It is proposed to amend § 31 second para., also to include “end-users’ unique ID”.
The police may also gain access by an order with legal basis in rpl. § 804 b. Thus the police may order a “provider” to disclose data identifying an end-user’s “access to electronic communications networks or -services.” The measure is available in a criminal investigation concerning an offence subject to public prosecution (“offentlig påtale”). Based on rpl. § 804 b, the end-user may be identified, and the reverse is possible, namely, to identify the telephone numbers an end-user has connected from his number, as well as the IMEI- and IMSI-number that have been connected to a telephone number. On the internet side the police may gain access to fixed IP-addresses and e-mail addresses. Dynamic IP-addresses and port numbers cannot be accessed with basis in this provision, instead rpl. § 804 (edition) apply.
5.2.2 Finland
The police may request subscriber data directly from the provider. This is considered necessary to perform the duties under the Police Act etc.
5.2.3 Iceland
...
5.2.4 Norway
Telephone numbers are stored in a publicly available database, however subscribers may reserve their data from being included. Unlisted numbers and identity data are protected by the duty of confidentiality set out in NECA § 2-9. Still the police and the prosecuting authority may gain access to unlisted telephone numbers, other subscription information, and electronic communication addresses (including e-mail addresses), cf. § 2-9 third and fourth para. IP-addresses are retained data pursuant to NECA § 2-8 a, and must be accessed pursuant to the procedure set out in § 2-8 b. This procedure however largely corresponds to the one laid down in § 2-9 third and fourth para.
The provider shall comply with the request unless “special circumstances make it undesirable.” The circumstances must concern issues internal to the provider (e.g., uncertainty causing risk of confusion with another person). The provider shall not review the necessity of the data to the police. The request may concern any purpose within the mandate of the police/prosecution. It follows that access to the data may be obtained also for tasks other than criminal investigation. Finally, the provision also provides for data to be handed out to “another authority” “pursuant to law”. This is provided for with respect to owners of intellectual property rights as per the Copyright Act § 87.
5.2.5 Sweden
Pursuant to SECA 9:24-25 providers of prepaid electronic communications services may not activate the service without first having registered the subscriber’s name and address, unique ID and the ID of the agreement related to electronic communications service. Government regulation (2022:51) 9:11 authorises the Postal and Telecom Authority to lay down rules about identity control.
SECA 9:33 first para., no. 2 sets out that “data about a subscription agreement” (as per § 31 first para., no. 1) shall be made available pursuant to requests concerning “criminal activity or suspicion about a crime.” The request may be put forward by the Economic Crime Authority (Ekobrottsmyndigheten), the Police (Polismyndigheten), the Police Security Service (Säkerhetspolisen), the Customs Authority (Tullverket), the Prosecuting Authority (Åklagarmyndigheten), or «any other authority tasked with such intervention.”
The obligation to disclose data concern providers of “electronic communications networks or -services”. NI-ICS are not included.
5.3 Expedited data preservation and partial disclosure of data
5.3.1 Denmark
The police may order “providers”
(“udbydere”) to perform expedited preservation of “electronic data” (rpl. § 786 a). An order may be issued if “electronic evidence material
(elektronisk bevismateriale) may be of importance”
(af betydning) to the investigation. The investigation must concern an offence that qualify for
teleoplysning, a coercive measure further explained in Section
5.4.6. By specifically mentioning “providers” the provision seems not to open for use of preservation order against other actors, even if they might be in possession of data important to the investigation. This is different from the rules for instance in Norway and Sweden.
The order must specify the data to be preserved. It may only concern data existing at the time when the order is served and must not exceed the amount of data necessary for the purpose. The preservation period must be as short as possible not exceeding 90 days, with a possibility for renewal.
Preserved “traffic and location data” may be collected by the police under a production order
(edition) pursuant to rpl. § 804 a. The condition is that the investigation concerns an offence that could give basis for
teleoplysning (see Section
5.4.6). Rpl. § 804 a is further explained in Section 6.6.
Pursuant to rpl. § 786 a third para., “providers of electronic communication networks or -services” shall upon request, as part of the preservation of data, without undue delay disclose source and destination data of a communication. The obligation to preserve and disclose data is criminally sanctioned (rpl. § 786 a fourth para.).
5.3.2 Finland
Preservation order is regulated in the Coercive Measures Act (Tvångsmeddellagen (tvml.)) 8:24-26.
A preservation order may be issued by a police officer “entitled to perform arrest.” The order may be issued “prior to a search of equipment” if there is “reason to believe that data that may be relevant to the investigation get lost or altered.” The order may also apply to data “likely to arrive in the device or information system during the month following the order.” The possibility to order preservation of future data sets the Finnish provisions apart from the data preservation rules of the other Nordic countries, which are limited to concern data existing when the order is served on the provider.
The order may also comprise data related to an electronic message, its source, destination, route and size, and the time and duration of the communications and similar data (traffic data). If the transmission of a message involves several providers, the pre-trial authority is entitled to get sufficient data to identify them. A preservation order may be issued for 3 months at a time (§ 25). It may be renewed if necessary for the investigation. It shall be terminated once preservation of the data is no longer necessary. The provider or possessor of the data shall keep the preservation order confidential (§ 26).
Access to preserved data follows the procedure applicable to teleövervakning, tvml. Ch. 10.
5.3.3 Iceland
The Code of Criminal Procedure Article 92, paragraph 3, states that the police can demand expedited data preservation.
For the purpose of the investigation of the case, the police are authorised to instruct an electronic communications undertaking (i.e., an e-com provider) to immediately save digital data, including traffic data related to electronic communications. Police instructions may only apply to data that already exists. The instructions shall state which data shall be saved and the duration for which it should be preserved, which may, however, not be longer than 90 days.
5.3.4 Norway
In the investigation of a crime, the public prosecutor may order the possessor to perform expedited preservation of electronic data (sikringspålegg), and partial disclosure of traffic data (strpl. § 215 a). Concerning an order served on a provider of an electronic communications network or -service, it is also required that there is “reason to believe that a crime has been committed.” The preservation period must “not be longer than necessary” and not exceed 90 days. If the order is issued upon the request of another state the period shall be at least 60 days.
Upon request the provider shall disclose “the traffic data necessary to trace the source of the data comprised by the order, and in case they have been sent, their destination.”
A suspect shall be notified once the data are preserved, and procedural status as criminally charged is achieved. In practice this may entail that notification is given first when use of secret coercive measures is terminated.
Access to preserved data related to electronic communications may be obtained in secret pursuant to strpl. § 216 b (see Section
5.4.4), alternatively with notification to the person whose data are targeted pursuant to strpl. § 210 (production order/
utleveringspålegg). In the latter case it suffices that the data are assumed to be relevant as evidence. Notification may be postponed for 8 weeks with possibility for extension, cf., strpl. § 210 a, provided the investigation concerns an offence with a prescribed maximum penalty of imprisonment for at least 6 months, and notification is assumed to be seriously detrimental to the investigation.