Danish decree on data retention heavily criticised

By EDRi · August 4, 2004

On 24 March 2004 the Danish Ministry of Justice released a draft Administrative Order and a set of guidelines for mandatory retention of telecommunication traffic data. It is a follow-up to the ‘anti-terror package’ from 6 June 2002 (Act no. 378), that extended the minimum time for data retention to a year and allowed police and intelligence agents to look at such material with court permission where serious crimes were involved and to install on ISP servers software similar to the US Carnivore system to intercept e-mail.

The Administrative Order and the guidelines aim to regulate in detail the obligations of the Danish telecommunication providers (minor private ISPs included), specify how they must assist the Danish police interfering with the secrecy of communication, what data should be retained, and how it should be done. For internet, this means an obligation for providers to keep an extended mail server logfile with precise information who has been e-mailing whom, an extensive IP-registration of all incoming and outgoing IP-requests and an obligation to log all IP-addresses from visitors to chatrooms. Mobile telephony providers are to store all data about incoming and outgoing calls, including SMS and MMS, and all localisation data they generate for each call, even if the call is not successful.

When circulated for comments in May 2004, the draft was heavily criticised by both Internet Service Providers, co-operative housing associations and non-governmental organisations for being disproportional and inconsistent, e.g. by letting private entities store huge amounts of personal information while at the same time leaving ample loopholes, since for example libraries and universities are not included. Everyone now awaits the next steps from the Ministry of Justice.

Danish Ministry of Justice

Danish Data Protection Agency

(Contribution by Rikke Frank Joergensen, EDRI-member Digital Rights Denmark)