The new Danish data retention law: attempts to make it legal failed after just six days
Author: Jesper Lund, Chairman of IT-Pol (firstname.lastname@example.org)
Summary: General and indiscriminate data retention for national security with a semi-permanent ”serious threat” level, and access to the retained data permitted also for serious crime, was meant to keep the old data retention framework (which transposed the 2006 Data Retention Directive) essentially intact, despite warnings that this was not really possible. When the CJEU struck down the interpretation about access for serious crime on 5 April 2022 (six days after entry into force of the new law), the Danish police was left with very limited access to retained traffic and location data. The Ministry of Justice is now planning to introduce targeted data retention for combatting serious crime alongside generalised retention for national security. This is provided for in the new law, but due to various implementation issues, it was meant as an ”insurance policy” for a later date, not in mid 2022. The ”targeted” data retention outlined in the new law is expected to cover 67% of the Danish population by the government's own estimates.
In November 2021, the Danish government presented a proposal for a new data retention law (L 93). The proposal was adopted with mostly minor amendments by the Parliament in March 2022. The main motivation for the new law was a long overdue need to adapt the Danish data retention framework to the case law of the Court of Justice of the European Union (CJEU).
In March 2017, the Danish government recognised that the data retention law did not comply with EU law, as interpreted by the CJEU in the Tele2 judgment (joined cases C-203/15 and C-698/15). The revision of the Danish law was postponed five times (after March 2017) for various reasons. Initially, the Danish government wanted to wait for guidance from the European Commission (EC) on targeted data retention. Later, the postponement was rationalised by the forthcoming judgments in the new data retention cases before the CJEU from France and Belgium (C-511/18, C-512/18 and C-520/18, henceforth referred to as the La Quadrature du Net case), where several Member States asked the CJEU to revise the case law from Tele2. After the CJEU delivered its judgment La Quadrature du Net case on 6 October 2020, the Ministry of Justice finally committed to drafting a new data retention law in compliance with EU law.
This article has a detailed description of the new Danish data retention law (to be precise: the data retention provisions in the Administration of Justice Act, which will be referred to as the new/old data retention law in this article). The reader is assumed to be familiar with the (annulled) Data Retention Directive and the CJEU case law on data retention.
The old data retention law
The old data retention law basically transposed the Data Retention Directive from 15 September 2007. It remained in effect after the annulment of the Directive in 2014 until the new data retention law entered into force on 30 March 2022.
Providers of electronic communications services were required to store the following information (slightly simplified) for all subscribers with a retention period of one year.
For telephony services:
- Called and calling number for incoming and outgoing voice calls, SMS and MMS
- Time of the start and end of the communication (voice call, SMS or MMS)
- Location (cell ID) of the mobile device at the start and end of the communication
- IMSI and IMEI number used for the communication
- Name and address of the subscriber (if available)
For internet access services:
- User ID and source IP address used to access the internet
- Time of the start and end of the communication (connection to the internet)
- Name and address of the subscriber (if available)
Compared to the Data Retention Directive there are two noteworthy differences. The first is that the location (cell ID) of the mobile device must also be stored at the end of the communication. The second difference is that the Danish law does not require retention of location data for mobile internet access.
The data retention requirements applies to data that is generated or processed by providers of electronic communication services, similar to Article 1(1) of the Directive. If the name and address of the user is not processed, e.g. prepaid SIM cards or internet access from WiFi hotspots in cafés, there is no requirement to retain this information.
Between September 2007 and June 2014 the Danish data retention requirements also included the destination of internet traffic, known as session logging. Providers of internet access services were required to retain the source and destination IP address and port numbers, session type e.g. TCP or UDP, and timestamp for every 500th internet packet. The session logging provision was repealed in June 2014 after the annulment of the Data Retention Directive, officially because the Danish police had been unable to use the massive amount of data collected. Attempts to reintroduce session logging in 2015 and 2016 were unsuccessful.
Police access to retained traffic data requires prior court authorisation, except in cases of urgency. For location data and source IP addresses, access can be granted for investigation of all criminal offences. For traffic data revealing the destination of telephone calls (and SMS/MMS messages), access is limited to serious crime. Serious crime covers all criminal offences with a maximum custodial sentence of six years or more, as well as a list of other criminal offences (with maximum sentences below six years).
Outline of the new law
The Danish government is a huge proponent of general and indiscriminate data retention and very critical of the CJEU judgments. This is not an outcome of evidence-based policy making demonstrating the necessity of the highly intrusive measure since only anecdotal evidence about the possible usefulness of retained traffic and location data has been presented since 2007, typically even without distinguishing between whether the data is available because of data retention requirements or for other reasons (storage for commercial considerations). The government, and a sizeable majority in Parliament, simply believes that data retention is an important investigative tool for the police, no questions asked.
This explains why the stated aim of the revision proposed in November 2021, following some consultation with stakeholders earlier in the year, is to maintain as much as possible of the old data retention regime while claiming to comply with EU law and the CJEU judgments.
The structure of the new data retention law is very similar to the non-paper WK 7294/2021 presented by the EC on 10 June 2021. Based on an analysis of the La Quadrature du Net judgment, the EC non-paper outlines the possibilities for Member States to have
- Generalised retention of traffic and location data for national security purposes
- Targeted retention of traffic and location data for serious crime
- Expedited retention (quick freeze) of traffic and location data for serious crime
- Generalised retention of IP addresses for serious crime
- Generalised retention of civil identity data
In the spirit of having as much data retention as possible, the new data retention law pushes each type of retention to the legal limit, and arguably beyond what is permissible under EU law in some cases. Indeed, a critical element about access to data retained for national security purposes was overturned by the CJEU only six days after entry into force of the new law.
The new data retention law covers the same service providers as the old law: providers of telephony services (number-based interpersonal communications services) and providers of internet access services, as well as email services offered in connection with these services. The use of these email services is very limited, so this part of the law will be ignored. All other number-independent interpersonal communications services, sometimes called over-the-top (OTT) services, are outside the scope of the new law.
General and indiscriminate data retention for national security
In the La Quadrature du Net judgment (paras. 134-139), the CJEU ruled for the first time that general and indiscriminate retention of all traffic and location data is compatible with EU law if there is a serious threat to national security which is shown to be genuine and present or foreseeable. The order requiring generalised retention must be limited in time to what is strictly necessary and subject to safeguards that protect the personal data concerned against risk of abuse. Effective review by a court or an independent administrative authority must verify that the extraordinary conditions justifying generalised retention exist.
Under Section 786e of the new data retention law, the Minister of Justice can issue an order for general and indiscriminate data retention if there is is reason to believe that Denmark faces a serious threat to national security. For telephony services, the generalised retention order will cover precisely the same traffic data as the old law with a retention period of one year, which means no changes to the data retention requirements as long as there is a serious threat to national security. Generalised retention orders can be issued for a period of time up to 12 months, which the Ministry of Justice believes is sufficient to ensure that the orders are limited in time.
The first generalised retention order was issued for the period from 30 March 2022 to 29 March 2023. In the annex, the order is justified by general information such as the annual non-classified threat assessment from the intelligence services and statistical information about the number of terrorist cases (number of persons charged, indicted and convicted of terrorist offences). The latter is by definition backward looking (previous threats which cannot be said to be ”actual or foreseeable”), and the threat assessments from the intelligence services are very general in nature. Since the mid 2000s, the conclusion in the annual assessments from the intelligence services has consistently been that Denmark faces a ”serious threat” from terrorism.
If retention orders for safeguarding national security will continue to be issued based on this type of general information, rather than concrete intelligence about specific serious threats to national security that are present or foreseeable, general and indiscriminate data retention is likely to become a semi-permanent, rather than exceptional, measure. It is highly doubtful that such a retention regime will comply with the La Quadrature du Net judgment.
Another problematic aspect of the new data retention law is the lack of effective court review. There are no provisions for automatic prior or even subsequent court review of the generalised retention order. In order to get review of the order by a court, someone, e.g. a civil society organisation, will have to launch a civil court proceeding against the Ministry of Justice. Litigation against the government often takes a long time in Denmark, so by the time the decision in the civil case is handed down, the retention order could very well have expired and be replaced by a new order, possibly based on new information. For its independent review, the court will only get access to the non-classified information justifying the retention order. This cannot comply with the CJEU requirement that effective review by a court must verify that the conditions for generalised retention are satisfied (para. 139).
In summary, the generalised data retention regime in Section 786e of the new law is highly prone to becoming essentially permanent, while effective court review of the retention orders will remain illusionary in practice.
Access to data retained for national security purposes
Arguably, the biggest challenge for the Danish government was to ensure that traffic and location data could not only be retained on a generalised basis, but also that access to the retained data could be granted for investigations of serious crime, and not just cases involving national security (typically terrorism cases). If both objectives could be achieved, the new data retention law would have general and indiscriminate retention of traffic and location data with access permitted for serious crime, just like the old data retention law.
According to para. 166 of the La Quadrature du Net judgment, access to the retained data can only be justified by the public interest objective for which those providers were ordered to retain that data or by an objective of greater public interest (e.g. national security if the retention is justified by combatting serious crime). This is the purpose limitation principle of data protection law in combination with the principle of proportionality.
Nonetheless, the Ministry of Justice invoked various arguments to the contrary, based mostly on para. 33 of the Prokuratuur judgment C-746/18, which is only concerned with serious crime and not national security. As a result, access to traffic and location data is allowed for serious crime in all situations in the new law, even when the data is retained in a generalised manner for national security purposes.
However, the explanatory remarks of the new law state quite explicitly that this interpretation of para. 166 of the La Quadrature du Net judgment is subject to ”substantial procedural risk” (in Danish: ”væsentlig procesrisiko”), an expression that has never before been used in a Danish law. The highly unusual wording strongly suggests that the interpretation is based on political convenience (a desire to keep the data retention framework intact), rather than solid legal arguments.
As mentioned above and discussed in detail later, the dubious interpretation only survived six days. On 5 April 2022, the CJEU rejected the argument that competent national authorities should be able to access, for the purposes of combating serious crime, traffic and location data which have been retained in a generalised manner for national security.
Targeted data retention for combatting serious crime
Since the 2014 judgment on the Data Retention Directive (joined cases 293/12 and C-594/12), the CJEU has consistently held that general and indiscriminate data retention for combatting serious crime violates EU law (interpreted in light of the Charter of Fundamental Rights) because it is not limited to what is strictly necessary. Only targeted data retention can comply with EU law when the purpose is combatting serious crime.
In the La Quadrature du Net judgment, the CJEU provides guidance to Member States on possible criteria for person-based and location-based targeted data retention. This guidance is used in the EC non-paper from June 2021 to outline a targeted data retention scheme which seems very comprehensive because all possible targeting criteria are applied cumulatively. The new Danish data retention takes the same approach as the EC non-paper.
For persons and geographical areas covered by the targeting criteria in the new Danish law, the traffic and location data to be retained as well as the retention period (one year from time of collection) are precisely the same as for the generalised data retention for national security. This means that the targeted data retention will be a subset of the generalised data retention if there is serious threat to national security. As discussed above, the Danish law is heavily biased towards having generalised data retention for national security on a semi-permanent, if not permanent, basis.
When drafting the new law, the Danish government believed (or hoped, as discussed above) that generalised data retention for national security purposes could be accessed by law enforcement in cases involving serious crime. With this interpretation, there is no point in having targeted data retention as long as there is a serious threat to national security which can justify generalised data retention. The traffic and location data from targeted data retention will simply be a subset of what is already retained on a generalised basis, and the same rules for access were believed to apply for both types of data retention (until the CJEU struck that interpretation down on 5 April 2022).
Therefore, even though the new law has detailed provisions for targeted data retention (described below), no orders for targeted data retention have been issued as of 15 June 2022. In the new law, targeted data retention plays the role of an ”insurance policy” for the Danish government if the general and indiscriminate data retention for national security cannot continue (e.g. if the generalised retention sometime in the future cannot be renewed again without violating the requirement that it must be limited in time) or if the government's interpretation about access for serious crime is overturned by national courts or the CJEU.
Since the latter already happened on 5 April 2022 (much earlier than expected), the Ministry of Justice is now planning to introduce targeted data retention alongside general and indiscriminate data retention for national security. In their consultation responses to the draft data retention law, the telecom providers indicated that they would need 12-15 months to prepare the implementation of targeted data retention in their systems. An implementation period is also foreseen on the side of the Danish National Police, as the comments of the new law mention a pre-analysis for designing IT systems which will be concluded in 2023, at the earliest. However, there are provisions for a partial implementation of targeted data retention based on temporary specifications, which presumably is the strategy currently being considered by the Ministry of Justice.
The actual extent of the targeted data retention scheme (when implemented) is intended to be kept secret from the public. Any information about the geographical areas covered by targeted data retention will be exempted from the Freedom of Information Act. Moreover, all subject access requests (GDPR Article 15) for traffic and location data processed (stored) under a targeted data retention order must be refused by service providers. There is no legal assessment whether this blanket restriction of data subject rights complies with the GDPR and the Charter of Fundamental Rights.
The criteria for targeted data retention, defined in Sections 786b, 786c and 786d of the law, are described in the next section. Like the generalised retention scheme for national security, targeted data retention does not include IP addresses since there is a general and indiscriminate retention regime for IP addresses.
Categories of persons and geographical areas for targeted data retention
The following categories of persons are covered by the targeted data retention in Section 786b:
- Persons convicted of serious criminal offences: for a period between 3 and 10 years, depending on the maximum custodial sentence for the criminal offence.
- Devices (telephone numbers) that have been subject to a communications interception order, as well as the registered owners of the devices: for a period of one year from the end of the interception order. This covers all telephone numbers registered to a person, including future registered numbers, if just one of the numbers has been subject to an interception order.
The targeted data retention is automatic, without any individual assessment, for all subscribers that fall into one of the two categories.
For the location-based data retention in Section 786c, the Danish National Police will divide the Danish territory into areas of 3 km by 3 km. An area will be automatically covered by targeted data retention, without any individual assessment, if at least one of two criteria is satisfied:
- The number of serious criminal offences reported to the police is greater than 1.5 times the national average over the last three years.
- The number of residents in the area convicted of serious criminal offences is greater than 1.5 the national average over the last three years.
No adjustments for population density will be made in these comparisons with national averages. The metrics are based on the actual number of reported crimes or convictions, not crime or conviction rates (relative to the local population size). Invariably, any city above a certain (relatively low) threshold for its population size will be covered by these criteria.
The targeted data retention in Section 786c will also include safety critical areas which is very broadly defined: Royal Palaces, the Parliament, the Prime Minister's residence, embassies, police stations and buildings, prisons, military areas, hazardous industries (e.g. explosives), bridges, tunnels, ferry connections, traffic intersections and major roads, border crossings, intercity train stations, local metro, light rail and S-train stations, bus terminals and airports.
The list of safety critical areas is non-exhaustive, but the Danish National Police must make an individual assessment of each potential safety critical area and only include areas with special security needs. In practice, there will be a substantial overlap with the 3 km by 3 km areas that are automatically included based on the number of reported crimes or convictions, which means that the formal requirement for individual assessment of safety critical areas has a rather limited effect on reducing the overall area covered by targeted data retention.
All mobile towers with potential radio coverage of the targeted areas must be included, even if the mobile tower is located outside the targeted area. Therefore, persons outside the targeted areas will also be affected. Fixed telephony in the targeted areas, including internet telephony (VoIP), is excluded from the location-based retention.
Finally, Section 786d allows the police to obtain retention orders for persons or specific areas if there is reason to assume that the persons or areas have a connection to serious crime. These retention orders must be approved by a court for a period up to six months which can be extended.
Assessment of the targeted data retention regime
The targeted data retention outlined in the new law is very comprehensive, to put it mildly. In response to a parliamentary question, the Danish National Police has estimated that 11% of the geographical area of Denmark and 67% of the population (3.9 million individuals) will be covered by the location-based targeted data retention in Section 786c (of which the 3 km by 3 km areas account for 65% of the population). The person-based data retention in Section 786b and the orders for specific persons and geographical areas in Section 786d will, of course, increase the number of persons affected.
First and foremost, the definition of areas with above-average levels of serious crime in Section 786c without any adjustment for population density is clearly aimed at including as many persons as possible in the data retention regime. In densely populated areas, where most of the Danish population resides, the data retention will be general and indiscriminate, even in places where the crime rate is considerable below the national average when adjusted for population density.
Moreover, the criterion ”above average” for crime rates, used by the EC in the non-paper from June 2021 and the Danish government in the new law, is not consistent with the CJEU case law on targeted data retention. The CJEU uses the wording ”places with a high incidence of serious crime” (La Quadrature du Net, para. 150) which emphasises that data retention should be an exceptional measure, not the norm. This criticism of ”above average” in the EC non-paper was raised in the legal opinion by Prof. Dr. iur. Vilenas Vadapalas, Former Judge of the General Court of the European Union.
For all types of targeted data retention, precisely the same traffic and location data is included, and the retention period is always one year from time of collection, without any differentiation. The targeting criteria are mostly automatic without any individual assessment. Because of the automated nature, there is no effective limitation on the duration of the targeted data retention measures.
Rather than being limited to what is strictly necessary, as the CJEU case law requires, the targeting parameters are consistently aimed at maximising the coverage of the Danish population. The CJEU has ruled that data retention for combatting serious crime must be the exception rather than the rule. It is highly doubtful that a targeted data retention regime covering 67% of the population can satisfy the requirement of being the exception when it is much closer to being the rule.
Expedited retention of traffic and location data (quick freeze)
Since ratification of the Budapest Convention (Cybercrime Convention) in 2004, the Administration of Justice Act has included a provision on data preservation orders (Section 786a). In the last couple of years, data preservation orders have been used regularly by the Danish police for traffic and location data from mobile operators, especially location data in connection with internet traffic which is retained for about two weeks for network management purposes. There is no data retention requirement for this type of location data, neither in the old nor the new data retention law.
The new data retention law amends the data preservation provision in light of the La Quadrature du Net judgment. The main change is that data preservation orders for traffic and location data can only be issued for investigation of serious crime or cases involving national security. Data preservation orders can still be issued by the police without authorisation from a court, even though para. 163 of the La Quadrature du Net judgment mentions effective judicial review. This will only happen if the preservation orders are challenged in court by the electronic communications service provider which is rather unlikely.
Data retention for source IP addresses
In paras. 152-156 of the La Quadrature du Net judgment, the CJEU clarified that general and indiscriminate retention of IP addresses assigned to the source of an internet connection for the purpose of combatting serious crime is compatible with EU law. The retention period must not exceed what is strictly necessary, and the legislative measure must establish strict conditions and safeguards concerning the use of the retained data. In practice, use of the retained data means ordering the internet access service provider to disclose the identity of the user of a specific dynamic IP address.
The old Danish data retention law had general and indiscriminate retention of source IP addresses, and the retained data could be used for investigation and prosecution of all criminal offences. A court order was required, but apart from that there were no substantive or procedural conditions for access to the retained data.
Needless to say, the new data retention law also has general and indiscriminate retention of source IP addresses with a retention period of one year (unchanged from the old law). For IP addresses which are shared between multiple subscribers with Carrier Grade Network Address Translation (CG-NAT) networking technology, the provider must also retain the source ports used for the CG-NAT sessions.
This is an extension of the old data retention law for IP addresses which substantially increases the amount of internet traffic (connection) data to be retained. No information about the destination of the internet traffic is retained since that information is deleted from the CG-NAT session records before storage. However, the number of CG-NAT data records and their individual timestamps could, at least in some cases, reveal internet usage patterns for the subscriber and information about daily household habits similar to what can be ascertained from electricity smart meters.
The new Danish data retention law does not limit the purpose of retention to combatting serious crime. Accordingly, the retained source IP addresses can be used for all criminal offences, without any change from the old data retention law.
This aspect of the new law is very surprising in light of the La Quadrature du Net judgment, where paras. 152-156 permit general and indiscriminate retention of source IP addresses, but only for the purpose of combatting serious crime. The reason is that the Ministry of Justice very conveniently interprets paras. 152-156 as applying to the retention of destination IP addresses (like the former session logging in Denmark), whereas retention of source IP addresses is regarded as retention of data relating to civil identity (subscriber information), covered by paras. 157-159 of the judgment.
In doing so, the Ministry of Justice completely ignores that para. 168 of the La Quadrature du Net judgment specifically says ”IP addresses assigned to the source of an Internet connection”. Moreover, the interpretation used by the Ministry of Justice implies that general and indiscriminate retention of destination IP addresses for combatting serious crime is compatible with EU law, whereas general and indiscriminate retention of the destination of telephone calls (call detail records) is precluded by EU law. This makes no sense, since the former collection of traffic data is more sensitive than the latter, which incidentally is recognised by the CJEU in para. 174 of the same judgment.
These objections to the Ministry of Justice's questionable interpretation of paras. 152-159 of the La Quadrature du Net judgments were raised in the consultation response by IT-Pol (as well as others), but were completely ignored by the Ministry of Justice.
According to a briefing to Parliament, the Danish government will use its written submission in the upcoming case C-470/21 (La Quadrature du Net and Others) to encourage the CJEU to clarify that retention of source IP addresses falls under retention of subscriber information, where no purpose limitation to serious crime applies.
Mandatory verification of subscriber information
The new data retention law will introduce mandatory registration and verification of subscriber information for telephony (number-based services), including pre-paid SIM cards. This will put an end to the possibility for anonymous communication using pre-paid SIM cards, which can negatively affect whistleblowers and other vulnerable persons. The ID requirements needed for subscriber verification could exclude some people from access to electronic communications services.
The precise rules and procedures for subscriber verification will be laid down in a future order from the Ministry of Justice. Existing subscriptions for fixed telephony (including VoIP) and existing prepaid SIM cards will be exempted from these rules.
A working group in the Ministry of Justice has considered mandatory registration of prepaid SIM cards since 2005, but apart from producing a report in 2010, nothing concrete has happened until now. Plans or demands for registration of prepaid SIM cards have surfaced a couple of times between 2005 and 2021, either from politicians or the police, only to be quickly forgotten again. Since 2009, the number of active prepaid SIM-cards has dropped by 90%, due to changes in customer demand and providers preferring subscription-based services with a recurring revenue stream. Only a couple of specialised MVNOs offer prepaid SIM cards in 2022, e.g. to tourists and other persons with short-term visits to Denmark. Most mobile providers with subscription-based services require a Danish citizen ID number (CPR number). Prepaid SIM cards is a convenient solution in these cases.
Against this backdrop, it is very unclear why mandatory SIM registration must suddenly be implemented in 2022. The Ministry of Justice is aware that many mobile subscriptions are registered to another person than the real user. Mobile subscriptions can also be registered to companies or other organisations, in which case there is no central database of the real user. These data limitations do not prevent the police from obtaining communications interception (wiretapping) orders as they are issued (with court authorisation) for the phone number assumed to be used by the suspected person.
Police access to retained data
The new data retention law makes two main changes to the rules for law enforcement access to retained traffic and location data.
The first change is that access to stored traffic and location data is limited to investigation and prosecution of serious crime in all cases, except for IP addresses (which is regarded as subscriber information, as mentioned above). Previously, access to location data was possible for all criminal offences. This change to the access rules was long overdue. Since the CJEU judgment on the Data Retention Directive in April 2014, the Ministry of Justice has been aware that access to location data for non-serious crime does not comply with EU law (evident from remarks in footnote 3 of a legal analysis to the Danish Parliament on 2 June 2014).
The rules for access in the new law apply irrespective of whether traffic and location data is stored because of a data retention requirement, a data preservation order (expedited retention) or for commercial reasons, e.g. subscriber billing or network management operations. This was not the original intention of the Ministry of Justice, which argues that the CJEU case law on law enforcement access to traffic and location data only applies to data which is retained because of a data retention requirement or preservation order under Article 15(1) of the ePrivacy Directive 2002/58. After objections from mobile operators, concerned with the practical problems of separating two sources of traffic and location data, the Ministry of Justice amended the proposal shortly before the final adoption by Parliament.
The second change is that the definition of serious crime is expanded to include criminal offences with a maximum custodial sentence of three years or more. Previously the threshold was six years. The list of additional criminal offences with a maximum sentence below (now) three years is also extended to include a number of minor offences if they are connected to conflicts between gangs (Section 81a of the Penal Code). The broad definition of serious crime is quite obviously aimed at maximising police access to sensitive traffic and location data with little regard for the principle of proportionality.
EU law precludes access to stored traffic and location data for criminal offences below the threshold of serious crime. Although the definition of serious crime is left to Member States in their national law, the scope of serious crime cannot be so broad that nearly all relevant offences are included. That would render the limitation to serious crime in EU law meaningless and deprive the limitation of its purpose in relation to the principle of proportionality.
The threshold of three years for the maximum custodial sentence is used to delimit serious crime in EU legislation, e.g. the Passenger Name Records (PNR) Directive and the proposed e-Evidence Regulation. However, the Danish definition of ”serious crime” also encompasses a number of minor offences. They are included in the catalogue list because they are often committed by a group of persons that communicate with each other, which makes it useful for police investigations to have access to traffic and location data. Including such offences based on ”usefulness” for the police is likely to make the Danish definition of serious crime overly broad and disproportionate.
Response to the judgment in C-140/20 on 5 April 2022
On 5 April 2022, the CJEU delivered its judgment in the G.D. case from Ireland (C-140/20). The judgment does not address any new issues compared to the previous case law, but there are couple of useful clarifications. At the oral hearing, the Danish government submitted that competent national authorities should be able to access, for the purpose of fighting serious crime, traffic and location data which have been retained in a general and indiscriminate way for national security purposes. The CJEU rejected this interpretation, and restated from the La Quadrature du Net ruling that access to retained data can only by justified by the public interest objective for which the providers were order to retain the data or an objective of greater interest (in the hierarchy of national security, serious crime and all criminal offences).
The obvious intention of the Danish government was to get the CJEU's stamp of approval for the most critical element of the new data retention law, carefully designed to keep the old data retention framework mostly intact. First, a serious threat to national security is invoked in order to ensure that traffic and location data can be retained in a generalised manner. Second, the CJEU case law is interpreted so that the data can be accessed not just for national security (the compatible purpose) but also for serious crime. The legality of latter access was definitively rejected by the CJEU on 5 April 2022. It is noteworthy that the CJEU press release uses the wording ”rejects again”, perhaps as a tacit suggestion to Denmark and other Member States that they should have known this beforehand.
As mentioned earlier in this article, the Ministry of Justice was aware that its interpretation of para. 166 of the La Quadrature du Net judgment was subject to considerable legal uncertainty. The politically convenient interpretation of para. 166 was accompanied by the very unusual reservation of ”substantial procedural risk”. Nonetheless, the Ministry of Justice did probably not expect that its interpretation would be rejected just six days after the entry into force of the new data retention law, but this is what happened on 5 April 2022.
On the positive side, the reaction from Danish authorities was very quick. On the same day as the CJEU judgment, the Danish National Police and the Director of Public Prosecutions instructed police and prosecutors not to seek access to traffic and location data retained in accordance with Section 786e (general and indiscriminate retention for national security), unless the case involved national security (e.g. terrorism).
For the time being, this leaves police and prosecutors with limited access to retained traffic and location data, which has generated some complaints from the police and politicians (who blatantly ignored the Ministry of Justice's reservations about the legality of the new law). Even though the new data retention law also provides for targeted data retention, where access to the retained data can be granted for serious crime in compliance with EU law (if the data retention is actually targeted), no orders for targeted data retention have been issued as of 15 June 2022.
In a press release on 25 May 2022, the Ministry of Justice announced that the new retention law adopted in March 2022 must be revised after the CJEU judgment on 5 April 2022. The Ministry of Justice will present a draft law with the necessary amendments after the Summer. In the meantime, the current rules on access to retained traffic and location data must be interpreted so that Danish law is not applied contrary of EU law. This confirms the immediate decision of the police and prosecution service on 5 April 2022 to suspend access (in cases of serious crime) to traffic and location data from generalised retention.
The press release of 25 May 2022 also announced that orders for targeted data retention would be issued before the Summer. Mobile operators have previously informed the Ministry of Justice that they need 12-15 months to implement targeted data retention according to the specifications in the new law, so a targeted data retention order which can be effective before the Summer is likely to be based on transitional measures until the full scheme can be implemented (the new law provides for that). This article will be updated when orders for targeted data retention are issued.
Even with the planned revisions of the data retention law outlined in the press release, the Ministry of Justice still has doubts whether the Danish data retention framework complies with EU law. The press release again mentions ”procedural risk” although without the added ”substantial” this time. At a meeting in the Legal Affairs Committee on 2 June 2022, the Minister of Justice was very clear about the government's political intention to challenge the CJEU and its ”activist” case law by pushing the scope of data retention to the absolute limit of what is permissible under EU law, a strategy which historically has produced data retention regimes that violate fundamental rights and repeatedly are overturned by courts. The Minister of Justice more than hinted that future revisions of the new law could be needed whenever the CJEU delivers a new judgment on data retention.
In the legal analysis accompanying the press release, the Ministry of Justice considers the consequences of the CJEU judgment in the G.D. case for previous and ongoing investigations of serious crime where traffic and location data from generalised retention has been obtained unlawfully by the police (unlawfully when Danish law is interpreted in light of EU law). The CJEU has ruled in La Quadrature du Net and later cases, that admissibility of illegally obtained evidence is a matter for national law, subject to compliance with the EU law principles of equivalence and effectiveness.
The Ministry of Justice notes that the Danish Administration of Justice Act has no prohibition on using illegally obtained evidence in criminal trials. Case law from the European Court of Human Rights on the right to a fair trial in Article 6 of the European Convention of Human Rights puts some restrictions on the use of illegally obtained evidence, but the Ministry of Justice concludes quite generally that these restrictions will not affect the large number of cases since 2007 where illegally obtained evidence from data retention has been used. In this connection, the Ministry of Justice emphasises that traffic and location data is always used in combination with other evidence, so that no person is convicted solely on the basis of evidence from data retention. Needless to say, the final decision on this matter must be made by the courts, and not the Ministry of Justice. However, there will be no automatic reassessment of the large number of previous criminal cases (more than 10,000 since 2007), where evidence from data retention has been assessed as normal evidence, rather than unlawfully obtained evidence as it should have been. Convicted persons must to submit applications to have their individual cases re-examined, and these requests are only granted in exceptional cases.
The legal analysis about admissibility of evidence exposes a systemic contradiction in the Ministry of Justice's own arguments about data retention. Whenever the highly intrusive measure must be justified at the legislative level, data retention is always described as an important investigative tool for the police, and even that data retention can be crucial for the subsequent prosecution of suspected offenders (needless to say, without providing any evidence for these claims). The arguments from the Ministry of Justice very conveniently change whenever evidence obtained from data retention is cast into doubt, either because it has been illegally obtained (the present case), or because flawed data handling practices by the police have introduced errors in the evidence (the telecommunications data scandal of 2019). In these situations, data retention suddenly becomes just one of multiple pieces of evidence in the criminal trial, and apparently not ”crucial” in any way because that could imply a high risk of miscarriage of justice.