Sweden

Overview

EU Member State: Sweden is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Sweden’s role in international data sharing.

Sweden operates one of Europe’s most extensive bulk cable interception programmes, granting its signals intelligence agency (FRA) direct access to fibre-optic cables crossing its borders. The European Court of Human Rights ruled in Centrum för Rättvisa v. Sweden (2021) that this regime violated Article 8 of the ECHR.^[1]

Despite two centuries of official political neutrality, Sweden maintained a secret SIGINT-sharing treaty with the Five Eyes nations from 1954, and the Snowden disclosures confirmed that Sweden provided the NSA with cable access yielding “unique collection on high-priority Russian targets.” The NSA classified the relationship as top-secret “because of the country’s political neutrality.”^[2][3] Sweden is a member of the Fourteen Eyes (SIGINT Seniors Europe), a founding member of the secret Maximator SIGINT partnership (1976), and is now establishing a new civilian foreign intelligence agency by January 2027.^[4]

Privacy Framework

The Integritetsskyddsmyndigheten (IMY) is Sweden’s data protection authority, renamed from Datainspektionen in January 2021. In 2024, IMY closed 326 supervisory matters and imposed fines totalling SEK 60.6 million (~EUR 5.5M), including SEK 37M against Apotek Hjärtat and SEK 15M against Avanza Bank for Meta Pixel transmitting health and financial data to Meta Platforms.^[5][6]

The Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218) supplements the GDPR with national provisions: age of digital consent set at 13, public authorities subject to fines (capped at SEK 5M for government agencies), and specific rules on sensitive data processing. The Electronic Communications Act (LEK, SFS 2022:482) implements the ePrivacy Directive and contains data retention provisions. The Camera Surveillance Act regulates surveillance camera deployment.^[7][8]

Surveillance and Intelligence

FRA (Försvarets radioanstalt) – National Defence Radio Establishment

Sweden’s signals intelligence agency, responsible for collecting foreign intelligence through interception of electronic communications.^[9]

The FRA Law (2008): Cable-Tapping Sweden’s Borders

The Signals Intelligence Act (SFS 2008:717) extended FRA’s interception authority from radio signals to cable-bound communications, granting access to all fibre-optic traffic crossing Swedish borders. Providers must transfer cable communications to designated “interaction points” for FRA access. Though framed as cross-border only, internet routing means significant domestic Swedish traffic crosses borders and returns, rendering the distinction largely meaningless. The bill passed by a single vote (143-138) after critics called it “much worse than the Stasi.”^[9][10]

2009 Amendments added safeguards: all cable interception requires prior authorisation from a Foreign Intelligence Court, a privacy protection representative advocates for affected individuals, the Foreign Intelligence Inspectorate (SIUN) provides independent oversight, permits are limited to six months, and irrelevant material must be destroyed.^[9]

Centrum för Rättvisa v. Sweden: The ECtHR Strikes Down the Regime

On May 25, 2021, the Grand Chamber ruled Sweden’s bulk interception regime violated Article 8 ECHR, finding three specific deficiencies: absence of clear rules on destroying non-content intercepted data, absence of privacy safeguards when transmitting intelligence to foreign partners (a direct rebuke of FRA-NSA sharing), and absence of effective after-the-fact review. The Court did not hold bulk interception per se incompatible with the Convention. As of early 2026, reforms to address these deficiencies remain in progress.^[1][11]

Säpo (Säkerhetspolisen) – Swedish Security Service

Domestic security and civilian counterintelligence, separated from the National Police as an independent agency on January 1, 2015. Responsible for counterterrorism, counterespionage, and dignitary protection. Budget increased 114% between 2015 and 2024. A January 2025 National Audit Office report identified weaknesses in internal management and background investigation procedures.^[12][13]

MUST – Military Intelligence and Security Service

Foreign military intelligence and counterintelligence within the Swedish Armed Forces. Legally prohibited from gathering intelligence on domestic affairs except for threats directly against the armed forces.^[14]

Oversight

The Foreign Intelligence Court issues warrants for FRA cable interception (six-month permits with privacy representative participation). SIUN (Foreign Intelligence Inspectorate) oversees FRA, MUST, and FOI, with power to stop collection and order data deletion. The Commission on Security and Integrity Protection supervises law enforcement surveillance and Säpo data processing. Critics note the Foreign Intelligence Court operates in total secrecy with no published statistics.^[15][16][17]

Data Retention

In Tele2 Sverige AB v. Post- och telestyrelsen (C-203/15, December 2016), the CJEU ruled that general and indiscriminate retention of all traffic and location data is incompatible with EU law — a landmark case that originated in Sweden when Tele2 stopped retaining data after Digital Rights Ireland. The Court held that targeted retention is permitted for serious crime, but only if limited by data categories, persons, and retention period, with prior judicial review.^[18]

The current LEK (2022:482) requires retention of certain traffic and location data for up to one year. Access does not require a court decision, a point civil liberties organisations have flagged as non-compliant with CJEU requirements. New proposals include general retention for national security (justified by the Ukraine threat environment and NATO membership) and geographically targeted retention for municipalities exceeding national crime rates.^[19]

International Data Sharing Agreements

Mutual Legal Assistance: Layered Framework

EU Member States (26 countries): The EU Convention on Mutual Assistance in Criminal Matters (2000) and the Schengen Convention provide the primary MLA framework. The European Investigation Order (EIO) enables binding cross-border evidence requests. Direct communication between judicial authorities is the default for EU-convention requests.^[20]

Council of Europe (50 signatory states): Sweden has acceded to the European Convention on Mutual Assistance in Criminal Matters (1959) and its 1978 Additional Protocol, providing MLA coverage across all Council of Europe members.

Bilateral MLATs: Sweden maintains bilateral mutual legal assistance treaties with the United States (signed December 17, 2001), Hungary (1986), Poland (1990), France, and the United Kingdom (asset confiscation). The bilateral treaties with EU states are seldom applied since the EU MLA Convention and Council of Europe Convention provide more comprehensive frameworks. The Ministry of Justice serves as Sweden’s Central Authority for MLA requests.^[21][22]

Fourteen Eyes, Maximator, and Sweden’s Intelligence Alliance History

The 1954 Secret Treaty: A classified SIGINT-sharing treaty placed the FRA within the UKUSA “third party” framework, binding FRA to share signals intelligence with the NSA and GCHQ while Sweden maintained its public neutrality. The treaty was wound up in 2004 and replaced by bilateral agreements drawing FRA even closer to the NSA.^[2]

Snowden Revelations (2013): FRA provided the NSA with cable access yielding “unique collection on high-priority Russian targets such as leadership, internal politics, and energy.” The NSA granted FRA access to XKeyscore, its global search and analysis system. Sweden’s strategic position — approximately 80% of Russian internet traffic passes through Swedish cables — makes FRA’s cable-tapping capabilities particularly valuable to Five Eyes partners.^[3][23]

SIGINT Seniors Europe (Fourteen Eyes): Sweden is a formal member alongside the Five Eyes nations plus Belgium, Denmark, France, Germany, Italy, the Netherlands, Norway, and Spain. Formed 1982, expanded post-9/11.^[24]

Maximator Alliance: Sweden is a founding member of Maximator (1976), a secret European SIGINT partnership co-founded with Denmark, focused on intercepting and decrypting diplomatic communications. Germany joined at founding, Netherlands in 1978, France in 1985. Publicly revealed in 2020 after nearly fifty years of secret operation.^[4]

EU Law Enforcement Data Sharing

SIS II: Swedish police query and contribute to the EU’s largest law enforcement database in real time. Prüm: Automated DNA, fingerprint, and vehicle registration data exchange; Prüm II (2024) adds facial images and police records.

EU-US Data Sharing

EU-US Umbrella Agreement: Entered into force February 2017, granting Swedish citizens judicial redress before US courts. SWIFT/TFTP: International wire transfers subject to US Treasury subpoena. PNR: Passenger data transferred to US CBP.

Multilateral Frameworks

Interpol I-24/7: Sweden participates in the global police network (195 countries). Egmont Group: Swedish FIU shares financial intelligence across 164+ FIUs. Europol: Major contributor, including FBI cooperation channel.

The Privacy Backdoor Effect

Despite the Foreign Intelligence Court, SIUN oversight, and IMY GDPR enforcement, international agreements create alternative access pathways:

• FRA-NSA Sharing: FRA provides NSA with cable intercepts; NSA queries shared XKeyscore database for Swedish communications
• 80% Russian Traffic: FRA cable-tapping captures Russian traffic passing through Sweden, shared with Five Eyes partners
• ECtHR-Identified Gap: Grand Chamber found no privacy safeguards when transmitting intelligence to foreign partners
• EU Framework Sharing: Swedish person data in SIS II, Prüm, or EIO channels accessible to 27 EU states and through Europol to US FBI
• MLAT/CoE Convention: US and 50+ states can request data through MLA channels
• SWIFT/PNR: Financial transactions and air travel data subject to US access

Recent Developments

Encryption Backdoor Bill Postponed (2025)

The proposed “Data Storage and Access to Electronic Information” legislation would have compelled messaging services to store and provide law enforcement with access to all communications, including end-to-end encrypted content. Signal president Meredith Whittaker stated Signal would “rather leave the Swedish market completely.” 237 organisations (Mozilla, Proton, Wire, Tuta Mail, Signal) signed a joint letter urging rejection. The Swedish Armed Forces warned the requirement would introduce critical security vulnerabilities. The bill was postponed in May 2025 and is expected to be revised to remove the encryption backdoor requirement.^[25][26]

Surveillance Expansion (2025)

Camera surveillance (April 2025): Public sector actors no longer require IMY permits for camera surveillance in public spaces. Law enforcement received expanded powers and nationwide automatic number plate recognition (ANPR) authorisation.^[27]

Biometrics in law enforcement (July 2025): Police granted facial recognition against Migration Agency registers and authorisation for DNA forensic investigative genetic genealogy (FIGG) for murder and aggravated rape investigations.^[28]

AI real-time facial recognition proposal (DS 2025:7, March 2025): Proposed law allowing police to deploy AI-powered real-time facial recognition in public spaces for crimes carrying four-year minimum sentences. The government’s own investigator acknowledged the systems could enable “constant monitoring of the public.”^[29]

New Civilian Intelligence Agency by January 2027

Following Sweden’s 2024 NATO accession, the government confirmed plans for a civilian foreign intelligence service (a Swedish counterpart to CIA/MI6), led by a National Intelligence Chief, with investments in cloud infrastructure, OSINT, and cross-sector cooperation. Special investigator Annika Brändström appointed to prepare the agency, operational by January 1, 2027.^[30]

NCSC Reorganised Under FRA (November 2024)

The National Cybersecurity Centre was brought under FRA control after failing to achieve expected results as a multi-agency collaboration, concentrating offensive SIGINT and defensive cybersecurity within a single organisation.^[31]

Chat Control: Sweden Shifts to Undecided (October 2025)

Sweden moved from supporting to undecided on the EU’s proposed CSA Regulation (“Chat Control”), a shift influenced by the concurrent domestic encryption backdoor controversy and opposition from the Swedish Armed Forces and cybersecurity community.^[32]

Post-ECtHR Reform Still Pending

Reforms to address the Grand Chamber’s three identified deficiencies (data destruction, foreign sharing safeguards, after-the-fact review) remain ongoing. FRA continues operating under the existing framework.^[1]

Sources