber- and equipment identity;
  3. data on subscriber and registered user connected to 1 and 2;
  4. date and time when the communication was initiated and terminated, or a message was sent and received;
  5. data on location at the beginning and end of the communication;
  6. date, time and location of first activation of pre-paid, anonymous services. 

B. Internet access:

  1. Users’ IP-addresses and other data necessary to identify a subscriber and registered user*;
  2. data on subscribers and registered users;
  3. date and time regarding logging on and off the service that provides internet access;
  4. data that identify the equipment that finally secludes the communication from the service provider to the subscriber.
* Carrier Grade NAT 
Re: A, Telephony: The heading specifies that the obligation concerns “only” mobile communication. This leaves out fixed telephony and IP-telephony, thus a reduced scope compared to the regulation in Denmark (see Section 6.4.1).
Re: B, Internet access: B no. 1 deals with the situation where one IP-address is shared by several users. In addition to users’ IP-addresses “other data necessary to identify a subscriber and registered user” shall be registered. A similar wording is used in B no. 4. A corresponding situation is dealt with in NECA § 2–8 a point b, however here the data are specified (“source port” and “time of the communication”). The general wording in the Swedish regulation might make it more resilient to changes caused by technical development, as it encompasses the data that are relevant for the stated purpose under any given technical solution.
The Post and Telecom Authority may specify in a delegated regulation which data shall be retained according to Chapter 9:7 and 9:8 of the Government Regulation. This is relevant in relation to the retention of data for the purpose of identifying subscribers and registered users in connection with the use of Carrier Grade NAT-technology. On this issue, the Post and Telecom Authority has laid down a specific retention obligation that entered into force 1 April 2020. The obligation entails retention of data on public IP-address and appurtenant UDP or TCP port numbers linked to the users’ IP-address and traceable time for the connection (E-mail 21 March 2023).
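The following sketch is an added illustration, not taken from the report or from any provider's system. It shows why the public IP-address alone does not identify a user behind Carrier Grade NAT, and why the port number and a traceable time are needed. The record layout, the use of port ranges, and all addresses and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NatBinding:
    """One retained CGNAT record (field names are hypothetical)."""
    public_ip: str   # shared public address
    proto: str       # "tcp" or "udp"
    port_lo: int     # first public port assigned to the user
    port_hi: int     # last public port assigned to the user
    user_ip: str     # the user's own (internal) address
    start: datetime  # binding valid from (UTC)
    end: datetime    # binding valid until (UTC)


def utc(s):
    """Parse an ISO timestamp and mark it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records; addresses are from documentation/CGNAT ranges.
BINDINGS = [
    NatBinding("198.51.100.7", "tcp", 1024, 2047, "100.64.0.11",
               utc("2024-03-01T10:00:00"), utc("2024-03-01T10:30:00")),
    NatBinding("198.51.100.7", "tcp", 2048, 3071, "100.64.0.12",
               utc("2024-03-01T10:05:00"), utc("2024-03-01T10:40:00")),
    NatBinding("198.51.100.7", "tcp", 1024, 2047, "100.64.0.13",
               utc("2024-03-01T10:30:05"), utc("2024-03-01T11:00:00")),
]


def candidates(public_ip, when, proto=None, port=None,
               skew=timedelta(0), bindings=BINDINGS):
    """Internal addresses whose binding is consistent with the observation.

    skew widens each binding's validity window to model clock uncertainty
    between the observer's log and the provider's log.
    """
    hits = set()
    for b in bindings:
        if b.public_ip != public_ip:
            continue
        if not (b.start - skew <= when <= b.end + skew):
            continue
        if proto is not None and b.proto != proto:
            continue
        if port is not None and not (b.port_lo <= port <= b.port_hi):
            continue
        hits.add(b.user_ip)
    return sorted(hits)


def resolve(public_ip, when, proto, port, skew=timedelta(0)):
    """Return the single matching user address, or None if zero or several match."""
    hits = candidates(public_ip, when, proto, port, skew)
    return hits[0] if len(hits) == 1 else None
```

In the sample, a query by public IP-address and time alone returns two users; adding protocol and port narrows it to one, while a five-second clock tolerance around a port hand-over makes the result ambiguous again, so `resolve` returns nothing rather than a guess.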
The persons whose data are registered are referred to as “subscriber”, “registered user” and “user”. “User” is “a natural or legal person using or intending to use an electronic communications service.” “End-user” is a sub-category, meaning “a user not providing a publicly available electronic communications service” (SECA 1:7). The obligation to retain data concerning internet access thus encompasses both users and end-users.
It has not been possible to clarify how far down the service chain the obligation is applied.

10.3 Storage period

The storage period is set out in SECA 9:22 as follows:
  • Data related to telephony or the processing of messages through a mobile termination point: 6 months. However, location data may be stored for 2 months only.
  • Data related to internet access shall be stored for 10 months. However, data that identify the equipment that finally secludes the communication from the service provider to the subscriber shall be stored only for 6 months.
The storage period commences on the date when the communication ended.
Regarding internet access, the meaning must rather be when use of the IP-address ended. This also corresponds to Government Regulation B no. 3 “date and time regarding logging on and off the service that provides internet access.” See similar comment to the Norwegian regulation in Section 9.3.
The data shall be deleted upon expiration of the storage period (9:22 third para.). Exception is made in respect of data comprised by a request of access based on
  • SECA 9:33 first para., points 2 and 5 (access to subscriber data; see Section 5.2.5);
  • RB 27:19 (secret surveillance in the investigation of serious crime; see Section 5.4.5);
  • EIA (lag 2012:278) (secret surveillance in intelligence activities; see Section 5.4.5);
or where the data are subject to a preservation order as per RB 27:16 (see Section 5.3.5).
In such case, the provider shall continue to store the data until they have been disclosed as per the request or the preservation period has expired. Then the data shall immediately be deleted (9:22 third para.).

    10.4 The person obliged to register and store data

    The obligation to register and store data comprises “anyone who conducts activities that must be notified” to the Post and Telecom Authority (SECA 9:19). The Post and Telecom Authority shall be notified when the activity concerns “public communications networks that are usually provided against compensation or publicly available electronic communications services” (SECA 2:1). Pursuant to SECA 1:7 an “electronic communications service” is a service that is “usually provided against compensation.” The regulation corresponds prima facie to the regulation in Denmark and Norway. Whether the application is the same is a different question. As noted, especially regarding internet access, the interpretation may vary despite similarities in the wording of the legal provisions. Differences in interpretation have thus resulted in different data retention regimes for internet hot spots in Denmark and Norway.

    10.5 Access to data

    Pursuant to SECA 9:21, retained data may be accessed with legal basis in
    • SECA 9:33 first para., points 2 and 5;
    • RB 27:19; or
    • EIA (lag 2012:278).
    As noted in Section 5.2.5, SECA 9:33 applies to providers of electronic communications networks or -services, excluding providers of NI-ICS. The provision must be read in conjunction with SECA 9:31, laying down the duty of confidentiality in respect of:
    1. Subscriber data,
    2. The content of the communication, and
    3. Data related to the communication.
    SECA 9:33 first para no. 2: Access to subscriber data was dealt with in Section 5.2.5, reiterated here: The provision is applicable to requests concerning “criminal activity or suspicion about a crime”, put forward by Ekobrottsmyndigheten, Polismyndigheten, Säkerhetspolisen, Tullverket, Åklagarmyndigheten or “any other authority tasked with such intervention.” The data that may be made accessible by the provider are “data about a subscription agreement” (as per § 31 first para., no. 1).
    SECA 9:33 first para no. 5: Access to data related to an electronic message preserved in accordance with RB 27:16 (see Section 5.3.5). The data necessary to disclose the providers involved in the transmission of the message shall be disclosed to the public authority who ordered that the data be preserved. The same must apply if the data have also been retained.
    RB 27:19 (in force from 1 October 2023): The provision concerns “secret surveillance”, i.e., the secret collection of
    1. data related to electronic messages under transmission or that have been transmitted to or from a telephone number or other address (if “messages” (meddelanden) is to be interpreted as having the meaning used in SECA, the meaning is “electronic communication”; see the comment made in this regard in Section 10.2),
    2. data disclosing the electronic communications equipment that has been present in a specific geographic area, or
    3. data disclosing in which geographic area a specific electronic communications equipment is or has been located.
    Retained data of the kind mentioned above may be disclosed to the police in the investigation of an offence (including attempt and preparatory acts)
    • punishable with imprisonment for a minimum period of 6 months or more,
    • other offences as specified (hacking, child sexual abuse material, drugs), and
    • offences that may incur secret interception of electronic communication pursuant to RB 27:18 a second paragraph.
    This follows from RB 27:19 a (in force 1 October 2023).
    The Electronic Intelligence Act (“EIA”): This act provides for the collection of the same data as mentioned in RB 27:19 when necessary for intelligence activities aimed at preventing, intervening against, or uncovering criminal activities as further specified in that act.
    Data related to number-independent interpersonal communications services are not included.
    The reference to the EIA in SECA 9:21 entails that retained data may be accessed for intelligence purposes. The activity must concern an offence with a prescribed penalty of imprisonment for at least 2 years or other offences as specified in EIA § 2. The authorities that may access retained data for intelligence purposes are the Police Authority, the Police Security Service, and the Customs Authority.

    10.6 SOU 2023:22: Proposal for a law revision

    10.6.1 Introduction

    SOU 2023:22 Datalagring och åtkomst till elektronisk information (data retention and access to electronic information) (“the Expert Report”) proposes a law revision resembling the regulation in Denmark. The proposal concerns general, undifferentiated data retention to protect national security, and targeted data retention to combat serious crime. Data related to NI-ICS are included. The Expert Report was publicly distributed for feedback (remiss) 7 July 2023, with deadline 1 November 2023.

    10.6.2 Proposed amendments to SECA

    The revision requires the passing of new laws that shall refer to SECA, to Chapter 9 in particular. The material amendments to SECA Chapter 9 are as follows (Expert Report p. 60 ff.):
    Providers of NI-ICS shall also retain data (supplement to SECA 9:19).
    The data to be retained are categorized in §§ 19 a to 19 e. The storage time is set out in § 22.
    • § 19 a: Subscriber data. To be stored 1 year from termination of the subscription or of a temporary assignment of a service (§ 22).
    • § 19 b: Data retained for the purpose of protecting national security. To be stored for 2 years (§ 22).
    • § 19 c: Data related to geographic area. To be stored for 1 year (§ 22).
    • § 19 d: Data necessary to combat serious crime (extended targeted data retention). To be stored for 1 year (§ 22).
    • § 19 e: The data to be retained pursuant to § 19 b shall include data related to unsuccessful calls. The data to be retained pursuant to §§ 19 c and 19 d may include data related to unsuccessful calls.
    Providers have a duty to ensure that their services are arranged so that data retention obligations become effective. Moreover, they shall ensure that data retention is not disclosed (§ 29). Access to retained data shall be facilitated in a manner that maintains secrecy of the measure (§ 29 b).

    10.6.3 General, undifferentiated data retention to protect national security

    “Proposal of an Act (2025:000) concerning retention of and access to data related to electronic communication for the purpose of protecting national security.”
    Förslag till lag (2025:000) om lagring av och åtkomst till uppgifter om elektronisk kommunikation i syfte att skydda Sveriges säkerhet, Expert Report p. 42 ff.
    The act has a counterpart in the Danish rpl. § 786 e.
    A data retention order may be issued if there is a “serious threat against Swedish security that is real and present or foreseeable.” Pursuant to § 3, an order may be issued only if deemed “strictly necessary” (“absolut nödvändigt”) to protect national security. The order shall be limited only to concern that which is strictly necessary for the purpose, concerning,
    1. The providers that should retain data,
    2. The duration of the data retention period, and
    3. The data comprised by the order.
    The order may be made by the Police Security Service (Säkerhetspolisen). Prior to making the decision the Service shall seek advice from the Military Defence (§ 2).
    The order may be issued for 1 year as a maximum (§ 2 second para.) and be prolonged if the threat against Sweden persists. An order must generally not exceed what is necessary for the purpose (§ 3 no. 2) and shall be repealed once the reason for the order ceases to exist (§ 2 second para.).
    There is an oversight mechanism provided by a national public authority to be designated by the Government (§§ 4 and 7).

    10.6.4 Targeted data retention to combat serious crime

    “Proposal of an Act (2025:000) concerning retention of data related to electronic communication for the purpose of combating serious crime.”
    Förslag till lag (2025:000) om lagring av uppgifter om elektronisk kommunikation i syfte att bekämpa grov brottslighet, Expert Report p. 47 ff.
    Data retention in a specific geographic area. (Danish counterpart in rpl. § 786 c).
    Data retention shall be performed in “specific municipalities” (vissa kommuner), where the level of reported crime is on par with or exceeds the aggregate national crime rate (§§ 2 and 3). The Post and Telecom Authority shall determine the municipalities that shall have to retain data, and do this on an annual basis not later than 1 June (§ 4).
    Extended targeted data retention. (The provisions do roughly correspond to the Danish rpl. §§ 786 b to 786 d).
    Data retention in a specific area may be supplemented with a decision about extended targeted data retention by the Police Authority, the Police Security Service or the Customs Authority. The decision is not subject to complaint (§ 11).
    The decision may concern:
    1. A delimited geographical area where offences as mentioned in RB 27:19 third para. are committed, or are likely to be committed (the offences were described in Section 10.5). Maximum retention period: 1 year.
    2. A place worthy of protection (Danish counterpart: rpl. § 786 c second para.). Maximum retention period: 3 years.
    3. A person who is or has been subject to (maximum retention period: 1 year)
      1. secret coercive measures as set out in RB,
      2. secret computer surveillance, as per law (2020:62) about secret computer surveillance,
      3. a decision pursuant to EIA (collection of data for intelligence purposes).
    4. A person who has been sentenced or accepted punishment regarding an offence as mentioned in no. 1 (maximum retention period: 1 year).
    5. Communications equipment or subscriber identity used or likely to be used in the commission of an offence as mentioned in no. 1, or in criminal activity (brottslig verksamhet) involving such offences. Maximum retention period: 1 year.
    The data retention periods are specified in § 8.
    The Swedish provisions do not require a court decision to retain data. The Danish rpl. § 786 d stands out in this regard. However, decisions about extended targeted data retention shall be subject to oversight by the Committee for the Protection of Security and Integrity (Säkerhets- och integritetsskyddsnämnden) (Law (2007:980)) (Expert Report p. 50-51).

    10.6.5 Access to data

    Retained data may be accessed pursuant to § 11, according to a decision about secret interception or secret electronic surveillance pursuant to RB 27:18 and 27:19, or a permission issued pursuant to the EIA. Data retained for the sake of protecting national security may be accessed solely for that purpose (§ 21 second para.).