Privacy & Information Security Law Blog

On May 30, 2013, the European Court of Justice held that Sweden failed to fulfill its obligations under EU law when it delayed complying with the Court’s 2010 ruling regarding the country’s implementation of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”). The Court ordered Sweden to pay a lump sum of €3,000,000.

The Data Retention Directive requires EU Member States to ensure that telecommunications service providers retain certain types of data (identifying information and other details about phone calls and emails, excluding the substantive content of those communications) for purposes of investigating, detecting and prosecuting serious crimes as defined by national law. The data must be retained for a minimum of six months and a maximum of two years. The requirement should have been transposed into Sweden’s national law by September 15, 2007.

In its initial judgment in 2010, the Court found that Sweden failed to transpose the Directive into its national law by the deadline. When Sweden still did not transpose the Data Protection Directive despite the judgment, the European Commission asked the Court to order Sweden to pay a fixed daily amount for each day the country failed to comply. Sweden finally adopted the requisite measures in 2012, two years after the Court’s initial ruling. The Court ordered Sweden to pay a €3,000,000 penalty, finding that internal difficulties, including extensive political debate and difficulties balancing the protection of privacy against the need to combat crime effectively, cannot justify a member state’s failure to comply with obligations under EU law.