Privacy law in Denmark

Privacy law in Denmark is supervised and enforced by the independent agency Datatilsynet (The Danish Data Protection Agency) based mainly upon the Act on Processing of Personal Data.

History of Danish Privacy Law
Privacy law in Denmark was originally determined by 2 acts: the Private Registers Act of 1978, and the Public Authorities’ Registers Act of 1978, which governed the private sector and the public sector respectively. These 2 acts were replaced by the Act on Processing of Personal Data July 1, 2000, thereby implementing the European Union's Data Protection Directive (1995/46/EC). The Danish constitution also mentions privacy, in the form of paragraph 72 that stipulates that the confiscation and examination of letters and other papers; as well the interception of postal-, telegraph- and telephone communication cannot be done without a judicial order. September 28, 2006 The declaration of providers of electronic communication networks and electronic communication services registration and storage of information regarding teletraffic (Bekendtgørelse om udbydere af elektroniske kommunikationsnets og elektroniske kommunikationstjenesters registrering og opbevaring af oplysninger om teletrafik) was publicised, thereby implementing the European Union's Data Retention Directive (2006/24/EC), on "the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC”.

The Main Acts
In Danish privacy law, there are several acts that provides the basis for the collecting and storing private data. These are the Act on Processing of Personal Data and the Data Retention Executive Order.

Act on Processing of Personal Data
The Act on Processing of Personal Data is the main law regarding when and how personal data can be processed, in an electronic system, as well as manual handling of the data, when it is contained in a register. The act applies to all private companies, associations, organisations and to the public authorities. In the private sector, the law also applies to systematic processing of personal data, even if it does not happen electronically. The act differentiates between 3 different kinds of personal data, as they have to be treated differently, depending on the sensitivity of the data: The different kinds of personal data have different requirements for when they can be requested from a citizen, as to avoid that too much unnecessary sensitive data will be given to organisations that does not need them. The act also gives the citizens a series of rights, designed to help give more control of what information is being stored about him or her:
 * 1) Sensitive information
 * 2) Information regarding other purely private conditions
 * 3) Ordinary non-sensitive information
 * 1) Right to insight into the information, that is being handled about the citizen
 * 2) Right to be informed that information is being collected about the citizen
 * 3) Right to have incorrect information deleted or corrected

The Data Retention Executive Order
The Danish Surveillance law is the ratification of the European Union's Directive 2006/24/EC, which requires all providers of communication like telephones and internet to log certain data regarding the communication through their systems. §4 of the law require phone companies to log: §5 of the law require Internet Service Providers to log the following information about the initiating and the terminating packets: §5 section 2 of the law require Providers of Internet access to end users to log the following information about user: The European Union's Directive 2006/24/EC do not require the member counties to record and store all of these items, but the Danish government decided to expand upon the European directive, to include collection of more data. This led to a drop in Denmark's Privacy index of 0.5, from 2.5 to 2.0
 * 1) The caller's phone number (A-number) as well as the name and address of the subscriber or registered user
 * 2) The called phone number (B-number) as well as the name and address of the subscriber or registered user
 * 3) The redirected phone number (C-number) as well as the name and address of the subscriber or registered user
 * 4) The receipt for receiving a message
 * 5) The identity of the used communications equipment (IMSI- and IMEI-numbers)
 * 6) The cell or cells a mobile phone was connected to by the communications start and end, and the exact geographical or physical location of the used cell masts used during the time of the communication
 * 7) The exact time of the start and end of the communication
 * 8) The time of the first activation of anonymous services (Prepaid mobile phones)
 * 1) The senders IP-address
 * 2) The receivers IP-address
 * 3) The transport protocol used
 * 4) The senders port number
 * 5) The receivers port number
 * 6) The exact time of the start and end of the communication
 * 1) The allocated user identity
 * 2) The user identity and the phone number that have been allocated communications, which is a part of a public communicationsnetwork
 * 3) The name and address of the subscriber or registered user, to whom an IP-address, a user identity or a phone number was allocated at the time of the communication
 * 4) The exact time of the start and end of the communication

The Data Protection Agency
The Data Protection Agency is the central independent authority that makes sure the Act on Processing of Personal Data is obeyed in Denmark. Amongst other things it provides counselling, advice, treat complaints and perform inspections of authorities and companies. It comprises The Data Council and a secretariat. Anyone can complain to The Data Protection Agency if they feel Act on Processing of Personal Data is not obeyed in Denmark, The Agency will then launch a formal investigation into the matter and if required, it can issue fines and/or injunctions. It is possible to appeal the decisions of The Agency to a Danish court of law

The Data Council
The Data Council is composed of a chairperson and six board members. Its main task is to evaluate and make rulings: The current chairperson and 6 board members are:
 * 1) Of a principal nature
 * 2) Of significant common interest or with significant consequences for a public authority or private company
 * 3) That due to special circumstances should be decided by the council
 * 4) That a council member wish to discuss during a council meeting
 * Chairperson, High Court Judge Henrik Waaben
 * 1) Lawyer Janne Glæsel
 * 2) Professor, dr. jur. Peter Blume
 * 3) CEO of the Danish Consumer Council Rasmus Kjeldahl
 * 4) Manager of concern IT-Security Kim Aarenstrup
 * 5) City manager Niels Johannesen
 * 6) Chief physician Hans Henrik Storm

The Preben Randløv case
The goldsmith Preben Randløv was robbed February 8. 2008 where the robber not only got away with approximately 1.3 million DKR (€173,333) worth of jewelry, but also assaulted 2 employees, including Preben Randløv's wife. He then proceeded to upload a video from his shop surveillance camera of the masked robber, and issued a 25,000 DKR (€3,333) reward for any information that would lead to the arrest of the robber. The Data Protection Agency decided to initiate an administrative proceeding against Preben Randløv as he had not “asked the robber to consent” to the uploading of the video, and he was fined by 10,000 DKR (€1,333) by the police, as only the police have the authority to release videos of this nature. The video did lead to an arrest of 2 individuals who claimed they had bought the jewelry, but neither of them were convicted for the robbery. In October 2008, another one of Preben Randløv stores was robbed, and he told reporters during an interview, that he would upload a video of the new robbery as well.

The Shell case
In March 2009 it was discovered a Shell petrol station had a wall with pictures of petrol thieves in the shop of the petrol station. The Data Protection Agency decided to prosecute them because it was not legal according to the Act on Processing of Personal Data.

Privacy Problems in Denmark
According to Privacy International’s study: Leading surveillance societies in the EU and the World 2007, the main concerns in Denmark regarding privacy is the following:
 * Constitutional right to privacy depends on section 71 on personal liberty and section 72 on search and seizure
 * Comprehensive privacy law, and exempts security and defence services
 * Data privacy authority is appointed by the minister of justice, and the ministry is also responsible for the budget
 * Data privacy authority may enter any premise without a court order to investigate under the privacy law
 * Extensive interception of communications; and use of bugs on computers to monitor activity and keystrokes; and plans are in place to minimise notification
 * Police require a list of all active mobile phones near the scene of a crime
 * DNA samples may be required from applicants for residency based on family ties
 * Implemented retention of communications data well before EU mandate, for one year
 * Police took the DNA of 300 youth protestors in 2007
 * Implementing air travel surveillance program
 * Parliament is over-keen to implement surveillance programs
 * Ratified Cybercrime convention

These issues have cause Denmark to receive a very low rating on their Privacy index, a 2.0 (Extensive surveillance societies) compared to a 2.5 in 2006 (Systemic failure to uphold safeguards). This places Denmark on a 34th place of the 45 included counties in the study (although United States and United Kingdom are placed on 40th and 43rd place respectively, with scores of 1.5 and 1.4)