Draft Administrative Order on data retention in Denmark

By EDRi · July 19, 2006

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The long awaited draft administrative order on data retention in Denmark is
now public. The draft, which implements the data retention provisions in the
anti-terrorism law of June 2002, is currently submitted to a group of
telecoms, business associations, NGOs, and public authorities for
consultations with deadline on 10 August 2006.

The proposal drafted by the Ministry of Justice and Ministry of Science &
Technology, with the advice of a small group of telecom representatives, is
more limited in scope than the previous draft of Spring 2004. The proposal
implements part of the recent EU data retention directive but is more
invasive, since it includes Internet session data.

Summary of the proposal with focus on internet data:
– Retention period is one year;
– Scope of data to be retained are data that are generated or processed in
the ISPs current systems, thus it is not limited to data that are generated
for billing purposes;
– No obligation on the ISPs to invest in new equipment;
– All commercial ISPs are included (non commercial ISPs, housing
associations with less than 100 units, libraries, universities and other non
commercial public institutions are excluded);
– The Internet session data to be retained is (paragraph 5, 1): the sending
internet protocol address, the receiving internet protocol address,
transport protocol, sending port number, receiving port number, start and
ending time of the communication.

These data are to be retained for each internet sessions initiating and
closing “communication package” leaving the ISPs own network, or if this is
not feasible, for every 500 “communication packages” leaving the ISPs own
network (paragraph 5, 4). According to the telecom industry the latter is
the solution they expect to implement.

In addition, the following user data need to be registered (paragraph 5, 2):
the assigned user identity (e.g. customer number), the user identity and
phone number assigned to communications in a public network, name and
address of the registered subscriber or user of a given IP address, user
identity or phone number, and start and ending time of the communication.

For wireless access points offered by ISPs, data on the physical location
and identity of the equipment need to be registered (paragraph 5, 3).

For e-mails, the sending and receiving email address need to be retained,
but only for users of the ISPs own email services, e.g. not for email
services such as hotmail or gmail (paragraph 6).

The coming weeks will show how the Telecom Industry, NGOs and others respond
to the draft. So far, it seems the industry is willing to accept the
proposal without much outcry, not least because it has included much of
their earlier critique. Besides, many see it as a lost cause given the legal
anti-terrorism provisions adopted in Denmark back in 2002.

Ministry of Justice Draft administrative order on data retention (in Danish

EDRI-gram : New anti-terrorism measures in Denmark (5.12.2005)

(Contribution by Rikke Frank Jørgensen, EDRI-member Digital Rights Denmark)