One of Sweden's ISPs is facing a SEK 5m ($685m) fine if it doesn't resume storing data on its users.
With the backing of a Swedish administrative court ruling this month, the Swedish Post and Telecom Authority (PTS) has ordered the ISP Bahnhof to resume storing its customer metadata for the mandatory six-month period or face a hefty fine.
The ISP and hosting provider is now the last operator in Sweden still holding out against local data retention requirements that appeared set to vanish after the European Court of Justice this April declared the EU directive invalid. The court found the data retention directive interfered with Europeans' fundamental right to privacy and undermined the protection of personal data.
Shortly after the ECJ's decision, and under pressure from operators to clarify whether or not retention was still mandatory in the country, PTS essentially gave ISPs the all clear to stop holding the data: the law was still in place but PTS wouldn't enforce it.
Bahnhof, a vocal opponent of data retention, stopped retaining data before PTS gave its tacit approval. After the regulator issued its statement, the rest of the industry followed suit, including Sweden's largest telco Telia, as well as Tele2, Three, and ComHem.
But the pause on data retention in Sweden was to be brief. Sweden's then justice minister Beatrice Ask subsequently tasked a special investigator with assessing whether Sweden's version of data retention broke its obligations to the European Convention on the Protection of Human Rights and Fundamental Freedoms. In June, the investigator's assessment was that it didn't. PTS concurrently conducted its own analysis and, in a U-turn on its earlier advice, came to the same conclusion as Ask's investigator.
Sweden's efforts to uphold its existing law follow lengthy delays to the first version of the law, which prompted the ECJ to issue a €3m fine last year. Sweden's also not alone in attempting to uphold data retention following the April ruling. The UK introduced a new data retention law in July in order to prevent UK ISPs from stopping gathering data on their users.
So, with the view that enforcement of Sweden's data retention law was legal in the EU framework, PTS in June ordered the operator Tele2 to resume data retention. Tele2 complied with the order while appealing the decision at a Swedish administrative court but lost its case earlier this month.
Telia resumed collecting data after the Tele2 ruling, according to a PTS spokesman. Meanwhile ComHem has resumed retention after an order from the regulator this month. Bahnhof on the other hand has resisted on multiple occasions, which explains the unusual threat of a fine. However, the penalty is a distant prospect, since PTS would have to gain separate court approval to issue the fine.
In a statement on Monday, Bahnhof's CEO Jon Karlung said the company would appeal PTS' order and in any case had a "plan B" up its sleeve to protect customers against mass surveillance.
The details of plan B for Bahnhof's 130,000 customers haven't been revealed because the company is still working out details. Though it wouldn't be the workaround Bahnhof's suggested. In 2011, ahead of Sweden transposing the EU directive, Karlung announced he would run all customer traffic through an encrypted VPN, with the idea that if it didn't log anything there'd be nothing to store or hand over to law enforcement. Customers that did want their data to be retained would face a fee of $8 a month.
But if Bahnhof wants to escape ongoing pressure from PTS, its biggest hope is pushing the question over Sweden's law up to the EU again. To that end, Karlung and others are raising awareness of Swedish data retention laws under the 5th of July Foundation campaign.
"The court must turn to the EU. There is no shortcut for us to use. If none of the lower courts turn to the EU and ask for guidance we must go all the way. We must go the same way as Tele2 and then higher and higher," said a Bahnhof spokesman.