Significant fine imposed for non-compliance with the Swedish security protection framework

The following briefly outlines the legal context of the decision.

The Swedish Security Protection Act (SSPA) provides that an operator of security sensitive operations (SSO) – e.g., the handling of security protection classified information (SPCI) – must take all necessary security protective measures. These measures are divided into three main categories: information security, physical security, and staff security. The PTS decision concerned the latter category.

Staff are only authorised to participate in an SSO if they, inter alia, have been assessed to be reliable from a security perspective. This assessment must be performed by the SSO based on certain information which is to be gathered under a mandatory security clearance procedure, which aims e.g., to prevent staff who are not reliable from a security perspective from participating in an operation where they can access SPCI. The required information essentially depends on the staff member's level of access to SPCI, as well as how greatly an unauthorised disclosure of such SPCI could damage Swedish national security.

In some cases, the required information is not available to the SSO, in which case it must be collected from the authorities. However, the authorities are only permitted to gather and share such information if, inter alia, the individual under review holds a position which has been placed in the adequate security class. It is the SSO who is responsible for assessing the need for placing a position in a security class and for applying to the relevant authority for such placement. An example of such information is that which can be obtained from a records check, where the relevant authority gathers information from e.g., the criminal record and the register of criminal suspects. Needless to say, the relevant authority will neither gather nor share the information for the security clearance with the SSO if it is not asked to do so.

The PTS stated that Telenor, according to its own security protection analysis, was an SSO and that it had identified a need for some of its staff positions to be placed in a security class. Security clearance for these security classes required, inter alia, information to be obtained from a records check. However, Telenor had not actually filed an application for these positions to be placed in a security class. As a result, Telenor had not taken into account the required information when performing its security clearance. Therefore, PTS found that Telenor had breached the security clearance rules and that these Telenor staff were not authorised to access the SPCI which they, in fact, had access to.

While considering the imposition of an administrative fine, ranging from the minimum amount of 25,000 SEK to the maximum amount of 50,000,000 SEK, the PTS found that Telenor had unintentionally – although negligently – let 24 of its executives, including its head of security, participate in its SSO for at least eight months without authorisation, causing a serious vulnerability to Swedish national security. In Telenor's favour, the PTS took into account that Telenor had taken steps to remedy the breaches and that there was no evidence that Telenor had made any profits as a result.

Against this background, and as mentioned above, the PTS ultimately decided to impose an administrative fine of 12,500,000 SEK on Telenor Sverige AB.