Key privacy concerns in Denmark 2007
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
a. Data Retention - a reality
15 September 2007 - data retention became a reality in Denmark. The administrative order, which sets the scope and conditions for data retention, was approved on 28 September 2006 with an implementation deadline of one year. The order, which was drafted by the Ministry of Justice, had been underway for more than four years. The Act providing for data retention was approved by the Danish Parliament already in June 2002 as part of the Danish "anti-terrorism package," which extended the scope of Section 786 of the Administration of Justice Act (Act No. 378 of 6 June 2002).
The administrative order regulates in more details the obligations of the telecommunications providers and further implements the recently adopted EU Directive on Data Retention. On some issues the order goes further than the EU Directive, e.g. session logging. The order applies only to commercial ISPs, excluding non commercial ISPs, libraries, universities and smaller housing associations. There is no obligation on ISPs to invest in new systems, but the law demands 24/7 point of contact at ISPs and security clearing of relevant ISP personnel.For fixed lines and mobile phones (including voice, voicemail, call forwarding, conference calls, SMS, MMS) the retained data are: phone number, user ID (e.g. customer number), name and address of customer, IMSI / IMEI number, unsuccessful call attempts, first and last cells ID and physical location (mobile communication), and date and time for start and end of communication. For Internet use, the retained data are session logging (first and last or every 500 package), IP address, port number and transport protocol, user ID, phone number for dialup access, location and ID of hot spots, date and time for start and end of communication. For email and VoIP the order covers the ISPs own email services (and not hotmail, gmail, etc) and all VoIP services. The retained data are sender and receiver, user ID, email address, date, time and duration of communication.
During the 4-year drafting period, the proposed scheme for mandatory data retention was heavily criticized by the Telecom and IT industry, the Data Protection Agency, the Human Rights Institute, and non-governmental organizations for being privacy invasive, disproportionate and inconsistent, i.e. letting private companies store large amounts of personal information, while at the same time being easy to evade, because of the many exemptions, such as libraries and universities.
b. Extended means of surveillance
On 1 June 2007 an Act on TV Surveillance, which replaced the previous Act Prohibiting Video Surveillance was adopted in the Parliament (Act. no. 162 of 1 June 2007). The bill gives private enterprises such as banks, gas stations, hotels, shops etc. extended powers to perform surveillance on areas related to their property. The police may set quality standards for the recordings. General surveillance of public areas such as public streets and squares are not allowed for private parties, however the police may perform surveillance in any public area if it is found necessary to prevent or investigate crime. Both public and private surveillance must comply with the Danish Data Protection Act, i.e. requirements of deletion of data after max. 30 days. However, there is no longer a duty to notify the Data Protection Agency prior to installing surveillance equipment.
c. Extended access to personal information
On 8 June 2006, an Act amending the Administration of Justice Act, Act Prohibiting Video Surveillance etc., and Act on Air Traffic (Strengthening of the efforts to fight terrorism etc.) was adopted in Parliament (Act No. 542 of 8 June 2006). The bill was presented as the second "anti-terrorism package" in Denmark. The amendment to the Administration of Justice Act gives the Police Intelligence Service increased powers to exchange information with the Defense Intelligence Service and to collect information from other public authorities, e.g. hospitals, schools, libraries, social services etc. without a warrant. Concerning phone tapping in relation to criminal investigations, this is now targeted to individuals rather than means of communication, for instance a specific landline. This implies that all the phones a person may use may be tapped. Also, the notification of the individual may be omitted or postponed for a fixed period of time if the notification is considered to be detrimental to the investigation. The amendment of the Act Prohibiting Video Surveillance gives the police increased powers to demand of public offices and private parties that they install and conduct video surveillance. The amendment of the Air Traffic Act obliges airline companies to register and keep data on passengers and crews for one year and to provide the Police Intelligence Service with electronic access to the data, without a warrant.
Draft Administrative Order on data retention in Denmark (19.07.2006)
EU Data retention directive and its implementation in Denmark (in Danish
CCTV (in Danish only)
Privacyforum.dk - about CCTV (in Danish only, 21.11.2006)
Act No. 542 of 8 June 2006 (in Danish only, 8.06.2006)
(contribution by Rikke Frank Joergensen - Digital Rights Denmark)