As large ISPs become more closely aligned with the entertainment industries, the days of providers strongly standing up to blocking and disclosure requests appear to be on the decline. For Swedish ISP Bahnhof, however, customer privacy has become a business model.
In recent years the company has been a major opponent of data retention requirement, launched a free VPN to protect its users’ privacy, and put on a determined front against the threat of copyright trolls.
Back in May 2016, Bahnhof reiterated its stance that it doesn’t hand over the personal details of alleged pirates to anyone, not even the police. This, despite the fact that the greatest number of disclosure requests from the authorities relate to copyright infringement.
Bahnhof insisted that European privacy regulations mean that it only has to hand over information to the police if the complaint relates to a serious crime. But that went against a recommendation from the Swedish Post and Telecom Authority (PTS).
Now, however, the battle to protect customer privacy has received a significant setback after the Administrative Court in Stockholm found that Swedish provisions on disclosure of subscription data to law enforcement agencies do not contravene EU law.
“PTS asked Bahnhof to provide information on subscribers to law enforcement agencies. Bahnhof appealed against the order, claiming that the Swedish rules on disclosure of subscription information are incompatible with EU law,” the Court said in a statement.
“In support of its view, Bahnhof referred to two rulings of the European Court of Justice. The Administrative Court has held that it is not possible to state that the Swedish rules on law enforcement agencies’ access to subscription data are incompatible with EU law.”
The Court also looked at whether Swedish rules on disclosure of subscriber data meet the requirement of proportionality under EU law. In common with many other copyright-related cases, the Court found that law enforcement’s need to access subscriber data was more important than the individual’s right to privacy.
“In light of this, the Administrative Court has made the assessment that PTS’s decision to impose on Bahnhof a requirement to provide information about subscribers to law enforcement authorities is correct,” the Court adds.
PTS will now be able to instruct Bahnhof to disclose subscriber information in accordance with the provisions of the Electronic Communications Act and the ISP will be required to comply.
But as far as Bahnhof is concerned, the show isn’t over yet.
“We believe the sentence is incorrect, but it is also difficult to take PTS seriously when they can not even interpret the laws behind the decision in a consistent manner. We are of course going to appeal,” the company said in a statement.
To illustrate its point, Bahnhof says that PTS has changed its opinion on the importance of IP addresses in a matter of months. In October 2017, PTS lawyer Staffan Lindmark said he believed that IP addresses are to be regarded as privacy-sensitive data. In January 2018, however, PTS is said to have spoken of the same data in more trivial terms.
“That a supervisory authority pivots so much in its opinions is remarkable,” says Jon Karlung, President of the Bahnhof.
“Bahnhof is not in any way against law enforcement agencies, but we believe that sensitive data should only be released after judicial review and suspected crime.”
Bahnhof says it will save as little data on its customers as it can and IP addresses will be deleted within 24 hours, a practice that has been in place for some time.
In 2016, 27.5% of all disclosure requests sent to Bahnhof were related to online file-sharing, more than any other crime including grooming minors, harassment, sex crimes, forgery, and fraud.