By EDRi

According to a series of articles in the Danish edition of Computerworld
on 6 May 2013, a Danish mobile phone provider has kept telephone call
records since the company started its operations in 2000. The company,
Telmore, currently has about 700 000 subscribers and a 10% market share
in Denmark. Since 2004, Telmore has been a subsidiary of TDC, the
largest Danish telecommunications company.

A 10-year retention period of telephone call records is a blatant
violation of the Danish law that transposes the e-privacy directive
2002/58/EC. Article 6 of the directive states that traffic data (which
includes call records) must be deleted or anonymized when they are no
longer needed for business purposes such as subscriber billing or
accounting documentation.

The e-privacy directive is, of course, modified by the data retention
directive 2006/24/EC which requires storage of, among other things,
telephone call records for 6-24 months. In Denmark, the mandatory
retention period is 12 months. However, telephone call records are, in
practice, kept for a longer period for billing or accounting purposes.

Judging from the articles in Computerworld, there appears to be some
uncertainty about the precise interpretation of the maximum retention
period that is allowed under the Danish law that transposes article 6 of
the e-privacy directive.

The Danish Business Authority, which is the regulatory agency for
telecommunications in Denmark, told Computerworld that the retention of
call records for more than five years was illegal. The Danish accounting
law requires that bookkeeping documentation is kept for a minimum of
five years. However, the official guidelines for the bookkeeping also
state that itemized telephone call records are not required for
retention once the customer has been presented with an invoice for the
calls, and the dispute resolution period has expired.

In response to the Computerworld article and the statements by the
Danish Business Authority, Telmore told Computerworld that they would
limit the retention of call records to three years, as soon as
technically possible. Three years is the general statutory limitation
period for simple claims in Denmark. However, the dispute resolution
period for telephone customers in Denmark is about one year after the
invoice has been received, so it could be argued that the allowed
retention period should really be shorter than three years (or five years).

A recent parliamentary question to the Danish government focused on the
interplay between mandatory data retention and the e-privacy rules. The
minister responsible for the Danish Business Authority was asked whether
she could guarantee that telecommunication data was deleted when
required by law, and whether the agency had sufficient resources to
supervise industry practices in this area. The question has not been
answered yet.

Danish telephone company in violation of the law: your data is retained
too long (only in Danish 06.05.2013)
http://www.computerworld.dk/art/226413/dansk-telefirma-bryder-loven-opbevarer-dine-data-for-laenge

This is the problem which causes a Danish telephone company to break the
law (only in Danish 06.05.2013)
http://www.computerworld.dk/art/226414/her-er-det-gaaet-galt-for-dansk-telefirma-i-lovbrud

Telmore admits: the reason why we have broken the law (only in Danish
06.05.2013)
http://www.computerworld.dk/art/226417/telmore-erkender-derfor-har-vi-brudt-loven

E-privacy directive 2002/58/EC
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Website of the Danish Business Authority (in English)
http://www.dba.erhvervsstyrelsen.dk/home/0/2

Parliamentary question about deletion of telecommunication data (only in
Danish, not answered yet as of 06.05.2013)
http://www.ft.dk/samling/20121/lovforslag/l142/spm/13/index.htm

(Contribution by Jesper Lund, EDRi member IT-Pol Denmark)