Swedish ISP deletes all retained customer data in wake of EU court ruling

Other ISPs should also delete communications metadata following the Court of Justice's ruling, Swedish ISP Bahnhof said

A Swedish ISP has deleted all retained customer data after European Union laws that require communications providers to retain metadata were invalidated by the EU's supreme court earlier this week. The ISP on Thursday called on other providers to do the same.

Under EU rules, telecommunications and Internet providers are required to retain data necessary to identify the subscriber, as well as traffic and location data, in order to help investigations of serious crimes and terrorism. However, the EU's Data Retention Directive was invalidated on Tuesday by the Court of Justice of the EU (CJEU), which ruled that the directive seriously interferes with fundamental privacy rights.

The Swedish law implementing the directive is still in place, but despite that Jon Karlung, CEO of Swedish ISP Bahnhof, said he deleted all retained records and stopped collecting customer information on Wednesday after consulting his lawyers.

The verdict is clear, and means that since the directive came into force in 2006, data was wrongly collected and should be deleted, Karlung said.

"We have followed this verdict and from our point of view it is more important to protect the privacy and integrity of our customers," Karlung said. "I strongly suggest that other ISPs and service providers would follow our example," he said, adding that he thought the verdict was clear enough to do this.

The Swedish Post and Telecom Authority (PTS) that monitors the electronic communications and postal sectors in Sweden has no plans to act against Bahnhof, a spokesman said. The authority is analyzing the ruling to see if national legislation is still applicable, he said.

The Swedish Prosecution Authority also has no plans yet to start an investigation, although it has the power to do so even in the absence of a police report, a spokeswoman said.

Karlung is confident that he would ultimately win any legal dispute with the authorities because the case would eventually end up at the Court of Justice of the EU, he said, adding that European law is above Swedish law.

"For the first time in a very long time there is some common sense in the European Union regarding these matters," Karlung said. "There is finally hope again."

Sweden was one of the last EU member states to transpose the Data Retention Directive into national law. In May 2013, the CJEU fined Sweden €3 million (around US$4 million) for the delay.

Asked Tuesday whether the Commission would consider paying back that fine, EU Home Affairs Commissioner Cecilia Malmström said that was a possibility she would look into.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Bahnhofsecurityeuropean commissionlegalCourt of Justice of the European Unionprivacy

More about EUIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place