Denmark: Government postpones the data retention law evaluation
In the coming months, the Danish Parliament will conduct an evaluation and revision of the Danish data retention law which implements directive 2006/24/EC. The review process has been postponed twice on earlier occasions (2010 and 2012), and the Danish government wants another two-year extension, officially in order to coordinate with any changes in the directive at the EU level.
The Danish law exceeds the requirements of the data retention directive in several respects, especially as far as Internet logging is concerned. The Danish law contains a requirement for session logging which includes data about every Internet packet being transmitted.
Specifically, the following information must be retained: source and destination IP address, source and destination port number, transmission protocol (such as TCP or UDP) and timestamps. The contents of the Internet packets are not logged, but the IP addresses will contain information about visits to websites of political parties (that is, in effect, registration of political preferences) and the online news services that the citizen reads. Last year in the Danish Parliament, there was considerable debate about the Danish over-implementation of the data retention directive, in particular Internet session logging.
The Parliament instructed the Danish government to produce an evaluation report with special focus on session logging. The Danish Ministry of Justice published this report in December 2012.
The evaluation report contains detailed descriptions of nine police cases where telephone logging was useful, or maybe even critical, to the Danish police. These cases are taken from an earlier report submitted to the EU Commission. All nine cases are about serious and violent crimes such as murder, armed robbery and organized narcotics smuggling.
For Internet logging there are only three police cases. Moreover, one of the three cases is really about telephone logging since location data from a mobile device is used by the police. The location registration just happens to be triggered by "data calls" from a smartphone. This leaves two police cases to demonstrate the value of Internet logging, and only one case uses session logging. Both cases involve economic crimes (fraud) on a relatively minor scale. There is a huge discrepancy between the nature of the police cases involving telephone and Internet logging.
The report confirms the suspicion of EDRi member IT-Pol that Internet logging, and especially Internet session logging, is rarely used by the Danish police. Quite interestingly, the Ministry of Justice formally states in its own evaluation report that session logging was implemented in a way that made it useless for the police (the implementation follows the requirements of the law). Before September 2007, the Danish Internet service providers repeatedly warned the Ministry of Justice that session logging would be useless for the police.
The Danish Ministry of Justice report (only in Danish, 12.2012)
Danish government wants to postpone the evaluation of the data retention law for the third time (12.02.2013)
EDRi-gram: Key privacy concerns in Denmark 2007 (30.01.2008)
(Contribution by Jesper Lund, EDRi member IT-Pol Denmark)