Swedish ISP Bahnhof is being forced to hand over customer traffic data regardless of the potential penalty of the crime in question

The Swedish ISP Bahnhof has received an order from PTS, the Swedish equivalent of FCC, commanding Bahnhof to, among other things, answer all requests from the police to hand over stored customer traffic data regardless of the penalty for the crime in question. If they don't do so within a week they will face a penalty of 5 million SEK which is equivalent to about 616 000 USD.

I've translated an article from ComputerSweden:

The ISP Bahnhof has at several occasions refused to hand out subscription information even though the police has requested it. PTS now states that Bahnhof has to hand out the information within week, otherwise waits a penalty of five million crowns.

The Mail- and Telecom Agency, PTS, has been looking at four cases between the middle of december and the beginning of February where Bahnhof has not handed out information about subscriptions that the Police Agency has requested.

Bahnhof has motivated its refusal with the fact that they solely hand out information about subscriptions if there is a suspicion of a more serious crime and has referred to the EU court.

The ISP has introduced a routine where the Police Agency has had to fill in the suspected crime the case is about and not processed it if the penalty is below six months of prison.

But Bahnhofs interpretation of the legal situation does not hold up according to PTS. The EU court has commented on the requirements regarding data storage and how it should be formed. But here it is, according to PTS, about whether Bahnhofs obligation to hand out information that exists at the company, and not about Bahnhofs obligation to store traffic data.

The provision in the law about electronic communication is namely "not directly connected to the obligation to store traffic data and more but statutes an obligation to ISPs to hand out the information about subscriptions that the ISP actually has, regardless if the ISP possesses these due to the storage obligation or due to other reason", writes PTS in their order.

Now Bahnhof has to hand out the information by the 7th of april or otherwise waits a penalty of five million crowns.

Translation of the first page of the order:

PTS

Network security department

Order to on request hand out data about subscriptions.

Re
Order to at penalty according to 7 kap. 5 § law (2003:389) about electronic communication (LEK); question about obligation to on request hand out information about subscriptions in conjunction with suspected crime.

The Mail- and Telecom Agency's decision
The Mail- and Telecom Agency (PTS) orders Bahnhof AB (Bahnhof) to, at a penalty of 5 million (5000 000) crowns, at latest by the 7th of april 2016,

• hand out the information about subscriptions that the Police Agency requested the 15th of december 2015, the 26th of januari 2016, the 2 of February 2016, the 5th of February 2016 and the 8th of February 2016, see appendix 6 and 15, and
• make sure that information about subscriptions that has been requested by the Police Agency or other agency that will intervene against the crime in the cases where it is a question about suspicion of crime henceforth will be handed out, regardless of the crimes potential penalty.

This order is valid according to 8 kap. 22 § LEK immediately.

Note that I am not used to translating legal terms...

Seems fair. Regardless of the underlying laws, the ISP cannot be judge of what is or is not a serious crime, since the crime has not been brought to conclusion the seriousness of it defined by the punishment handed out has not been determined.

So, hand over the data according to the law.

The discussion of the data its self and what there asking for is different from what this case is concluding. In the case of data, maybe they should stop keeping it except for what is required.

right — "seriousness" of the crime is irrelevant. What is relevant is whether it is a request or a lawful order. If it's a request, they can (IMO should) refuse. If it's a lawful order (whatever the Swedish equivalent of a Search Warrant or Subpoena is), then they should comply.

Bahnhof has always been trying to store and hand out as little data as possible, they previously didn't store any data with reference to the EU court. PTS then did an investigation that supposedly came to the conclusion that ISPs still have to store data and that the Swedish legislation should be above the EU legislation. The investigation became marked as secret and could not be reviewed.

I have tried to summarize the events based on the press releases from Bahnhof, all the press releases are in Swedish except for the first one.

In april 2014 the Swedish data storage legislation was deemed invalid by the EU court since it violates human rights and Bahnhof immediately stopped storing traffic data.

https://www.bahnhof.se/press/press-releases/2014/07/08/anmaler-sig-sjalv-for-utebliven-datalagring
In July 2014 Bahnhofs CEO Jon Karlung reports himself for crime against the law about electronic communication. He wants to take it all the way to EU court and win.

https://www.bahnhof.se/press/press-releases/2014/09/04/svar-till-pts-angaende-datalagring
Bahnhof continuously repports that they are not storing data and in september 2014 PTS officially asks Bahnhof if they are storing traffic data and Jon Karlung confirms that they are not.

https://www.bahnhof.se/press/press-releases/2014/09/12/vi-anmaler-sveriges-datalagring-till-eu-kommissionen
Later in september Bahnhof reports the Swedish legislation to the European Commission.

https://www.bahnhof.se/press/press-releases/2014/10/01/vad-forsoker-ni-dolja-pts
In October 2014 Bahnhof publishes a press release, asking why PTS has decided that the investigation of the matter should be secret.

https://www.bahnhof.se/press/press-releases/2014/10/27/braket-om-datalagringen-pts-hotar-bahnhof-med-miljonbelopp
Later in October PTS threatens Bahnhof with a penalty of five million SEK if they don't begin storing traffic data.

https://www.bahnhof.se/press/press-releases/2014/12/19/kammarratten-ger-bahnhof-ratt-mot-pts
In december the court decides that the investigation by PTS should be a public document. In the now public investigation the PTS has actually agreed with the EU court and deemed the Swedish legislation invalid, partially because the Swedish legislation does not take to account how serious the crime is, but nothing happens and Bahnhof still has to store traffic data.

https://www.bahnhof.se/press/press-releases/2016/02/24/bahnhof-bade-rattighet-och-skyldighet-att-neka-polisen-uppgifter
In February 2016 Bahnhof creates a form for the police to use were they have to fill in whether the suspected crime is specified in 27 kap. 19 § rättegångsbalken. E.g. terror crime, arson, spying, child pornography and more with the minimum penalty of six months prison.

In March PTS demands that Bahnhof should hand out customer data on all requests, and now they are threatening with a fine just like they did before. PTS is saying that the EU legislation does not matter since it's not about data storage but at the same time they are forced to store regardless of what the European Commission has stated.