The Danish Constitution of 1953 contains two provisions relating to privacy and data protection. Section 71 provides for the inviolability of personal liberty. Section 72 states, "The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute."[1014] Section 72 also applies to all kinds of telecommunication and electronic data. The European Convention on Human Rights was formally incorporated into Danish law in 1992.
The Act on Processing of Personal Data entered into force on July 1, 2000.[1015] The act implements the European Union Data Protection Directive into Danish law. It replaces the Private Registers Act of 1978, which governed the private sector,[1016] and the Public Authorities' Registers Act of 1978, which governed the public sector.[1017] The law divides personal information into three categories: ordinary, sensitive and semi-sensitive and provides different conditions for the processing of each.[1018] A broad exemption from the Act is provided for law enforcement activities.[1019]
An independent agency, the Data Protection Agency (Datatilsynet), enforces the act. The Agency supervises registries established by public authorities and private enterprises in Denmark. It ensures that the conditions for registration, disclosure and storage of data on individuals are complied with. It mainly deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative. Staff of the DPA is allowed to enter any premise where a file is operated without a court order. Decisions made by the DPA are final and may not be appealed by any other administrative body. They may, however, be brought before the courts. Under the new Act, the DPA is required to give an opinion before any new laws or regulations that have an impact on privacy are issued.
In 2002 the DPA received 785 inquiries and complaints and initiated 117 investigations. As of June 2003, there were 11,000 databases registered and notifications for registrations. In the past year there was an increase in numbers, to 31, of staff employed by the agency.[1020]
Other laws regulating the processing of personal information by the public sector include the Public Administration Act of 1985, the Publicity and Freedom of Information Act of 1985, the Public Records Act of 1992, and the National Registers Act of 2000. These laws set out basic data protection principles and determine what data should be available to the public and what should be kept confidential.[1021] Sectoral laws also provide special protections for medical information[1022] and credit card details[1023] and lay down restrictions on direct marketing (including spam).[1024] Provided that they are in accordance with Denmark's international and community obligations, these sectoral laws take priority over the general Data Protection Act.[1025]
Wiretapping is regulated by the Penal Code.[1026] In March 2001, the Danish Minister of Justice proposed a new law (L194) that would dramatically increase police surveillance powers by allowing them to access a list of all mobile phones that were in operation near the scene of a crime at the time the crime was committed. This law was approved by the Parliament in June 2001. Statistical data on the interference of communications by the police show that out of 2,178 requests, 99% were approved by the courts. The vast majority of requests were related to drug-related crimes (1,195), 15 to computer crimes; 1,003 requests involved telephone tapping while 1,441 dealt with the "requiring of information[1027] from telephone companies"[1028]
Also in March 2001, Denmark amended its laws on search and seizure in accordance with its obligations under the Agreement on Trade-Related Aspects of Intellectual Property Rights and under pressure from the United States software industry. The Administration of Justice Act now authorizes physical searches for copyright infringements without "prior notification of the defendant if it is assumed that the notification would cause a risk of removal, destruction or modification of objects, documents, information in computer systems or anything else that are comprised by the petition for investigation." The law took effect on April 1, 2001.[1029]
In October 2001, the Ministry of Justice and the Ministry of the Interior issued a package of "anti-terrorism" proposals in order to implement the United Nations Security Council's Resolution 1373 (2001) on Combating Terrorism and to prepare for the UN's International Convention for the Suppression of the Financing of Terrorism.[1030] These proposals were postponed because of the general election but were re-introduced, with minor changes, by the new government in January 2002. In May 2002, the Parliament approved the Anti-Terrorism bill despite vocal opposition from non-governmental organizations and industry groups. The bill became law in June 2002.[1031] Among other things, the legislation establishes mandatory registration and storage of traffic data for one year by telecommunications and Internet providers. It also gives law enforcement the power to secretly install snooping software on the computers of criminal suspects. The software will record keystroke data and transmit it electronically to the law enforcement agency. This power may only be used for serious crimes and will require an interception warrant. Serious crimes are defined as those punishable by jail for six years or more, including narcotics offences, homicide, assault and battery, causing danger to other peoples lives and health, theft, computer crimes, trafficking of refugees and child pornography, crimes against national security and the public order. During the passage of the law there was considerable debate on what kind of traffic data would have to be retained by service providers and, also, what constitutes a service provider for the purposes of the retention requirement. As a follow up on the Danish anti-terror package, which was adopted in June 2002, the Ministry of Justice and the Ministry of Science and Technology are currently drafting an administrative order regarding Internet service provider data retention. The order is expected to be finalized by August 2003.
On June 4, 2003, the Parliament enacted a bill to combat organized crime. The Act amends the Administration of Justice Act and Penal Code and expands the possibility for the police secretly to install snooping software on criminal suspects' computers.[1032] This is an extension of the "anti terrorism" package, and expands the area in which the police can use snooping software to also cover all crimes carrying a maximum penalty of 6 years or more, grave theft, serious tax fraud and smuggling.
All citizens in Denmark are provided with a Central Personal Registration (CPR) number that is used to identify them in public registers. The number can only be processed by private entities if they have specific legal authority to do so. Both the public and private sectors can only disclose this number with the consent of the individual.
Under the Aliens Act, immigration authorities may require DNA samples from applicants for residency or persons with whom the applicant claims family ties for the purposes of residency. In its report of October 2001, the United Nations Human Rights Committee expressed concern about the privacy implications of this practice and called on Denmark to ensure that such testing is used only when "necessary and appropriate to the determination of the family tie on which a residence permit is based."[1033]
Spamming has since June 2000 been forbidden under the Marketing Practices Act (Markedsfoeringsloven)[1034]. Implementing Art. 13 of the new European Union Privacy and Electronic Communications Directive[1035] will imply a change to Denmark's legal data protection framework on spam. According to the Directive, people who have already given their address to companies can be spammed with advertisements for "similar services" ('soft opt-in'), which the Marketing Practices Act had not previously allowed.[1036]
The Danish company Fonn Danmark was convicted[1037] in May 2003 for spamming. The company, which specialized in human resource software, had to pay a fine of EUR2,000 for sending out 156 unsolicited commercial e-mails to 50 different addresses. The company was sued by the Consumer Council, which is the anti-spam supervisory authority.
In September 2002, the Danish ministry of Science and Technology initiated a committee on citizens IT-rights. The committee has representatives from various ministries, consumer organizations, the IT-business sector and civil society. Its aim is to give recommendations in areas where existing Danish laws and practices may hinder citizens' enjoyment of their IT-rights. Areas under scrutiny include citizens' communication with the public sector, privacy, freedom of expression, and access to information. The recommendations of the committee are expected to be finalized by July 2003.
The Access to Information Act and the Access to Public Administration Files Act[1038] govern access to government records.
Denmark is a member of the Council of Europe and has signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.[1039] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1040] Denmark has signed the Convention on Cybercrime on April 22, 2003.[1041] The legislative amendments, which are necessary for the implementation of the Convention, are expected to be presented to the Parliament in the second part of 2003. It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The original (unamended) Danish Public and Private Registers Acts of 1978 and Guidelines regarding Notification of Data Processing Bureaus of 1979 continue to apply within Greenland, a self-governing territory. The Danish Data Surveillance Agency oversees compliance with the law. The 1988 amendments that brought Denmark into compliance with the Council of Europe Convention on Privacy do not apply to Greenland. Greenland is not part of the European Union and therefore has not adopted the European Union Data Protection Directive. Greenland's data protection requirements are much less stringent than those of Denmark and the other nations of the European Union.