On Wednesday, Minister of Justice and Home Affairs Morgan Johansson, together with Sigurd Heuman, presented the new data retention directive, which will take effect on December 1, 2018.
The new proposal on the data retention directive is intended to comply with the EU directives and laws that Sweden's previous data retention directive was considered to breach (in the previously noted judgment against Tele2). It differs in several respects from the previous directive:
- Subscription data storage time increases from 6 to 10 months (e.g., who has which IP address at a particular time)
- Location data storage time is lowered from 6 months to 2 months (e.g. where a mobile phone was located during a phone call)
- All communications within the fixed network are excluded (i.e. calls made via home telephony are no longer stored)
- Information that enables subscribers to be identified should always be stored in connection with Internet access, regardless of the technology used by the operators (does not apply to VPN services, but Internet service providers must save customer information)
- The data should only be stored in Sweden
Access to location data should be limited to serious crime, while subscription information - which they believe is compatible with EU regulations - only requires suspicion of crime to be requested.
What is interesting about this investigation, however, is not only that just a suspicion of crime is needed to obtain subscription information, but what the investigation classifies as serious crimes.
There is no general definition of a serious crime within EU or Swedish law. However, in various contexts in both EU and Swedish law, there are enumerations of crimes which, in the context of that enumeration, are to be equated with serious crimes or are otherwise to be dealt with separately. An example of such an enumeration is the annex to the Act (2003:1156) on surrender from Sweden under a European arrest warrant. That annex lists crimes that span a large part of the penalty range; from murder and rape to counterfeiting, piracy and child pornography. It is precisely this enumeration that the Council has urged Member States to take due account of when introducing the now repealed Data Storage Directive.
An interpretation of the above is that the Data Retention Directive would classify piracy as a more serious crime.
Storage in Sweden
According to Morgan Johansson, some Internet operators - specifically Bahnhof and Tele2 - have refused to cooperate when the police request information. In Bahnhof's case, they have interpreted the Data Retention Directive as a proposal that need not be followed as it directly violates previous EU court judgments. In Tele2's case, they have instead claimed that the subscriber information belongs to a subsidiary and is not stored in Sweden. Thus, they also cannot disclose the information since they do not have access to it.
The new directive has solved this in two ways:
During the course of the investigation, they have emphasized in many places that the storage of subscriber information (such as IP addresses) is compatible with EU directives as the EU requires countries to have effective law enforcement. The investigation's interpretation is that subscription data may be stored since this is not a violation of privacy in that it's linked to a person and not to what the person in question does. In doing so, they have determined that Bahnhof's decision to not store this is not in accordance with Swedish law.
They have decided that everything companies are required by law to store about Swedish citizens must be stored within Sweden, since it is about the security of the state. This means that, among other things, Tele2 can no longer protect itself with subsidiaries in other countries to avoid disclosure of subscription information.
Moreover, since the central interests of the State are not covered by EU law, EU law does not constitute an obstacle to such an arrangement. According to the report, operators should therefore be banned from storing the data outside Sweden. In this context, it should be mentioned that storage outside Sweden should not occur at all or only to a very small extent.
What does all this mean?
If a crime is suspected, regardless of the scale of the sentence, a prosecutor may ask who had an IP address at a specific time.
If the crime is classified as serious - which, for example, is proposed for piracy - then the prosecutor may also request location information on this person.
If the government decides to follow the investigation's proposal, we at OVPN believe that Swedes will soon see a significant increase in cases from companies such as Njord.
We find it difficult to see how Bahnhof & Tele2 will succeed in avoiding storing identifiable information about their customers, as the investigation is very focused on ensuring that these gaps are closed again for Internet providers. The solution for customers who want to protect their online privacy remains to use secure VPN services with strict policies that don't log anything.
How is OVPN affected?
At present, OVPN is not affected at all by the Data Retention Directive. There is a special point in the investigation under Special Opinions which specifically mentions that the storage obligation does not include VPN services. OVPN can continue to operate without logs.
However, it may be worth mentioning that the report recommends a new investigation regarding regulations on the information that VPN providers may have to store. If such an investigation is done and requires that VPN services log information within Sweden, we are prepared to move abroad - despite our earlier promise that the business will always be located in Sweden - since the integrity of our users is the focus for us.