After the terrorist attack in Copenhagen in February 2015, the Danish government presented an action plan to strengthen the data analysis capacity of the police and the Danish Security and Intelligence Service (PET). The action plan, called “A Strong Guard against Terror”, specifically mentions monitoring of social media posts in order to discover possible terrorist attacks being planned.
Social media monitoring will involve massive processing of personal data about citizens that are not suspected of a crime. Under Danish law, PET already has wide powers to collect personal data for the purpose of prevention and prosecution of terrorist offences. For the ordinary police, the Danish Data Protection Act based on the Data Protection Directive currently applies, except that the police is generally exempted from the provisions on data subject rights and profiling. Specific rules for processing of personal data by the police are typically laid down in administrative orders pursuant to the Data Protection Act. This includes the Danish system for Automatic Number Plate Recognition (ANPR).
Together with the General Data Protection Regulation (GDPR), the European Union has recently adopted the Law Enforcement Data Protection (LEDP) Directive, which, when transposed into Danish national law, will apply to the ANPR system and other police data processing in connection with criminal investigations. Denmark must implement this directive by 1 May 2017 in order to secure an operational arrangement with Europol which Denmark would otherwise have to leave completely because of the Danish opt-out from the Justice and Home Affairs (JHA) area of the European Union.
In October 2016, the Danish newspaper Information reported that the Danish police and PET had purchased an intelligence-led policing platform from Palantir Technologies, a highly controversial company that specialises in big data analytics for private companies, military agencies, intelligence services and police authorities. Palantir was selected among three companies in a public tender. A summary of the requirements for the two intelligence systems (called PET-INTEL and POL-INTEL, respectively) is publicly available, and it mentions capabilities for accessing existing police and intelligence databases, information exchange with Europol, open source collection of new information, as well as algorithms for pattern recognition, hotspot analysis, and social network analysis. In short, the public tender document describes a system for predictive policing, which was subsequently confirmed by the Danish Minister of Justice when answering a written question from a Member of Parliament.
On 10 February 2017, the Danish Ministry of Justice presented a draft law for public consultation on amending the Police Act with new data analysis provisions. The main purpose of the draft law is to create a legal basis for processing personal data in the POL-INTEL system. The draft law uses the legal framework of the existing Data Protection Act as a reference, even though this act must be replaced by the Danish LEDP transposition before 1 May 2017. A complete LEDP implementation by 1 May 2017, which is a condition for continued Danish access to Europol databases, will require a lot of work by the Danish Parliament and the Legal Affairs Committee. It would seem prudent to complete the LEDP implementation first, but the Danish government ostensibly has different priorities.
The draft law provides a very general legal basis for combining existing police databases for information analysis in the POL-INTEL system, irrespective of the purpose limitations of these databases, and for collection and processing of information, including personal data, from open sources. The definition of open sources is very broad as it includes any information source which does not require a court order for evidence seizure or interception of electronic communications. The most obvious open data sources are information from the internet and surveillance in public spaces like ANPR, and perhaps facial recognition in the future. However, information that can be purchased from commercial vendors is also specifically mentioned as an open source. This means that the police can buy information on individual citizens from data brokers in Europe, or maybe even the United States, for predictive policing purposes in the POL-INTEL system.
The new powers are described in very broad terms, and according to the comments of the draft law, more specific provisions will be laid down in future administrative orders. Presumably, the administrative orders are also expected to provide the necessary data protection safeguards to ensure compliance with the LEDP Directive (when it applies in Denmark), and the rights to privacy and data protection under the Charter of Fundamental Rights of the European Union and the European Convention of Human Rights. One of the safeguards mentioned in the comments of the draft law is that access to POL-INTEL will be restricted to specially authorised police officers, and that the use of POL-INTEL will be limited to necessary data analysis purposes, some of which can only use aggregated or non-personally identifiable data as output. This does not change the fact that POL-INTEL will become a huge database with potentially massive amounts of personal data on individual citizens.
For open source collection, the comments of the draft law claim that no new legal basis for data collection is created by the proposal. This is confusing and in conflict with other parts of the comments of the draft law. However, it could be the case that the draft law only particularises a legal basis for mass or targeted data collection from open sources that either exists in the current legislation or will be provided for in future legislation or administrative orders within the general data protection framework for law enforcement. A legal basis for the Danish ANPR system was created in this way, so there are certain precedents.
The issue of data subject rights is not mentioned in the comments of the draft law. Under the current Danish legal framework for law enforcement data processing, there is a complete exemption from the information requirements and the data subject rights to access, rectification and erasure. The LEDP Directive does not allow for such a blanket limitation of all data subjects rights. Under the LEDP Directive, the specific limitations of data subject rights must constitute necessary and proportionate measures in a democratic society with due regard for the fundamental rights and legitimate interests of the persons concerned. It remains to be seen what implications this might have for the data processing in the POL-INTEL system and in particular right to access for citizens.
EDRi-gram: Denmark about to implement a nationwide ANPR system (02.07.2014)
Declaration to minimise the negative effects of the Danish departure from Europol, following the referendum in Denmark on 3 December 2015 (15.12.2016)
Denmark buys surveillance system for millions from NSA vendor, Information (only in Danish, 28.10.2016)
Public tender summary for PET-INTEL and POL-INTEL (only in Danish, 16.09.2015)
Draft law on amending the Police Act with data analysis provisions (only in Danish, 10.02.2017)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)