What logs or metadata can Swedish authorities legally compel a VPN like Mullvad to produce?
Executive summary
Swedish law does not impose a blanket requirement for VPN providers like Mullvad to log users’ traffic or connection metadata, and Mullvad publicly maintains a strict no-logging policy that it says left police with nothing to seize during a 2023 search attempt [1] [2] [3]. That said, certain non-traffic records required by other laws (accounting and payment records) and technical routes of lawful interception directed at users’ devices remain possible avenues for authorities to obtain identifying data [4] [5].
1. Legal baseline: Sweden doesn’t force VPNs to keep traffic logs
The Electronic Communications Act (LEK) and related Swedish rules implement EU communications law but, according to Mullvad’s analysis of the legislation and legislative history, VPN operators are not classified as services with LEK reporting obligations and therefore are not subject to mandatory traffic or activity logging under that framework [6] [5]. Mullvad and independent reporting state plainly that “Swedish law doesn’t require VPN services to log either their customers or their traffic,” which frames the domestic legal baseline for what authorities can compel from a provider [1] [5].
2. Mullvad’s operational position: no logs, so nothing to hand over
Mullvad asserts it does not collect connection timestamps, browsing activity or subscriber-identifying logs as a matter of policy and business design, and it reported that a 2023 search of its Gothenburg office produced no customer data for police to seize [2] [3]. Multiple outlets and Mullvad’s own public policies repeat the company’s claim that, even if servers were seized, they would not contain usable customer activity logs because Mullvad does not retain them [7] [8].
3. Payment and accounting records are a distinct, limited exception
Mullvad’s privacy policy notes that some personal data tied to payments (bank wires, PayPal, Stripe, Swish, etc.) and accounting obligations must be processed or retained in line with the Swedish Accounting Act and other laws, with certain records kept for statutory periods such as seven years where applicable [4]. Thus, while traffic logs may not exist, payment-related metadata and bookkeeping entries can be—and by law are—retained and therefore potentially producible in an investigation [4].
4. Covert surveillance and device-focused measures remain a route to data
The Swedish Covert Surveillance of Data Act gives law enforcement the power, with court authorisation, to covertly install technical measures on suspects’ devices to capture communications or read screens before encryption, meaning authorities can target endpoints rather than the VPN operator to obtain content or pre-encryption metadata [6] [5]. Mullvad emphasizes that the law does not create a duty for VPNs to cooperate under LEK, but acknowledges the practical risk that agencies can exploit vulnerabilities or use covert measures against users themselves [5] [6].
5. International cooperation and real-world limits
Mullvad highlights that other countries must go through Swedish legal channels to request information from a Sweden-based provider, and it frames Sweden as a jurisdiction where a no-logs stance is legally tenable [1] [9]. Critics and reporting note Sweden’s membership in intelligence-sharing alliances like the so-called “14 Eyes,” which raises theoretical concerns about cross-border requests, but Mullvad and reviewers stress that legal process under Swedish law remains the relevant vector and that no-logs practices limit what can actually be shared [10] [11].
6. Practical takeaway and reporting limits
In practice, Swedish authorities can lawfully compel Mullvad to produce business records that exist—primarily payment and accounting-related information retained under accounting law—but cannot force the company to hand over traffic or connection logs that Mullvad says it does not collect; authorities can, however, lawfully deploy covert measures or target user devices to obtain pre-VPN or plaintext data if authorised by a court [4] [2] [5]. This account relies on Mullvad’s public statements, its published legal summaries, and contemporaneous reporting; if records beyond what Mullvad describes exist, those are not covered by the sources provided and cannot be asserted here [2] [3].