All internet traffic crossing Sweden's borders is tapped by military intelligence. If your data routes through Sweden, FRA can read it.
The FRA Law allows Sweden's National Defence Radio Establishment (Forsvarets Radioanstalt) to intercept all communications crossing the Swedish border — including emails, calls, and internet traffic.
Passed in 2008 after intense public debate, the law permits cable-based signals intelligence on all traffic crossing Swedish borders. Since Sweden is a major internet transit hub (submarine cables connecting the Nordics, Baltics, and Russia to Western Europe), a huge proportion of Northern European internet traffic passes through Swedish infrastructure. FRA can search this traffic using selectors (keywords, email addresses, phone numbers) related to foreign intelligence priorities.
FRA is military intelligence — not police. Collection requires approval from the Foreign Intelligence Court (Forsvarsunderrattelsedomstolen), but this court approved 100% of applications in its first decade. The law was amended in 2009 to add oversight requirements after public outcry, but critics argue the oversight body (SIN) lacks resources and independence. FRA cannot target Swedish citizens' domestic communications — but 'domestic' is hard to define when Gmail routes through US servers.
Several major privacy tools are Swedish: Mullvad VPN (Gothenburg), OVPN, Safing (partly). Swedish VPN providers are popular because Sweden has no mandatory data retention (exempted from the EU Data Retention Directive). But the FRA Law means traffic leaving Swedish borders is subject to signals intelligence collection. The paradox: no data retention by ISPs, but military intelligence taps the cables. For a VPN user, the encryption protects you from FRA — unless FRA has the capability to compromise the VPN protocol itself.
In 2013, Snowden documents revealed FRA cooperation with the NSA under the programme WINTERLIGHT. Sweden provided the NSA with access to fibre-optic cables carrying Russian communications. The partnership was described as 'extremely productive' by the NSA. Swedish authorities neither confirmed nor denied. In 2020, IMY (Sweden's data protection authority) ruled Google Analytics illegal — partly because data routed through infrastructure accessible to foreign intelligence. The irony of Sweden being both a privacy leader (no data retention, strong DPA) and a signals intelligence operator is central to understanding Nordic privacy.