Privacy law in Denmark

Last updated January 13, 2021

Privacy law in Denmark is supervised and enforced by the independent agency Datatilsynet (The Danish Data Protection Agency) based mainly upon the Act on Processing of Personal Data.^[1]

History of Danish Privacy Law

Privacy law in Denmark was originally determined by 2 acts: the Private Registers Act of 1978, and the Public Authorities’ Registers Act of 1978, which governed the private sector and the public sector respectively. These 2 acts were replaced by the Act on Processing of Personal Data July 1, 2000, thereby implementing the European Union’s Data Protection Directive (1995/46/EC). The Danish constitution also mentions privacy, in the form of paragraph 72 that stipulates that the confiscation and examination of letters and other papers; as well the interception of postal-, telegraph- and telephone communication cannot be done without a judicial order.^[2] September 28, 2006 The declaration of providers of electronic communication networks and electronic communication services registration and storage of information regarding teletraffic (Bekendtgørelse om udbydere af elektroniske kommunikationsnets og elektroniske kommunikationstjenesters registrering og opbevaring af oplysninger om teletrafik) was publicised, thereby implementing the European Union’s Data Retention Directive (2006/24/EC), on "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC”.^[3]

The Main Acts

In Danish privacy law, there are several acts that provides the basis for the collecting and storing private data. These are the Act on Processing of Personal Data and the Data Retention Executive Order.

Act on Processing of Personal Data

The Act on Processing of Personal Data is the main law regarding when and how personal data can be processed, in an electronic system, as well as manual handling of the data, when it is contained in a register. The act applies to all private companies, associations, organisations and to the public authorities. In the private sector, the law also applies to systematic processing of personal data, even if it does not happen electronically.^[4] The act differentiates between 3 different kinds of personal data, as they have to be treated differently, depending on the sensitivity of the data:

Sensitive information
Information regarding other purely private conditions
Ordinary non-sensitive information

The different kinds of personal data have different requirements for when they can be requested from a citizen, as to avoid that too much unnecessary sensitive data will be given to organisations that does not need them. The act also gives the citizens a series of rights, designed to help give more control of what information is being stored about him or her:

Right to insight into the information, that is being handled about the citizen
Right to be informed that information is being collected about the citizen
Right to have incorrect information deleted or corrected

The Data Retention Executive Order

The Danish Surveillance law is the ratification of the European Union’s Directive 2006/24/EC, which requires all providers of communication like telephones and internet to log certain data regarding the communication through their systems.^[5] §4 of the law require phone companies to log:

The caller’s phone number (A-number) as well as the name and address of the subscriber or registered user
The called phone number (B-number) as well as the name and address of the subscriber or registered user
The redirected phone number (C-number) as well as the name and address of the subscriber or registered user
The receipt for receiving a message
The identity of the used communications equipment (IMSI- and IMEI-numbers)
The cell or cells a mobile phone was connected to by the communications start and end, and the exact geographical or physical location of the used cell masts used during the time of the communication
The exact time of the start and end of the communication
The time of the first activation of anonymous services (Prepaid mobile phones)

§5 of the law require Internet Service Providers to log the following information about the initiating and the terminating packets:

The senders IP-address
The receivers IP-address
The transport protocol used
The senders port number
The receivers port number
The exact time of the start and end of the communication

§5 section 2 of the law require Providers of Internet access to end users to log the following information about user:

The allocated user identity
The user identity and the phone number that have been allocated communications, which is a part of a public communicationsnetwork
The name and address of the subscriber or registered user, to whom an IP-address, a user identity or a phone number was allocated at the time of the communication
The exact time of the start and end of the communication

The European Union’s Directive 2006/24/EC do not require the member counties to record and store all of these items,^[6] but the Danish government decided to expand upon the European directive, to include collection of more data. This led to a drop in Denmark’s Privacy index of 0.5, from 2.5 to 2.0^[7]^[8]

The Data Protection Agency

The Data Protection Agency is the central independent authority that makes sure the Act on Processing of Personal Data is obeyed in Denmark. Amongst other things it provides counselling, advice, treat complaints and perform inspections of authorities and companies. It comprises The Data Council and a secretariat. Anyone can complain to The Data Protection Agency if they feel Act on Processing of Personal Data is not obeyed in Denmark, The Agency will then launch a formal investigation into the matter and if required, it can issue fines and/or injunctions. It is possible to appeal the decisions of The Agency to a Danish court of law

The Data Council

The Data Council is composed of a chairperson and six board members. Its main task is to evaluate and make rulings:

Of a principal nature
Of significant common interest or with significant consequences for a public authority or private company
That due to special circumstances should be decided by the council
That a council member wish to discuss during a council meeting

The current chairperson and 6 board members are:

Chairperson, High Court Judge Henrik Waaben

Lawyer Janne Glæsel
Professor, dr. jur. Peter Blume
CEO of the Danish Consumer Council Rasmus Kjeldahl
Manager of concern IT-Security Kim Aarenstrup
City manager Niels Johannesen
Chief physician Hans Henrik Storm

Important Cases

The Preben Randløv case

The goldsmith Preben Randløv was robbed February 8. 2008 where the robber not only got away with approximately 1.3 million DKR (€173,333) worth of jewelry, but also assaulted 2 employees, including Preben Randløv's wife. He then proceeded to upload a video from his shop surveillance camera of the masked robber, and issued a 25,000 DKR (€3,333) reward for any information that would lead to the arrest of the robber. The Data Protection Agency decided to initiate an administrative proceeding against Preben Randløv as he had not “asked the robber to consent” to the uploading of the video, and he was fined by 10,000 DKR (€1,333) by the police, as only the police have the authority to release videos of this nature. The video did lead to an arrest of 2 individuals who claimed they had bought the jewelry, but neither of them were convicted for the robbery. In October 2008, another one of Preben Randløv stores was robbed, and he told reporters during an interview, that he would upload a video of the new robbery as well.^[9]

The Shell case

In March 2009 it was discovered a Shell petrol station had a wall with pictures of petrol thieves in the shop of the petrol station. The Data Protection Agency decided to prosecute them because it was not legal according to the Act on Processing of Personal Data.^[10]

Privacy Problems in Denmark

According to Privacy International’s study: Leading surveillance societies in the EU and the World 2007, the main concerns in Denmark regarding privacy is the following:

Constitutional right to privacy depends on section 71 on personal liberty and section 72 on search and seizure
Comprehensive privacy law, and exempts security and defence services
Data privacy authority is appointed by the minister of justice, and the ministry is also responsible for the budget
Data privacy authority may enter any premise without a court order to investigate under the privacy law
Extensive interception of communications; and use of bugs on computers to monitor activity and keystrokes; and plans are in place to minimise notification
Police require list of all active mobile phones near the scene of a crime
DNA samples may be required from applicants for residency based on family ties
Implemented retention of communications data well before EU mandate, for one year
Police took the DNA of 300 youth protestors in 2007
Implementing air travel surveillance program
Parliament is over-keen to implement surveillance programs
Ratified Cybercrime convention

These issues have cause Denmark to receive a very low rating on their Privacy index, a 2.0 (Extensive surveillance societies) compared to a 2.5 in 2006 (Systemic failure to uphold safeguards). This places Denmark on a 34th place of the 45 included counties in the study (although United States and United Kingdom are placed on 40th and 43rd place respectively, with scores of 1.5 and 1.4)

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive is an important component of EU privacy and human rights law.

$Mass surveillance Intricate surveillance of an entire or a substantial fraction of a population$

Mass surveillance is the intricate surveillance of an entire or a substantial fraction of a population in order to monitor that group of citizens. The surveillance is often carried out by local and federal governments or governmental organisations, such as organizations like the NSA and the FBI, but it may also be carried out by corporations. Depending on each nation's laws and judicial systems, the legality of and the permission required to engage in mass surveillance varies. It is the single most indicative distinguishing trait of totalitarian regimes. It is also often distinguished from targeted surveillance.

A pen register, or dialed number recorder (DNR), is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications.

The Data Protection Act 1998 was a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It enacted the EU Data Protection Directive 1995's provisions on the protection, processing and movement of data.

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland.

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, and added so-called pen trap provisions that permit the tracing of telephone communications . ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA has been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008).

Lawful interception (LI) refers to the facilities in telecommunications and telephone networks that allow law enforcement agencies with court orders or other legal authorization to selectively wiretap individual subscribers. Most countries require licensed telecommunications operators to provide their networks with Legal Interception gateways and nodes for the interception of communications. The interfaces of these gateways have been standardized by telecommunication standardization organizations.

Personal data, also known as personal information or personally identifiable information (PII) is any information relating to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998.

Privacy law refers to the laws that deal with the regulation, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handing sensitive information.

Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Workplace privacy is related with various ways of accessing, controlling, and monitoring employees' information in a working environment. Employees typically must relinquish some of their privacy while in the workplace, but how much they must do so can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. With this problem of monitoring employees, many are experiencing a negative effect on emotional and physical stress including fatigue, lowered employee morale and lack of motivation within the workplace. Employers might choose to monitor employee activities using surveillance cameras, or may wish to record employees activities while using company-owned computers or telephones. Courts are finding that disputes between workplace privacy and freedom are being complicated with the advancement of technology as traditional rules that govern areas of privacy law are debatable and becoming less important.

The Data Retention Directive was passed on 15 March 2006 and regulated data retention, where data has been generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. It amended the Directive on Privacy and Electronic Communications. According to the Data Retention Directive, EU member states had to store citizens' telecommunications data for a minimum of six months and at most twenty-four months.

The Spanish Data Protection Agency is an independent agency of the government of Spain which oversees the compliance with the legal provisions on the protection of personal data. The agency is headquartered in the city of Madrid and it extends its authority to the whole country.

There are across the world several National data protection authorities, which are authorities tasked with information privacy. In the European Union and the EFTA member countries their status was formalized by the Data Protection Directive and they were involved in the Madrid Resolution.

The Telecommunications Amendment Act 2015 is an Australian law that amends the Telecommunications Act 1979 and the Telecommunications Act 1997 to introduce a statutory obligation for Australian telecommunication service providers to retain, for a period of two years, particular types of telecommunications data (metadata) and introduces certain reforms to the regimes applying to the access of stored communications and telecommunications data under the TIA Act.

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and Browsers, and cookies.

{{Use American English|date = March 2019}

References

↑ S, Clemens Advokatfirma-Camilla; Fink; Bonde, Søren; Angermair, Tommy. "How are data protection laws enforced in Denmark? | Lexology". www.lexology.com. Retrieved 2020-12-06.
↑ http://www.grundloven.dk (in Danish)
↑ "Archived copy". Archived from the original on 2010-02-18. Retrieved 2010-04-06.CS1 maint: archived copy as title (link)[347]=x-347-559545
↑ (in Danish)
↑ http://logningsdirektivet.dk (in Danish)
↑ "L_2006105EN.01005401.xml". europa.eu. Retrieved 18 January 2017.
↑ "Archived copy" (PDF). Archived from the original (PDF) on 2012-01-10. Retrieved 2009-11-05.CS1 maint: archived copy as title (link)
↑ "Archived copy". Archived from the original on 2010-02-18. Retrieved 2010-04-06.CS1 maint: archived copy as title (link)[347]=x-347-559597
↑ (in Danish)
↑ (in Danish)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] S, Clemens Advokatfirma-Camilla; Fink; Bonde, Søren; Angermair, Tommy. "How are data protection laws enforced in Denmark? | Lexology". www.lexology.com. Retrieved 2020-12-06.

[2] ttp://www.grundloven.dk (in Danish)

[3] "Archived copy". Archived from the original on 2010-02-18. Retrieved 2010-04-06.CS1 maint: archived copy as title (link)[347]=x-347-559545

[4] (in Danish)

[5] ttp://logningsdirektivet.dk (in Danish)

[6] "L_2006105EN.01005401.xml". europa.eu. Retrieved 18 January 2017.

[7] "Archived copy" (PDF). Archived from the original (PDF) on 2012-01-10. Retrieved 2009-11-05.CS1 maint: archived copy as title (link)

[8] "Archived copy". Archived from the original on 2010-02-18. Retrieved 2010-04-06.CS1 maint: archived copy as title (link)[347]=x-347-559597

[9] (in Danish)

[10] (in Danish)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

v t e Privacy
Principles	Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Canada Denmark England European Union Germany Ghana New Zealand Singapore Switzerland United States
Data protection authorities	Australia Denmark European Union France Germany Ireland Isle of Man Norway Philippines Poland Spain Sweden Switzerland Turkey Thailand United Kingdom
Areas	Consumer Medical Workplace
Information privacy	Law Financial Internet Personal data Personal identifier Privacy-enhancing technologies Social networking services Privacy engineering Secret ballot
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Future of Privacy Forum Electronic Privacy Information Center Electronic Frontier Foundation European Digital Rights Global Network Initiative NOYB Privacy International Privacy Rights Clearinghouse
See also	Anonymity Cellphone surveillance Cyberstalking Data security Eavesdropping Global surveillance Mass surveillance Privacy engineering Telephone tapping Human rights Identity theft Panopticon Personality rights Search warrant