Go to content

5. Nordic overview

This section provides the national legal context of the data retention rules. It raises some issues related to national e-com legislation and gives an overview of the rules concerning data preservation, secret coercive measures concerning data related to electronic communication, and police access to subscriber data. The aim is to make it easier to understand similarities and discrepancies of the Nordic data retention rules, addressed in detail in Sections 6 to 10.
Unfortunately, the English translation of the Icelandic Electronic Communications Act (Act. No. 70/2022) that entered into force 1 September 2022, is not yet available (September 2023). Lack of access to the legislative text itself has been an impediment, although the Icelandic contact person has been very helpful. The coverage regarding the Icelandic situation is therefore incomplete.

5.1 E-com regulation

5.1.1 Introduction

Each Nordic country has provided for an Electronic Communications Act (“ECA”), herein referred to as DECA, FECA, IECA, NECA, and SECA respectively. The purpose of the ECAs is first and foremost to provide a framework ensuring fair market conditions in the e-com sector, and public access to effective and secure electronic communications services.
DECA § 1; FECA § 1; IECA ; NECA § 1-1; SECA 1:1.
 The ECAs also implement the provisions of the e-Privacy Directive, thus laying down an obligation of confidentiality on providers of electronic communications networks and services.
DECA § 7; FECA § 136 third para., IECA ; NECA § 2-9; SECA 9:31.
 The obligation comprises both the content of the communication and data related to use of the communications service. The ECAs also specify that data shall be deleted once they are no longer necessary for communications purposes or invoicing, or other purposes set out in law (e.g., data retention).
DECA § 8; FECA § 137 third para.; IECA ; NECA § 2-7 fifth para.; SECA 9:1.
 In terms of data protection law, the rules reflect principles of purpose specificity, data minimalization (data may be processed only when necessary for a lawful purpose), and storage limitation.

5.1.2 National discretion and consequences to data retention

This report shows that each Nordic country has its own take on data retention regulation.
See Sections 6 to 10.
 However, at the outset they have in common that the first component (registration and storage) must specify:
  1. The type of electronic communications services to be comprised by the rules;
  2. The person that shall have a duty to register and store data; and
  3. The person whose data that shall be retained (the data subject).
Relevant to litra a is that the EU regulatory restrictions on data retention concern data related to “electronic communications services”. The EU definition of “electronic communications services” thus sets the perimeter for national data retention rules (the definition is further addressed in Section 5.1.3). The definition encompasses a range of services both on the sides of telephony and the internet. However, there is no obligation to ensure that data retention rules on national level comprise all these services. It clearly follows from the e-Privacy Directive that the rules may not exceed what is “necessary, appropriate and proportionate” (Article 15, cited in Section 2, i.e., the proportionality condition). Thus, within the perimeter set by the EU definition, a country is free to adopt data retention rules with narrower scope. The Norwegian rules which are limited to comprise internet access services only, make for a pertinent example.
The scope of services encompassed by litra a, logically sets the perimeter for the scope of persons mentioned in litra b and c. Taking account of the proportionality condition, it is not a given that national data retention rules encompass everyone eligible within each category, and unsurprisingly, national solutions differ in this respect. For instance, regarding (b) (the providers), Norway has opted for including every internet access provider, large or small. 95 % of the Norwegian market is controlled by 6 large internet access providers, and the remaining 5 % is shared among approximately 300 small providers. No matter the size, each of them must comply with the obligation to retain data.
2018 figures. Prop. L 167 (2020-2021) Ch. 8.1.2 and 8.1.4.
 In contrast, Finland has nominated four providers (lagringsskyldigt företag), selected according to criteria concerning aggregate market share and geographical coverage of the services.
E-mail dated 4 August 2023, referring to teleföretag as defined in FECA § 3 no. 27.
 Finnish regulation makes clear that providers of “small significance” (ringa betydelse) may not be subject to an obligation to retain.
Regarding (c) (the data subject), to find out whose data that have to be retained according to national law, has proved itself to be a bit complicated. The problem is caused by the array of terms provided both on EU level and national level. On EU level the definitions laid down in the e-kodex Directive (2018/1972/EU) that replaced the former EC e-com regulation, apply. The Directive is implemented in Denmark, Finland, and Sweden, but not in Norway (as of November 2023) although EEC-relevant.
Proposal for a new e-com act was publicly announced 2 July 2021, and deadline for feed-back set to 15 October 2021. Information about the preparatory process may be accessed here: Høring - Forslag til ny ekomlov, ny ekomforskrift og endringer i nummerforskriften - regjeringen.no (visited 15 September 2023).
 Differences in implementation result in differences between the definitions on national level. It adds to the variety that countries that have implemented the e-kodex Directive, do not always apply all the definitions, or provide national definitions whose scope may deviate from the Directive. This is the case with respect to the notions “user” and “end-user” that are crucial to data retention rules on the internet side. The fact that they are not quite in alignment with each other across borders, complicates a comparison.
From a police perspective it is important that the obligation to retain, encompasses data that enable the police to identify the person who used an electronic communications service at a specific point in time. Because electronic communications services often are provided in chains running through several service layers, the question arises about how far down the chain the obligation to retain applies. Does it end with data generated by the “user” or go further to include data of the “end-user” as well? To complicate matters, on one level a person may be a “provider” and on another a “user”. This could be a matter of perspective. The problem is predominantly related to data retention regarding internet access services. However, having legal certainty about who that is deemed to be a provider, to be distinguished from the person whose data shall be retained, is important. It makes the meaning of notions such as “user” “end-user”, “subscriber”, “registered user” as well as “provider”, crucial.
Central definitions are provided in the Section “Terms”, see p. 5-9.
 Unfortunately, their meaning is not always easily discerned. As this is a recurring theme the issue will hopefully be clarified over the pages that follow.  
The purpose of e-com regulation is an aspect related to this problem. The purpose was described in the previous section and showed that assisting the police was not included. It is questionable whether the definitions developed for the purpose of the e-com sector are fully suitable for the needs of the police. National data retention law is free to specify the providers and data subjects in more detail, which could be a way to achieve greater legal certainty and make the rules more easily comprehensible.

5.1.3 Electronic communications service

5.1.3.1 The definition set out in the e-kodex Directive

The e-kodex Directive Article 2 no. 4 sets out the following definition of electronic communications service:
a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:
  1. Internet access service as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120;
  2. Interpersonal communications service; and
  3. Services consisting wholly or mainly in the conveyance of signals such as transmission services for the provision of machine-to-machine services and for broadcasting.
The services mentioned in point c of Article 2 no. 4, do not concern human use of electronic communications services, consequently they are not relevant to data retention rules. This leaves internet access services and interpersonal communications services as the remit of such rules. For a service to qualify, it must “normally [be] provided for remuneration.” The definition does not explicitly require the service to be publicly available.

5.1.3.2 Internet access service

“Internet access service” means:
a publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology or terminal equipment used (cf. e-kodex Directive Article 2 no. 4 point a, referring to Regulation 2015/2120/EU Art. 2 second para., point 2).
This definition requires the service to be “publicly available” and provide “access to the internet.” In addition, following from the general part of Article 2 no. 4, it must “normally [be] provided for remuneration.”
Access to the internet requires an IP-address. For a person to access the internet, s/he must either dispose an IP-address or make use of an internet connection provided by someone disposing an IP-address. An IP-address is a unique number representing the endpoint of an internet connection.  IP-addresses are a limited resource, globally managed by Internet Assigned Numbers Authority (“IANA”). A regionalized system allocates “pools” of IP-addresses to providers, who are then in position to assign IP-addresses to users. The provider may be deemed to be a first level gatekeeper to the internet. A pool of IP-addresses may be split between IP-addresses that are assigned to the same users over time, and IP-addresses assigned to users only when they go online. The latter are withdrawn once users log off. Back in the pool the IP-addresses are available for reassignment to other users. The former are known as “static” IP-addresses, the latter as “dynamic” IP-addresses. There is no qualitative difference between static and dynamic IP-addresses, the classification depends entirely on the provider’s decision about how to manage the pool. Usually, large organisations are assigned static IP-addresses, while private users go online based on dynamically assigned IP-addresses.
An IP-address identifies the communications equipment involved in an internet connection. The provider may have data that identify the owner of the communications equipment. This is certainly the case for static IP-addresses, which thus may be regarded as the internet equivalent to telephone numbers. It could also be the case for dynamic IP-addresses, depending on the set-up. However, as a dynamic IP-address may be reassigned to a new user once freed up from the former, a specific point in time must also be provided (by the police) for the gatekeeper to determine whose communications equipment was in use for the relevant session. Naturally, the possibility to identify the user also requires that the provider keeps a record showing the periods the IP-address was in use and by whom.
A user disposing a static IP-address may share it to enable others to go online. This is something to be seen among users such as universities, private and public corporations and institutions wishing to provide internet to staff and clients. Sharing of an IP-address may be facilitated through a so-called NAT-system (Network Address Translation), which may also be a service of the provider, then known as Carrier-Grade NAT (CGNAT).
Pursuant to the e-kodex Directive “access to number translation” is an “access service”, which then may form part of an internet access service (Article 2 no. 27 read in conjunction with no. 4 point a).
 From the outside, only a single IP-address is observable. The NAT-system however keeps track of internal use of the IP-address, by logging the port number of the computer equipment used to go online by the internal user, and the time it was used. Based on data about time and port number, the computer equipment used in a specific internet session fronted by a static IP-address shared among many users, may thus be identified. In a criminal investigation identification of the communications equipment involved in a specific session, is an important step towards identifying the person who made use of the internet connection at a specific point in time.
Assigning IP-addresses to users is not sufficient per se to fall under the scope of the definition of internet access service. In addition, the definition requires the service to be “publicly available” and “normally provided for remuneration.” On national level the condition “normally provided for remuneration” is found variously in the definition of “electronic communications service” and “provider”. The condition is included in the definition of “electronic communications service” in NECA § 1-5 no. 3, and SECA 1:7, and in the definition of “provider” in DECA § 2 no. 2 (“for a commercial purpose”). It should also be noticed that the condition “normally provided for remuneration” is not uniformly interpreted in the Nordic countries. For instance, in Denmark, hotels and restaurants may have an obligation to retain, while the opposite is the case in Norway. The legal provisions however do not contain words indicating this difference. That said, a natural or legal person who offers a service that fulfils the conditions as interpreted in national law, is an “internet access provider” within the meaning of that law.

5.1.3.3 Internet access offered by other actors

As noted, a person may go online with an IP-address assigned to a different user, as do for instance children using parents’ internet. There are however professional actors who offer their own internet access as a service to others. Such actors may be deemed to be second level gatekeepers to the internet. Some examples illustrate that the motives for offering the service may vary considerably. For instance, the user could be an employer (e.g., a corporation or a public organisation offering internet to the employees), a caretaker (e.g., private or public hospitals, and other public institutions offering internet to patients and clients), a provider of research and education (e.g., universities and schools providing internet to researchers, students and pupils); the internet could be offered for a commercial purpose (e.g., restaurants and hotels offering internet to guests/​clients), or, simply to meet general expectations about internet access (e.g., trains or airports offering internet to travellers).
It varies whether such services are subject to national data retention rules. Seemingly, the issue is sometimes framed as a question concerning interpretation of the criteria “publicly available” and “normally provided for remuneration”. At the outset, “publicly available” could be interpreted as requiring the group of users not to be delimited in advance, in other words to be available to anyone competent to request the service and agree to the terms. The question is how strictly this should be understood. In the abovementioned examples the service is reserved for employees, guests, or clients. While the number of employees may be fixed and regarded as delimited in advance, the number of guests and clients are in principle open-ended, entailing that a service offered to them could be deemed as publicly available. Danish rules thus encompass internet “hot spots” offered by restaurants and hotels. This is the case despite that restaurants and hotels are not first level gatekeepers to the internet, but users of an IP-address assigned to them from such a gatekeeper. It appears that in the Danish view, internet “hot spot” is a “publicly available” service, and the preparatory works explicitly declares that the service also fulfils the condition “to be provided for remuneration.” The rationale is that the service makes the hotel/​restaurant more attractive in the competition for customers, thus is commercially motivated.
LFF-2021, Gen. Comm. Ch. 3.1.1.2 p. 12.
 The Norwegian position is the opposite, concluding that “hot spot” internet service provided by hotels and restaurants are “private networks” not provided for remuneration.
Prop. 167 L (2020-2021), Ch. 8.1.4.
The crucial question is whether an internet access service provided by a second level gatekeeper is an electronic communications service within the meaning of the Directive. The approach of the Nordic countries to this question seems to vary, perhaps the question has not been raised per se. It also varies whether data retention rules refer to “electronic communications services” or “providers.” This matters, because – as previously noted – a “user” may also be a “provider” of an electronic communications service. “Provider” is not a defined term pursuant to the e-kodex Directive Article 2. “User” however, is a person “using … a publicly available electronic communications service” (Article 2 no. 13). “User” shall be distinguished from “end-user”, i.e., a person “not providing … publicly available electronic communications services” (Article 2 no. 14). An end-user is thus a user, and a user as opposed to an end-user, may provide an electronic communications service, for instance access to the internet. Second level gatekeepers may thus provide an “internet access service” within the meaning of the Directive.
The problem of determining the perimeter of the scope of national data retention rules, is important to the police, as exclusion of users providing internet “hot spots” to large groups of people from the remit of these rules, reduces the possibility to track down perpetrators based on data generated by their access to the internet. The concern also relates to large users/providers providing the service for a non-commercial purpose, such as libraries and universities. Just like hotels and restaurants, the number of clients is in principle open-ended, the difference being that the service is a part of the infrastructure necessary for the organisation to fulfil its mandate, as opposed to a commercially motivated add-on service. A commercial motive (if any) is therefore not clearly visible. However, the condition “for remuneration” is not absolute (indicated by “normally”), and this prompts the question whether such users could and should be imposed an obligation to retain data. To address this question is beyond the scope of this study.
To conclude, it is not always clear whether the remit of national data retention rules concerning internet access is determined according to formal considerations grounded in the definitions provided on EU level, or by proportionality considerations stemming from a human rights perspective (cf. the e-Privacy Directive Article 15). The rationale of the rules would be more accessible if the perimeter set by EU e-com regulation was determined first, then supplemented with proportionality considerations that could entail and explain a narrower scope.

5.1.3.4 Interpersonal communications services

“Interpersonal communications service” means:
a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service (e-kodex Directive Article 2 no. 5)
Interpersonal communications services may be number-based or number-independent. Number-based services connect or enable communication with “publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans” (e-kodex Directive Article 2 no. 6). Fixed and mobile telephone services fall into this category.
As indicated by the term itself, “number-independent interpersonal communications services” (“NI-ICS”) are not connected to national or international numbering plans (e-kodex Directive Art. 2 no. 7). They are typically internet-based, thus in a certain sense number-based, as the IP-packets transmitted over the internet contain source and destination numbers (IP-addresses). NI-ICS and internet access service are different electronic communications services. NI-ICS may provide real-time audio/video communication, chat and other forms of messaging. Services such as Messenger, WhatsApp, Signal, Telegram, Snapchat, FaceTime, Discord, Slack, Viber, Google Messages, Kik Messages, Line and Skype are NI-ICS. Use of NI-ICS is ever more common, privately and professionally, gradually overtaking telephony.
By including NI-ICS, the definition of electronic communications service set out in the Directive, is broader than the definition set out in the e-com regulation it replaced. It varies whether the Nordic data retention rules include data related to use of NI-ICS. 

5.2 Access to subscriber data

Telephone numbers and IP-addresses (including port numbers and point in time) identify the communications equipment. From a police perspective it is important also to know the identity of the owner of the communications equipment. Although it might not be the owner who used the equipment at the critical moment, access to the owner opens possibility to ascertain the concrete circumstances in this regard. The questions are, firstly, whether national law requires providers to know the identity of their users, and secondly, whether the police may access the data.

5.2.1 Denmark

With respect to telephony, Danish law provides a system for “targeted person-oriented registration and storage of traffic data” the purpose of which is “to the widest extent possible” perform unambiguous identification of the user/​end user of a specific electronic communications device.
LFF-2021, Spec. Comm. to rpl. 786 h, p. 97.
 Numbering data concerning fixed and mobile telephony are stored in a publicly available directory known as the “118 database.” An end-user may reserve her data from being retrievable from the 118 database (DECA § 31 fourth para.). The police may still get access to the data, pursuant to DECA § 31 sixth para.
The preparatory works to the law revision in 2022 emphasise the importance of the quality of the 118 database. It is paramount to ensure that persons of interest in the fight against serious crime may be identified based on their telephone numbers/SIM cards, and that every telephone used by such a person may be identified. Conversely, one must avoid that data concern the wrong person.
LFF-2021, Spec. Comm. to rpl. 786 h, p. 97.
The Minister of Justice pursuant to negotiations with the Minster of Climate, Energy and Utilities, may lay down rules about registration and verification of “numbering data” (“nummeroplysningsdata”), cf. the Procedural Code (Retsplejeloven (rpl.)) § 786 h. This provision is placed in chapter 71 about interference with private communication in criminal investigations. The rules issued by the Minister may exclude the possibility to acquire and use anonymous tele cards.
LFF-2021, Gen. Comm. Ch. 3.4.2, p. 34-35.
 Numbering data are defined in DECA § 31 second para., as
data about subscriber numbers assigned to end-users, including name, address, job information, subscription number and the category of service for which the subscription number shall be used.
It is proposed to amend § 31 second para., also to include “end-users’ unique ID”.
Spec. Comm. p. 106, and 115. It is unclear if the amendment has become effective, it is not shown on elov.dk (15 September 2023).
The police may also gain access by an order with legal basis in rpl. § 804 b.
Spec. Comm. To § 804 b, p. 103.
 Thus the police may order a “provider” to disclose data identifying an end-user’s “access to electronic communications networks or -services.” The measure is available in a criminal investigation concerning an offence subject to public prosecution (“offentlig påtale”).
In addition, some special other offences are mentioned.
 Based on rpl. § 804 b, the end-user may be identified, and the reverse is possible, namely, to identify the telephone numbers an end-user has connected from his number, as well as the IMEI- and IMSI-number that have been connected to a telephone number.
P. 103.
 On the internet side the police may gain access to fixed IP-addresses and e-mail addresses. Dynamic IP-addresses and port numbers cannot be accessed with basis in this provision, instead rpl. § 804 (edition) apply.
P. 103. See also this Report Section 6.6.

5.2.2 Finland

The police may request subscriber data directly from the provider. This is considered necessary to perform the duties under the Police Act etc.
E-mail 11. August 2023.

5.2.3 Iceland

...

5.2.4 Norway

Telephone numbers are stored in a publicly available database, however subscribers may reserve their data from being included. Unlisted numbers and identity data are protected by the duty of confidentiality set out in NECA § 2-9. Still the police and the prosecuting authority may gain access to unlisted telephone numbers, other subscription information, and electronic communication addresses (including e-mail addresses), cf. § 2-9 third and fourth para. IP-addresses are retained data pursuant to NECA § 2-8 a, and must be accessed pursuant to the procedure set out in § 2-8 b. This procedure however largely corresponds to the one laid down in § 2-9 third and fourth para.
The provider shall comply with the request unless “special circumstances make it undesirable.” The circumstances must concern issues internal to the provider (e.g., uncertainty causing risk of confusion with another person). The provider shall not review the necessity of the data to the police. The request may concern any purpose within the mandate of the police/prosecution. It follows that access to the data may be obtained also for tasks other than criminal investigation. Finally, the provision also provides for data to be handed out to “another authority” “pursuant to law”. This is provided for with respect to owners of intellectual property rights as per the Copyright Act § 87.
Act of 15 June 2018 no. 40 (Åndsverkloven).

5.2.5 Sweden

Pursuant to SECA 9:24-25 providers of prepaid electronic communications services may not activate the service without first having registered the subscriber’s name and address, unique ID and the ID of the agreement related to electronic communications service. Government regulation (2022:51) 9:11 authorises the Postal and Telecom Authority to lay down rules about identity control.
SECA 9:33 first para., no. 2 sets out that “data about a subscription agreement” (as per § 31 first para., no. 1) shall be made available pursuant to requests concerning “criminal activity or suspicion about a crime.” The request may be put forward by the Economic Crime Authority (Ekobrottsmyndigheten), the Police (Polismyndigheten), the Police Security Service (Säkerhetspolisen), the Customs Authority (Tullverket), the Prosecuting Authority (Åklagarmyndigheten), or «any other authority tasked with such intervention.”
The obligation to disclose data concern providers of “electronic communications networks or -services”. NI-ICS are not included.

5.3 Expedited data preservation and partial disclosure of data

5.3.1 Denmark

The police may order “providers” (“udbydere”) to perform expedited preservation of “electronic data” (rpl. § 786 a). An order may be issued if “electronic evidence material (elektronisk bevismateriale) may be of importance” (af betydning) to the investigation. The investigation must concern an offence that qualify for teleoplysning, a coercive measure further explained in Section 5.4.6. By specifically mentioning “providers” the provision seems not to open for use of preservation order against other actors, even if they might be in possession of data important to the investigation. This is different from the rules for instance in Norway and Sweden.
The order must specify the data to be preserved. It may only concern data existing at the time when the order is served and must not exceed the amount of data necessary for the purpose. The preservation period must be as short as possible not exceeding 90 days, with a possibility for renewal.
Preserved “traffic and location data” may be collected by the police under a production order (edition) pursuant to rpl. § 804 a. The condition is that the investigation concerns an offence that could give basis for teleoplysning (see Section 5.4.6). Rpl. § 804 a is further explained in Section 6.6.
Pursuant to rpl. § 786 a third para., “providers of electronic communication networks or -services” shall upon request, as part of the preservation of data, without undue delay disclose source and destination data of a communication. The obligation to preserve and disclose data is criminally sanctioned (rpl. § 786 a fourth para.).

5.3.2 Finland

Preservation order is regulated in the Coercive Measures Act (Tvångsmeddellagen (tvml.)) 8:24-26.
A preservation order may be issued by a police officer “entitled to perform arrest.” The order may be issued “prior to a search of equipment” if there is “reason to believe that data that may be relevant to the investigation get lost or altered.” The order may also apply to data “likely to arrive in the device or information system during the month following the order.” The possibility to order preservation of future data sets the Finnish provisions apart from the data preservation rules of the other Nordic countries, which are limited to concern data existing when the order is served on the provider.
The order may also comprise data related to an electronic message, its source, destination, route and size, and the time and duration of the communications and similar data (traffic data). If the transmission of a message involves several providers, the pre-trial authority is entitled to get sufficient data to identify them. A preservation order may be issued for 3 months at a time (§ 25). It may be renewed if necessary for the investigation. It shall be terminated once preservation of the data is no longer necessary.  The provider or possessor of the data shall keep the preservation order confidential (§ 26).
Access to preserved data follows the procedure applicable to teleövervakning, tvml. Ch. 10.
E-mail 4 August 2023. Se furthermore Section 5.4.2 about teleövervakning.

5.3.3 Iceland
E-mail 28 August 2023.

The Code of Criminal Procedure Article 92, paragraph 3, states that the police can demand expedited data preservation.
For the purpose of the investigation of the case, the police are authorised to instruct an electronic communications undertaking (i.e., an e-com provider) to immediately save digital data, including traffic data related to electronic communications. Police instructions may only apply to data that already exists. The instructions shall state which data shall be saved and the duration for which it should be preserved, which may, however, not be longer than 90 days.

5.3.4 Norway

In the investigation of a crime, the public prosecutor may order the possessor to perform expedited preservation of electronic data (sikringspålegg), and partial disclosure of traffic data (strpl. § 215 a). Concerning an order served on a provider of an electronic communications network or -service, it is also required that there is “reason to believe that a crime has been committed.” The preservation period must “not be longer than necessary” and not exceed 90 days. If the order is issued upon the request of another state the period shall be at least 60 days.
Upon request the provider shall disclose “the traffic data necessary to trace the source of the data comprised by the order, and in case they have been sent, their destination.”
A suspect shall be notified once the data are preserved, and procedural status as criminally charged is achieved. In practice this may entail that notification is given first when use of secret coercive measures is terminated.
Access to preserved data related to electronic communications may be obtained in secret pursuant to strpl. § 216 b (see Section 5.4.4), alternatively with notification to the person whose data are targeted pursuant to strpl. § 210 (production order/​utleveringspålegg). In the latter case it suffices that the data are assumed to be relevant as evidence. Notification may be postponed for 8 weeks with possibility for extension, cf., strpl. § 210 a, provided the investigation concerns an offence with a prescribed maximum penalty of imprisonment for at least 6 months, and notification is assumed to be seriously detrimental to the investigation. 

5.3.5 Sweden

Pursuant to the Procedural Code (Rättegångsbalken (“RB”)) 27:16 – 16 a, the leader of the criminal investigation or the public prosecutor may order “a person in possession of specific electronic data” to preserve the data (bevarandeföreläggande). The phrase “a person in possession…” shows that the measure is not limited solely to concern providers of electronic communications services.
The order must specify the preservation period which must “not be longer than necessary” and not exceed 90 days. Provided there are “special reasons” the preservation period may be renewed with another 90 days as a maximum. The possessor may be instructed to keep the preservation of data confidential. Access may be obtained pursuant to the provisions about seizure (RB 27:1 ff.). 
An obligation to disclose traffic data showing the providers involved in the transmission of a preserved electronic message, is laid down in SECA 9:33 fifth paragraph. Naturally, the obligation is limited to concern providers of electronic communications services.

5.4 Secret coercive measures interfering with private communication

5.4.1 Introduction – the criminality condition

It follows from the very purpose of data retention rules that they are closely related to secret coercive measures targeting use of electronic communications services. Such measures may be applied in the investigation of serious crime, as well as (depending on national law), intelligence activities conducted outside the scope of a criminal investigation, and police interventions to protect national security. Legal basis for police use of such measures is provided in the national (Criminal) Procedural Codes and related acts, including e.g., the Finnish Coercive Measures Act (Tvångsmedellågen “tvml.”), the Swedish Electronic Intelligence Act (“EIA”), and the Norwegian Police Act. All Nordic countries apply a criminality condition of “serious crime” as legal threshold for the application of secret coercive measures targeting electronic communication, and for granting access to retained data.  This section provides an overview of the criminality condition applicable to the secret collection of data related to electronic communications, as context for the description of the national data retention rules set out in Sections 6 to 10.
The ordinary structure of this report is to follow alphabetical order, placing Denmark first and Sweden last. In this section however, Denmark comes last so to be placed in close proximity to Section 6, where the Danish data retention rules are presented first. The Danish approach to data retention rules stands out from the others, by fully integrating them into the comprehensive set of procedural rules whereby the police may interfere with private communication for the purpose of investigating crime or protecting national security. Because of this integration, the Danish criminal procedural rules in explained in more detail than the others.

5.4.2 Finland

Secret coercive surveillance (teleövervakning) is regulated in the Coercive Measures Act (Tvångsmeddellagen (tvml.)) 10:6 ff. The measure concerns data related to electronic communication (förmedlingsuppgifter), processed by a “communication mediator” (kommunikationsförmedlare), i.e., a tele corporation transmitting electronic communications for purposes that are not personal.
Defined in FECA § 3 no. 36.
 “Tele corporation” (teleföretag) means “anyone providing net services or communications services to a group of users not delimited in advance, i.e., operating a public tele service.”
FECA § 3 no. 27.
Put differently, the relevant subject is a commercial provider of a publicly available electronic communications services.
The data must relate to a “user”, i.e. “a physical person who, in the role as subscriber or otherwise, uses electronic communications services or VAS”
FECA § 3 no. 7. “VAS” means Value Added Service (see FECA § 3 no. 10).
 or a “subscriber”, i.e., a legal or physical person […] who has entered into an agreement with a tele corporation about use of the services.
FECA § 3 no. 30.

The criminality condition:

Teleövervakning may be applied in the investigation of the following offences (10:6 second para.):
    1. An offence for which the prescribed maximum penalty is imprisonment for at least 4 years;
    2. an offence committed using a telecommunications address or telecommunications terminal equipment for which the prescribed maximum penalty is imprisonment for at least 2 years;
    3. unlawful use of a computer system committed using a telecommunications address or telecommunications terminal equipment;
    4. exploitation of a person who is the subject of sex trafficking, luring of children for sexual purposes or pandering;
    5. drug offences;
    6. preparation for an offence committed for terrorist purposes, participation in training for a terrorist offence, travelling for the purpose of committing a terrorist offence, promoting travel for the purpose of committing a terrorist offence or public provocation related to terrorist offences;
    7. aggravated customs accounting offence;
    8. gross concealment of illegal proceeds (olagligt byte);
    9. preparation for hostage-taking; or
    10. preparation for aggravatedrobbery.     

    5.4.3 Iceland

    ...

    5.4.4 Norway

    Use of coercive measures is regulated in Part Four of the Criminal Procedural Code (Straffeprosessloven (“strpl.)), where rules concerning secret collection of data related to use of electronic communication services are laid down in Chapter 16 a.
    Pursuant to strpl. § 216 b second para., point d, a provider of an electronic communications network or -service may be compelled to provide data to the police that
    disclose the communication equipment that within a specific period will be or has been in connection with communications equipment possessed by the suspect or the suspect is assumed to be using, and other data related to communication, and the geographical position of such communications equipment.

    The criminality condition:

    The investigation must concern an offence with a prescribed maximum penalty of imprisonment for at least 5 years (strpl. § 216 b first para., point a) or an offence mentioned in point b of the said provision (offences with lower level of punishment).
    Such data may also be provided to the Police Security Service for preventative purposes when there is “reason to investigate whether anyone is preparing” a crime against national security, a terrorist act or the like, cf. the Police Act § 17 d. 

    5.4.5 Sweden

    Use of coercive measures is regulated in the Procedural Code (Rättegångdsbalk (RB)) Chapter 27. The provision RB 27:19 (in force from 1 October 2023) provides legal basis for “secret surveillance”, i.e., secret collection of
      1. data related to electronic messages
        If “messages” (meddelanden) shall be interpreted to have the meaning used in SECA, the meaning is “electronic communication”, see the comment made in this regard in Section 10.2.
         under transmission or that have been transmitted to or from a telephone number or other address,
      2. data disclosing the electronic communications equipment that have been present in a specific geographic area, or
      3. data disclosing in which geographic area a specific electronic communications equipment is or has been located.
      Pursuant to RB 27:19 a (in force 1 October 2023) the data may be secretly collected by the police in the investigation of an offence (including attempt and preparatory acts),
      • punishable with imprisonment for a minimum period of 6 months or more,
        Swedish criminal law sets out minimum penalties in the criminal provisions. This differs from the other Nordic countries which specify the maximum penalty that might be incurred.
      • other offences as specified (hacking, child sexual abuse material, drugs), and
      • offences that may incur secret interception of electronic communication pursuant to RB 27:18 a second para. (offences with lower level of punishment).  
      Secret surveillance may be applied also for intelligence purposes of the Police Authority, the Police Security Service, and the Customs Authority, pursuant to the Electronic Intelligence Act (2012:278) (“EIA”). The purpose must be to prevent, avert or detect an offence with a maximum prescribed penalty of imprisonment for at least 2 years (and some other offences as specified in EIA § 2).

      5.4.6 Denmark

      Provisions of secret collection of data related to electronic communication are set out in the Procedural Code (Retsplejeloven (“rpl.”)) Chapter 71 “Interferences with private communication” § 780 first para., no. 3 (collection of data related to electronic communication (teleoplysning)) and no. 4 (extended collection of traffic data, i.e., traffic data from cell masts in a geographical area (udvidet teleoplysning)). Conditions, procedure, and safeguards are set out in rpl. §§ 782 to 786.

      Re: Conditions (rpl. § 781 first para. no. 1 to 3):

      No. 1: There must be “specific reasons” (“bestemte grunde”) to assume that messages are submitted to or from the suspect by use of the electronic communications service identified by the police.
      No. 2: The measure must be deemed to be “of crucial importance” (“af afgørende betydning”) to the investigation.

      No. 3: The criminality condition: 

      The criminality condition for teleoplysning and udvidet teleoplysning is set out in rpl. § 781 a in conjunction with rpl. § 781 first para., no. 3. Access to “traffic and location data” (rpl. § 781 a) may thus be obtained provided the investigation concerns an offence with a prescribed maximum penalty of imprisonment for at least 3 years. The general criminality condition of 3 years is supplemented with a list of offences with a lower level of punishment (rpl. § 781 first para., no. 3) and offences comprised by § 81 a of the Criminal Code (rpl. § 781 a).
      • Rpl. § 781 first para., no. 3 mentions the following offences of the Criminal Code:
        The list in rpl. § 781 first para., no. 3, includes § 233 first para. (rufferi). This offence is excluded from the list set out here, as its prescribed maximum level of punishment is imprisonment for at least 4 years, thus exceeding the general condition applicable to udvided / teleoplysing.
        • Chapter 12 or 13 (offences against the Constitution and higher central state authorities, terrorism etc.),
        • § 124 second para., (assisting the escape of a detained person),
        • § 125 (assisting a criminal to evade prosecution / obstruction of justice),
        • § 127 first para., (evasion of military service),
        • § 235 (distribution, possession, and acquisition of child sexual abuse material),
        • § 266 (threats suitable to provoke serious fear of one’s life, health etc.),
        • § 281 (extortion),
        • offences set out in the Foreigners Act § 59, eight para., no. 1 to 5 (assistance to unlawful immigration and residence, Denmark as destination or point of transit to a third country).
      • In addition, there are the offences included in the list set out in § 81 a of the Criminal Code (rpl. § 781 a). Concerning the offences on that list, § 81 a determines that the level of punishment may be increased up to a maximum of twice the level set out in the criminal provision, provided the crime originates from or is suitable to spark a conflict between groups, who as measures in the conflict, avail themselves of weapons, explosives etc., which due to their particularly dangerous features are suitable to cause substantial harm, or arson is committed.
      Finally, pursuant to rpl. § 781 second and third para., teleoplysning may also be performed in the investigation of hacking, stalking and breach of a contact restraint order, computer fraud, and unlawful use of a computer system performed by use of an electronic communications service, and offences related to certain EU regulations.
      A general proportionality condition is set out in rpl. § 782.

      Re: Procedure and safeguards:

      Decision of teleoplysning and udvidet teleoplysning shall be made by the court (a decision supported by reasons (kendelse)) (rpl. § 783). The decision shall specify the communication number, location etc., and must determine the period for which the interference may be applied. The period must be “as short as possible, not exceeding 4 weeks”, though with a possibility for renewal, which also must be decided by the court (rpl. § 783 third para.). The police may make the decision should the purpose otherwise be compromised. A court review must be obtained within 24 hours (rpl. § 783 fifth para.).
      A secret defence lawyer shall be appointed (rpl. § 784). The lawyer has a right to be present at court meetings regarding the case and have access to the case documents (rpl. § 785).
      E-com providers have an obligation to assist the police in carrying out the coercive measure (rpl. § 786).
      Nordic Council of Ministers I www.norden.org/publications I pub@norden.org