Swedish legislation relevant to us as a VPN provider
Last updated:
An important criterion to consider when choosing a VPN service provider is where the company is based. This is because the provider is subject to that particular country's laws on, inter alia, privacy, data sharing, and other VPN-relevant issues.
All of our policies regarding data and its storage
- No logging of user activity policy
- Cookie policy
- Privacy policy (including GDPR)
- Swedish legislation relevant to us as a VPN provider
- Terms of service
How we operate
Mullvad's legal entity, Mullvad VPN AB, is based in Sweden, which means that we are subject to Swedish laws and regulations. We are transparent about how we handle data, and it is important that all processing is carried out in accordance with applicable laws.
We do not store user traffic logs of any kind. Some storing of data is required by law (e.g. accounting and payment records). If you would like to find out more about how we process personal data, please read our privacy policy.
The key in operating a VPN service is to store as little data of any kind as possible. Data that you don’t have can’t be handed over to anyone.
Relevant laws in Sweden
Below is a list of some of the laws that are particularly relevant for Mullvad VPN. We retain lawyers to help us monitor the legal landscape in Sweden and keep us up to date on any developments.
General Data Protection Regulation (2016:679) (GDPR)
The GDPR is a regulation which harmonizes the rules throughout the EU relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The regulation applies to processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Companies established within the EU are subject to the regulation even if they are not processing personal data relating to persons within the EU. Thus, the regulation applies to Mullvad VPN’s processing of personal data regardless of which country the users are based in.
Act (2008:717) on Signal Surveillance for Defence Intelligence Activities
This piece of legislation gives Sweden's National Defence Radio Establishment the authority to carry out surveillance on cross-border communications (for example phone calls and internet traffic). Other countries do so similarly. To protect electronic communications crossing the Swedish border, consumers can use a VPN service to protect their user activity.
The Electronic Communications Act (2022:482) (LEK)
LEK is the Swedish law that implements Directive (EU) 2018/1972 of the European Parliament and of the Council establishing the European Electronic Communications Code. The act applies to electronic communications networks and electronic communications services with associated facilities as well as services and other radio use. According to LEK’s definitions, LEK does not apply to us, since we as a VPN service provider are regarded as neither an electronic communications network nor an electronic communications service (see more information below).
Act (2012:278) on Collection of Data in Electronic Communication in the Crime Combating Authorities’ Intelligence Service (IHL)
This law can only be used to request user data from businesses having the LEK reporting obligation. This means authorities cannot use LEK or IHL to request information from us.
During 2019, this act was complemented by the Act on amendments to Act (2012:278) on Collection of Data in Electronic Communication in the Crime Combating Authorities’ Intelligence Service (SFS 2019:499). This new law does not affect our business.
The Swedish Code of Judicial Procedure (1942:740) (RB)
According to this, a search of premises may be instigated not just on the individual who is suspected on reasonable grounds but on anyone, provided that there is a factual circumstance and that it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure, or other evidence of the offense in question. Objects may also be seized if they are believed to have importance for the investigation.
Covert Surveillance of Data Act (2020:62) (the act is short-term legislation and entered into force on 1 April 2020)
Since Mullvad VPN is not to be regarded as an electronic communications service with a reporting obligation according to LEK, Chapter 2, Section 1, Mullvad VPN cannot be subject to a duty to cooperate in connection with the enforcement of a decision authorising covert surveillance of data in accordance with the new Covert Surveillance of Data Act.
For users (of computers and other electronic devices), the new Covert Surveillance of Data Act grants law enforcement agencies the authority, upon a special permit (in each specific case) from a competent Swedish court, to secretly install software or hardware on suspect users' devices or on devices which the suspect in special cases has contacted or will most likely contact. This implies that law enforcement agencies may access a suspect user's information before it is encrypted by VPN services such as Mullvad VPN.
Read more: Swedish Covert Surveillance of Data Act
or: Lagen om hemlig dataavläsning
Digital Services Act ((EU) 2022/2065) (DSA)
The DSA regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms and app stores. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. Mullvad, in its capacity as a provider of VPN services, is subject to certain provisions of the DSA, but no monitoring obligation is imposed on it. Instead, the DSA stipulates that Mullvad, for instance, should provide transparent terms and contact information. Mullvad asserts that it fulfils the requirements of the DSA.
Storage and disclosure of information according to the GDPR
Mullvad VPN AB is, as a VPN provider, not considered a communications provider according to LEK and is therefore not subject to any requirement related to the storage of information under the same regulation. However, other legislation such as GDPR and the Accounting Act may result in a requirement for the storage of data for a certain period of time.
Should persons whose personal data are processed by us request access to their personal data, we are obliged, according to GDPR, to provide it. However, in general, we have no obligation to release such information to anyone other than the individual to whom the information pertains.
Requests by the Swedish or foreign authorities
In situations where we receive communication from the Swedish or foreign authorities requesting disclosure of information, we will never disclose any information before we have investigated the request. The requesting party shall state the legal grounds (applicable to Mullvad VPN) for such disclosure. After we have received the request, an investigation must take place into whether there are adequate grounds for the reasons stated (a foreign authority generally has no jurisdiction here and cannot access any information without, for example, the support of international agreements on mutual assistance, a Swedish court order or a European investigation order etc.).
Coercive Measures used in criminal procedures
According to Swedish law, a police authority may request access to personal data through a coercive measure in criminal procedures.
Such a practice is a type of violation of a person’s sphere of law where the individual has not given consent to the release of such data. Examples of coercive measures are search of premises, seizure, apprehension and detention.
There are also coercive measures that are taken covertly, and these have a particular status. Examples of these types of coercive measures may be secret interception of electronic communications, secret electronic communications monitoring, secret camera surveillance, retention of mail and secret room interception (retrieval of subscription data according to LEK is not to be classified as a secret coercive measure).
Disclosure of information according to LEK
A business with a reporting obligation according to LEK, Chapter 2, Section 1, is in general subject to a duty of confidentiality (in certain respects).
There is an exception to this duty of confidentiality which allows, for example, police, courts, and other authorities to request information about subscriptions (e.g. name, address, and telephone number) if any suspicion of criminal activity exists (according to LEK, Chapter 9, sections 19-23).
In case of a serious suspicion of a crime, certain traffic data may also be requested, cf. the Code of Procedure (RB) and IHL. An operator may not disclose the content of a message except in cases where a court has handed down a ruling on secret interception.
Coercive measures not covered by LEK
Since Mullvad VPN is not to be regarded as an electronic communications service and is therefore not covered by LEK, Chapter 2, Section 1, an authority may not request information from Mullvad VPN in accordance with LEK or IHL.
The Swedish National Defence Radio Establishment (FRA) may also not access information through signal intelligence since the information is encrypted. However, the Swedish police authority may have access to information by way of coercive measures such as seizure and search of premises.
According to RB, Chapter 28, Section 1, a search of premises may be instigated on anyone other than the individual who is suspected on reasonable grounds, provided that there is a factual circumstance and that it can be tangibly demonstrated that there is a reasonable expectation of finding items subject to seizure, or other evidence of the offence in question.
Objects may also be seized if they are believed to have importance for the investigation, for example a surveillance film or the like, which may be used as evidence of the suspect’s guilt.