Danish government plans to re-introduce session logging

By EDRi · January 14, 2015

The Danish response to the ruling of the Court of Justice of the European Union (CJEU) on the Data Retention Directive was fairly limited. On 2 June 2014, the Ministry of Justice produced a legal analysis saying that there was no reason to believe that the Danish data retention law was in conflict with the Charter of Fundamental Rights and the CJEU judgment.

The Ministry of Justice did, however, repeal the so-called session logging obligation, which was a Danish extension of the requirements of the now annulled Data Retention Directive, whereby session information (source and destination IP addresses, port numbers, session type, e.g. TCP or UDP, and timestamp) is retained for every 500th internet packet. The official reason given for repealing session logging was not the CJEU ruling, but the fact that the Danish police had been unable to use the massive amount of data collected. A government evaluation report from December 2012 could only point to a single case, involving web banking fraud on a minor scale, where Danish police had been able to use the data collected with session logging.

After the decision on 2 June 2014 to repeal session logging, data retention in Denmark essentially consists of the elements from the now invalid Data Retention Directive (call detail records for outgoing and incoming calls, cellular location data, and the IP address assigned to the customer for internet access). Before the summer of 2015, the Danish Parliament is supposed to evaluate and possibly revise the Danish data retention law.

On 7 January 2015, the Danish newspaper Berlingske reported, very surprisingly, that the Danish Ministry of Justice apparently plans to re-introduce session logging. Even though session logging has failed miserably for seven years (2007-2014), the Danish Police simply cannot give up on the phantom idea that it is possible to map every internet connection with the same level of precision as a telephone call (who has called whom, where, when, and for what duration). This is the stated purpose of session logging, in previous documents from the Ministry of Justice (going back to 1999), as well as in the newly leaked documents from the Danish Police as seen by Berlingske and IT-Pol Denmark. The changes proposed to session logging are minimal, and they are not going to address the inherent problems – mainly because they cannot be addressed in a meaningful way.

If the Danish Minister of Justice really puts this proposal before Parliament, the Danish data retention policy will have taken an absurd zig-zag course over the last three years. For several years, the Danish Police and the Ministry of Justice told Parliament that session logging was a useful instrument for law enforcement, even though it was rarely used. Then, on 2 June 2014, the Danish Minister of Justice suddenly decided to repeal session logging, to the great astonishment and protest of the politicians who had supported data retention in previous votes. And now the Minister of Justice apparently plans to re-introduce session logging in Danish data retention.

The Danish Minister of Justice has, so far, declined to comment on the leaked plans to re-introduce session logging. According to the Danish newspaper Information, the Minister of Justice has said that the final model for the revision of the data retention law is yet to be determined.

EDRi-gram: Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)

Police wants to reintroduce surveillance of Danes on the internet, Berlingske (only in Danish, 07.01.2015)

The internet surveillance that refuses to die, Information (only in Danish, 13.01.2015)

EDRi-gram: Denmark: Government postpones the data retention law evaluation (13.02.2013)

(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)