How do Swedish data-retention laws affect Mullvad users in 2025?
Executive summary
Sweden amended the temporary Covert Surveillance of Data Act (2020:62) so that, as Mullvad reports, its covert surveillance powers, which can access data on devices, could apply indefinitely from 1 April 2025; separately, Sweden has proposals in 2025 to introduce targeted data‑retention statutes for national security and serious crime (Mullvad guidance; Nordic report) [1] [2] [3]. Mullvad’s public position is that Sweden does not require VPNs to log customer traffic and that Swedish rules cannot force Mullvad to secretly collect traffic-related data; Mullvad points to its no‑logs design and to past police searches that found no data to seize (Mullvad pages; blog; Wikipedia) [4] [5] [6].
1. What changed in Swedish law and why it matters
A temporary act enabling covert installation of hardware or software on suspects’ devices — the Covert Surveillance of Data Act — was enacted in 2020; Mullvad’s help pages note it will apply indefinitely as of 1 April 2025, meaning law enforcement can seek court authorisation to reach data before it’s encrypted by a VPN on a targeted device [1] [2]. Separately, reporting on a 2025 legislative agenda shows government proposals to introduce retention and access rules for electronic communication data for national security and fighting serious crime, with strict necessity tests described in the expert report [3].
2. What Mullvad says and how its design interacts with the law
Mullvad repeatedly states Swedish law does not require VPN providers to log users’ traffic and “none of the Swedish regulations can force VPN providers to secretly collect traffic-related data,” and it emphasizes operational choices (no servers/staff in some jurisdictions, anonymous account numbers) to minimise harvestable material [7] [4]. Mullvad’s public blog documents a 2023 police search in which officers with a warrant found no customer data to seize — a practical demonstration the company points to when explaining how its no‑logs design limits what authorities can obtain [5] [6].
3. Limits of Mullvad’s protections under the new surveillance powers
Mullvad warns that the covert‑surveillance law lets courts authorise the installation of software or hardware targeting specific suspects or devices they may contact, which “implies that law enforcement agencies may access a suspect user's information before it is encrypted by VPN‑services such as Mullvad VPN”; this is an explicit caveat from Mullvad’s legal guidance [1]. In short: Mullvad’s servers may hold minimal or no traffic logs, but the Swedish statute targets endpoints (user devices) and can capture data prior to VPN encryption when narrowly authorised by the courts [1] [2].
4. Emerging data‑retention proposals and where uncertainty lies
A Nordic policy review documents a 2025 Proposal of an Act concerning retention and access to electronic‑communication data for national security and for combating serious crime; it frames retention orders as subject to “strict necessity” and geographic targeting, but it signals lawmakers are considering formal retention powers that could change the legal landscape for communications metadata [3]. Available sources do not mention the final text, scope, technical retention periods, or to what extent VPNs versus ISPs would be covered in those 2025 proposals [3].
5. Competing perspectives in the coverage
Independent reviewers and outlets cited here generally echo Mullvad’s central claim that Swedish law does not mandate VPN logging and that Mullvad’s no‑logs posture is legally plausible and operationally demonstrated by the 2023 search [8] [9] [5] [6]. Mullvad itself stresses it cannot be compelled to secretly start logging [7]. The Nordic review and Mullvad’s own help pages introduce the counterpoint: statutes now empower covert endpoint access and proposed retention laws could introduce new obligations — creating a gap between Mullvad’s operational privacy assurances and legal tools that can access pre‑encryption data or compel retention in some contexts [1] [2] [3].
6. Practical takeaways for Mullvad users in 2025
- If you rely on Mullvad to prevent server‑side logging and third‑party access to historical traffic, Mullvad’s no‑logs design and prior police search support that protection in practice [5] [6].
- If you are a targeted suspect in a Swedish court process, authorities may seek authorisation to covertly access data on devices before VPN encryption — a threat that no server‑side no‑logs policy can eliminate [1] [2].
- Proposed 2025 retention laws indicate potential future regimes for metadata retention and access (primarily discussed in expert reports), but available sources do not set out concrete operational rules or which providers would be covered [3].
7. Transparency, incentives and hidden agendas
Mullvad’s messaging emphasises privacy credentials and operational transparency (no logs, audits, public statements about searches) to build trust and to frame Sweden as a favourable jurisdiction [4] [7]. The Nordic report reflects government priorities on national security and serious crime as drivers for retention proposals; those proposals are framed as narrowly necessary but carry an implicit agenda of expanding state access to communication data in defined circumstances [3]. Readers should weigh Mullvad’s commercial and reputational incentives to stress no‑logs against the state’s interest in investigative powers.
Limitations: this analysis uses only the provided sources and therefore cannot confirm the final content of 2025 retention legislation or any classified practices not mentioned in the cited materials; where sources do not mention details, that is noted [3] [1].