CLFR - Sweden

Monday, January 8, 2018 - 12:36

PROVISION OF REAL-TIME LAWFUL INTERCEPTION ASSISTANCE

ELECTRONIC COMMUNICATIONS ACT 2003 (2003:389) (LAG (2003:389) OM ELEKTRONISK KOMMUNIKATION) (THE “ECA”)

According to chapter 6, section 17, it is prohibited to intercept content data or monitor metadata associated with an electronic message.

However, under chapter 6, sections 19 and 21, network operators and service providers are subject to obligations to:

  • conduct their business, and adapt and construct their network, in a manner that enables the execution of court orders for secret interception of electronic communications messages; and
  • conduct their business in a manner that enables the execution of such court orders for secret interception without disclosure of such interceptions.

The content of an intercepted message must be made available in a form that can be easily processed by the government agency requesting the interception.

Chapter 6, section 19(a), requires network operators and service providers that own cables through which electronic signals are transmitted over the Swedish border, to transmit such signals to certain interaction points chosen by the network operator or service provider. The network operator or service provider must notify the National Defence Radio Establishment (Försvarets radioanstalt) (the “NDRE”) of the location of the interaction points. This serves the purpose of allowing the Inspection of Defence Intelligence (the “IDI”) to gain technical access to the electronic signals at the interaction points, in accordance with the Defence Signals Intelligence Act (2008:717) (lag (2008:717) om signalspaning i försvarsunderrättelseverksamhet) (the “DSIA”).The IDI then transmits some of the signals on to the NDRE, in accordance with the DSIA.

In accordance with sections 5, 5(a) and 12 DSIA, the NDRE must present a court order from the Defence Intelligence Court mandating the monitoring of the electronic signals in question. The IDI does not, however, need to present a court order to require access to all the electronic signals passing through the interaction points. Consequently, the relevant network operator or service provider is obliged to give the IDI access to the cable based electronic signals that pass through an interaction point, without court orders or warrants.

The NDRE is responsible for the actual construction of the interaction point, as well as for securing technical access to the signals at the interaction point and further transmitting them to its own systems. While the network operator or service provider is obliged to bear the costs associated with the transmission of the signals to the interaction point, the NDRE bears the costs associated with the operation of the interaction point.

These requirements fall under the remit of defence intelligence conducted to support the Swedish foreign, security and defence policies and for mapping external threats to the country.

Chapter 6, section 19(a) also obliges any network operator or service provider that carries signals over the Swedish borders through cables to disclose to the NDRE any information in its possession that makes it easier for the NDRE to manage and intercept the signals accessed at an interaction point, for example, the title, architecture, bandwidth, or direction of the connections and the type of signalling. The obligation applies to all network operators or service providers that carry cross-border signals, and not only to the network operators and service providers that own the cables. 

CODE (1942:740) OF JUDICIAL PROCEDURE (RÄTTEGÅNGSBALK (1942:740) (THE “CJP”)

Pursuant to chapter 27, section 21, the general obligation for network operators and service providers to provide interception assistance is qualified by the requirement that the requesting government agency obtains and presents a court order authorising interception. The request must be submitted to the competent court by a public prosecutor. According to chapter 27, section 18, a request for interception may only be granted in investigations relating to certain serious crimes. In this context, “serious crimes” include crimes for which the prescribed minimum penalty is imprisonment for two years or more, and offences such as sabotage, arson, espionage, and terrorism.

In addition, a court order will only be granted if the conditions set out in chapter 27, section 20 are fulfilled. Section 20 states that the use of interception must be of exceptional importance for the purpose of facilitating the criminal investigation in question.  The court order may only concern a particular number, address or the electronic communications equipment possessed by an individual who can reasonably be suspected of committing the crime under investigation.  It may concern another individual, if there are particular reasons to believe that they will be contacted by the suspect.

According to chapter 27, section 21(a), if the public prosecutor responsible for the investigation deems that awaiting the court order would result in a delay of material importance to the investigation, the public prosecutor may himself, without first obtaining a court order, render an interim order regarding secret interception. In such cases, the public prosecutor should inform the court of its decision following which the court must promptly evaluate the interim order. If the court does not find reasons to support the decision, it must revoke the earlier decision, in which case no information collected under the interim order may be used in the investigation, if such information is detrimental to the person concerned.

Under chapter 27, section 22, it is prohibited to intercept communications involving information entrusted to certain individuals in their professional capacity.  Such individuals are those who, according to chapter 36, section 5, are prohibited from disclosing information mentioned in the conversation. Examples of such individuals include advocates, physicians and freelance journalists, in relation to their sources.

DISCLOSURE OF COMMUNICATIONS DATA

ELECTRONIC COMMUNICATIONS ACT 2003 (2003:389) (LAG (2003:389) OM ELEKTRONISK KOMMUNIKATION) (THE “ECA”)

According to chapter 6, section 20, all data relating to customer communications, including metadata and content data, are confidential and may not be disclosed to anyone other than the participants of the relevant communication. 

However, according to chapter 6, section 22, confidentiality does not apply in the following situations, where the network operator or service provider must disclose:

  • customer subscription details, upon request from any government agency, where they are needed for serving a person in accordance with the Service of Process Act (2010:1932) (delgivningslag (2010:1932)), if it could be expected that the person sought to be served is hiding or if there otherwise are exceptional reasons for such disclosure;
  • customer subscription details, which relate to a suspected crime, upon request from the Public Prosecution Authority (Åklagarmyndigheten), the Police Authority (Polismyndigheten), the Swedish Security Service (Säkerhetspolisen) or any other government agency investigating a suspected crime;
  • customer subscription details relating to a customer and other information relating to a specific electronic message, including information about the geographic area in which the relevant communication equipment is or has been situated, upon request from the Police Authority. The Police Authority can only make such a request to assist in the search for a person who has gone missing in circumstances which suggest their life is in danger or that they are at serious risk of harm;
  • customer subscription details, upon request by the Enforcement Authority (Kronofogdemyndigheten), if needed in an enforcement process (meaning collection of debts or actions related to such enforcement) and the Enforcement Authority deems such information to be of material importance to the processing of a certain matter;
  • customer subscription details, upon request by the Tax Agency (Skatteverket), in the event such information is of material importance to the processing of any matter relating to the calculation of tax owed, payment of tax-related charges or any matter relating to correct registration of address or domicile in accordance with the National Registration Act (1991:481) (folkbokföringslag (1991:481));
  • customer subscription details, upon request from the Police Authority, if such information is needed for providing notification, obtaining information or identifying persons in relation to accidents or casualties, or when investigating such accidents or casualties, or when the Police Authority leave a person aged under 18 to the social services in accordance with section 12 of the Police Act (1984:387) (polislag (1984:387));
  • customer subscription details, upon request by the Police Authority or the Public Prosecution Authority, if such authority determines such information is necessary in order for the authority to be able to inform a guardian in accordance with Section 33, of the Act (1964:167) on Juvenile Criminals (lagen (1964:167) om särskilda bestämmelser om unga lagöverträdare); and
  • customer subscription details and other information relating to a specific electronic message, upon request by a regional emergency service centre (regional alarmeringscentral) in accordance with the Act (1981:1104) on Regional Emergency Service Centres (lagen (1981:1104) om verksamheten hos vissa regionala alarmeringscentraler).

A request under section 22 of the ECA does not require a court order or any particular decision by the relevant government agency.  This is in contrast to when requests are made pursuant to the Act on Collection of Data in Electronic Communication in the Crime Combatting Authorities’ Intelligence Services (as described below).

Under chapter 6, section 16(c) ECA, a government agency may only request metadata retained by a network operator or service provider under chapter 6, section 16(a), in the following situations:

  • a network operator or service provider must, upon request from the Public Prosecution Authority, the Police Authority, the Swedish Security Service or any other government agency, in connection with an investigation of a crime, disclose customer subscription details pursuant to chapter 6, section 22;
  • pursuant to a court order sought by a public prosecutor under chapter 27, section 21 CJP, network operators and service providers are, pursuant to Chapter 27, Section 19 CJP, required to disclose to the Police Authority, the Swedish Security Service or the Customs Agency (Tullverket) the following metadata (as detailed in the court order):
  • information on messages which have been transmitted across an electronic telecommunications network or which have been transmitted to or from a telephone number or other address;
  • what electronic communication devices that have been present within a certain geographic area; and
  • in what geographic area a certain electronic communication device is or has been present.

According to chapter 6, sections 16(a) to 16(f), a network operator or service provider must retain customer subscription details and other information relating to a certain electronic message, which are necessary to track and identify: the source of the communication; the ultimate destination of the communication; date, time and duration of the communication; type of communication; communication equipment; and localisation of mobile communication equipment at the commencement and end of the communication. Network operators and service providers are also obliged to retain data relating to failed calls or connections, in relation to which the network operator or service provider shall retain the data generated or processed.

The specific information which should be retained by the network operator or service provider is clarified further in sections 38 to 43, of the Ordinance (2003:396) on Electronic Communication (förordning (2003:396) om elektronisk kommunikation) (the “OEC”).  In addition, under section 44 OEC, the Swedish Post and Telecommunication Authority (Sw. Post- och telestyrelsen) (the “PTA”) may stipulate more detailed requirements relating to stored data.

The PTA, under exceptional circumstances, may also create exemptions from the obligation to retain data (chapter 6, section 16(b) ECA). In such event, the PTA will consult with the Public Prosecution Authority, the Police Authority and the Swedish Security Service (section 45 OEC).

According to chapter 6, section 16(d) ECA, data retained in accordance with chapter 6, section 16(a) ECA, must be retained for six months from the date the communication ended. After this period the network operator or service provider must permanently delete the retained data. 

It should be noted that chapter 6, sections 16(a) to 16(f), implement Directive 2006/24/EC of the European Parliament and of the Council (the “Data Retention Directive”), which on 8 April 2014 was declared invalid by the Court of Justice of the European Union. The validity of the data retention obligations of network operators and service providers described above has, as a consequence, been contested by certain network operators and service providers operating in Sweden. The validity of the Swedish implementation of the Data Retention Directive is currently being tried in Swedish courts.

On 13 October 2014, the Administrative Court of Stockholm held that the Swedish implementation of the Data Retention Directive is lawful and does not contravene any of the principles outlined by the European Court of Justice in its judgment. This judgment has been appealed and is being examined by the Administrative Court of Appeals in Stockholm. Hence, currently, the Swedish data retention obligations remain valid, but there is an uncertainty as to whether the obligations will remain in their present form. 

According to page 27 of the legislative preparatory works to the Telecommunications Act ((telelag) (1993:597) (replaced by the ECA) and (prop. 1995/96:180 – teleoperatörernas skyldigheter vid hemlig teleavlyssning och hemlig teleövervakning)),  the network operator or service provider’s obligations in relation to secret telecommunication interception and secret telecommunication supervision include a responsibility to decrypt data that has been encrypted by the network operator or service provider.  According to the subsequent legislative preparatory works (drafted in relation to the ECA), the legislator did not intend for a factual change in relation to these provisions, and therefore, the specific obligation to decrypt data is most likely still in force.

Moreover, although not a formal requirement, the opinion of the Swedish Security Service is that the information must be processed automatically and made available in a standardised form, namely ITS27, in order for the network operator or service provider to conform to the requirements in ECA.

CODE (1942:740) OF JUDICIAL PROCEDURE (RÄTTEGÅNGSBALK (1942:740) (THE “CJP”)

According to chapter 27, section 21(a), if the public prosecutor deems that awaiting the court order would result in a delay of material importance for the investigation, the public prosecutor may permit the disclosure of information. In such a scenario, the public prosecutor must inform the court of its decision, following which the court must promptly evaluate the interim order permitting the disclosure. If that the court does not find reasons to uphold the decision, it must revoke the decision, and no information collected under the initial interim order may be used in the investigation, if such information is detrimental to the person concerned.

ACT (2012:278) ON COLLECTION OF DATA IN ELECTRONIC COMMUNICATION IN THE CRIME COMBATTING AUTHORITIES’ INTELLIGENCE SERVICES (LAG (2012:278) OM INHÄMTNING AV UPPGIFTER OM ELEKTRONISK KOMMUNIKATION I DE BROTTSBEKÄMPANDE MYNDIGHETERNAS UNDERRÄTTELSEVERKSAMHET) (THE “IEUK”)

Following a decision from the Police Authority, the Swedish Security Service or the Customs Agency, made by a duly authorized representative (meaning the head of the agency or a person to which the head of the agency has delegated the right), a network operator or service provider must, in accordance with section 1, disclose the metadata outlined under chapter 27 of the CJP summarised in paragraph 2.1 (b) above. 

According to section 2, information may only be collected if:

  • the collection is of particular importance in order to prevent or discover criminal activities which involve any crime which is sanctioned with no less than two years imprisonment; and
  • the reasons for the collection outweigh the interests of the person in relation to which the measure is targeted. A court order will be required in accordance with chapter 27, section 21 CJP (as described above).

NATIONAL SECURITY AND EMERGENCY POWERS

ELECTRONIC COMMUNICATIONS ACT 2003 (2003:389) (LAG (2003:389) OM ELEKTRONISK KOMMUNIKATION) (THE “ECA”)

Under chapter 7, section 8 if a network operator or service provider does not fulfil its obligations under the ECA, and such breach severely threatens public order, national security or public health or could otherwise be deemed to cause severe economic or operational problems for the supplier or a user of electronic communication networks or services, then the Swedish Post and Telecommunication Authority  (the “PTA“) may, with immediate effect, order an injunction against the relevant network operator or service provider.

Such decision may be valid for a maximum of three months. If any correction measures are not taken by the network operator or service provider, the period may be extended by a further three months.

The PTA may also revoke a network operator or service provider’s authorisation to use a certain radio transmitter or to use radio transmitters within certain radio frequencies in its business.  It may change the terms and conditions of such authorisations.

In accordance with chapter 1, section 8, if Sweden is (or has recently been) at war or under the threat of war, or if there are extraordinary conditions that are caused by a war outside of Sweden, the government may issue regulations governing electronic communications networks and associated facilities and services, and other radio usage as necessary with regard to national defence or security in general. This may result in additional emergency powers for the relevant authorities.

PROPOSED SWEDISH GOVERNMENT OFFICIAL REPORT (SOU 2013:33 – EN MYNDIGHET FÖR ALARMERING) (THE “REPORT“)

The Report provides that certain government agencies will be able to send text messages alerting citizens in emergency situations. The Report defines which government agencies are to have the right and who is responsible for the costs they entail. 

Further legislative discussion

There are theoretical discussions indicating that the government, under exceptional circumstances (for instance severe threats against national security), would have the right to invoke a constitutional privilege of self-defence (konstitutionell nödrätt) that may entail a wider scope of governmental power than otherwise described in this report. In accordance with page 95 of the preparatory works (SOU 2003:32 – Vår beredskap efter den 11 september: betänkande), the right to act in emergency situations is covered by Chapter 1-12 of the Swedish Form of Government (Regeringsformen (1974:152)), where the parliament’s functions are delegated to the government. In situations where delegation powers under the aforementioned chapters do not exist, one option to act is through the constitutional privilege of self-defence. 

The constitutional privilege of self-defence has never been exercised, thus making it difficult to properly assess its scope in this context. It is, however, not unlikely that the government may take control of a network operator or service provider’s network if necessary to uphold national security.

CENSORSHIP RELATED POWERS

FREEDOM OF PRESS REGULATION (TRYCKFRIHETSFÖRORDNING (1949:105)) AND THE FREEDOM OF SPEECH CONSTITUTION (YTTRANDEFRIHETSGRUNDLAG (1991:1469))

Under the Freedom of Press Regulation and the Freedom of Speech Constitution, there is a prohibition against censorship. The right to express an opinion, without it being censored, is thus a constitutional right in Sweden. 

CODE (1942:740) OF JUDICIAL PROCEDURE (RÄTTEGÅNGSBALK (1942:740) (THE “CJP”)

As described above, under chapter 27, section 19, data may be secretly intercepted via real-time interception of electronic communications.

Government agencies have the right to prevent the customer communications detailed in this section (described above) from reaching its recipient in an investigation for offences such as hacking, child pornography and drug offences.

Government agencies also have the right to switch off a phone number in critical situations to prevent a suspect from connecting his or her accomplices or receiving warning calls.

ELECTRONIC COMMUNICATIONS ACT 2003 (2003:389) (LAG (2003:389) OM ELEKTRONISK KOMMUNIKATION) (THE “ECA”)

Under chapter 7, section 9, the Consumer Ombudsman (Konsumentombudsmannen) may order a network operator or service provider to prevent user access to a number whose digit structure lacks a geographical sense, if the marketing of the number or the service related to it is improper or if material information is omitted in the marketing material. This means that it may become impossible for users to reach the number or service.

Certain Internet Service Providers have entered into voluntary cooperation agreements with the Police Authority to block IP addresses that contain child pornography material. The content and scope of such agreements are confidential.

Moreover, an internet service provider has recently been sued for assisting an IP-infringement when refusing to block illegal streaming sites’ IP addresses. The outcome of this case should make it clearer whether or not a government agency may require a network operator or service provider to block IP addresses in certain circumstances.

OVERSIGHT OF THE USE OF THESE POWERS

JUDICIAL OVERSIGHT

Where a court order is required for interception or the collection of information pursuant to a court under chapter 27, section 21 CJP, the competent court and the relevant public prosecutor have a supervisory role in the use of these measures. 

THE SWEDISH POST AND TELECOMMUNICATION AUTHORITY (POST- OCH TELESTYRELSEN) (THE “PTA”)

The PTA generally supervises network operators’ and service providers’ compliance with their respective obligations.  According to chapter 7 of the ECA, the PTA is entitled to order a network operator or service provider to disclose information and documentation needed in order to ensure that the network operator or service provider complies with its obligations. Such order may be combined with a conditional fine. The PTA is also entitled to gain access to any facilities (excluding residences) where a network operator or service provider’s business is conducted in order to perform an audit. 

If the PTA deems that a network operator or service provider has breached its obligations, then the PTA may order the network operator or service provider to rectify its breach. Such order may be combined with a conditional fine.

INSPECTION OF DEFENCE INTELLIGENCE (THE “IDI”)

The IDI supervises the secret defence intelligence activities performed by the (National Defence Radio Establishment) (the “NDRE“), for instance by only permitting the NDRE to intercept signals which are covered by a court order from the Defence Intelligence Court (Försvarsunderrättelsedomstolen).

COMMISSION ON SECURITY AND INTEGRITY PROTECTION (SÄKERHETS- OCH INTEGRITETSSKYDDSNÄMNDEN) (THE “SIN”)

All decisions on the collection of data under the Act on Collection of Data in Electronic Communication in the crime combatting Authorities Intelligence Services (“IEUK“) shall be communicated to SIN, which supervises the relevant government agencies’ compliance with the IEUK.

PUBLICATION OF LAWS AND AGGREGATE DATA RELATING TO LAWFUL INTERCEPT AND COMMUNICATIONS DATA REQUESTS

RESTRICTIONS ON NETWORK OPERATORS AND SERVICE PROVIDERS

PUBLICITY AND SECRECY ACT (OFFENTLIGHETS- OCH SEKRETESSLAGEN (2009:400)) (THE “PSA”)

Under the PSA, the government has the legal authority to prevent a network operator or service provider from publishing aggregate data relating to intercept requests or acquisitions of metadata when, for example, secrecy under a current investigation applies to the aggregate data and publication of the information may jeopardise or impair an investigation.  Confidentiality will apply to activities such as those which aim to prevent, detect, investigate or prosecute crime, conducted by prosecutors, the police and the Swedish Security Service among others.

Neither the public prosecutor nor the Police Authority need obtain any authority or court order for the information to be considered confidential.

Confidentiality may also apply to data relating to preliminary investigations in criminal cases or a matter relating to the use of coercive measures, if the purpose of the measures is undermined by disclosure, or if future operations may be damaged by disclosure.

The government does not have the legal authority to prevent a network operator or service provider from publishing descriptions of, or information relating to, the laws described in this report.

Aggregate data published by government agencies.       

The Public Prosecution Authority annually publishes a report of the use of secret surveillance-related laws which is available here: http://www.riksdagen.se/sv/Dokument-Lagar/Forslag/Propositioner-och-skri...

Law stated as at 19 January 2015.

This information was originally published in the Legal Overview to the Telenor Group report on Authority Requests for Access to Electronic Communication in May of 2015.