Danish government wants more data retention and plans to re-introduce session logging

The Danish response on 2 June 2014 to the CJEU ruling on the Data Retention Directive (of 8 April 2014) was fairly limited. The Ministry of Justice produced a legal analysis saying that the Danish data retention law was not necessarily in conflict with the Charter of Fundamental Rights and the CJEU judgment.

The Minister of Justice did, however, repeal the so-called session logging which is a Danish extension of the requirements of the now annulled Data Retention Directive, whereby session information (source and destination IP addresses, port numbers, and session types e.g. TCP or UDP) is retained for every TCP connection or every 500th internet packet. The official reason given for repealing session logging was not the CJEU ruling, but the fact that the Danish police had been unable to use the massive amount of data collected with session logging.

The Ministry of Justice legal analysis is discussed in the EDRi-gram article, Denmark: Data retention is here to stay despite the CJEU ruling from 4 June 2014. The Danish session logging scheme, and its inherent problems, are described in this IT-Pol article.

The Danish session logging scheme has gained some international attention, mainly because of its utter failure, for example this article in TechPresident by Torben Olander and two articles in Techdirt from May 2013 and June 2014.

After the decision on 2 June 2014 to repeal session logging, data retention in Denmark essentially consists of the elements from the, now invalid, Data Retention Directive (call detail records for outgoing and incoming calls, cellular location data, and the IP address assigned to the customer). Before the Summer of 2015, the Danish Parliament is supposed to evaluate and possibly revise the Danish data retention law.

On the 8th of January, 2015, the Danish newspaper Berlingske reports that the Danish Ministry of Justice apparently plans to re-introduce session logging. Even though session logging has failed miserably for seven years (2007-2014), the Danish Police simply cannot give up on the phantom idea that it is possible to map every internet connection with the same level of precision as a telephone call (who has called whom, where, when, and for how long). This is the stated purpose of session logging, in previous documents from the Ministry of Justice (going back to 1999), as well as in the newly leaked documents from the Danish Police as seen by Berlingske. The changes proposed to session logging are minimal, and they are not going to address the inherent problems - mainly because they cannot be addressed in a meaningful way.

If the Danish Minister of Justice really puts this proposal before Parliament, the Danish data retention policy will have taken an absurd zig-zag course over the last three years. For several years, the Danish Police and the Ministry of Justice told Parliament that session logging was a useful instrument for law enforcement, even though it was rarely used. Then, on the 2nd of June, 2014, the Danish Minister of Justice decided to repeal session logging, to the great astonishment of the politicians who had supported data retention in previous votes. And now, apparently, the Minister of Justice seems to be planning to re-introduce session logging.