Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Secret camera surveillance, communications surveillance, and wiretapping require a court order according to the Act on Measures to Investigate Certain Serious Crimes1 and Chapter 27 of the Code of Judicial Procedure. Communications surveillance and wiretapping used to be regulated by an act from 1952, which had to be extended on a yearly basis; covert camera surveillance was regulated in a similar way, albeit separately, by the Act on Secret Camera Surveillance.2 In 2003, the scope of the 1952 Act was extended to terrorist crimes referred to in the legislation that implements the EU Framework decision 2002/475/JHA of 13 June 2002 on combating terrorism.3 As of 1 January 2009, the limited regulations on covert camera surveillance were made permanent and moved into the Code of Judicial Procedure. The 1952 Act was abolished and replaced by the new legislation on "Certain Serious Crimes" (vissa samhällsfarliga brott) mentioned above. This law extends the competences of the secret services, as well as the scope of applicable crimes, to use wire tapping, wire surveillance, postal communications interference and secret camera surveillance. Suspects that have been monitored have to be informed about the surveillance after its termination.4

Together with the recent introduction in Sweden of covert audio surveillance (buggning),5 which has been a highly controversial issue for around 30 years, the Swedish secret services have gained unprecedented competences. Already demands from the Swedish Security Service have been made to extend these powers further, for example to avoid the mandatory court procedure before using such covert means of surveillance.6 Parallel to the introduction of these new regulations, the above-mentioned Commission on Security and Integrity Protection (SÄKINT) was created in order to monitor the usage of the most repressive means of surveillance.7

The Government has submitted a report to Parliament every year with details of all surveillance conducted. According to the 2003 government report8 to the Parliament, the use of secret surveillance had already increased "considerably" by 2002.9 In 2008, the number of instances of communications surveillance had almost doubled. The instances of wiretapping have increased by 500 percent since 1999. Both measures are conducted for an average period of 50 days and in about 40-50 percent of the cases, useful evidence can be gathered.10 Human rights organisations, including the International Helsinki Federation for Human Rights, expressed concern in 2006 over increased use of surveillance techniques by the police and insufficient protection of the individual's right to privacy. This development has not gone unnoticed. The Swedish Helsinki Committee (SHC, now Civil Rights Defenders or CRD), a non-governmental organisation that monitors human rights compliance with the Helsinki agreement of 1975, has concluded that the state authorities' right to interfere in the private life of citizens, as allowed in certain instances by Swedish law, continued to lack both the necessary legality and transparency.11 The CRD has called for an independent assessment of the necessity and effectiveness of secret surveillance methods used in Sweden. However, in connection with the legislation's becoming permanent, the Government stated that combating crimes related to national security have been given increased priority and that secret camera surveillance, wire surveillance, and wiretapping are all efficient tools for investigating terrorist and other serious crimes.12

There were a number of government bills in 2006 that extended the use of secret surveillance, including inter alia a bill to allow telephone tapping for preventive reasons as well as bugging of conversations with the help of hidden microphones. On 31 May 2006 the Parliament decided to postpone discussion on the bill for at least a year and "insisted that safeguards against abuse of power be introduced into the bill, including an obligation for police to inform those subject to secret surveillance whenever this is considered safe for investigative reasons."13 In 2007, a proposed bill would allow the National Defence Radio Establishment (Försvarets Radioanstalt, FRA) permission to use data mining software to search for sensitive keywords in all phone and email communications passing through cables or wires across the country's borders without a court order.14Until then the FRA could only listen to radio transmissions and did not have the authority to monitor and analyse Internet data traffic.15 The FRA would need approval from a parliamentary committee on military intelligence affairs and would only be permitted to "tap into communications through pattern analysis and key word searches, and would not be entitled to target specific individuals."16 Before this bill was approved on 18 June 2008, such traffic could only be monitored with court approval if police suspected a crime, although the agency was free to spy on airborne signals, such as radio and satellite traffic. The new legislation became widely controversial and has posed a threat to cross-border communications.17It allows for the interception of e-mail, telephone and faxes, and is therefore a threat to anyone dealing with a Swedish organisation.18 Even where domestic Internet communication is intended for two persons residing in Sweden, the same information may cross national borders through Germany, Denmark, and the USA.19 The implication is that people residing outside of Sweden, as well as Swedes, may be subject to the surveillance of FRA.20

The FRA wiretapping law adopted on 18 June 2008 consists of four statutes: a newly adopted statute on signals intelligence and changes in three other statutes.21 "FRA has a mandate to search for 'external threats’, which involves everything from military threats, terrorism, IT security, supply problems, ecological imbalances, ethnic and religious conflicts, and migration to economic challenges in the form of currency and interest speculation."22 Causing further controversy is the lack of any requirement that the FRA should have a reason to suspect crime or need a court order before being allowed to conduct surveillance of Swedish residents.23 After criticism by privacy groups and a massive public debate about such sweeping powers, the Act was amended.24 In addition, "a legal complaint has been made to the EU in July about this Act's possible breach of the EU's privacy and discrimination law with regard to cross-border legal consultations."25 The European Commission, who would have to bring formal infringement procedures against Sweden, has not yet made any such action.26

The law was supposed to enter into force by January 2009 but after the massive debacle surrounding the issue in Sweden, the government proposed a modified bill that included a number of privacy improvements to the original legislation. Among other aspects, the details of FRA monitoring are now subject to political scrutiny and the FRA must seek permissions for every search made. The amendment was approved by the Parliament on 14 October 2009 and the new, restricted competences of the FRA came into force on 1 December of the same year.27 As of September 2010, the FRA has still to initiate its surveillance scheme. Technical problems regarding access points as well as resistance from some Internet service providers have allegedly delayed the actual surveillance from starting.

National security legislation

In 2002, the Swedish Parliament approved two anti-terrorism laws in order to implement the UN Convention for the Suppression of the Financing of Terrorism28 and the EU Council Framework Decision on Combating Terrorism.29 Sweden signed, but has not ratified, the Council of Europe Convention on the Prevention of Terrorism.30 The Act on Criminal Responsibility for Terrorist Crimes entered into force in July 2003 and classifies certain crimes -- such as murder or kidnapping -- as terrorist acts when committed against countries, their institutions, or their citizens with the aim of intimidating, altering. or destroying political, economic. or social structures.31 Strict punishments apply. The Swedish Helsinki Committee noted, in addressing an appeal to the Swedish Government, that the definition of terrorist crimes in the Act is unclear, and that neither the Act nor the EU Decision addresses the issue of how to draw the line between politically motivated violence and terrorism.32 In July 2003, the Parliament also adopted an Act on surrender from Sweden33 in accordance with the EU Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant.34 The Act came into force in January 2004. At the same time, a new Act on Joint Investigation Teams for Criminal Investigations came into force.35 The Act applies to joint investigation teams for criminal investigations set up between authorities in Sweden and those in one or more EU Member States. The Act implements the EU Council Framework decision 2002/465/JHA of 13 June 2002 on joint investigation teams.36 The Act contains rules on, for example, conditions for the use of information received through a joint investigation team.37

Data retention

In March 2006, the EU enacted Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.38 The Directive aims to harmonise the rules on retention of traffic data throughout the EU in order to facilitate judicial cooperation in criminal matters. All traffic data generated in publicly available electronic communications, such as telephony or the Internet, would have to be retained by service providers for law enforcement purposes. The data would have to be kept for a minimum period of six months and a maximum period of two years.39 Member States had until 15 September 2007 to transpose the requirements of the Directive into national laws; however, the issue became controversial in Sweden after the FRA debate and the application of this Directive has been postponed even though it meant facing an infringement procedure commenced by the European Commission and a fine.40 The Swedish debate on privacy and surveillance cooled off during 2010, but the introduction of Directive 2006/24/EC is still debated in government circles. The liberal wing wants to postpone implementation even longer, to the price of paying another fine to the Commission, while other fractions of the ruling conservative/liberal coalition aim at implementing the Directive during the next legislative period. In any case, the issue was too sensitive to bring up before the September elections, especially with the FRA experience from 2008, and the Directive has not been debated publicly at all.41

National databases for law enforcement and security purposes

The question of collecting and storing DNA information about all Swedish citizens has been subject to public debate. In June 2004, proposals were made to widen the scope of DNA use in law enforcement.42 According to current legislation, DNA samples fall under the rules in Chapter 28 of the Code of Judicial Procedure and rules in the Police Data Act of 1998. The inquiry tasked with reviewing the current legislation suggested introducing specific rules regarding DNA samples in law enforcement and allowing such samples to be taken from persons who are arrested, taken into custody, or suspected of crimes that can lead to imprisonment, but also from other persons if it is required in the investigation of such crimes. According to the inquiry's report, results from DNA analyses should be put into the DNA register kept by the National Police Board regarding persons who are suspected of, or sentenced for, crimes where the penalty includes imprisonment. The current rules on the DNA register only allow registration of those who have been convicted of a crime that involves a penalty of more than two years' imprisonment. According to Section 24 of the Police Data Act, registration must be limited to such data that provides information about identity -- other DNA information must not be registered. The inquiry suggested that information in the register should be deleted when the preliminary investigation is withdrawn or when charges against the individual in question have been withdrawn or rejected. Information regarding persons who have been convicted should continue to be retained until the person is deleted from the register of convicted persons in accordance with the specific rules in the Act of 1998.

In November 2007, the Ministry of Justice presented a report with a proposal for a new act on the processing of personal data by the police in crime combating activities replacing the Police Data Act of 1998.43 The proposed new act regulates all processing by the police in their crime combating activities and will apply to the National Police Board, the police authorities and the Swedish National Economic Crimes Bureau.44 The new act grants law enforcement agencies longer periods of record keeping (five instead of three years, see Chapter 3 paragraphs 9-15) as well as extended scope of records such as DNA. The new Police Data Act also emphasises the general accessibility of records across institutional boundaries (Chapter 3). In the case of specific crimes such as terrorism, records can now be kept for up to 70 years. A declared aim of the new act is to make preventive policing possible.45 Another important development from the 1998 act is that records that used to be treated as separate are now subjects of common regulation to a certain extent. The aim was to enable and regulate data sharing between law enforcement agencies. The act, and especially the problematic process of its development between 2007 and 2010 has been criticised by the Data Protection Agency for being vague, opaque, and determined to grant law enforcement agencies with new rights rather than to ensure citizens' privacy.46

National and international data disclosure agreements

In 2004, Sweden put forth a proposal for new EU Framework rules on the exchange of information between law enforcement authorities; two years later it was approved by the Council as Framework Decision 2006/960/JHA.47 The proposal required law enforcement authorities in EU Member States to supply certain information and intelligence to similar authorities in other EU Member States, upon request, for the purpose of investigating crimes, particularly serious offences and terrorist acts. The proposal has been criticised by privacy groups as being too broad and going far beyond the relatively narrow range of offences covered by other EU instruments, such as the Europol Convention.48

Cybercrime

In June 2007, the Administrative Court of Appeal in Stockholm passed its judgment in the Anti-Piracy Bureau case.49 The case dealt with the issue of whether IP numbers are to be considered personal data.50 The Anti-Piracy Bureau, which is a cooperative economic association, "had collected scattered pieces of information, in particular IP numbers, in connection with file-sharing of copyrighted material on the Internet."51 The Data Inspection Board stated in its decision that "IP numbers were to be considered personal data and that the processing carried out by the Anti-Piracy Bureau was in breach of the Personal Data Act (PDA), since it implied processing of offences within the meaning of Section 21 of the PDA."52 The law remains that "only public authorities may process personal data concerning legal offences involving crime, unless the Board has granted an exemption from that prohibition."53 In its decision of June 2005, the Board ordered the Anti-Piracy Bureau to stop the processing. The Anti-Piracy Bureau claimed that the IP numbers could not be considered as personal data since the Bureau did not have access to the personal data identifying the owner of a subscription that uses a certain IP address and appealed the decision.54 As a result, both the County Administrative Court and the Administrative Court of Appeal upheld the Data Inspection Board's decision.55 Subsequent to the 2005 decision, the Anti-Piracy Bureau applied for an exemption from the prohibition of Section 21 of the PDA for the purpose of "processing IP numbers so that it could report, for instance, to the police and inform Internet service providers of subscribers' copyright infringements."56 The Data Inspection Board granted an exemption, and the Bureau was allowed to process personal data relating to offences until the end of 2008.57

There was a debate in Sweden over whether police can access Internet records to fine file-sharers. A Swedish court of appeals upheld the country's first conviction of file-sharing.58 This case is of note because the conviction was based on supporting evidence consisting of an IP address linked to a file-sharing network. Previously, in October 2006, a Swedish judge ruled that evidence insufficient to prove guilt.59 This case could continue to the Swedish Supreme Court and shows that "electronic evidence, such as traffic, location, and time data, can originate, be scattered, and end on different formats and different coordinates in time and space, and may easily be manipulated and hard to identify, due to services offering anonymity or pseudonymity."60

In 2009 the Swedish Parliament agreed to the implementation of Directive 2004/48/EC, commonly named the Intellectual Property Rights Enforcement Directive (IPRED). The Swedish implementing act (IPRED Act) has been much debated, as it was introduced in the wake of the above-mentioned FRA debate. It is intended to protect property rights and has been used by the Swedish Anti-Piracy Bureau to access copyrighted material and open process against the server administrators. Since then, a number of cases have been brought to court by the music and publishing industries.

The first case that tried using IPRED concerned alleged file-sharing of audio books from a customer of the service provider E-Phone. The publishers wanted E-Phone to hand out information regarding the identity of the person behind an IP address, but E-Phone refused. The case went to the highest instance in Sweden, but was referred to the Court of Justice of the European Union in order to get a prejudicating verdict. The Swedish court wanted the relationship with the Directive 2006/24/EC -- the data retention directive mentioned above -- clarified. Even though Sweden has yet to implement the Directive, there are uncertainties as to whether the IPRED act is illegal. In the meantime, many other cases were brought but none has been completed. IPRED is celebrated as a failure among file-sharers and entertainment industries alike.61

One of the most important and internationally known legal cases in Sweden occurred in 2008-2009 and concerned one of the world's biggest torrent trackers, The Pirate Bay. The case originated from a controversial raid in March 2006 by the Swedish police on the premises of the Web farm hosting The Pirate Bay, PRQ. Suspicions were aired that the raid was a result of pressure by the US government and the Motion Picture Association of America. Large demonstrations against the raid were held in Sweden by the youth organisations of both the Green and Left political parties as well as the newly formed Pirate Party. The entertainment industry, as represented by the Swedish Anti-Piracy Bureau, the International Federation of the Phonographic Industry (IFPI), and lawyer Monique Wadsted, finally won the case on 17 April 2009. The four proprietors of Pirate Bay were sentenced to pay one of the highest fines in Swedish history -- over SEK100 million, roughly equivalent to €10 million. However, due to the circumstances, the sum was reduced to €3 million Euro, still disproportionate in the Swedish context. Critics claimed that the courts were partisan and had accepted too many of the entertainment industry's arguments.62 The Pirate Bay proprietors were accused of having sought personal gain from the tracker activity through the advertisements on the site, in addition to the violation of copyright law.63

Critical infrastructure

No specific information has been provided under this section.

Territorial privacy

Video surveillance

The 1998 Public Camera Surveillance Act64 and the Public Camera Surveillance Ordinance65 restrict the use of such surveillance. In principle, video surveillance in places to which the public has access requires a permit from the County Administrative Board. In certain situations, it is sufficient to notify the County Administrative Board about the surveillance. The notification duty applies to post offices, banks, and stores where the surveillance only covers entrances, exits, and cash points. In a few other situations neither a permit nor notification is required. In all cases, the Act requires that clearly visible notices about the video surveillance are posted. Image and audio material may be stored for up to a month. The police and courts are able to store material for longer if it comprises part of an investigation of a crime. Penalties for breach of the law include fines or a maximum imprisonment of one year.

The 1998 Act was a significant liberalisation of the earlier regulations and a sharp increase in CCTV surveillance followed during the 2000s.66 The Act has been subject to review by an inquiry that presented its report in November 2002.67 The Act underwent reviews in 2002 and again in 2009, and a new act is expected to be enacted after the elections in September 2010. The new regulation marks an even larger liberalisation, foremost in two areas: first, private CCTV surveillance is de facto completely deregulated. This is the result of the inability of state agencies to control private CCTV applications. Secondly, video material can be stored for up to three months instead of the current 30-day period.68 Rhetorically, the new act is legitimised by a need to make regulations more comprehensive, and it combines regulations from the old act and the Personal Data Act. This results in a more prominent role for the Data Protection Agency, which controls the implementation of the Personal Data Act. The proposed new law sees the DPA as the main inspection authority in the area of CCTV surveillance. It remains to be seen if the DPA will be granted additional budget and manpower to adequately fulfil this responsibility.

In 2008, the Data Inspection Board sent out a Web questionnaire to schools and one of the issues was if and to what extent schools used video surveillance on their premises.69 The result showed that video surveillance had increased by 150 percent compared to 2005, when a similar investigation was made. The Data Inspection Board then inspected seven schools and found that the video surveillance of students during daytime in many respects infringed against the Personal Data Act. The inspections also showed that there was a considerable lack of knowledge of the legislation on data protection and the Board therefore issued a checklist to make it easier for schools to decide when video surveillance is permitted. Appeals were lodged against the Board's decisions of 1 October 2008.70

Location privacy (gps, mobile phones, location based services, etc.)

No specific information has been provided under this section.

Travel privacy (travel identification documents, biometrics, etc.) And border surveillance

Sweden implemented Council Regulation No. 2252/2004 on Standards for Security Features and Biometrics in Passports and Travel Documents Issued by Member States. The Swedish passport contains a digital facial image that is stored in a chip included in the passport.71 The biometric data that can be retrieved from the facial image is to be destroyed immediately after the delivery of the passport to the applicant or after a passport check. No other kinds of data than those already registered will be entered into the centralised register of passports.72

Between 2006 and 2008, the Data Inspection Board carried out inspections regarding public transport companies' new ticket systems with smart cards that leave electronic traces (systems based on RFID technology).73 When the passenger uses his electronic ticket the following data is recorded: card number, date, time, and stop/gate. If the card holder has registered his smart card with the transport company the card number is connected with the passenger's personal identification number, name, and address. In this way, the electronic traces from the card can be connected to a specific person. The Data Inspection Board decided that such traces could only be stored for 60 days and thereafter must be de-identified. One of the transport companies concerned appealed against the Data Inspection Board's decision to the County Administrative Court, which in January 2009 repealed the Board's decision and remitted the case for a new review.74

National ID and smart cards

Identification of individuals within public administration is based on the system of national identification numbers.75 Such numbers have been used in Sweden since the 1940s. Since 1994, the data protection legislation includes restrictions on the use of identification numbers. Under Section 22 of the PDA, national identification numbers may only be processed without consent if the processing is clearly justified with regard to the purpose of the processing, the importance of secure identification, or some other substantial reason.

On 1 October 2005, the Swedish Government introduced the "official" electronic ID card containing biometric data. The new "national identity card" (nationellt identitetskort) is not compulsory and does not replace previous paper ID cards. It can be used as a proof of identity and citizenship and as a valid travel document within the Schengen area. It complies with ICAO standards for biometric travel documents; it is issued by the passport offices and manufactured by the same supplier as the biometric passport.76 In addition to the contactless chip containing a digital picture of the holder, it also has a traditional chip which may be used to securely access e-Government services in the future.77

Rfid tags

RFID technology is used by public transport companies' new ticket systems.78

Bodily privacy

No specific information has been provided under this section.

Footnotes