A Swedish ISP has deleted all retained customer data after European Union laws that require communications providers to retain metadata were invalidated by the EU’s supreme court earlier this week. The ISP on Thursday called on other providers to do the same.
Under EU rules, telecommunications and Internet providers are required to retain data necessary to identify the subscriber, as well as traffic and location data, in order to help investigations of serious crimes and terrorism. However, the EU’s Data Retention Directive was invalidated on Tuesday by the Court of Justice of the EU (CJEU), which ruled that the directive seriously interferes with fundamental privacy rights.
The Swedish law implementing the directive is still in place, but despite that Jon Karlung, CEO of Swedish ISP Bahnhof, said he deleted all retained records and stopped collecting customer information on Wednesday after consulting his lawyers.
The verdict is clear, and means that since the directive came into force in 2006, data was wrongly collected and should be deleted, Karlung said.
“We have followed this verdict and from our point of view it is more important to protect the privacy and integrity of our customers,” Karlung said. “I strongly suggest that other ISPs and service providers would follow our example,” he said, adding that he thought the verdict was clear enough to do this.
The Swedish Post and Telecom Authority (PTS) that monitors the electronic communications and postal sectors in Sweden has no plans to act against Bahnhof, a spokesman said. The authority is analyzing the ruling to see if national legislation is still applicable, he said.
The Swedish Prosecution Authority also has no plans yet to start an investigation, although it has the power to do so even in the absence of a police report, a spokeswoman said.
Karlung is confident that he would ultimately win any legal dispute with the authorities because the case would eventually end up at the Court of Justice of the EU, he said, adding that European law is above Swedish law.
“For the first time in a very long time there is some common sense in the European Union regarding these matters,” Karlung said. “There is finally hope again.”
Sweden was one of the last EU member states to transpose the Data Retention Directive into national law. In May 2013, the CJEU fined Sweden €3 million (around US$4 million) for the delay.
Asked Tuesday whether the Commission would consider paying back that fine, EU Home Affairs Commissioner Cecilia Malmström said that was a possibility she would look into.