Stockholm Administrative Court orders ISP to provide customers’ details to Swedish police


Over time Swedish internet service provider (ISP) Bahnhof has dismissed several requests for disclosure of customers’ data, making it a matter of principle to protect the privacy of its users.

However, in 2016 Bahnhof received a request from the Swedish Post and Telecom Authority (PTS) to hand over details of its customers in a criminal matter.

Further to an appeal brought before the Stockholm Administrative Court and a ruling in favour of PTS, Bahnhof was forced to submit the details of its customers to the authority pursuant to Chapter 7, 5 § of the Swedish Electronic Communications Act (ECA) or risk paying an administrative fine of SEK 5 million.

The ISP chose to challenge the decision again following the decision of the Court of Justice of the European Union (CJEU) in Joined Cases C-203/15 and C-698/15 (Tele Sverige AB v Post- och telestyrelsen) (Tele2). There, it was held that national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers relating to all means of electronic communication is precluded in light of Articles 7 (respect for private life), 8 (protection of personal data) and 11 (freedom of expression and information) and Article 52(1) (proportionality) of the Charter of Fundamental Rights of the European Union.

Furthermore, the CJEU in Joined Cases C-293/12 and C-594/12 (Digital Rights Ireland) evaluated the compatibility of Directive 2006/24/EC (the Data Retention Directive, no longer in force) with Articles 7, 8 and 52(1) of the EU Charter and declared that directive invalid. According to the CJEU, the implementation of the Data Retention Directive could potentially interfere with the fundamental rights of EU citizens for an unspecified length of time. In this regard, the Directive should have been more specific about the conditions of data storage and the obligations of ISPs. Hence the Directive’s lack of guarantees as to how data would be kept, managed and accessed was found incompatible with fundamental rights.

In Bahnhof’s view Chapter 6, 22 § of the ECA (according to which an ISP is compelled to provide subscription details to police and other authorities), by not requiring that the information to be disclosed is in relation to a serious crime or of serious nature or subject to the control of an authority, would not meet the requirements laid down by the CJEU in those cases and would be therefore incompatible with EU law.

The judgment

With a judgment issued a few days ago the Stockholm Administrative Court held that it is not possible to conclude whether the ECA is incompatible with EU law on the basis of the decisions in Tele2 and Digital Rights Ireland. The Administrative Court then examined whether the conditions for disclosure are compliant with proportionality. In this regard, the need to access the information in question outbalanced the interference with personal integrity.

i) Is there an obligation to store?

The Stockholm Administrative Court first had to take a position on whether the data was stored on a voluntary basis or because there was an obligation to do so. This point was raised because PTS had argued that the Tele2 decision refers to an obligation to store data and is therefore not applicable in the present case. Bahnhof had, on the other hand, argued that Chapter 6, 22 § of the ECA is contrary to EU law following the Tele2 decision because the provision does not require the information to be of serious nature, or subject to scrutiny by a relevant authority, prior to being handed out to the police.

The Administrative Court stated that it does not matter if an obligation exists or not because the data is equally sensitive and hence deserving of the same scope of protection. According to the Administrative Court, it is not apparent from the CJEU’s statements in Tele2 whether they merely refer to data stored on the grounds of an obligation to do so or not. Nonetheless, data stored by an operator is integrity-sensitive and deserving of a high degree of protection, no matter if there exists an obligation or not. Accordingly, the Tele2 decision should not be interpreted in a way which limits its scope of application, but rather as encompassing all sorts of data, even if not stored on a voluntary basis.

The Administrative Court then went on to look at whether any criteria can be extracted from the Tele2 decision in light of Chapter 6, 22 § of the ECA.

Criteria for derogation under domestic law

According to Chapter 6, 22 § ECA, an ISP is obliged, upon request, to provide stored information to the police and other law enforcement authorities on suspicion of crime. The provision does not require that the information subject to disclosure relates to a serious crime or is of a serious nature, nor that it is checked by an authority prior to disclosure. The provision distinguishes between three categories of information, including information relating to users with a subscription. According to the preparatory works, information relating to IP addresses is understood to fall under the scope of a subscription.

Because the current case involved data regarding users with a subscription, the Administrative Court did not deem it correct to apply the criteria in the Tele2 decision. The CJEU in that case did not specifically acknowledge the issue of law enforcement agencies’ access to only a limited amount of data (i.e. information relating to subscriptions). In this regard, the Tele2 decision takes aim at a far more extensive amount of sensitive data (e.g. privacy-sensitive and localisation data), as opposed to merely data relating to user subscriptions. Hence, on the basis of EU case law it cannot be established that Chapter 6, 22 § ECA is in violation of EU law.

However, because disclosure of subscription information may interfere with personal integrity/respect for private life, the Administrative Court went on to examine whether a disclosure is proportionate.

Proportionality in light of personal integrity and individual security

In assessing whether the provision in Chapter 6, 22 § ECA complies with the requirement of proportionality, the Administrative Court held that consideration must be given to the fact that a state has a responsibility to protect individuals' privacy and personal integrity against interference. A prerequisite for the state to live up to the requirement of maintaining individual security is an efficient law enforcement strategy. In addition, subscription information may typically be regarded as less integrity-sensitive than traffic and location data.

By balancing the interest of efficient law enforcement on the one hand, and personal integrity on the other hand, the Administrative Court found that the need to access relevant data outweighs the need for personal integrity. Therefore, when considering the purpose of Chapter 6, 22 § ECA, it would not appear to exceed what may be considered proportionate in light of the EU Charter.

Thanks to Daniel Westman for his feedback and comments.