Have there been recent prosecutions or legal precedents in Sweden involving VPN providers or data-retention compliance?

1. A judicial precedent that bolstered “no‑logs” claims — OVPN’s court win

In 2020 the Patent and Market Court in Stockholm ruled that the Swedish VPN provider OVPN was not legally required to retain data about its users and therefore could not be compelled to hand over logs in a case connected to a Pirate Bay investigation, a decision widely cited as reinforcing Sweden’s attractiveness as a VPN jurisdiction ^[1]. The ruling explicitly found that VPN services are not treated as ISPs under Swedish law for the purpose of retention obligations, and the court concluded OVPN could not comply because of the way its service is operated ^[1].

2. Police action that exposed limits of enforcement — the Mullvad search warrant

In April 2023 Swedish police issued a search warrant for Mullvad’s Gothenburg office but left without seizing customer data after the company and prosecutors concluded the service did not retain the sought information, a sequence reported by multiple outlets and by Mullvad itself as evidence that no‑logs models can thwart certain investigative attempts ^{[2] [3] [7]}. Reporting framed the event less as a conviction and more as a practical test of how enforcement plays out when providers claim not to store traffic‑related data ^{[2] [3]}.

3. Regulatory and legislative developments that could change the terrain

Although historical practice in Sweden did not apply the EU Data Retention Directive to VPN providers, Swedish lawmakers and expert bodies have been preparing new proposals concerning retention for serious crime and national security, and Sweden has been implementing NIS2 and other cyber rules that broaden regulatory attention to digital service providers and essential infrastructure ^{[8] [4] [5]}. Legal commentators and government reports show active policymaking in 2024–25 — including proposals for targeted retention orders and a forthcoming Swedish Cybersecurity Act implementing NIS2 — which could create new compliance obligations or enforcement mechanisms ^{[4] [6] [5]}.

4. Enforcement posture: regulators are more active, but direct VPN prosecutions are absent in recent reporting

Swedish authorities — from the IMY data protection authority to PTS — have increased resources and signalled enforcement priorities across data protection and cybersecurity, and the DPA has the power to impose significant fines under GDPR frameworks; nevertheless, the documented outcomes available in the reporting show regulatory activity focused on typical GDPR and cybersecurity targets rather than public prosecutions of VPN firms for log retention, and no recent criminal convictions of VPN providers for failing to retain logs appear in the sources provided ^{[9] [6] [1]}. Reported incidents instead involve court clarification (OVPN) and operational attempts by police (Mullvad) rather than completed prosecutions.

5. Interpretations, incentives and reporting agendas to watch

VPN companies frame Sweden’s legal environment as protective for privacy and often cite court wins and the Mullvad episode to argue against moving data or adopting logs, but that narrative carries commercial incentive because jurisdictional marketing benefits providers; conversely, prosecutors and security advocates emphasise new retention proposals and NIS2 implementation as steps to give authorities more tools to combat serious crime and protect infrastructure ^{[7] [4] [5]}. The available reporting documents precedent and enforcement attempts but does not show a recent, conclusive shift to routine prosecutions of VPN providers for non‑compliance with retention rules; legislative proposals in 2024–25, however, make the future uncertain ^{[1] [2] [4]}.