Key privacy concerns in Denmark 2007

By EDRi · January 30, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

a. Data Retention – a reality

15 September 2007 – data retention became a reality in Denmark. The
administrative order, which sets the scope and conditions for data
retention, was approved on 28 September 2006 with an implementation deadline
of one year. The order, which was drafted by the Ministry of Justice, had
been underway for more than four years. The Act providing for data retention
was approved by the Danish Parliament already in June 2002 as part of the
Danish “anti-terrorism package,” which extended the scope of Section 786 of
the Administration of Justice Act (Act No. 378 of 6 June 2002).

The administrative order regulates in more details the obligations of the
telecommunications providers and further implements the recently adopted EU
Directive on Data Retention. On some issues the order goes further than the
EU Directive, e.g. session logging. The order applies only to commercial
ISPs, excluding non commercial ISPs, libraries, universities and smaller
housing associations. There is no obligation on ISPs to invest in new
systems, but the law demands 24/7 point of contact at ISPs and security
clearing of relevant ISP personnel.For fixed lines and mobile phones
(including voice, voicemail, call forwarding, conference calls, SMS, MMS)
the retained data are: phone number, user ID (e.g. customer number), name
and address of customer, IMSI / IMEI number, unsuccessful call attempts,
first and last cells ID and physical location (mobile communication), and
date and time for start and end of communication. For Internet use, the
retained data are session logging (first and last or every 500 package), IP
address, port number and transport protocol, user ID, phone number for
dialup access, location and ID of hot spots, date and time for start and end
of communication. For email and VoIP the order covers the ISPs own email
services (and not hotmail, gmail, etc) and all VoIP services. The retained
data are sender and receiver, user ID, email address, date, time and
duration of communication.

During the 4-year drafting period, the proposed scheme for mandatory data
retention was heavily criticized by the Telecom and IT industry, the Data
Protection Agency, the Human Rights Institute, and non-governmental
organizations for being privacy invasive, disproportionate and inconsistent,
i.e. letting private companies store large amounts of personal information,
while at the same time being easy to evade, because of the many exemptions,
such as libraries and universities.

b. Extended means of surveillance

On 1 June 2007 an Act on TV Surveillance, which replaced the previous Act
Prohibiting Video Surveillance was adopted in the Parliament (Act. no. 162
of 1 June 2007).
The bill gives private enterprises such as banks, gas stations, hotels,
shops etc. extended powers to perform surveillance on areas related
to their property. The police may set quality standards for the recordings.
General surveillance of public areas such as public streets and squares are
not allowed for private parties, however the police may perform
surveillance in any public area if it is found necessary to prevent or
investigate crime. Both public and private surveillance must comply with the
Danish Data Protection Act, i.e. requirements of deletion of data after max.
30 days. However, there is no longer a duty to notify the Data Protection
Agency prior to installing surveillance equipment.

c. Extended access to personal information

On 8 June 2006, an Act amending the Administration of Justice Act, Act
Prohibiting Video Surveillance etc., and Act on Air Traffic (Strengthening
of the efforts to fight terrorism etc.) was adopted in Parliament (Act No.
542 of 8 June 2006). The bill was presented as the second “anti-terrorism
package” in Denmark. The amendment to the Administration of Justice Act
gives the Police Intelligence Service increased powers to exchange
information with the Defense Intelligence Service and to collect information
from other public authorities, e.g. hospitals, schools, libraries, social
services etc. without a warrant. Concerning phone tapping in relation to
criminal investigations, this is now targeted to individuals rather than means of communication, for instance a specific landline. This implies that
all the phones a person may use may be tapped. Also, the notification of the
individual may be omitted or postponed for a fixed period of time if the
notification is considered to be detrimental to the investigation. The
amendment of the Act Prohibiting Video Surveillance gives the police
increased powers to demand of public offices and private parties that they
install and conduct video surveillance. The amendment of the Air Traffic Act
obliges airline companies to register and keep data on passengers and crews
for one year and to provide the Police Intelligence Service with electronic
access to the data, without a warrant.

Draft Administrative Order on data retention in Denmark (19.07.2006)

EU Data retention directive and its implementation in Denmark (in Danish

CCTV (in Danish only) – about CCTV (in Danish only, 21.11.2006)

Act No. 542 of 8 June 2006 (in Danish only, 8.06.2006)

(contribution by Rikke Frank Joergensen – Digital Rights Denmark)