Denmark: Our data retention law is illegal, but we keep it for now
On 2 March 2017, the Danish Minister of Justice appeared before the Legal Affairs Committee of the Danish Parliament to answer questions about the implications of the Tele2 data retention ruling (joined cases C-203/15 and C-698/15) from the Court of Justice of the European Union (CJEU).
In his statement to the committee, the Minister started by noting that the Danish government is still analysing the consequences of the judgment, but two conclusions are clear. First, EU law precludes a general and undifferentiated data retention scheme covering all subscribers. Secondly, EU law does not preclude a targeted data retention scheme for the purpose of fighting serious crime. The Minister of Justice then noted that the Danish data retention law covers all subscribers, similar to the data retention laws in the other Member States that currently have data retention. The unavoidable implication of this is that the current Danish data retention law does not comply with EU law, which the Minister of Justice admitted before the committee.
It is definitely noteworthy that this conclusion comes from the Danish Ministry of Justice after two months of undoubtedly very intensive internal analysis of the Tele2 judgment and presumably consultations with other Member States. In June 2014, there was also a meeting in the Legal Affairs Committee of the Danish Parliament, two months after the CJEU ruled on 8 April 2014 that the Data Retention Directive (2006/24/EC) was invalid. However, at that meeting, the Minister of Justice was able to get away with presenting a legal analysis with a very narrow interpretation of the 2014 CJEU judgment that allowed the minister to conclude that there was no reason to assume that the Danish data retention law was in conflict with the Charter of Fundamental Rights. At the committee meeting on 2 March 2017, no doubt about the interpretation of the new Tele2 judgment was possible: blanket data retention is illegal in the European Union.
In this situation, a country committed to the rule of law would take immediate steps to repeal the illegal legislation. In Denmark, this can be done very easily, since the Danish data retention law authorises the Minister of Justice to lay down the specific data retention requirements in an administrative order. A simple executive decision by the Minister of Justice, repealing the illegal data retention administrative order (”logningsbekendtgørelsen”), would suffice to uphold the rule of law in Denmark.
However, this will not happen in the immediate future. Despite being unable – twice – to convince the Court of Justice of the EU of this, the Minister of Justice still argues that data retention is simply too valuable for the Danish police. Therefore, the current blanket data retention will simply continue without any change until new rules for targeted data retention have been fully implemented. The Minister of Justice claims that the EU Commission has not made any demands to the Danish government to repeal the current (illegal) data retention rules.
The projected timeline for the future process is somewhat unclear, although the next parliamentary year was mentioned tentatively at the meeting. Currently, the Danish government is consulting with the other Member States and the EU Commission on interpreting the Tele2 ruling and in particular how targeted data retention should be defined. Another requirement for the Minister of Justice is that the targeted data retention scheme is technically feasible for the telecommunications operators, and consultations with the telecommunications industry on this are ongoing. When a technically feasible targeted data retention plan is available, the Minister of Justice will present a legislative proposal to the Danish Parliament, which eventually will lead to replacing the illegal data retention scheme with a new, hopefully legal, scheme.
The Minister of Justice made it clear that the future targeted data retention rules will even include the extensions for internet traffic that were planned under blanket data retention until just prior to the Tele2 judgment, possibly including internet connection records (introduced in the United Kingdom with the Investigatory Power Act). Retention of internet connection records was a massive failure when used between 2007 and 2014 in Denmark (under the old name “session logging”). Just before the Tele2 judgment in December 2016, the working plan of the Ministry of Justice was to re-introduce internet connection records for subscribers with Carrier Grade Network Address Translation (CG-NAT) connections.
At the committee meeting on 2 March 2017, the Minister of Justice described the future process towards targeted data retention as an ”adjustment of the current data retention rules”, and he emphasised the importance of ensuring that the police and intelligence services would continue to have the necessary tools to protect the population, as had been the case for the past 10 years with data retention. Here, the Minister of Justice is clearly confusing the use of telecommunications metadata in police investigations with mandatory data retention. Danish police has systematically used available telecommunications metadata in investigations for the past 20 years, and mandatory data retention only took effect on 15 September 2007.
While the Minister of Justice repeatedly referred to the ongoing EU consultations and that the EU Commission is currently preparing guidelines for targeted data retention, there was also some informal discussion of the issue among the Members of Parliament (MPs) that participated in the committee meeting. MPs in favour of data retention were clear about their intentions: data retention should allow the police to look into the past for suspects that were unknown at the time of the crime. This sounds very much like blanket data retention, and the word targeted is only used because the CJEU has made it very clear that EU law only allows targeted data retention. There seems to be little doubt that the Danish government, backed by a clear majority in Parliament, will push the scope of targeted data retention, once this concept has been defined, to the legal limit of EU law in the future revision of the Danish data retention rules.
EDRi: Denmark: Data retention is here to stay despite the CJEU ruling (04.06.2014)
Webcast of meeting in the Legal Affairs Committee of the Danish parliament (in Danish, 02.03.2017)
EDRi: Danish government postpones plans to re-introduce session logging (23.03.2016)
Minister of Justice continues illegal surveillance, Information (in Danish, 03.03.2017)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)