Swedish legislation relevant to us as a VPN provider
An important criterion to consider when choosing a VPN service provider is where the company is based. This is because the provider is subject to that particular country's laws on, inter alia, privacy, data sharing, and other VPN-relevant issues.
Mullvad's legal entity, Amagicom AB, is based in Sweden, which means that we are subject to Swedish laws and regulations. We are transparent about how we handle data, and it is important that all processing is carried out in accordance with applicable laws.
The key to operating a VPN service is to store as little data (of any kind) as possible. Data that you don’t have can’t be handed over to anyone.
Relevant laws in Sweden
Below is a list of some of the laws that are particularly relevant for Mullvad. We retain lawyers to help us monitor the legal landscape in Sweden and keep us up to date on any developments.
General Data Protection Regulation (2016:679) (GDPR)
The GDPR is a regulation which harmonizes the rules throughout the EU relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The regulation applies to processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Companies established within the EU are subject to the regulation even if they are not processing personal data relating to persons within the EU. Thus, the regulation applies to Amagicom’s processing of personal data regardless of which country the users are based in.
Act (2008:717) on Signal Surveillance for Defense Intelligence Activities
This piece of legislation gives Sweden's National Defence Radio Establishment the authority to carry out surveillance on cross-border communications (for example phone calls and internet traffic). Other countries do likewise. To protect electronic communications crossing the Swedish border, consumers can use a VPN service to protect their user activity.
The Electronic Communications Act (2003:389) (LEK)
LEK is the Swedish law that implements the EU Directive (2002:58) on Privacy and Electronic Communications. LEK covers all electronic communications networks and electronic communications services. According to LEK’s definitions, LEK does not apply to us, since we as a VPN service provider are regarded as neither an electronic communications network nor an electronic communications service (see more information below).
Act (2012:278) on Collection of Data in Electronic Communication in the Crime Combating Authorities’ Intelligence Service (IHL)
This law can only be used to request user data from businesses having the LEK reporting obligation. This means authorities cannot use LEK or IHL to request information from us.
The Swedish Code of Judicial Procedure (1942:740) (RB)
According to this code, a search of premises may be instigated not just on the individual who is suspected on reasonable grounds but on anyone, provided that there is a factual circumstance and that it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure, or other evidence of the offense in question. Objects may also be seized if they are believed to have importance for the investigation.
Storage and disclosure of information according to the GDPR
Amagicom AB (Mullvad) is, as a VPN provider, not considered a communications provider according to LEK and is therefore not subject to any requirement related to the storage of information under the same regulation. However, other legislation such as GDPR and the Accounting Act may result in a requirement for the storage of data for a certain period of time.
Should persons whose personal data are processed by us request access to their personal data, we are obliged, according to GDPR, to provide that access. However, in general, we have no obligation to release such information to anyone other than the individual to whom the information pertains.
Requests by the Swedish or foreign authorities
In situations where we receive communication from the Swedish or foreign authorities requesting disclosure of information, we will never disclose any information before we have investigated the request. The requesting party shall state the legal grounds (applicable to Amagicom) for such disclosure. After we have received the request, an investigation must take place into whether there are adequate grounds for the reasons stated (a foreign authority generally has no jurisdiction here and cannot access any information without, for example, the support of international agreements on mutual assistance, a Swedish court order or a European investigation order etc.).
Coercive measures used in criminal procedures
According to Swedish law, a police authority may request access to personal data through a coercive measure in criminal procedures.
Such a practice is a type of violation of a person’s sphere of law where the individual has not given consent to the release of such data. Examples of coercive measures are search of premises, seizure, apprehension, and detention.
There are also coercive measures that are taken covertly, and these have a particular status. Examples of these types of coercive measures may be secret interception of electronic communications, secret electronic communications monitoring, secret camera surveillance, retention of mail and secret room interception (retrieval of subscription data according to LEK is not to be classified as a secret coercive measure).
Disclosure of information according to LEK
A business with a reporting obligation according to LEK, Chapter 2, Section 1, is in general subject to a duty of confidentiality (in certain respects).
There is an exception to this duty of confidentiality which allows, for example, police, courts, and other authorities to request information about subscriptions (e.g. name, address, and telephone number) if any suspicion of criminal activity exists (according to LEK, Chapter 6, sections 20-23).
In case of a serious suspicion of a crime, certain traffic data may also be requested, cf. the Code of Procedure (RB) and IHL. An operator may not disclose the content of a message except in cases where a court has handed down a ruling on secret interception (see LEK, Chapter 6, Sections 19-19a and RB, Chapter 27).
Coercive measures not covered by LEK
Since Amagicom is not to be regarded as an electronic communications service and is therefore not covered by LEK, Chapter 2, Section 1, an authority may not request information from Amagicom in accordance with LEK or IHL.
The Swedish National Defense Radio Establishment (FRA) may also not access information through signal intelligence since the information is encrypted. However, the Swedish police authority may have access to information by way of coercive measures such as seizure and search of premises.
According to RB, Chapter 28, Section 1, a search of premises may be instigated of anyone other than the individual who is suspected on reasonable grounds, provided that there is a factual circumstance and that it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure, or other evidence of the offence in question.
Objects may also be seized if they are believed to have importance for the investigation, which may be used as evidence of the suspect’s guilt, for example a surveillance film or the like.