A draft law to amend the data protection provisions of the law on the oversight of the Danish Security and Intelligence Service (PET) was submitted for public consultation in September 2016. In their consultation responses, several NGOs including EDRi member IT-Pol Denmark, as well as the Danish Intelligence Oversight Board (TET) criticised the proposal. The amendments would legalise PET’s existing data processing practices, removing any obligation to regularly assess whether the information collected on citizens is still necessary, as well as the obligation to delete personal data, in some circumstances.
The Danish Security and Intelligence Service (PET) is part of the Danish National Police. The main responsibility of PET is prevention and prosecution of offences under chapters 12 and 13 of the Danish Penal Code, which cover national security and terrorism. Compared to the rest of the Danish National Police service, PET is subject to much weaker data protection standards. For data collection, the main rule is that PET can collect information on citizens, unless it can be ruled out beforehand that the information is relevant. Upon request, all Danish public authorities are required to provide information on citizens to PET without a court order, if PET believes that the information can be assumed to be relevant for PET’s tasks in connection with chapters 12 and 13 of the Penal Code. Furthermore, most of the provisions of the Data Protection Act do not apply to PET. Denmark is currently transposing the Law Enforcement Data Protection (LEDP) Directive 2016/680 into national law. In the draft law, PET is completely exempted based on the national security exemption in Article 2(3)(a) and recital 14 of the LEDP Directive, even though PET regularly exchanges information with police authorities in other EU Member States.
Since 2014, independent oversight of PET is provided by the Danish Intelligence Oversight Board (TET). The oversight of PET covers the provisions in the special PET law on data collection and internal information processing, including the rules for deletion of personal data when it is no longer necessary or when the statutory retention period of 10-15 years is exceeded. All citizens can ask TET to investigate whether PET processes information about them unlawfully. If the investigation shows that information is processed unlawfully, TET can order PET to delete the information, but the citizen will not be notified of this decision. TET can also investigate the data processing practices of PET on its own initiative. Last but not least, TET publishes an annual report about its oversight of PET.
The annual TET reports for 2014 and 2015 contained substantial criticism of PET. Even though the legal standards for processing personal data on citizens are very weak, PET apparently has severe problems living up to these standards. For the 2014 report, TET looked at a sample of persons registered by PET and found that information about roughly half of them should have been deleted because retention periods were exceeded or because the information was no longer necessary. For the 2015 report, TET conducted a more detailed investigation of PET’s data processing practices which confirmed the conclusions of the 2014 report. The databases of PET contained a substantial amount of personal data which should have been deleted, at least under the interpretation of the PET law used by TET.
The TET report for the year 2015 also revealed that TET and PET did not agree on the interpretation of the law governing the operations of PET. The main controversy was related to personal data which was part of another document. TET interpreted the PET law as saying that if information about a citizen was no longer necessary, the information should be deleted, irrespective of whether the personal data in question was a full document or part of another document. PET interpreted the law differently and refused to delete the personal data if it was part of another document which was still necessary for PET’s tasks.
For oversight investigations that are not linked to complaints from citizens, TET can only make recommendations to PET and the Ministry of Justice. In May 2015, TET informed the Ministry of Justice of the disagreement with PET, but despite several requests to the Ministry of Justice for a reply to the letter, TET had not received a reply by May 2016. Shortly after the TET report for 2015 with the substantial criticism of PET was published in May 2016, the Minister of Justice announced that he would propose amendments to the PET law in the next parliamentary year to clarify to legal issues raised by TET.
A draft law amending the PET law was submitted for public consultation in September 2016. Two specific amendments “clarified” the legal situation for PET by simply removing the two specific data protection obligations which had given rise to the criticism in the 2014 and 2015 annual reports from TET. The first amendment removes any obligation on PET to regularly assess whether the information collected on citizens is still necessary. Under the amendment, PET is only required to delete documents and cases that are no longer necessary, if PET discovers this during other information processing tasks. The second amendment provides that PET has no obligation to delete personal data which is no longer necessary if this personal data is part of another document which is still necessary for PET’s tasks. Only full documents and cases must be deleted if they are no longer necessary, not partial elements of documents.
In essence, the two amendments legalise the existing data processing practices of PET which TET had concluded were unlawful in the annual report for 2015. The Danish government justified the amendments on grounds that following the interpretation by TET of the existing law would require too many resources and reduce PET’s counterterrorism capabilities. Apparently, the IT systems used by PET do not support partial removal of information from documents unless it is done as a manual, time-consuming task. By the end of December 2016, the amendments of the PET law were passed with an overwhelming majority in the Danish Parliament, and there was almost no mention of the political debate (or rather, lack thereof) in Danish media.
Consultation responses from several NGOs including EDRi member IT-Pol Denmark were quite critical of the government’s proposal. However, TET provided the by far most serious criticism in its consultation response. First, TET pointed out that the concept of “document” in the systems used by PET to an increasing extent meant whole databases or electronic files with considerable amounts of information, rather than single documents in the traditional sense. This would severely limit the number of situations where personal data that was no longer necessary for PET would actually be deleted. Secondly, TET stated somewhat cryptically that the existing oversight activities of TET would have limited relevance in the future since the only task left for TET will be to assess whether full documents and cases are deleted when they are no longer necessary for PET.
The oversight of the Danish intelligence services was further weakened in February 2017 when the Minister of Defence proposed the same data protection amendments for the law governing the Danish Defence Intelligence Service (DDIS). TET is also responsible for the oversight of DDIS, but the annual reports on data processing by DDIS for 2014 and 2015 do not contain any noticeable critical remarks. Nonetheless, the Minister of Defence proposed to weaken the data protection provisions and, indirectly, the oversight of DDIS. The amendments of the DDIS law have not yet been passed by the Danish Parliament, but there was no real opposition to the proposal during the initial public debate.
Homepage of the Danish Intelligence Oversight Board, annual reports (only in Danish)
Law to amend the data protection provisions of the PET law (only in Danish, 09.11.2016)
IT-Pol consultation response on law to amend the data protection provisions of the PET law (only in Danish, 21.10.2016)
IT-Pol consultation response on law to amend the data protection provisions of the DDIS law (only in Danish, 30.01.2017)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)