Swedish ISP Bahnhof threatened with fine for not storing customer data for law enforcement

When Europe’s top court struck down the EU-wide Data Retention Directive in April for being excessive and against privacy rights, many communications providers breathed a sigh of relief. Among them was Swedish ISP Bahnhof, which said it would immediately stop keeping records of its customers’ communications for law enforcement purposes.

However, this week the Swedish telecoms regulator PTS ordered Bahnhof to start retaining communications data again, for six-month periods. Bahnhof has been ordered to do so by November 24 or pay a five million krona ($680,000) fine.

Sweden only started enforcing the EU Data Retention Directive locally in 2012, and in the wake of the EU ruling PTS told Bahnhof and other ISPs that they could stop retaining call records and internet metadata without fear of punishment.

In June, though, the Swedish government insisted that the country’s data retention law still applied. It appointed a commission to study the issue, which reported back that Sweden’s law didn’t conflict with the Court of Justice of the European Union (CJEU) ruling.

PTS succeeded in getting most of the country’s ISPs to start retaining records for law enforcement purposes again, although major provider Tele2 appealed. This week’s PTS order followed an October 13 ruling in which a Stockholm administrative court rejected that appeal, proclaiming that Sweden’s data retention laws carried sufficient safeguards and were acceptable.

Bahnhof – the proprietor of a nuclear bunker data center under a mountain, as used by Wikileaks — is now the sole holdout, having complained to the European Commission last month with, as yet, no meaningful response.

CEO Jon Karlung told IDG that he has a “Plan B” to avoid having to give up customer data as the government and regulator desire, butdidn’t provide details. However, he did say he would fight the latest order in court.

Sweden isn’t the only country to try forging on with data retention despite the CJEU ruling. The U.K. went so far as to use the ruling as an excuse to expand its data retention laws, rather than get rid of them.