Denmark allows massive retention of location data for mobile internet

By EDRi · June 28, 2017

On 24 May 2017, the Danish telecom regulator announced its decision concluding that the retention of location data for mobile internet usage is lawful. With the decision, the regulator allowed for massive data retention, which seriously undermines citizens’ right to privacy, since it means they can be tracked at all times and the data is being stored.

Under the Danish data retention law, mobile communications service providers must retain location data (cell ID) for telephone calls and SMS/MMS messages. There is no requirement to retain location data in connection with mobile internet usage. Smartphones generate internet traffic more or less constantly even when the device is not actively used, for example with updates from social media services. Therefore, a formal obligation or informal practice to retain location data for internet traffic effectively means that every movement in physical space of the citizen is registered and stored for a long period (12 months in Denmark).

The e-Privacy Directive 2002/58 only allows for providers of electronic communication services to retain traffic data, including location data, without consent from the subscriber if the data is required for billing or if there is a data retention requirement in national law. Location data for mobile internet traffic is not needed for billing, and there is no specific data retention requirement for this data in Denmark. The logical assumption would be that Danish mobile operators are not allowed to retain this information, even if they wanted to do so voluntarily for commercial reasons. However, in a somewhat surprising decision of 24 May 2017, the Danish telecom regulator concluded that the retention of location data for internet traffic is lawful.

A Danish citizen discovered, through a subject access request under the Data Protection Act, that his mobile operator retained a substantial amount of location data for internet traffic. In February 2016, this citizen filed a complaint with the Danish Business Authority, the telecom regulator responsible for the enforcement of the data protection rules of the e-Privacy Directive.

In its response to the complaint case, the mobile communications service provider TDC confirmed that location data is stored for so-called “state changes” in the network, which include start/end of an internet session, after 60 minutes of an uninterrupted session, after a certain volume of traffic, and when changing between different radio technologies (2G, 3G and 4G). TDC argued that this practice is necessary in order to comply with the data retention requirement for MMS traffic where the cell ID of sent and received messages must be retained. In the TDC mobile network, MMS messages are sent as data traffic, and the MMS traffic cannot be separated from the ordinary internet traffic. The cell IDs for internet traffic are retained based on pre-defined criteria related to data and network usage patterns, so the actual cell ID used when sending or receiving an MMS message is not directly available.

When law enforcement seeks access to communications metadata for a subscriber, TDC will match timestamps for MMS messages with the closest timestamp for the retained cell IDs for internet traffic in order to generate approximate cell IDs for MMS traffic. Law enforcement can also seek access to the full location data for internet traffic. Under Danish law (the Administration of Justice Act), law enforcement access to mobile location data, even if detailed in a way that it effectively records every movement of the citizen, is not restricted to investigation and prosecution of serious crime. Any offence that is subject to public prosecution is a legal ground for access to location data by the police. TDC was asked by the Danish Business Authority whether it would be possible to crosslink the cell IDs with MMS traffic immediately after collection and erase the records which are not related to MMS traffic. TDC responded that this procedure would compromise the data quality since the original location data (described as “raw data”) is no longer available.
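The timestamp matching and the crosslink-and-erase alternative described above can be sketched as follows. This is an added example, not code from TDC or from the article; the record layout, cell names and timestamps are constructed for illustration.

```python
from bisect import bisect_left
from datetime import datetime

def at(hhmm):
    """Constructed helper: a timestamp on one sample day."""
    return datetime.strptime("2017-05-24 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: cell IDs logged at "state changes" for one subscriber,
# sorted by time (session start, 60-minute mark, radio technology change, ...).
STATE_CHANGES = [
    (at("08:00"), "cell-A"), (at("09:00"), "cell-B"), (at("09:40"), "cell-C"),
    (at("12:15"), "cell-D"), (at("17:30"), "cell-E"), (at("22:05"), "cell-F"),
]
# Constructed sample: times at which MMS messages were sent or received.
MMS_EVENTS = [at("09:25"), at("17:50")]

def nearest_record(records, ts):
    """Return the (timestamp, cell_id) row closest in time to ts.
    records must be non-empty and sorted by timestamp."""
    times = [t for t, _ in records]
    i = bisect_left(times, ts)
    candidates = records[max(i - 1, 0):i + 1]  # neighbours before and after ts
    return min(candidates, key=lambda r: abs(r[0] - ts))

def crosslink(records, mms_events):
    """Approximate a cell ID for each MMS: (mms_time, cell_id, gap_seconds)."""
    links = []
    for ts in mms_events:
        rec_time, cell = nearest_record(records, ts)
        links.append((ts, cell, int(abs(rec_time - ts).total_seconds())))
    return links

def minimise(records, mms_events):
    """Split records into those matched to an MMS (kept) and the rest (erased)."""
    matched = {nearest_record(records, ts) for ts in mms_events}
    kept = [r for r in records if r in matched]
    erased = [r for r in records if r not in matched]
    return kept, erased

if __name__ == "__main__":
    for ts, cell, gap in crosslink(STATE_CHANGES, MMS_EVENTS):
        print(f"MMS at {ts:%H:%M} -> {cell} (logged {gap // 60} min away)")
    kept, erased = minimise(STATE_CHANGES, MMS_EVENTS)
    print(f"kept {len(kept)} records, erased {len(erased)}")
```

The gap value shows why the matched cell ID is only approximate: the device may have moved between the logged state change and the MMS.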

The Danish Business Authority also asked the Ministry of Justice for an opinion on the interpretation of the Danish data retention rules. According to the Ministry of Justice, the obligation to retain location data (cell ID) for MMS traffic applies even if the mobile network is designed so that location data for other traffic types will have to be retained as well. This broad interpretation is hard to reconcile with data retention being an exception to the main rule in the e-Privacy Directive of erasure of traffic data. The Danish data retention law includes a provision similar to Article 1(1) and recital 13 of the now annulled Data Retention Directive 2006/24. The Directive limited the retention requirement to traffic data that is accessible (generated or processed) when supplying a communication service. In the present case, it could certainly be argued that location data for the MMS communication service is not accessible for the provider, especially as the procedure followed by TDC does not necessarily deliver the actual cell ID from which an MMS message is sent or received.

Based on the information received from TDC and the Ministry of Justice, the Danish Business Authority decided that the retention of location data for internet traffic by TDC is not in violation of the Danish law transposing the e-Privacy Directive. Retaining this data can be allowed, since there is a retention requirement for MMS traffic, and it would be disproportionate to require that TDC modifies its systems so that MMS and internet traffic are physically separated in the mobile network. In this regard, the Danish Business Authority accepted the argument from TDC that erasing the internet location records not related to MMS traffic – most likely all but a small fraction of the total set of location data – would compromise the traffic data that can be made available to law enforcement. The legal basis for this part of the decision seems somewhat questionable since the data retention law has no provisions on data quality or documentation for the retained data. All retained traffic data is presumably filtered or processed from a larger pool of traffic data that only exists temporarily in the network.

In the proportionality assessment of the decision, the Danish Business Authority also took into account that a revision of the Danish data retention rules is being planned, and that the Ministry of Justice intends to propose new requirements to retain location data for internet traffic. The decision mentions a pre-draft proposal for retention of location data for internet traffic which coincidentally is very close to what TDC is currently doing of the company’s own accord. However, this preliminary proposal by the Ministry of Justice for blanket retention of location data for internet traffic predates the Tele2 judgment of 21 December 2016, where the Court of Justice of the European Union (CJEU) clearly ruled that a blanket data retention requirement is illegal under European Union law. In March 2017, the Ministry of Justice accepted that the Danish data retention law would have to be changed as a consequence of the CJEU judgment. While a targeted data retention scheme could potentially include new requirements with location data for internet traffic, the overall setup would have to be distinctly different from the current practices of TDC which are based on retention of location data for all subscribers.

Decision by the Danish Business Authority on the processing and storage of mobile location data by TDC (only in Danish, 24.05.2017)

EDRi: Denmark: Our data retention law is illegal, but we keep it for now (08.03.2017)

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)