Blogs

Denmark: Data retention is here to stay despite the CJEU ruling

By EDRi · June 4, 2014

Following the Court of Justice of the European Union (CJEU) ruling on 8 April 2014, which declared the data retention directive 2006/24/EC invalid, the Danish parliament asked the government about the implications for the Danish data retention law. On 2 June 2014, the government presented its response in a 30-page legal analysis and at a meeting in the Justice Committee of the parliament.

The Danish data retention law was passed by parliament in June 2002, so there is no direct reference to the data retention directive. The specific rules were delayed until September 2006, with effect from 15 September 2007, in part because of technical difficulties with specifying workable data retention rules. One of the difficulties faced at the time was that  of ensuring that the rules included the requirements of the EU directive. The Danish law exceeds the requirements of the invalid data retention directive in several respects, especially as far as internet data retention is concerned. The Danish law contains a requirement for session logging which includes data about every 500th internet packet transmitted, specifically source and destination IP addresses and port numbers, as well as a timestamp for the packet. The retention period is one year for all telephone and internet data.

The conclusion of the legal analysis from the Danish Ministry of Justice is that the Danish retention law is not affected by the CJEU ruling on 8 April. This is based on a very narrow interpretation of the CJEU ruling, as explained below.

The special session logging requirements in the Danish law will, however, be lifted immediately, but the reason for this is not the CJEU ruling. Instead, the motivation is the technical difficulties of using the retained data on internet sessions for police investigations. These problems were also known in 2013 when a majority in the Danish parliament decided to postpone a revision of the data retention law, including the heavily critised session logging part.

In its legal analysis of the CJEU ruling on the data retention directive, the Danish Ministry of Justice first notes that the Charter of Fundamental rights applies to the Danish data retention law even though the national law no longer transposes an EU directive. This reasoning is based on Article 15.1 of the e-privacy directive 2002/58/EC and an interpretation of the CJEU ruling C-617/10 (Fransson case).

The Ministry of Justice then notes that the CJEU ruling on data retention is based on three elements:

  1.  The directive covers all electronic communication for all persons (paras. 57-59)
  2. The directive does not contain objective criteria for access to the retained data (paras. 60-62)
  3. The retention period is not based on objective criteria (paras. 63-64)

Before assessing the Danish national law on the these elements, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that there is doubt about the weight given to the individual elements. This point plays an important role in justifying the conclusion reached in the legal analysis.

Firstly, The Danish data retention law covers all persons and all communications, so with respect to the points in paragraphs 57-59, there is no difference between the Danish law and the directive.

Secondly, The Danish Administration of Justice Act contains rules for access to the data. A prior court order is required, except in urgent cases, and there must be grounds for suspicion against the individual whose retained data is accessed. Also, access is restricted to “serious crime”, where the main rule is a prison term of six years or more. However, a number of criminal offences with shorter maximum prison sentences than six years are also included, in particular criminal offences where multiple offenders are likely to work together and use electronic communication for their criminal activities. For example, credit card fraud is included in the list of offences where retained telecommunications data can be used for police investigations.

Thirdly, the Ministry of Justice argues that the retention period in the Danish law is based on objective criteria. The retention period is one year for all types of data, but the Ministry of Justice cites preparatory work for the 2002 data retention law  in which the one-year retention period was justified on grounds that terrorist attacks such as 9/11 are often planned for more than six months, so a retention period of one year would be appropriate.

In the final conclusion of the 30-page legal analysis, the Ministry of Justice emphasises that the CJEU ruling is based on all three elements, and that the weight given to each individual element is not clear. During the meeting in the Justice Committee, the Minister of Justice said that they had found it difficult to read and evaluate the CJEU decision.

Since the Danish data retention law “only” has a problem with the first element of the CJEU ruling, the mass surveillance part (paras. 57-59), the Danish Ministry of Justice argues that there is no reason to assume that the Danish law is in conflict with the Charter of Fundamental Rights.

During the meeting the minister was asked repeatedly by Member of Parliament Pernille Skipper about paragraphs 57-59. Each time the answer was that the Ministry of Justice looked at the combined weight of the three elements in the CJEU ruling, and because there was doubt as to what weight should be given to the three elements individually, the minister saw no conflict between the Danish law and the Charter of Fundamental Rights.

The Minister of Justice also announced that the Danish government would propose a revision of the Danish data retention law in the next parliamentary session 2014-15. The minister suggested that this could lead to new data retention requirements, for example related to internet sessions. The current session logging requirements were only lifted because they could not produce data that the police could actually use, not because of any inherent conflict with fundamental rights. The decision to lift the session logging requirements was heavily criticized by the Conservative Party and the Danish People’s Party. It appears that ideological arguments in favour of storing all available data are considered more important than the practical consideration that the data cannot be used. Such ideological motivations also appear to override the obvious fact that, as the data are not useable, their collecting is patently not necessary and is, therefore, unquestionably contrary to the legal obligations of the Charter of Fundamental Rights and European Convention on Human Rights.

Legal analysis from the Danish Ministry of Justice (only in Danish, 02.06.2014)
http://justitsministeriet.dk/sites/default/files/media/Pressemeddelelser/pdf/2014/Notat%20om%20logningsdirektivet.pdf

Webcast of meeting in Justice Committee of the Danish parliament (only in Danish, 02.06.2014)
http://www.ft.dk/webtv/video/20131/reu/td.1130634.aspx

Homepage of Pernille Skipper, Member of Parliament for the Red-Green Alliance (only in Danish)
http://www.ft.dk/folketinget/findmedlem/elpesk.aspx

EDRi-gram: Denmark: Government postpones the data retention law evaluation (13.02.2013)
http://history.edri.org/edrigram/number11.3/dk-postpones-data-retention-evaluation

(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)