Swedish banks may share IP addresses used for internet fraud

09 September 2008

Ida Smed Sorensen

The Swedish Personal Data Act (“PDA”) prohibits non-public bodies from processing personal data relating to criminal offences. However, in a recent decision, the Swedish Data Inspection Board (“DIB”) has granted an exemption from this general prohibition for a number of Swedish banks. This will mean that Swedish banks will be allowed to share IP addresses used in internet fraud, between themselves and also with banks in Norway and Denmark.

The decision stems from a project by which the Swedish, Danish and Norwegian Bankers’ Associations (and their members) exchange IP addresses used in internet bank frauds. The participants use the exchanged IP addresses to prevent further attacks against the banks or their customers from IP addresses, which are often hijacked. The Bankers’ Associations will receive IP addresses via email and distribute them to the other banks participating in the project.

The participating banks collect the following information:

  • the IP addresses of computers from which a fraud or attempted fraud has been launched;
  • the date and time of the incident; and
  • whether the attack successfully accomplished a fraud or was merely an attempt to defraud.

The information collected will be used to prevent future attacks against the banks and their clients. The information will also be given to the police to be used as evidence in both civil and criminal cases. If the IP addresses provided are incorrect, the bank that supplied them will swiftly issue a correction notification telling the other banks of the error. The banks will, however, not be able to inform the holders of the IP addresses that their information is being processed, since subscriber details are confidential information belonging to the internet service providers.

The DIB considered that the data handling regulations in the PDA applied to any bank that processed personal data forming part of a structured collection. However, in order to decide whether an exemption from this general principle applied, all the circumstances of the case had to be considered. The factors that were considered significant included the fact that internet bank frauds can have serious consequences for banks and their customers. Additionally, fraud could affect confidence in the payment systems, and the DIB felt that it had a role in protecting banks and their customers.

The exemption which has been granted is valid until March 2009, when it will be re-evaluated.