Nordic Countries

PDF Version

The five Nordic countries—Denmark, Finland, Norway, Sweden, and Iceland—have become central players in the European battle between file sharers, rights holders, and ISPs. While each country determines its own destiny, the presence of the European Union (EU) is felt in all legal controversies and court cases. The Internet industry extends across borders, and so do filtering, military surveillance, and the monitoring of users. Privacy issues were formerly a concern of the elite, but with the growth of the information society, the right to privacy is now being discussed more widely in different political contexts. A popular civil rights movement of file sharers and privacy advocates has arisen out of Sweden in response to both national and international trends, and digital rights activism is increasingly directed at the European Parliament. Single-issue political parties concerned with privacy have now also begun to form in countries outside Europe.

Regional ICT Penetration

The World Economic Forum1 ranks the Nordic countries at the very top of information and communication technology (ICT) use in the world. All five countries were listed in the top ten of a 2008–2009 survey prepared in partnership with the international business school INSEAD.2 The Nordic countries each have broadband Internet penetration rates of more than 30 percent of the population. According to a survey by the Organization for Economic Cooperation and Development (OECD) from June 2008, this figure places them in the top eight in comparison with the organization’s 25 other member countries:3

  • 1. Denmark 36.7 percent (1,996,408 subscriptions)
  • 3. Norway 33.4 percent (1,554,993 subscriptions)
  • 5. Iceland 32.3 percent (98,361 subscriptions)
  • 6. Sweden 32.3 percent (2,933,014 subscriptions)
  • 8. Finland 30.7 percent (1,616,200 subscriptions)

Regional Regulation

Norway and Iceland are the only Nordic countries that are not members of the EU. However, they do form a part of the European Economic Area (EEA) and have officially agreed to enact legislation similar to that passed in the EU in areas such as consumer protection and business law. As a result, laws are integrated in Norway4 and Iceland5 differently than in Sweden, Denmark, and Finland.6

Directives passed by the EU Commission and the European Parliament form a framework for lawmakers in the 27 member states to implement their own national laws before a certain deadline. Countries may decide to pass tougher laws than required by a directive. A key to understanding the heated European struggle surrounding intellectual property is an antipiracy directive called the International Property Rights Enforcement Directive (IPRED)7. This directive gives rights holders wide-ranging freedoms to investigate the identities of suspected file sharers and to obtain court orders to force ISPs to share personal information about customers suspected of digital piracy. The IPRED was introduced in 2004 and was repeatedly revised over the following years after complaints that its criminal-sanctions provisions were too wide ranging. An amended proposal (IPRED2) that may reintroduce some criminal sanctions was still being debated in 2009.8 However, the Anti-Counterfeiting Trade Agreement (ACTA) being secretly negotiated9 between the EU, the United States, and other countries seems to have taken over momentum from IPRED2.10

Sweden became the first EU country to put IPRED into effect on April 1, 2009. The BBC reported that Internet traffic in Sweden fell by 33 percent when the law was passed.11 To protect the privacy of their customers following the implementation of IPRED, Swedish ISPs threatened to erase all their IP-number data.12 Broadband operator AllTele offered their customers ‘‘dis-identification’’ services to hide file sharers from investigators.13 Another ISP, ePhone, refused to hand over any data to the courts.14 In early 2009, such actions were not against Swedish law,15 but they may be when another EU data-retention (logging) directive16 is implemented. Swedish lawmakers are working on a proposal for a law that would force ISPs to store data for at least six months.17

File sharing is extremely common in Nordic countries. The Swedish newspaper Svenska Dagbladet reported that 79 percent of Swedish males aged 15 to 29 are against the IPRED law.18 Open wireless local area networks (WLANs) have become an issue under IPRED, as innocent subscribers may be liable for illegal downloads by others. An IPRED-resistance movement started in Sweden encouraging people to open their networks and rename them Ipredia to mask actions by individuals.19


The battles over copyright, private file sharing, and large-scale dissemination of links in the Nordic region are primarily playing out in the courts under the close watch of international organizations like the International Federation of the Phonographic Industry (IFPI). One Swedish court case over a file-sharing site has earned the most notoriety, but there have been several other cases in neighboring countries where copyright disputes ended in Internet filtering.

The Pirate Bay is a Swedish Web site that tracks BitTorrent files.20 The Web site has an estimated 22 million users and is one of the Internet’s largest sources for file sharing. While it is predominantly known for illegal P2P file sharing of music and films, it also handles links to content that can be legally shared. The fate of the Pirate Bay is the subject of a court battle as well as a forceful grassroots Swedish political movement that has resulted in the creation of a new political party called Piratpartiet (The Pirate Party).21

In Denmark, any attempt to access the Pirate Bay using a Danish ISP leads to a block page with links to a January 2008 ruling in a Danish civil court that all access to the Web site should be blocked. Rights holders originally filed the case against the Danish ISP Tele2, which today is owned by the Norwegian telecom Telenor. The Danish national court, Østre Landsret, confirmed the decision on November 26, 2008.22

In April 2009, the Pirate Bay case23 was submitted to the Danish Supreme Court. The basic question for the court to consider is whether an ISP can be charged with blocking access to a Web site, and whether the ISP, as the provider of the connection, can be held responsible for any content transmitted. Thus, the case is about the Danish interpretation of the EU Infosoc24 directive on copyright and related rights, often called the Information Society Directive. Danish and Swedish parliaments and courts disagree on the interpretation of this directive.

This is not the first case of its kind in Denmark. In March 2006, the country’s largest ISP, TDC, was forced to block certain IP addresses used for the transmission of copyrighted material by a Supreme Court decision.25 The court declared that the transmission of copyrighted files was equal to temporary unauthorized copying and thus illegal. Court orders in 2007 forced Danish ISPs to block access to two Russian file-sharing Web sites, Allofmp326 and MP3Sparks.

On April 17, 2009, the four founders of the Pirate Bay were sentenced to one year in prison by a Swedish lower court and a combined fine of 30 million Swedish krona (USD 4 million). The Stockholm District Court determined that the defendants worked as a team in the operation and development of the Web site and that they had been aware that copyrighted material was being shared.

The convicted individuals filed a complaint that the presiding judge was biased, as a member of pro-copyright organizations. To the chagrin of the defendants, the court official charged with deciding whether the first judge was biased was also known to have connections to pro-copyright organizations.27 Furthermore, the judge28 selected for the appeal case was a member of a pro-copyright group until 2005. The Norwegian private law firm Simonsen Advokatfirma DA in 2007 obtained permission28 from the Data Inspectorate (Datatilsynet) to register the IP addresses of users suspected of engaging in illegal file sharing. The firm represents rights holders. After not receiving assistance from the Norwegian police, the law firm attempted to have ISPs hand over the subscriber information associated with these addresses. Simonsen also drafted a cease-and-desist letter, which they requested the ISPs forward to copyright infringing customers. The International Federation of the Phonographic Industry asked Norwegian ISPs to block file-sharing sites, like the Pirate Bay. The ISPs refused to cooperate.

In a May 2009 copyright case regarding the Norwegian movie Max Manus, Simonsen sought a court order to get Norway’s largest ISP, Telenor, to release the subscriber information of a person suspected of sharing the film illegally. The ruling was made in the lowest court (Stavanger Tingrett) on May 5, 2009, but the verdict was kept secret at the request of the film industry.29 In fear of Swedish-style IPRED conditions, attempts are being made in Norway to initiate protests against secrecy.30 The case determined whether private industry (ISPs) or public authorities are the ones responsible for investigating breaches of law on the Internet. Dealing with a basic principle, the case is expected to be pushed into higher courts.

Norwegian telecommunications company and ISP Telenor has said that it is indifferent to preceding Swedish or Danish court decisions. A spokesperson for the ISP said the company would conform exclusively to the rulings of Norwegian courts. At the same time, a spokesperson for the Norwegian activist group FriBit rejected the idea that the Max Manus case had any significance, and said, ‘‘The Pirate Bay will continue and there are lots of other services like theirs ... the ruling gives no cause to automatically use other means, like censorship, to stop pirates.’’31 The fault lines in Norway are similar to the conflicts in other Nordic countries, but the solutions may not be identical.


Internet service providers in all Nordic countries deploy filtering to isolate Web sites distributing child pornography. However, other infringements on freedom of expression and privacy have been controversial. Additionally, suspicions that the filters put in place could eventually be used to filter other sites have resulted in protests from many privacy and advocacy groups.

Nordic ISPs participate in the International Association of Internet Hotlines (INHOPE) project with 35 member countries.32 Suspicious links are reported by organizations and the general public and passed on to relevant authorities for verification. Partners in Denmark and Finland are Save the Children, and in Iceland, Heimili & Skoli. Financing originates from the EU Safer Internet Plus Program fund.33 The Swedish nongovernmental child protection organization ECPAT does a similar job. In Norway, there is no official nongovernmental involvement.

Finland has a law to stop distribution of child pornography.34 According to Section 1, the law was created to protect children and to block access to child pornography sites that are hosted outside of Finland. Finland also has laws against mocking God or religion (Criminal Act, Ch. 17, Sec. 10), but so far no content of this nature has been filtered.

The Finnish National Bureau of Investigation (NBI) compiles a secret list of Web sites containing child pornography and distributes it to ISPs for filtering.35 In February 2008, the Electronic Frontier Finland (EFF) published an analysis of ‘‘Finnish Internet censorship.’’36 According to the report, the NBI filtering list contained about 1,700 Web sites in 2008. The EFF stated that a number of nonpornographic Web sites were found on the list.

In early 2009, the Web site Wikileaks,37 which collects evidence of corporate and government misconduct, published a list of 797 Web sites censored by Finland. These were originally harvested and published by a well-known Finnish ‘‘white hat’’ hacker and activist Matti Nikki.38 The list included his own Web site, where he criticizes secret censorship. Matti Nikki argued that there were several legal Web sites on the blocked list. On February 17, 2008, he stated that ‘‘nearly none of the sites on the child porn list seem to contain child porn.’’39 On March 23, 2009, all charges in a criminal investigation against him were dropped.

The blacklist operated by the Danish child pornography filtering system (3,863 blocked URLs) was leaked40 on December 23, 2008, and made available online. Its publication was a protest41 against secret censorship systems42 and was supported by an activist group, IT-Politisk Forening. All Danish ISPs filter content based on the list. The head of the Telecommunication Industries Association of Denmark43 says the list is of Web sites the authorities deem illegal, and that it should be expected to contain not only child pornography, but also racist, offensive, and libelous material. The Danish police IT investigation unit NITEC insists their list consists of illegal pornography sites only.44 The Danish ISP industry staunchly refuses to filter questionable content (like gambling sites) unless they are contrary to statutory law or unless required to do so by court order. Attempts by politicians have been made in Denmark and other Nordic countries to protect government gambling monopolies from popular online poker.

All Norwegian ISPs operate a voluntary Child Sexual Abuse Anti-Distribution Filter (CSAADF). The filter is a blacklist of DNS addresses maintained and distributed by Kripos, the Norwegian police agency that deals with organized, financial, and other serious crimes. Each ISP implements this blacklist in its DNS servers by redirecting attempts to access blacklisted Web pages to a page with a warning message. The list is generated without judicial or public oversight and is kept secret by the ISPs using it. A list of supposedly blocked addresses was posted to Wikileaks in March 2009, containing 3,518 DNS addresses.45 According to Wikileaks, many of the sites on the (Norwegian) list had no obvious connection to child pornography. The Norwegian and Danish lists had 1,097 URLs in common. Police in Germany raided the owner of the German Wikileaks domain name (a mirror site) in March 200946 because the Web site published copies of Nordic filtering lists.

As a member of the EEA, Norway has enacted legislation in line with the EU directive on electronic commerce,47 which among other things states that ISPs shall not monitor their subscribers’ use of the Internet. However, the general interpretation in Norway of the directive is that ISPs may be responsible for illegal content on their servers (e.g., child pornography, copyrighted material) if the provider, upon obtaining knowledge or awareness that such content is present, does not act expeditiously to remove or disable access to the content.

As a result of this directive, some ISPs have devised user agreements that empower the service provider to remove any controversial content, including content that is not illegal, to protect themselves from being held liable in any controversy surrounding content.

For example, in February 2008 the Norwegian ISP Imbera removed images of the Danish ‘‘Muhammad cartoons’’ from the Web pages of one of their customers, an organization called Human Rights Service, on the grounds that Imbera’s user agreement prohibits users from uploading controversial content to Imbera’s servers.48 In Norway, the police can demand the subscriber information associated with a particular IP address from an ISP without a court order. This authority follows from a Supreme Court decision in 1999, in a case involving an Internet subscriber suspected of distributing child pornography.49 As a result of the ruling, the police can demand personal information in all types of cases. According to press reports, the refusal of the police to get involved in the Max Manus file-sharing case is the reason Simonsen Advokatfirma DA had to go to civil court.


All Nordic countries hold freedom of expression in high regard. Having military intelligence agencies monitor private citizens’ telecommunications in detail and without controls has stimulated emotional debate and antisurveillance movements. The two major forces behind the legal changes in the Nordic countries are fear of terrorism and infringements on copyright. Government surveillance and censorship do not sit well with the Nordic notion of being free and democratic societies, and the introduction of new measures has created an unusually emotional debate in the region.A survey of global surveillance activity by Privacy International in 2007 characterized Denmark as the only Nordic country that is an ‘‘extensive surveillance society,’’ while Finland, Sweden, and Norway were listed as exhibiting ‘‘systematic failure to uphold safeguards.’’50 This classification included areas of privacy outside of digital life like democratic safeguards, visual surveillance, and workplace monitoring. Iceland had ‘‘some safeguards but weakened protection.’’ Denmark was placed in the same category as Bangladesh, France, India, Lithuania, the Philippines, and Romania, and was also the only Nordic country facing a ‘‘deteriorating situation.’’ Privacy International also publishes critical Country Reports Overviews51 of current developments (latest dated December 14, 2007) in each country and wide-ranging in-depth analysis52 (latest December 12, 2007) of each country (except Iceland).

The Danish national police IT-Efterforskningscenteret (NITEC), the center for IT investigations, is in charge of the blacklist for filtering child pornography sites. The unit has reportedly been investigating techniques for monitoring and deciphering conversations on the free online telephony service Skype.53 The Danish police refuse to discuss their investigation methods. At the EU level, the judicial cooperation unit, EuroJust,54 has mentioned Skype’s desire to cooperate with EU authorities, dating back to 2006.

On September 15, 2007, every Danish Internet user came under a comprehensive surveillance system, covering their history of Web sites visited, incoming and outgoing e-mails, and use of cell phones. The Danish implementation of the EU ‘‘data logging directive’’55 forces telecommunications companies, ISPs, hotels, Internet cafés, wireless hotspots, and apartment buildings with private Internet service to log and store information on all personal communication data for at least one year. These logs must be made available to police without a court order. The stated purpose is to fight terrorists. Two former heads of the Danish Security and Intelligence Service (PET)56 are on record as opposing the expanded monitoring as unnecessary, worrisome, and damaging to the public’s basic democratic rights.57

In Sweden, no logging law had yet been implemented in mid-2009, but surveillance of cross-border Internet and telecommunications had. Wiretapping and surveillance measures in Sweden have become a divisive issue in recent years. Those advocating the need for increased surveillance point to the threat from international terrorism and organized crime, and claim that additional measures are necessary to keep pace with changing technology. Opponents claim the measures extending the scope of surveillance pose a threat to civil liberties.

Following a prolonged political battle on privacy in the Swedish parliament, a law known as the ‘‘FRA-law’’ narrowly passed in June 2008, giving the Swedish National Defense Radio Establishment (FRA) the right to monitor all cross-border, cabled communication traffic.58 In practice, all telephone calls, text messages, faxes, and e-mails passing into and out of Sweden became subject to surveillance as of January 1, 2009. Public outrage over the law led to a significant revision in September 2008, and a number of wide-ranging surveillance permits were repealed.59 Among the compromises were requirements that court orders be issued before monitoring individuals, that no communications inside Sweden would be logged, and that the FRA could only work on behalf of the government and the military. The FRA thus monitors all ‘‘external threats,’’ not just ‘‘foreign military threats.’’

Almost all telecommunication from Finland to the rest of the world passes through Sweden, leading to fear of the FRA-law in Finland. Both Swedish and Norwegian legal organizations have filed petitions at the European Court of Human Rights challenging the Swedish wiretapping law.60 In neighboring Denmark, citizens scrambled to assess whether they needed to change ISP and telephone companies in order to avoid being monitored. The Danish Federation of Industries, the largest commercial organization in the country, issued an elevated security warning, fearing commercial espionage by Sweden, and published guidelines on how to avoid surveillance of data by foreign governments at the end of 2008.61

The law regulating the Norwegian intelligence agency establishes the rules for military Internet surveillance in Norway.62 It gives the Intelligence Services under the ministry of defense (Forsvarets Etterretningstjeneste, FO/E) a very broad mandate to collect information that ‘‘serves the interests of Norway in relation to foreign states, organizations and individuals.’’ They must, however, refrain from collecting information about Norwegian citizens or legal entities, but there seem to be no restrictions as far as foreigners are concerned.63

This broad mandate empowers the FO/E to perform electronic surveillance on communications originating from foreign individuals and organizations at the border, in a manner similar to the more explicit Swedish FRA-law. However, it is unknown how the FO/E currently exercises its surveillance mandate.

The legal framework with regard to Internet surveillance by the Norwegian police is the same as for all communications. The existing legal framework64 for telephone wiretapping has simply been extended. To intercept e-mail or to tap an Internet line requires a court order, and a person under surveillance must be suspected of involvement in a serious crime punishable with ten years or more in prison (e.g., espionage).


All over Europe censorship and surveillance initiatives are promoted, like the French ‘‘three strikes’’ HADOPI law against piracy that introduced online snooping on suspected file sharers.65 The law, which has already inspired clones in other EU countries, will be challenged because of a recent declaration by the European Parliament that it is illegal for an EU country to sever Internet access from anyone without the approval of a court. In May 2009, the European Parliament went through a new vote on details in a revision of the telecom rules directive.66 Stemming from a Europewide mass mobilization, the European Parliament, with a large majority, essentially declared Internet access to be a fundamental right in the EU.67 At the time of writing, conciliation between the European Parliament and the Commission was in progress. Nonetheless, six days later the French National Assembly passed the controversial law limiting these rights, and the following day the French Senate voted and confirmed the HADOPI law.68 In April 2008, the Danish parliament’s Council on Technology published a report on IT security that said Danish Internet users seem to prefer the government having direct access to their computers in order to control and update their personal software prior to allowing them onto public Web sites.69 The report stated that users wanted public censorship of undesirable Web sites (e.g., those known for phishing) and preferred government security classification of selected software (like Web browsers). According to the report, there also seemed to be public demand for the introduction of hardware- based ‘‘digital identities,’’ somewhat different from the prevailing secure ‘‘digital signatures.’’ At the same time, fear of surveillance and registration of individual activities online was strong. The people surveyed also preferred that ISPs filter e-mail automatically rather than having the current opt-in solution.

The independent Danish IT-Political Association argued strongly against this vision of centralized control online. An extremely successful initiative of the association has been Polippix,70 a Linux-based privacy protection software, distributed widely on CD and online. The Danish IT-Political Association, like its sister organizations in other Nordic countries, is a member of the European digital rights network EDRI, which tracks EU and national attacks on privacy, introduction of surveillance, and limits on Internet freedom. The work of EDRI is considered especially important because most regulation regarding the Internet, copyright, and privacy originate from European institutions or from international institutions with strong influence in Europe. However, the regulations do not prohibit individual countries from passing their own laws in addition to European ones.

A Swedish public opinion poll71 published on May 18, 2009, showed that 43 percent of the population had no interest in the FRA-law, and among those who were interested, 34 percent were against and 23 percent in favor. The most critical sector of the population belonged to the 15–29 age group. The least worried group was conservatives over 60. The issue of privacy for the online generation has gained significance as a result of the FRA debate and the Pirate Bay file-sharing case. Indeed, a political party by the name Piratpartiet,72 the Pirate Party, founded in 2006, was Sweden’s third-largest party, with more than 48,000 members,73 immediately before the June 7, 2009, elections. At the time of writing, public opinion polls indicated that Piratpartiet would win representation in the European Parliament and in the national parliament, Riksdagen, in the next general elections (expected in 2010).


Because they are at the forefront of ICT use in the world, the Nordic countries understandably have a lively public debate on copyright and privacy issues. New trends concerning online reality will likely originate here. In these countries, rights holders and the telecommunications industries are lobbying politicians in support of their different interests. Recent developments in Sweden offer hints that the general public, apart from indulging in massive pirating activities, is getting involved at the political level. Following the FRA-law revision in Sweden, the governing right-wing alliance is deeply shaken by the unexpected and forceful youth movement that draws its energy from new age issues like privacy and file sharing. The Social Democratic Party, the originator of the antiterror surveillance law proposal a few years ago, has with its Green center-left partner announced that the issue of privacy (and the FRA) will be hot during the next Swedish general elections (expected in 2010). They intend to repeal the bill.

The battle over FRA in Sweden was fought with modern communication technology (e.g., Facebook, Twitter, blogs, texting). The use of new methods for political mobilization has reached critical levels, and activists are entering the political mainstream. Issues are crossing borders.

Political scientists Ulf Bjereld and Henrik Oscarsson at the University of Gothenburg in Sweden ask whether the security interests of the nation-state are colliding with the right to free cross-border communication in international networks. In an article published in the leading Swedish daily Dagens Nyheter on May 18, 2009, they question whether the Swedish state is struggling to retake control of the globally networked society’s most valued raw material, means of influence, and driving force: information. These scholars see the Pirate Party as more than a single-issue platform, rather as a movement of liberal values, individual freedom, and personal integrity, where culture must be set free and patents and private monopolies opposed. Bjereld and Oscarsson believe the party’s adherents favor citizen rights and freedoms, and demand clearer regulation and compliance with the social contract between government and citizens. It is a new civil rights movement of the information society.74

It is obvious that very strong industrial interests are influencing politicians in the Nordic countries and Europe. The controversial decision by the European Parliament to make access to the Internet a ‘‘fundamental right’’ and the strong response, particularly in Sweden, from the predominantly young digital grassroots may be a forewarning of things to come. The EU and increasingly its individual members are struggling to regulate digital life, while activist users are trying to push back industrial dominance. The Nordic countries are historically, legally, technically, and culturally very close to one another, and are all in some way associated with the EU. As more countries achieve the high Internet penetration rates of these five countries, we may see similar cultural and political phenomena spilling over to the region, and maybe globally too.

Already, ‘‘Pirate Parties’’ have formed or are in the process of being established in 22 other countries.75 Certainly, the outcome of the legal battles regarding copyright, surveillance, and filtering in the Nordic countries should not be considered as without bearing on the wider region in the near future.