Blogs

Denmark: Government postpones the data retention law evaluation

By EDRi · February 13, 2013

This article is also available in:
Deutsch: [Dänemark: Regierung verschiebt Evaluierung des VDS-Gesetzes | https://www.unwatched.org/EDRigram_11.3_Daenemark_Regierung_verschiebt_Evaluierung_des_VDS-Gesetzes?pk_campaign=edri&pk_kwd=20130224]

In the coming months, the Danish Parliament will conduct an evaluation
and revision of the Danish data retention law which implements directive
2006/24/EC. The review process has been postponed twice on earlier
occasions (2010 and 2012), and the Danish government wants another
two-year extension, officially in order to coordinate with any changes
in the directive at the EU level.

The Danish law exceeds the requirements of the data retention directive
in several respects, especially as far as Internet logging is concerned.
The Danish law contains a requirement for session logging which includes
data about every Internet packet being transmitted.

Specifically, the following information must be retained: source and
destination IP address, source and destination port number, transmission
protocol (like TCP and UDP) and timestamps. The contents of the
Internet packets are not being logged, but the IP addresses will contain
information about visits to websites of political parties (that is, in
effect, registration of political preferences) and the online news
services that the citizen reads. Last year in the Danish Parliament,
there was considerable debate about the Danish over-implementation of
the data retention directive, in particular Internet session logging.

The Parliament instructed the Danish government to produce an evaluation
report with special focus on session logging. The Danish Ministry of
Justice published this report in December 2012.

The evaluation report contains detailed descriptions of nine police
cases where telephone logging was useful, or maybe even critical, to the
Danish police. These cases are taken from an earlier report submitted to
the EU Commission. All nine cases are about serious and violent crimes
such as murder, armed robbery and organized narcotics smuggling.

For Internet logging there are only three police cases. Moreover, one of
the three cases is really about telephone logging since location data
from a mobile device is used by the police. The location registration
just happens to be triggered by “data calls” from a smartphone. This
leaves two police cases to demonstrate the value of internet logging,
and only one case uses session logging. Both cases involve economic
crimes (fraud) on a relatively minor scale. There is a huge discrepancy
between the nature of the police cases involving telephone and Internet
logging.

The report confirms the EDRi member IT-Pol suspicion that Internet
logging, and especially Internet session logging, is rarely used by the
Danish police. Quite interestingly, the Ministry of Justice formally
states in their own evaluation report that session logging was
implemented in a way that made it useless for the police (the
implementation is according to the requirements of the law). Before
September 2007, the Danish Internet service providers repeatedly warned
the Ministry of Justice that session logging would be useless for the
police.

The Danish Ministry of Justice report (only in Danish, 12.2012)
http://www.ft.dk/samling/20121/lovforslag/l142/bilag/2/1213533.pdf

Danish government wants to postpone the evaluation of the data retention
law for the third time (12.02.2013)
http://www.itpol.dk/notater/Danish-data-retention-evaluation-Feb13

EDRi-gram: Key privacy concerns in Denmark 2007 (30.01.2008)
http://www.edri.org/edrigram/number6.2/privacy-denmark-2007

(Contribution by Jesper Lund, EDRi member IT-Pol Denmark)