Sweden won't enforce data retention law against ISP that deleted metadata
The Swedish authorities won’t take action against an ISP that erased all retained communications metadata, even though there is still a law in place compelling providers to retain such data, the Swedish Post and Telecom Authority (PTS) said Friday.
Swedish ISP Bahnhof decided earlier this week to delete retained records and stop collecting data about its customers’ communications in the wake of a ruling from the Court of Justice of the European Union (CJEU).
On Tuesday, the court invalidated the EU’s Data Retention Directive that requires telecommunications and Internet providers to retain their customer’s location and traffic data for investigatory purposes. It found that the directive seriously interferes with fundamental privacy rights. Sweden, like other EU member states, has transposed the directive into national law.
As a result of the CJEU ruling, Bahnhof and other ISPs can stop collecting data and delete records without consequence because PTS stopped enforcing the law, a PTS spokesman said.
“This is a unique situation,” he said. With the EU Directive annulled but the Swedish legislation based on the directive still in place, PTS had to decide if it should enforce the rules on ISPs like Bahnhof. However, after analyzing the CJEU’s verdict, PTS concluded that there would probably be “big problems” if the authority tried to do so, the spokesman said.
The enforcement is not suspended indefinitely though. There could be a situation where the government changes or modifies the rules and PTS has to start enforcing again, the spokesman said. However, this won’t affect ISPs who will erase their data because the PTS cannot impose fines for doing so, the spokesman said. The authority can only demand that a company starts collecting data again, he added.
While the Swedes decided to act quickly after the CJEU ruling, other European countries are still contemplating what to do about it. France, the U.K., Belgium and the Netherlands for instance are still analyzing the ruling. The Dutch Radiocommunications Agency will keep enforcing the law while the Ministry is reviewing the verdict, an agency spokeswoman said Friday.
That analysis could take a while. The Dutch government, for example, will probably need eight weeks, State Secretary of Security and Justice Fred Teeven told the Dutch House of Representatives on Tuesday, emphasizing that data retention is an important tool for law enforcement authorities.
The U.K.’s Home Office took a similar point a view. “The retention of communications data is absolutely fundamental to ensure law enforcement have the powers they need to investigate crime, protect the public and ensure national security,” it said.
Meanwhile, ISP associations in the Netherlands and Belgium called on their governments to speed up the review process and provide clarity.
The ruling created a very uncertain legal situation for ISPs, said a spokeswoman of the Belgian Internet Service Providers Association (ISPA) on Friday. However, things are unlikely to change in Belgium because the government has said the ruling would probably have no impact in Belgium because the Belgian law is better than the European Directive, she said,
More clarity is still needed though, so members do not have to make unnecessary investments in costly systems and fundamental freedoms are guaranteed, ISPA said.