Sweden

Fourteen Eyes SIGINT partner whose cable-tapping regime was ruled in violation of human rights by the European Court of Human Rights

EU Member State: Sweden is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Sweden’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Fourteen Eyes intelligence alliance.

Overview

Sweden’s data protection authority, the Integritetsskyddsmyndigheten (IMY), has increased its enforcement activity since 2021, issuing tens of millions of kronor in fines against pharmacies, banks, and technology companies for GDPR violations. Sweden also operates one of Europe’s most extensive bulk cable interception programmes, granting its signals intelligence agency (FRA) direct access to fiber-optic cables crossing its borders. The European Court of Human Rights ruled in Centrum för Rättvisa v. Sweden (2021) that this regime violated Article 8 of the European Convention on Human Rights.[1]

The central tension in Swedish privacy law is the FRA Law, the 2008 legislation that authorized the Försvarets radioanstalt (FRA), Sweden’s signals intelligence agency, to intercept all cable-bound communications crossing Swedish borders. The law triggered large public protests and prompted the legal challenge that culminated in the Centrum för Rättvisa ruling, with the Grand Chamber finding critical deficiencies in oversight, particularly regarding the transmission of intercepted intelligence to foreign partners and the absence of effective review mechanisms.[1]

Beneath these headline controversies lies a deeper story about Sweden’s place in the global intelligence architecture. Despite two centuries of official political neutrality, Sweden maintained a secret SIGINT-sharing treaty with the Five Eyes nations from 1954, and the Snowden disclosures in 2013 confirmed that Sweden provided the NSA with cable access yielding “unique collection on high-priority Russian targets,” with the NSA classifying the relationship as top-secret precisely because of Sweden’s public posture of neutrality.[2][3] Sweden is a member of the Fourteen Eyes (SIGINT Seniors Europe) alliance, a fourteen-nation signals intelligence partnership comprising the Five Eyes plus nine European nations, and a founding member of the secret Maximator European SIGINT partnership established in 1976.[4]

Data Protection Authority: IMY (Integritetsskyddsmyndigheten)

The Integritetsskyddsmyndigheten (IMY) is Sweden’s independent data protection authority, responsible for supervising and enforcing the GDPR, the Swedish Data Protection Act, and related legislation. IMY was renamed from Datainspektionen in January 2021, reflecting a broadened mandate that extends beyond traditional data protection into wider privacy oversight, including camera surveillance, credit reporting, and criminal records.[5]

Enforcement Record

IMY has significantly escalated its enforcement posture in recent years. In 2024, the authority closed 326 supervisory matters and initiated 421 new ones, imposing fines in six cases totaling SEK 60.6 million (approximately EUR 5.5 million).[6]

Notable Enforcement Actions

| Date | Entity | Fine | Violation |
| --- | --- | --- | --- |
| August 2024 | Apotek Hjärtat | SEK 37 million (~EUR 3.2M) | Meta Pixel on pharmacy website transmitted sensitive health-related personal data, including information about medications and health conditions inferred from browsing behavior, to Meta Platforms[7] |
| August 2024 | Apoteket AB | SEK 8 million (~EUR 740K) | Same Meta Pixel violation as Apotek Hjärtat; pharmacy customer data sent to Meta via tracking pixel without adequate legal basis[7] |
| August 2024 | Avanza Bank | SEK 15 million (~EUR 1.4M) | Tracking pixel transmitted customer securities holdings and account numbers to Meta, exposing detailed financial data of banking customers[8] |
| April 2025 | Three major companies (unnamed) | Formal criticisms | Non-compliant cookie consent banners using dark patterns to manipulate users into accepting tracking, the first Swedish enforcement action specifically targeting deceptive consent design[9] |

The 2024 pharmacy and banking cases are particularly significant because they demonstrate IMY’s willingness to pursue large fines against companies that deployed Meta Pixel tracking technology without understanding (or caring) that it was transmitting sensitive personal data to a third-party advertising platform. The Avanza Bank case was notable: a financial institution sent customers’ securities portfolios and account identifiers to Meta, data that could reveal individuals’ wealth, investment strategies, and financial vulnerabilities.

2025 Priorities

IMY announced its supervisory priorities for 2025, focusing on three areas:[10]

  • Healthcare and social care digitalization: Examining how digital tools in the healthcare sector process patient data, with particular attention to AI-driven diagnostic and treatment systems
  • Camera surveillance: Continued oversight of the expanding use of surveillance cameras in public and semi-public spaces, regulated under the Camera Surveillance Act
  • Children and young people’s data: How platforms and services process minors’ personal data, including age verification mechanisms and consent frameworks

National Framework

Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218)

The Dataskyddslagen entered into force on May 25, 2018, simultaneously with the GDPR, and serves as Sweden’s national supplementary legislation. Rather than replacing the GDPR, it provides additional provisions in areas where the regulation permits member state flexibility:[11]

  • Legal basis for “legal obligation” processing: Legal obligations that serve as a basis for data processing must stem from a law, a regulation, a collective agreement, or a decision issued pursuant to law. This specificity requirement narrows the scope of the GDPR’s “legal obligation” basis under Article 6(1)(c)
  • Age of digital consent: Sweden set the age at which a child can independently consent to information society services at 13 years, below the GDPR default of 16
  • Sensitive data derogations: The Act provides specific rules on the processing of sensitive personal data by public authorities, including for research, statistics, and archiving in the public interest
  • Administrative fines against public authorities: Unlike several EU member states that exempt public bodies from GDPR fines, Sweden permits IMY to fine public authorities, though the maximum is capped at SEK 5 million for government agencies[12]

Camera Surveillance Act (Kamerabevakningslag, SFS 2018:1200)

The Camera Surveillance Act replaced the older Camera Monitoring Act (2013:460) and aims to strike a balance between increasing surveillance possibilities and protecting individual privacy. The act requires a permit for camera surveillance in places to which the public has access, issued by a county administrative board that must weigh the surveillance interest against the privacy intrusion. Permit requirements vary based on the operator: public authorities generally require permits, while private actors operating in their own premises may not.[12]

Electronic Communications Act (LEK, SFS 2022:482)

The new Electronic Communications Act entered into force on June 3, 2022, replacing the previous LEK from 2003. It implements both the European Electronic Communications Code (EECC) and the ePrivacy Directive into Swedish law. The act contains provisions on data retention (discussed below), cookie consent, confidentiality of communications, and network security obligations. Notably, a privacy advocacy analysis identified that the new LEK maintained data retention provisions that civil liberties organizations viewed as incompatible with CJEU case law.[13]

Patient Data Act (Patientdatalag, SFS 2008:355)

Sweden maintains sector-specific legislation for health data processing. The Patient Data Act regulates processing of personal data in healthcare, establishing rules for electronic health records, patient access to records, and the sharing of medical data between healthcare providers. Given IMY’s 2025 focus on healthcare digitalization, this act is expected to receive increased enforcement attention.

Surveillance and Intelligence

Sweden’s intelligence architecture encompasses three principal agencies with distinct mandates, a specialized court for authorizing signals intelligence, and two oversight bodies. The system is complicated by Sweden’s deep (and for decades, secret) integration into the Western signals intelligence alliance structure, which sits in fundamental tension with the country’s historical claim of political neutrality.

FRA (Försvarets radioanstalt) – National Defence Radio Establishment

The FRA is Sweden’s signals intelligence agency, responsible for collecting foreign intelligence through the interception of electronic communications. Originally established to intercept radio signals during the Cold War, the FRA’s mandate was significantly expanded in 2008 when the Swedish Parliament (Riksdag) passed highly debated surveillance legislation.[14]

The FRA Law (2008): Cable-Tapping Sweden’s Borders

On June 18, 2008, the Riksdag adopted the Signals Intelligence Act (Lag om signalspaning i försvarsunderrättelseverksamhet, SFS 2008:717), commonly known as the FRA Law. The legislation extended FRA’s interception authority from radio signals to cable-bound communications, granting it access to all fiber-optic traffic crossing Swedish borders. Telecommunications and internet service providers were required to transfer cable communications at Swedish border-crossing points to designated “interaction points” (samverkanspunkter) where FRA could access them pursuant to court authorization.[14]

The law was framed as applying only to cross-border communications; purely domestic Swedish traffic was formally excluded. However, critics immediately identified a fatal flaw in this distinction: internet routing is determined by network topology, not geography. A significant volume of nominally domestic Swedish internet traffic is routed through servers in neighboring countries (Germany, Denmark, the United States) before returning to Sweden. This means that communications between two Swedes could cross the border and become subject to FRA interception, rendering the “cross-border only” limitation largely meaningless in practice.[14]

The FRA Law triggered massive public backlash. Critics called it “much worse than the Stasi”, a comparison to the East German secret police that reflected the depth of public anger.[15] Ahead of the vote, leaked internal FRA documents contradicted the government’s public characterizations of the scope and nature of Swedish signals intelligence operations, intensifying opposition. The bill passed by only a single vote (143 to 138, with 69 abstentions), after several members of the governing coalition broke ranks.[14]

Under intense public pressure, the government enacted amendments in 2009 that added safeguards to the original law:

  • All cable interception required prior authorization from a newly established Foreign Intelligence Court (Försvarsunderrättelsedomstolen)
  • A privacy protection representative (integritetsskyddsombud) was stationed at the court to advocate for the privacy interests of affected individuals during warrant proceedings
  • The Foreign Intelligence Inspectorate (SIUN) was created to provide independent oversight of FRA activities
  • Permits were limited to a maximum of six months, renewable only after fresh judicial examination
  • FRA was required to destroy intercepted material not relevant to its intelligence mission

These amendments improved the original legislation, but the fundamental architecture remained intact: the FRA retained the legal authority to intercept bulk cable communications at the border, and telecommunications providers remained legally obligated to provide access.

Centrum för Rättvisa v. Sweden: The ECtHR Strikes Down the Regime

The legal challenge to the FRA Law culminated in a significant surveillance judgment in European human rights law. In 2008, the Swedish civil liberties organization Centrum för rättvisa (Centre for Justice) filed an application with the European Court of Human Rights, arguing that the FRA’s bulk interception regime violated Article 8 (right to respect for private and family life) and Article 13 (right to an effective remedy) of the European Convention on Human Rights.[16]

In a Chamber judgment of June 19, 2018, the Court initially found no violation of Article 8, concluding that the Swedish regime contained adequate safeguards. Centrum för rättvisa requested referral to the Grand Chamber, which was granted.

On May 25, 2021, the Grand Chamber delivered its judgment, reversing the Chamber’s finding and ruling that Sweden’s bulk interception regime violated Article 8 ECHR. The Grand Chamber did not hold that bulk interception was per se incompatible with the Convention (a significant doctrinal point) but found that the Swedish regime suffered from three specific deficiencies:[1]

  1. Destruction of intercepted material: The absence of a clear rule on destroying intercepted material that did not contain personal data (i.e., metadata and other non-content data was not adequately covered by destruction obligations)
  2. Transmission to foreign partners: The absence of a requirement that, when transmitting intelligence material to foreign partners, consideration be given to the privacy interests of the individuals whose data was being shared. This was a direct rebuke of the FRA’s intelligence-sharing arrangements with the NSA and GCHQ
  3. Ex post facto review: The absence of an effective after-the-fact review mechanism by which individuals could challenge whether their communications had been intercepted and, if so, whether the interception was lawful

The judgment was delivered on the same day as the companion case Big Brother Watch v. United Kingdom, and together the two rulings established the framework for evaluating bulk surveillance under the Convention. The practical consequence for Sweden is that legislative reforms are required to address the identified deficiencies, reforms that, as of early 2026, are still in progress.[17]

Säpo (Säkerhetspolisen) – Swedish Security Service

Säpo is Sweden’s domestic security and civilian counterintelligence service, responsible for counterterrorism, counterespionage, dignitary protection, and the safeguarding of the constitutional order. Säpo became a separate agency on January 1, 2015, having previously operated as a division of the Swedish Police Authority. It operates under the Ministry of Justice but is essentially autonomous in its operational decisions: under the 1974 Instrument of Government, no minister may direct or influence the handling of individual cases.[18]

Säpo’s intelligence-gathering activities include interrogations, wiretapping, covert listening devices, and hidden surveillance. Since its separation from the police, Säpo has expanded significantly in both budget and personnel, with appropriations increasing by 114 percent between 2015 and 2024.[19] In January 2025, the Swedish National Audit Office published an audit of Säpo’s activities that identified weaknesses in internal management, resource allocation, supervision of security protection, and inconsistent application of background investigation procedures.[20]

MUST (Militära underrättelse- och säkerhetstjänsten) – Military Intelligence and Security Service

MUST is Sweden’s military intelligence and security service, responsible for foreign military intelligence and counterintelligence within the Swedish Armed Forces. MUST is legally prohibited from gathering intelligence on Swedish domestic affairs, with a narrow exception for counterintelligence activities directly related to threats against the armed forces. This prohibition distinguishes MUST from Säpo, which operates within Swedish territory, and from FRA, whose collection is border-focused.[21]

The Foreign Intelligence Court (Försvarsunderrättelsedomstolen)

The Foreign Intelligence Court was established following the 2009 amendments to the FRA Law and is the sole authority empowered to issue warrants for FRA signals intelligence collection on cable-bound communications. The court is composed of a chairman, one or two vice-chairmen, and two to six special members, all appointed by the government for four-year terms. It has a quorum of a chairman and two special members.[22]

FRA applications for interception permits must specify the intelligence mission, the communications bearers to be accessed, the selectors or categories of selectors to be used, and the requested duration. Permits are granted for a maximum of six months and may be renewed only after a fresh examination. A privacy protection representative participates in all proceedings to advocate for the privacy interests of individuals whose communications may be intercepted.[22]

Critics have noted that the court operates entirely in secret, publishes no statistics on the number or proportion of applications approved or denied, and that the privacy protection representative (while a structural improvement) cannot meaningfully represent the interests of individuals who do not know they are being surveilled.

SIUN (Statens inspektion för försvarsunderrättelseverksamheten) – Foreign Intelligence Inspectorate

SIUN is the independent oversight body for Sweden’s defence intelligence activities, consisting of two components:[23]

  • The Board: Oversees compliance by FRA, MUST, and the Swedish Defence Research Agency (FOI) with applicable laws and regulations, including permit conditions imposed by the Foreign Intelligence Court. The Board has the power to demand that information collection be stopped and that intercepted data be deleted
  • The Delegation for Control on Request: Allows individuals to request a check on whether their communications have been intercepted by FRA’s signals intelligence activities. However, the delegation does not disclose whether interception has actually occurred; it only informs the individual that the check has been completed and that no irregularities were found (or, if irregularities were found, that corrective action has been taken)

The chair and deputy chair of SIUN are required to have legal backgrounds, while the five other members are chosen for their political backgrounds as current or former members of the Riksdag. SIUN oversees the defence intelligence agencies, while a separate body, the Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden), supervises law enforcement use of secret surveillance measures and personal data processing by the Police Authority and Säpo.[24]

Fourteen Eyes and Sweden's Intelligence History

For two centuries, Sweden maintained a public policy of neutrality and non-alignment. It remained formally neutral through both World Wars and the Cold War, and its neutrality became a cornerstone of Scandinavian identity politics. Leaked documents and declassified records, however, reveal a different picture.

The 1954 Secret Treaty

The secret SIGINT-sharing treaty referenced above was formally part of the UKUSA agreement’s “third party” framework, binding the FRA to share signals intelligence with the NSA and GCHQ while Sweden maintained its public policy of neutrality. The treaty covered the United States, United Kingdom, Canada, Australia, and New Zealand, the core Five Eyes nations. It remained classified for fifty years and was wound up in 2004, only to be replaced by bilateral agreements that drew the FRA even closer to the NSA and GCHQ.[2]

The Snowden Revelations: Sweden as NSA Cable Collector

The 2013 Snowden disclosures exposed the depth of Sweden’s intelligence cooperation with the NSA. Key revelations included:

  • Cable access provided to NSA: In 2011, the FRA provided the NSA with access to its cable collection infrastructure, enabling the interception of fiber-optic communications transiting Swedish territory. An NSA internal document described the resulting intelligence as providing “unique collection on high-priority Russian targets such as leadership, internal politics, and energy.”[3]
  • XKeyscore access: The NSA granted the FRA access to XKeyscore, the NSA’s powerful search and analysis system for intercepted communications, allowing Swedish analysts to query the NSA’s global collection databases[25]
  • Top-secret classification: A 2006 NSA document classified the relationship with FRA as top-secret specifically “because of the country’s political neutrality”, an explicit acknowledgment that disclosure would undermine Sweden’s public posture[3]
  • Strategic geography: Sweden’s Baltic Sea position gives it access to east-west fiber-optic cables carrying Russian and Eastern European communications to Western Europe, making it a significant SIGINT collection point for the Western alliance[26]

SIGINT Seniors Europe (Fourteen Eyes)

Sweden is a member of SIGINT Seniors Europe, commonly known as the Fourteen Eyes, alongside the Five Eyes nations plus Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, and Spain. The alliance was formed in 1982 during the Cold War and expanded to fourteen members after the September 2001 attacks, when its focus shifted to include counterterrorism. As a third-party SIGINT partner, Sweden contributes cable intercept intelligence and receives access to the broader alliance’s collection capabilities in return.[27]

Maximator Alliance

Sweden is also a founding member of Maximator, a secret European SIGINT alliance established at Denmark’s initiative in 1976. The alliance initially comprised Denmark, Sweden, and Germany, with the Netherlands joining in 1978 and France in 1985. Maximator focused on intercepting and decrypting diplomatic communications via HF radio and SHF satellite links. Its existence was not publicly revealed until a 2020 academic paper by Dutch intelligence historian Bart Jacobs, after nearly fifty years of secret operation.[4]

The combined picture reveals that Sweden has been deeply embedded in the Western signals intelligence architecture for over seventy years, all while maintaining a public identity as a neutral, non-aligned nation. These intelligence relationships are relevant to assessments of data transiting Swedish infrastructure.

Data Retention

Sweden’s data retention framework has been shaped by a landmark CJEU case that originated in Sweden itself.

Tele2 Sverige: The CJEU Invalidates Blanket Retention

In Tele2 Sverige AB v. Post- och telestyrelsen (Case C-203/15), decided by the CJEU on December 21, 2016, the Court of Justice ruled that general and indiscriminate retention of all traffic and location data for all subscribers was incompatible with EU law. The case arose when Tele2 Sverige, a major Swedish telecommunications operator, stopped retaining communications data following the CJEU’s earlier Digital Rights Ireland judgment (2014), arguing that Swedish data retention law no longer conformed to EU fundamental rights.[28]

The CJEU agreed with Tele2, holding that Article 15(1) of the ePrivacy Directive, read in light of Articles 7, 8, and 52(1) of the EU Charter, precludes national legislation requiring blanket retention. The Court specified that targeted retention could be permitted for fighting serious crime, but only if limited by the categories of data retained, the means of communication affected, the persons concerned, and the retention period, and only if access was subject to prior judicial review.[28]

Current Retention Regime: LEK 2022:482

The Electronic Communications Act of 2022 contains Sweden’s current data retention provisions. Telecommunications providers are obligated to retain certain categories of traffic and location data for a maximum of one year. Access to retained data does not require a court decision, a point that civil liberties organizations have identified as potentially non-compliant with the CJEU’s requirements for prior judicial authorization.[29]

Proposed Reforms

A Nordic comparative study published in 2024 analyzed proposed reforms to the Swedish data retention regime:[29]

  • Targeted retention: Retention to be limited to data necessary for investigation or prosecution of serious crime
  • Maximum period: One year, consistent with the current regime
  • Oversight: A dedicated committee to provide independent oversight of retention and access
  • Access threshold: Limited to offences punishable by two or more years of imprisonment, ensuring proportionality

Whether these reforms will adequately address the CJEU’s requirements (particularly the need for prior judicial authorization of access) remains an open question. Sweden’s experience illustrates the broader tension across EU member states between law enforcement’s operational reliance on retained communications data and the constitutional limits imposed by EU fundamental rights jurisprudence.

International Data Sharing Agreements

Sweden’s privacy framework includes IMY enforcement (SEK 60.6 million in fines in 2024), Foreign Intelligence Court authorization of FRA cable-tapping, and SIUN oversight. Despite this, Sweden participates in extensive international data sharing frameworks that provide foreign agencies with pathways to access Swedish person data, often through processes that operate outside domestic judicial oversight.

Mutual Legal Assistance Treaty with the United States

Sweden signed a bilateral MLAT with the United States in 2001, with the Ministry of Justice serving as Sweden’s Central Authority for processing requests. The MLAT allows Swedish law enforcement to request data on US persons, and US law enforcement to request data on Swedish persons, through diplomatic channels with average processing times of 10 months.[35]

As an EU member, Sweden also participates in the EU-US MLAT enhancement framework that entered into force in 2010, which either supplemented existing MLATs or created new mutual legal assistance relationships with every EU member state.

Fourteen Eyes (SIGINT Seniors Europe)

As detailed in the Fourteen Eyes section above, Sweden’s membership in the alliance and the FRA-NSA cable-sharing arrangement create significant intelligence data flows.[36]

Sweden’s geographic position (with approximately 80% of Russian internet traffic passing through Swedish cables) makes FRA’s cable-tapping capabilities particularly valuable to Five Eyes partners. Information flows hierarchically within the Fourteen Eyes: Five Eyes members have access to all Fourteen Eyes intelligence, while Sweden, as a third-party partner, has more limited access.

FRA Access to NSA XKeyscore

As noted in the Snowden revelations section above, the FRA has access to the NSA’s XKeyscore system. In practical terms for data sharing, this means communications intercepted from Swedish cables can be searched not only by Swedish analysts but also by NSA analysts with access to the shared database.[25]

The New York Review of Books characterized FRA as among “The Swedish Kings of Cyberwar,” noting FRA’s strategic position on Baltic Sea cables and Sweden’s role in Western SIGINT architecture.[26]

EU Law Enforcement Data Sharing Frameworks

Schengen Information System (SIS II): Sweden participates in the EU’s largest law enforcement database. Swedish police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries.

European Investigation Order (EIO): Sweden participates in the EIO framework, allowing Swedish judges and magistrates to make binding requests to other EU member states for evidence based on mutual recognition.

Prüm Decision: Sweden participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.

EU-US Data Sharing Frameworks

EU-US Umbrella Agreement: Entered into force February 1, 2017, governing personal data exchanged between EU and US law enforcement. Grants Swedish citizens judicial redress rights before US courts.

SWIFT/TFTP Agreement: US Treasury can subpoena SWIFT for financial transaction data, affecting Swedish persons’ international wire transfers, with Europol verification.

PNR Agreements: Sweden participates in the EU-US PNR agreement, enabling transfer of passenger data from Swedish air carriers to US CBP.

Multilateral Frameworks

Interpol I-24/7: Sweden participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.

Egmont Group: The Swedish FIU participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.

Europol: Sweden is a major contributor to Europol data sharing, which includes cooperation agreements with the US FBI (intelligence sharing increased 30% recently).

The Privacy Backdoor Effect

Despite the FRA Law requiring Foreign Intelligence Court authorization for cable-tapping, SIUN oversight, and IMY GDPR enforcement (SEK 60.6M in fines in 2024), international data sharing agreements create alternative pathways for accessing Swedish person data:

  • Fourteen Eyes / FRA-NSA Sharing: FRA provides NSA with cable intercepts (the “unique collection” arrangement described above); NSA can collect on Swedish persons and share with FRA
  • XKeyscore Access: FRA and NSA both query the shared XKeyscore database, allowing NSA analysts to search intercepted Swedish communications
  • 80% Russian Traffic: Sweden’s strategic position means FRA cable-tapping captures Russian communications passing through Sweden, which are then shared with Five Eyes partners
  • EU Framework Sharing: Swedish person data entered into SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states and, through Europol, to the US FBI
  • MLAT Bypass: US authorities can request data via MLAT, potentially with lower evidentiary standards than Swedish judicial warrants
  • SWIFT/PNR Dragnet: All international financial transactions and air travel subject to US access

For Swedish persons, this means data nominally protected by Sweden’s Personal Data Act, the FRA Law’s Foreign Intelligence Court authorization requirements, and IMY enforcement can be accessed through Fourteen Eyes intelligence sharing, XKeyscore queries, EU law enforcement frameworks (SIS II, EIO, Prüm, Europol), MLAT channels, or SWIFT/TFTP financial surveillance. As the Snowden disclosures confirmed, Sweden’s cable-tapping infrastructure is deeply integrated with NSA operations, making these alternative access pathways especially significant.

Recent Developments

IMY’s Meta Pixel Campaign (2024)

The coordinated enforcement actions against Apotek Hjärtat, Apoteket AB, and Avanza Bank in August 2024 represent IMY’s most significant enforcement campaign to date. The combined SEK 60 million in fines across these cases targeted a single underlying problem: Swedish organizations deploying Meta’s tracking pixel on websites handling sensitive data without understanding that the pixel was transmitting personal data, including health information and financial data, to Meta Platforms. The enforcement established that ignorance of third-party tracking technology is not a defense under the GDPR.[7]

Dark Patterns Enforcement (April 2025)

In April 2025, IMY issued formal criticisms against three major companies for using dark patterns in their cookie consent banners. The enforcement actions targeted design choices that manipulated users into accepting tracking cookies, such as making the “accept all” button visually prominent while burying the “reject” option behind multiple clicks. This represents Sweden’s first enforcement specifically addressing deceptive consent design and aligns with similar actions taken by CNIL (France), AEPD (Spain), and other EU authorities.[9]

Proposed Encryption Backdoor Law and Signal’s Threatened Exit (2025)

The Swedish government proposed the “Datalagring och åtkomst till elektronisk information” (Data Storage and Access to Electronic Information) legislation (Ju2024/02286), which would compel messaging services to store and provide law enforcement with access to all user communications, including those protected by end-to-end encryption. The proposed effective date was March 1, 2026. Signal president Meredith Whittaker told Swedish news outlet SVT that the requirement would force providers to break their encryption: “We would rather leave the Swedish market completely.” In April 2025, 237 civil society organizations, companies, and cybersecurity experts, including Mozilla, Proton, Wire, Tuta Mail, and Signal, signed a joint letter to the Riksdag urging rejection of the bill, warning it would “greatly undermine the security and privacy of Swedish citizens, companies, and institutions.” Notably, the Swedish Armed Forces and cybersecurity experts warned the requirement would introduce critical security vulnerabilities, while the Swedish Security Service and National Police supported the measure. Following intense domestic and international pressure, the bill was postponed in May 2025 and is expected to be revised to remove the encryption backdoor requirement.[37][38]

NIS2 Transposition: Cybersecurity Act (2025:1506) in Force (January 2026)

On December 10, 2025, the Riksdag adopted the Cybersecurity Act (Cybersäkerhetslagen, SFS 2025:1506) and the accompanying Cybersecurity Ordinance (2025:1507), transposing the EU NIS2 Directive into Swedish law. The act entered into force on January 15, 2026, replacing the previous NIS Act (2018:1174). It consolidates requirements on security measures, incident reporting, and supervision for both public and private operators across the 18 sectors specified in NIS2 Annexes I and II, including energy, transport, banking, health, digital infrastructure, and public administration. The act applies to entities with at least 50 employees or annual turnover of EUR 10 million or more, and designates sectoral supervisory authorities with enforcement powers including administrative fines.[39]

EU AI Act Implementation: SOU 2025:101 (October 2025)

The Swedish government published SOU 2025:101 (“Anpassningar till AI-förordningen”), proposing a new national law and ordinance to supplement the EU AI Act within Sweden’s legal framework. In a notable departure from what many expected, the proposal designates the Swedish Post and Telecom Authority (PTS), not IMY, as the overall coordinating market surveillance authority and national single contact point under the AI Act. Enforcement is distributed across eleven distinct sector-specific market surveillance authorities, including Finansinspektionen (financial services), Läkemedelsverket (medical devices), and others, each responsible for AI oversight within their domain. The proposal addresses the interface between EU mandates and Swedish administrative procedures, particularly regarding secrecy rules, documentation requirements, and the enforcement powers of market surveillance authorities.[40]

AI Commission Roadmap: EUR 1.5 Billion Investment (November 2024–2025)

In November 2024, the AI Commission, chaired by former Ericsson CEO Carl-Henric Svanberg, presented its Roadmap for Sweden to the government, warning that Sweden risked “irreversible marginalization” in the AI landscape. The report, based on consultations with over 150 organizations, comprises 75 proposals including a recommendation that the state invest an additional EUR 1.5 billion over five years in AI development, innovation, and adoption programs. Priority areas include computing infrastructure, energy, data access, security, research, and the public sector. The Commission recommended the program be overseen by a task force reporting directly to the Prime Minister, and urged adoption of “crisis mode” urgency. The government endorsed the strategic direction in September 2025.[41]

Extended Video Surveillance Powers (April 2025)

On April 1, 2025, significant amendments to the Camera Surveillance Act (Kamerabevakningslag) entered into force, dramatically expanding surveillance capabilities. The most consequential change: public sector actors no longer require a permit from IMY for camera surveillance in public spaces. The permit requirement, previously a key privacy safeguard requiring a balancing of surveillance interests against privacy intrusion, was eliminated for public bodies and actors performing tasks in the public interest. Law enforcement authorities received expanded powers to conduct video surveillance in more locations and in urgent cases. The amendments also introduced a new exemption from the interest-balancing requirement to enable the Swedish Police Authority and Säpo to deploy automatic number plate recognition (ANPR) technology nationwide. Organizations previously subject to permit requirements must still conduct and document a balancing test and maintain a surveillance register, but without IMY acting as a gatekeeper.[42]

Biometrics in Law Enforcement (July 2025)

The Riksdag approved legislation in February 2025 granting law enforcement significantly expanded access to biometric tools, with the amendments entering into force on July 1, 2025. The law permits police to conduct facial recognition comparisons against the Migration Agency’s registers, allowing biometric matching of suspects’ facial images and fingerprints against immigration databases. It also authorizes DNA-based forensic investigative genetic genealogy (FIGG) for investigations of murder and aggravated rape. Sweden was the first country outside North America to use FIGG in solving a crime (2019), but IMY effectively halted its use in 2021 following a mandatory prior consultation process. The new legislation overrides that restriction, establishing explicit statutory authority for the technique.[43]

Proposed AI Real-Time Facial Recognition in Public Spaces (DS 2025:7)

On March 20, 2025, the government published memorandum DS 2025:7, proposing a new law to allow police to deploy AI-powered real-time facial recognition systems in public spaces, including streets, train stations, and public squares. Under the proposal, if a suspected criminal’s image is available, it can be entered into the AI system, enabling surveillance cameras to scan crowds for the individual in real time. Use would be restricted to identifying individuals suspected of crimes carrying sentences of at least four years, such as murder, rape, and serious weapons offenses, and would require authorization from a prosecutor or court. The government’s own investigator acknowledged that such systems could represent a “major intervention into personal privacy, enabling constant monitoring of the public,” and civil liberties critics have raised concerns about mission creep and the chilling effect on freedom of assembly and expression.[44]

Intelligence Reform Confirmed: New Civilian Agency by January 2027

Following the June 2025 review proposing reforms to the intelligence apparatus, the government confirmed plans to establish a civilian foreign intelligence service, a Swedish counterpart to the CIA or MI6, reporting directly to the government and led by a National Intelligence Chief. Special investigator Annika Brändström was appointed to prepare and implement the new agency, which is to be operational by January 1, 2027. The phased transformation includes significant investments in cloud-based infrastructure, open-source intelligence (OSINT), and cross-sector cooperation between the state, academia, and the private sector. The reform is driven in part by Sweden’s 2024 NATO accession and the evolving security environment.[45]

NCSC Reorganized Under FRA (November 2024)

Sweden’s National Cybersecurity Centre (NCSC), originally established in December 2020 as a voluntary collaboration among several authorities, was brought under the control of the FRA (Försvarets radioanstalt), Sweden’s signals intelligence agency, in November 2024. The reorganization followed a government review that found the NCSC had failed to achieve “expected results” as a multi-agency collaboration. The restructuring aligns Sweden with the model used by the United Kingdom (GCHQ), Norway (NSM), and Denmark (Danish Defence Intelligence Service), where national cybersecurity centres operate under signals intelligence agencies. While the other six participating authorities continue to contribute, the NCSC is now a body wholly owned by FRA, with expanded responsibilities including centralized threat monitoring, advisory services, and coordination of national cybersecurity efforts. The move concentrates both offensive signals intelligence and defensive cybersecurity capabilities within a single organization.[46]

Chat Control: Sweden Shifts from Supporter to Undecided (October 2025)

In a significant policy shift ahead of the EU Council’s October 2025 meeting on the proposed Child Sexual Abuse Regulation (CSAR), Sweden moved from being a supporter of the “Chat Control” proposal to an undecided position, alongside Italy and Latvia. The regulation would require messaging services operating in Europe to scan users’ communications, including encrypted messages, for child sexual abuse material (CSAM). Sweden’s shift was notable given the country’s concurrent domestic fight over the encryption backdoor bill, which had generated substantial opposition from the Swedish Armed Forces, cybersecurity community, and international technology companies. The change in position contributed to uncertainty about whether the proposal could secure a qualified majority in the Council.[47]

IMY 2026 Supervisory Priorities

IMY published its supervisory priorities for 2026, identifying three focus areas:[48]

  • AI in the public sector: Monitoring and following up on the use of AI by public authorities, with particular focus on systems involving sensitive personal data and automated decision-making where individuals have limited ability to opt out
  • Children and young people: Stepping up efforts to raise awareness of data protection risks affecting minors, extending work beyond young users to include adults who handle children’s data, including parents, schools, and other institutions
  • Law enforcement tools: Scrutinizing the use of intrusive law enforcement technologies, including covert measures and biometric data processing, to ensure that data protection safeguards and the right to privacy are upheld

Data Retention Proposals: Geographic and National Security (2025–2026)

Building on the existing data retention framework discussed above, the government advanced two new legislative proposals. The first concerns general data retention for national security purposes, proposing undifferentiated retention of communications metadata to protect national security, justified by the threat environment including the war in Ukraine, Sweden’s NATO membership, and the elevated terrorism threat level (four out of five since August 2023). The second proposal introduces geographically targeted data retention for combating serious crime: retention obligations would apply only in specific municipalities where reported crime levels meet or exceed the national average, with PTS determining the qualifying municipalities annually. Both proposals have been controversial, with civil liberties organizations arguing they conflict with the CJEU’s Tele2 Sverige requirements for targeted rather than blanket retention, and the encryption backdoor component drawing the opposition described above.[49]

Post-ECtHR Legislative Reform

Following the Grand Chamber’s 2021 ruling in Centrum för Rättvisa v. Sweden, the Swedish government initiated a review of the signals intelligence framework to address the three deficiencies identified by the court. Reforms are expected to strengthen rules on the destruction of intercepted material, impose privacy safeguards on the transmission of intelligence to foreign partners, and establish an effective after-the-fact review mechanism. As of early 2026, the reform process is ongoing, and the FRA continues to operate under the existing legal framework pending legislative changes.[1]

Sweden’s Position in 2026

Sweden enters 2026 in a state of acute internal contradiction. On one hand, IMY has reached a new level of enforcement maturity (SEK 60 million in Meta Pixel fines, dark patterns enforcement, expanded 2026 priorities covering AI, children, and law enforcement tools), and the postponement of the encryption backdoor bill following the 237-organization joint letter represents a significant civil society victory. On the other hand, the trajectory of surveillance and biometric legislation is unmistakable: the elimination of camera surveillance permits, nationwide ANPR deployment, facial recognition against migration databases, DNA genealogy in criminal investigations, a proposal for real-time AI facial recognition in public spaces, geographically targeted data retention, and the consolidation of the NCSC under FRA. The establishment of a new civilian intelligence agency by 2027 will add another layer to an already dense intelligence architecture. The fundamental tension at the heart of Swedish privacy (between a nation that prides itself on transparency and individual rights, and a security state that maintained secret SIGINT alliances for seven decades while claiming neutrality) is not merely unresolved; the expansion of biometric and AI-powered surveillance capabilities is actively deepening it.

Sources

[1] HUDOC: Centrum för rättvisa v. Sweden, Application No. 35252/08 (Grand Chamber, 25 May 2021) – Grand Chamber judgment finding Sweden’s bulk interception regime violates Article 8 ECHR due to deficiencies in safeguards for foreign sharing, data destruction, and ex post facto review
[2] The Local: Secret Cold War Treaty Confirms Sweden Was Never Neutral (December 2013) – 1954 secret SIGINT-sharing treaty with Five Eyes nations, wound up in 2004 and replaced by bilateral agreements
[3] Sveriges Radio: NSA “Asking For” Specific Exchanges from FRA (December 2013) – Snowden documents revealing FRA provided NSA cable access in 2011, yielding “unique collection on high-priority Russian targets”
[4] Bart Jacobs, “Maximator: European signals intelligence cooperation, from a Dutch perspective” (Intelligence and National Security, 2020) – First public disclosure of the Maximator SIGINT alliance, co-founded by Denmark and Sweden in 1976
[5] IMY: About Us – Official overview of Sweden’s data protection authority, renamed from Datainspektionen in January 2021
[6] CMS: GDPR Enforcement Tracker Report – Sweden – 2024 enforcement statistics: 326 supervisory matters closed, SEK 60.6 million in fines across six cases
[7] IMY: Administrative Fines Against Apoteket and Apohem for Transferring Personal Data to Meta – SEK 37 million and SEK 8 million fines for Meta Pixel deployment on pharmacy websites
[8] EDPB: Swedish SA Administrative Fines – Avanza Bank fined SEK 15 million for tracking pixel transmitting customer securities holdings to Meta
[9] Cookie Information: Swedish DPA IMY Dark Patterns Enforcement (April 2025) – First Swedish enforcement actions specifically targeting deceptive cookie consent banner design
[10] Chambers and Partners: Data Protection & Privacy 2025 – Sweden – IMY 2025 priorities: healthcare digitalization, camera surveillance, and children’s data protection
[12] DLA Piper: Data Protection Laws of the World – Sweden – Camera Surveillance Act (2018:1200), administrative fines against public authorities, and sector-specific legislation
[13] CMS Expert Guide: Data Protection and Cyber Security Laws – Sweden – overview of the Electronic Communications Act (LEK 2022:482) data retention and surveillance obligations
[14] Wikipedia: FRA Law – Comprehensive overview of the 2008 Signals Intelligence Act, cable-tapping provisions, public controversy, and 2009 amendments
[15] The Local: Sweden’s New Wiretapping Law “Much Worse Than the Stasi” (June 2008) – Public opposition characterizing the FRA Law as exceeding East German surveillance
[16] Centrum för rättvisa: European Court of Human Rights – Sweden’s Mass Surveillance Violates Right to Privacy – Official statement from the applicant organization on the Grand Chamber ruling
[17] Verfassungsblog: Big Brother’s Little, More Dangerous Brother – Centrum för Rättvisa v. Sweden – Legal analysis of the Grand Chamber judgment and its implications for European bulk surveillance regimes
[18] Wikipedia: Swedish Security Service (Säpo) – History, mandate, separation from the National Police Board in 2015, and constitutional autonomy under the 1974 Instrument of Government
[19] Grey Dynamics: Säpo – The Swedish Security Service – Organizational structure, intelligence-gathering methods, and 114% budget increase since 2015
[20] Riksrevisionen: Swedish Security Service’s Activities (January 2025) – National Audit Office report identifying weaknesses in Säpo’s internal management, supervision, and background investigation procedures
[21] Wikipedia: Swedish Military Intelligence and Security Service (MUST) – Foreign military intelligence mandate and legal prohibition on domestic intelligence gathering
[22] Library of Congress: Foreign Intelligence Gathering Laws – Sweden – Foreign Intelligence Court structure, warrant requirements, six-month permit duration, and privacy protection representative role
[23] SIUN: Statens inspektion för försvarsunderrättelseverksamheten – Official site of the Foreign Intelligence Inspectorate, describing the Board and Delegation for Control on Request
[24] Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden) – Oversight of law enforcement use of secret surveillance measures and personal data processing by Police and Säpo
[25] Infosecurity Magazine: Sweden’s Intelligence Agency Has Access to NSA’s XKeyscore System – FRA access to the NSA’s search and analysis tool for intercepted communications
[26] New York Review of Books: The Swedish Kings of Cyberwar (January 2017) – FRA’s strategic position on Baltic Sea cables and Sweden’s role in Western SIGINT architecture
[27] The Intercept: The Powerful Global Spy Alliance You Never Knew Existed (March 2018) – SIGINT Seniors Europe (Fourteen Eyes) structure, 1982 founding, post-9/11 expansion to fourteen members
[28] CCDCOE: CJEU Declares General Data Retention Unlawful in Tele2 Sverige – Analysis of the joined cases C-203/15 and C-698/15 ruling that blanket data retention is incompatible with EU fundamental rights
[29] Nordic Council of Ministers: Data Retention Law in the Nordic Countries – Sweden (2024) – Comparative analysis of current retention regime, maximum one-year period, and proposed reforms including judicial oversight and access thresholds
[30] Library of Congress: European Court of Justice/Sweden – Invalidation of Data Retention Obligations – Impact of the Tele2 Sverige ruling on Swedish data retention law
[31] about:intel: FRAgile Liberty – Why We Brought Sweden Before the Strasbourg Court – Centrum för rättvisa’s account of the thirteen-year legal challenge to the FRA Law
[32] European Digital Rights (EDRi): Wiretapping – The Swedish Way – Civil society analysis of the FRA Law’s implications for privacy and telecommunications confidentiality
[33] The Local: Sweden “Handed Over” Data on Russians to NSA (September 2013) – Snowden-based reporting on FRA’s provision of Russian communications intercepts to the NSA
[34] Safe and Free: National Security Surveillance in Sweden (2023, PDF) – Comprehensive academic analysis of Sweden’s surveillance legal framework, oversight mechanisms, and post-ECtHR reform prospects
[35] US Department of State: Sweden Country Report on International Narcotics Control Strategy – Sweden-US MLAT signed 2001, with Ministry of Justice serving as Central Authority
[36] The Intercept: The Powerful Global Spy Alliance You Never Knew Existed (March 2018) – SIGINT Seniors Europe (Fourteen Eyes) structure, Sweden’s membership alongside Five Eyes and other European SIGINT partners
[37] The Register: Signal Shuns Sweden Over Proposed Encryption-Busting Laws (February 2025) – Signal president Meredith Whittaker threatens to leave Sweden rather than implement encryption backdoor required by proposed data storage legislation
[38] Global Encryption Coalition: Joint Letter on Swedish Data Storage and Access to Electronic Information Legislation (April 2025) – 237 organizations urge the Riksdag to reject the encryption backdoor bill (Ju2024/02286), including Mozilla, Proton, Wire, Tuta Mail, and Signal
[39] CMS: NIS2 to be Implemented into Swedish Law by the New Cybersecurity Act (December 2025) – Cybersecurity Act (2025:1506) adopted December 10, 2025, entering into force January 15, 2026, transposing NIS2 into Swedish law
[40] Setterwalls: A Brief Update on Sweden’s Adaptations to the AI Act – SOU 2025:101 – PTS designated as primary coordinating authority, eleven sector-specific market surveillance authorities for AI Act enforcement
[41] Computer Weekly: Swedish Commission Delivers Roadmap to Drive Artificial Intelligence Reforms (November 2024) – AI Commission chaired by Carl-Henric Svanberg proposes EUR 1.5 billion state investment over five years across 75 measures
[42] Snellman: New Swedish Camera Surveillance Rules Take Effect on 1 April 2025 – Removal of permit requirements for public sector camera surveillance, expanded police powers, and nationwide ANPR authorization
[43] Riksdagen: Greater Opportunities to Use Biometrics in Law Enforcement (February 2025) – Facial recognition against Migration Agency registers and DNA genealogy for murder and aggravated rape investigations, effective July 1, 2025
[44] Sweden Herald: Sweden Proposes AI Cameras for Real-Time Criminal Detection (March 2025) – DS 2025:7 proposing AI-powered real-time facial recognition in public spaces for law enforcement, restricted to crimes carrying four-year minimum sentences
[45] Sweden Herald: New Civilian Foreign Intelligence Agency Planned for 2027 – Special investigator Annika Brändström appointed to establish civilian foreign intelligence service operational by January 1, 2027
[46] The Record: Swedish Signals Intelligence Agency to Take Over National Cybersecurity Center (2024) – NCSC reorganized as a body wholly owned by FRA after failing to achieve expected results as multi-agency collaboration
[47] TechRadar: Chat Control – Germany, Belgium, Italy, and Sweden Shift Their Positions (October 2025) – Sweden moves from supporter to undecided on EU Child Sexual Abuse Regulation ahead of Council meeting
[48] Snellman: Swedish DPA Priorities for 2026 – IMY 2026 supervisory focus on AI in the public sector, children and young people’s data, and intrusive law enforcement tools
[49] Nordic Council of Ministers: Data Retention Law in the Nordic Countries – Sweden (2024) – Geographic data retention for municipalities exceeding national crime rates, and general retention for national security purposes