Swedish law requiring network operators to retain communications metadata continues to breach European Union rules, according to Swedish ISP Bahnhof, which has asked the European Commission to intervene.
Together with the 5th of July Foundation, a Swedish organization that aims to protect online rights, Bahnhof sent an official complaint to the Commission. They want the Commission to initiate proceedings against the Swedish government "for blatantly ignoring" a judgment of the Court of Justice of the European Union (CJEU), they said in a news release.
The EU's Data Retention Directive had previously required telecommunications and Internet service providers to retain their customer's location and traffic metadata for investigatory purposes, but in May the CJEU invalidated the directive because it seriously interferes with fundamental privacy rights.
Bahnhof stopped retaining customer data and deleted all its records a few days after the ruling. It did so with the permission of the Swedish Post and Telecom Authority (PTS), which said at the time that ISPs could stop collecting data and delete records without consequence. After analyzing the verdict, the authority concluded that there would probably be "big problems" if it tried to enforce the Swedish data retention law that is still in place.
However, in mid-August the PTS ordered Bahnhof to start retaining data again, Bahnhof CEO Jon Karlung said. The PTS has made a 180-degree turn in policy by ordering Bahnhof -- and Tele2, which also stopped retaining data for a while -- to resume doing so.
According to a PTS spokesman, it was the government that ordered the PTS to start enforcing the Swedish data retention law again. "They appointed a commissioner to investigate if the Swedish national legislation could still be applied" despite the CJEU's ruling, he said. The commissioner came to the conclusion that the national legislation stands, and from that point on, the PTS has been enforcing the law again, he said.
"It is a crazy situation," said Karlung, who added that Sweden clearly violates European rights if it keeps ignoring the verdict. "Since we are a member state we have to comply with the European justice system. We cannot have laws that contradict what happens in the European Union," he said, adding that the Swedish government should be fined by the EU if it keeps enforcing the data retention law.
Bahnhof said it would also fight the retention law in Swedish courts, but urged the Commission to swiftly investigate the matter to speed things along. In the meantime, Bahnhof refuses to start retaining data again because it follows EU law, Karlung said.
By doing this, Bahnhof chose a different option to Tele2. The latter started retaining data again in response to an order from the PTS pending the outcome of a legal challenge of the order, the PTS spokesman said. So far, the authority has not threatened to fine Bahnhof for ignoring the order. "We will have to see what the next step against Bahnhof is," he said.
The Commission takes whatever action it deems appropriate in response to either a complaint or indications of infringements which it detects itself, according to a Commission website. "Non-compliance means failure by a Member State to fulfil its obligations under EU law. It may consist either of action or omission," it said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to [email protected]