UPDATED: March 2017 | SOURCE: Telenor Group with support from Hogan Lovells

Provision of Real-time Lawful Interception Assistance

CONSOLIDATION ACT ON ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES, 2014

(Bekendtgørelse af lov om elektroniske kommunikationsnet og –tjenester (Act no. 128 of 7 February 2014, (the “Tele Act”)) 

The Tele Act, in conjunction with the Retention Order (described in section 2 of this report below), sets out a telecom provider’s obligation to make data available to the police, both by providing access to retained data and by providing interception capabilities.

According to section 10 Tele Act, a network operator or service provider must ensure that all technical equipment and systems used to provide an electronic communication network or service to end-users are set up in such a way that the police may intercept current communications and conduct mobile phone surveillance. In this context, mobile phone surveillance means the procurement of data that makes it possible to locate a mobile phone on a continuous basis as long as it is turned on.

Under section 10, the systems of the network operator or service provider must be set up to allow interception and immediate transmission of telecommunications data to another EU member state under the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000/C 197/01).

In the case of a data interception request, the network operator or service provider must provide the IP-address, MAC-address or any similar identifier of the device making or receiving the communications that are to be intercepted.

ADMINISTRATION OF JUSTICE ACT 2016 (BEKENDTGØRELSE AF LOV OM RETTENS PLEJE (ACT NO. 1257 OF 13 OCTOBER 2016, (THE “AJA”))

Section 783 sets out the general rule that the police must obtain a court order and present it to the relevant network operator or service provider before an interception may be made. The application for a court order must comply with the following conditions:

  • there must be specific indications that communications, using the method of communication that is to be intercepted, are taking place to or from a suspect of the investigation;
  • the interception must be decisive to the investigation; and
  • the alleged offence must have a sentence of at least six years’ imprisonment, or be one of a list of specified offences, such as desertion from the military or possession of child pornography.

In addition, interception must always be proportionate to the purpose for which it is to be used.

Section 783(4) provides for an exception to the general rule. Where obtaining a court order would cause a delay that would defeat the purpose of carrying out the interception, the police may conduct the interception without obtaining a court order first.

However when this happens, the police must, as soon as possible and no later than 24 hours from the interception, submit an application for a court order for the interception as set out above. The court then determines whether the interception was lawful, and if so, the length of time it should be allowed to continue. If the court finds that the interception was not lawful, it is obliged to notify the Ministry of Justice, which has statutory authority to investigate any breach of this process by the police.

CENTRE FOR CYBERSECURITY ACT 2014 (LOV OM CENTER FOR CYBERSIKKERHED (ACT NO. 713 OF 25 JUNE 2014, (THE “CENTRE FOR CYBERSECURITY ACT”))

The Danish Centre for Cybersecurity (the “Centre”) is the national IT Security authority who has established a “network security service” (the “Service”) to which companies whose businesses have a socially important function, such as pharmaceutical companies, food companies and companies that administer administrative IT-systems, as well as most public institutions, can apply for connection. Through the Service, the Centre aims to discover, analyse and prevent cybersecurity breaches within the connected entities in order to maintain a high level of information security in Denmark, for example, to prevent hacking. 

In order to connect to the Service, the relevant company or public institution must enter into an affiliation agreement with the Centre. Once connected, the Centre may process content and traffic data in the networks of the connected entities to the Centre’s Service, without obtaining a court order, so long as such interception is made with the purpose of ensuring a high level of information security. The Centre cannot connect a company or institution to the Service unless such a company or institution actively asks to be connected. Further cybersecurity related provisions under the Centre for Cybersecurity Act are explained in section 7 of this report.

Disclosure of Communications Data

EXECUTIVE ORDER ON THE RETENTION AND STORAGE OF TRAFFIC DATA BY PROVIDERS OF ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES (Bekendtgørelse om udbydere af elektroniske kommunikationsnets og elektroniske kommunikationstjenesters registrering og opbevaring af oplysninger om teletrafik (logningsbekendtgørelsen) (No. 988 of 28 September 2006, as ame nded by executive order of amendment no. 660 of 19 June 2014, (the “Retention Order”))

The Retention Order governs what data must be stored by a network operator or service provider

Under section 5(1), a network operator or service provider must retain the following data about a user’s access to the internet:

(a) the allocated user identity (for example, the user name or customer number);

(b) the telephone number which has been allocated to the user’s communications as a part of a public electronic communication network;

(c) the name and address of the subscriber or registered user to whom an IP address or user identity or telephone number had been allocated at the time of communication; and

(d) the time of the beginning and the end of a communication.

Under section 5(2), a network operator or service provider providing wireless access to the internet must retain data concerning the local network’s precise geographical or physical location and the identity of the user’s communication equipment. Data retained under the Retention Order must be stored for one year.

CONSOLIDATION ACT ON ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES 2014 (THE “TELE ACT”)

According to section 10 Tele Act, a network operator or service provider must ensure that all technical equipment and systems used to provide an electronic communication network or service to end-users are set up in such a way that the police may obtain access to information about telecommunications traffic in the form of;

  • telecommunications data, meaning information regarding which telephones or similar communications devices have been connected to a specific telephone or similar communications device either prior to or after the issue of an authorising court order; and
  • extended telecommunications data, meaning information listing the connections made by the telephones or similar communication devices within a defined area (described by the police) either prior to or after the issue of an authorising court order (this would typically be information from cell phone masts).

Under section 13, when required by the police, network operators and service providers are obliged to disclose to the police data which identifies an end-user’s access to electronic communications networks or services. This includes static information such as a designated IP-address, address, or phone number that the network operator or service provider has assigned to the end-user. The police can lawfully obtain this information without obtaining a court order.

A network operator or service provider which offers encrypted data as an integrated part of its service is obliged to decrypt an encrypted communication when complying with a court order. If, however, encryption has taken place outside of the services offered by the network operator or service provider, it will be the police’s own responsibility to remove any encryption from the provided data.

It is prohibited for network operators and service providers to retain content data. However, the police may retain, access and review the content of a person’s correspondence, subject to the rules on lawful interception outlined in section 1 of this report above.

ADMINISTRATION OF JUSTICE ACT 2016 (THE “AJA”)

The police may obtain access to historic telecommunications data in accordance with chapter 71 AJA. Section 783 sets out the general rule that, in order to do so, the police must obtain a court order and present it to the relevant network operator or service provider. The application for a court order must comply with the following conditions:

  • there must be specific indications that communications are taking place to or from a suspect of the investigation using the method of communication that is to be intercepted;
  • access to the relevant telecommunications data must be decisive to the investigation; and
  • the alleged offence must have a sentence of at least six years’ imprisonment, or be one of a list of specified offences, such as desertion from the military or possession of child pornography.

In addition, access to historic telecommunications data must be proportionate to the purpose for which it is to be obtained

National Security and Emergency Powers

RADIO FREQUENCIES ACT 

(Act no. 1100 of 10 August 2016, Lov om radiofrekvenser (the “RFA”)), and the Order on maritime radio services in extraordinary situations (Bekendtgørelse om de maritime radiotjenester i ekstraordinære situationer (Executive order no. 916 of 13 November 2002, (the “Maritime Radioservice Order”))

According to section 32 RFA and the Maritime Radioservice Order, the Danish Navy Operative Command may, in situations of crisis, war, catastrophes and other extraordinary situations, shut down the coastal radio station and thus shut down normal public correspondence over coastal radio.

In accordance with section 33 RFA, the Danish Energy Agency (the “DEA”), who acts as the regulatory supervisory authority for the telecoms industry under the remit of the Danish Ministry of Energy, Utilities and Climate, may prohibit the use of certain radio frequencies when the safety of the state demands it.

Under section 6(5) of the RFA, the police, when exercising a power to disturb or interrupt radio and telecommunications that is granted under section 791(c) of the Administration of Justice Act, may do so without first obtaining a licence or other authorisation from the DEA to use the radio frequency spectrum in question.

NETWORK AND INFORMATION SECURITY ACT

(Net- og informationssikkerhedsloven (Act no. 1567 of 25 December 2015, (the “Network and Information Security Act”))

In 2016, the Network and Information Security Act, a framework regulation, was enacted. Following this the Centre has drafted new regulations on network and information security, including the ‘Information and Security Order’ (Bekendtgørelse om Informationssikkerhed og beredskab i net og tjenester) (Executive Order Number 567 of 1 June 2016) under which a provider of public electronic communications networks or services is responsible for information security in its network based on a documented risk management process. A provider must identify any possible cybersecurity risks and using this risk assessment, implement proper measures to ensure the accessibility, integrity and confidentiality of its networks and services. Further cybersecurity obligations under the Network and Information Security Act are set out in section 7 of this report.

The Information and Security Order also governs a provider’s obligations in relation to crisis management in emergency situations, such as large disasters, where it may be necessary to implement remedial actions in regards to networks and services in order to maintain critical services. Also, ‘significant commercial providers’ shall ensure that the Centre can make contact with them in connection with an emergency situation at any time. Centre may also direct such providers to participate in national or international crisis management practices.

In addition to the Information and Security Order, the Centre has also issued the “Emergency Operator Order” (Bekendtgørelse om beredskabsaktørers adgang til elektronisk kommunikation i beredskabssituationer mv.) (Executive Order Number 564 of 1 June 2016), which sets out certain actions that providers must take in emergency situations, including the prioritization of calls in mobile networks, the provision of secure access to a telephone network and the prioritization of re-establishment of certain parts of a provider’s network as directed by the Centre.

Oversight of the Use of Powers

JUDICIAL OVERSIGHT

Insofar as a court order is required to intercept or access retained data or to block any website, the competent court will have oversight of this procedure.

EXECUTIVE ORDER ON THE RETENTION AND STORAGE OF TRAFFIC DATA BY PROVIDERS OF ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES (the “Retention Order”)

The Retention Order was issued by the Danish Ministry of Justice (the “Ministry”). The Ministry oversees the compliance of network operators and service providers with the retention and storage requirements specified in the Retention Order. Non-compliance with the Retention Order may lead to financial penalties imposed by the Ministry.

CONSOLIDATION ACT ON ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES 2014 (the “Tele Act”)

Following the Danish general election in 2015, it was decided to relocate much of the regulation of the telecoms sector from the Ministry of Business and Growth to the Ministry of Energy, Utilities and Climate and accordingly move the main parts of the regulatory authority from the Danish Business Authority (the “DBA”) (an agency under the Ministry of Business and Growth) to the Danish Energy Agency (the “DEA”) (an agency under the Ministry of Energy, Utilities and Climate).

Consequently, the DEA is now the main regulatory authority responsible for electronic communications who administers the legal framework within this area. This includes promoting information technology security, promoting individual and public use of information technology and the Internet, developing the telecoms market, administering scarce resources, protecting consumers, and protecting public information and communications business.

However, certain areas still remain under the Danish Business Authority (the “DBA”), including matters within telecoms regulations relating to personal data and sector-specific competition regulation.

Both the DEA and DBA therefore oversee compliance by network operators and service providers with the Tele Act. For example, the DEA ensures that electronic communication networks are set up to enable interception by the police. Under chapter 33, section 79 Tele Act, both the DEA and the Telecommunications Complaints Board (the “Board”) may enforce compliance and issue financial penalties for breaches of the Tele Act described in this report.

The Board comes under the remit of the Ministry of Energy, Utilities and Climate. Decisions taken by the DEA may be brought before the Board and any decisions taken by the Board may be appealed to the High Court.

ADMINISTRATION OF JUSTICE ACT 2016 (the “AJA”))

For the Danish police to conduct a lawful interception, section 783 AJA contains the general rule that they must first obtain a court order to do so. This rule is subject to certain exemptions which allow for an interception to take place without an order provided that the police make a submission to the court within 24 hours of the interception for its retrospective examination. If the court rules that the interception was not in compliance with law, it then notifies the Danish Ministry of Justice of the matter. The Ministry of Justice has statutory authority to investigate such non-compliance by the Danish police.

CENTRE FOR CYBERSECURITY ACT 2014 (the “Centre for Cybersecurity Act”)

For interceptions made in accordance with the Centre for Cybersecurity Act, it is the Centre for Cybersecurity (the “Centre”) who is solely responsible for determining whether or not to intercept. The Centre is placed under the Danish Defence Intelligence Service, which sits within the Danish Ministry of Defence. In relation to the data processed by the Centre, the Danish Data Protection Act 2000 will not apply (nor does it apply generally to the police). However, the Minister of Justice and the Minister of Defence appoints a supervisory board that supervises the Centre’s use and processing of personal data.

RADIO FREQUENCIES ACT 2016 (the “RFA”)AND THE MARITIME RADIO SERVICE ORDER 2002

Under the RFA, the DEA determines whether consideration to the safety of the state demands the prohibition of the use of certain radio frequencies.

Under the Maritime Radioservice Order, the Danish Navy Operative Command determines whether the coastal radio station should be shut down.

GAMING ACT 2016 (the “Gaming Act”)

The Danish Gaming Board oversees compliance by network operators and service providers with the Gaming Act.

NETWORK AND INFORMATION SECURITY ACT

(Net- og informationssikkerhedsloven (Act no. 1567 of 25 December 2015, (the “Network and Information Security Act”))

The Centre oversees compliance by network operators and service providers with the Network and Information Security Act. The Centre is placed under the Danish Defence Intelligence Security and Intelligence Service which sits within the Danish Ministry of Defence.

Censorship-related Powers

THE CONSTITUTIONAL ACT OF THE KINGDOM OF DENMARK, 1953 (the “Constitution”)

Under section 77 of the Constitution, censorship and other measures prohibiting freedom of expression are prohibited.

GAMING ACT 2016

(Act no. 1494 of 6 December 2016, Bekendtgørelse af Lov om spil, (the “Gaming Act”))

As a general rule, government agencies do not have the authority to block IP addresses. The Telecommunications Industry Association (Teleindustrien) (a private industry organisation of which the majority of Danish network operators and service providers are a part) has stated that network operators and service providers need only carry out DNS blocking following an authorising court order and that they will not carry out any DNS blocking based solely on requests from intellectual property rights holders, government agencies or other third parties. The only current exception to this is the Danish Gaming Board who may request that a network operator or service provider blocks a website containing illegal gambling systems.

Publication of Laws and Aggregate Data

RESTRICTIONS ON NETWORK OPERATORS AND SERVICE PROVIDERS

There are no restrictions on whether a network operator or service provider may publish aggregate data regarding government powers of interception, disclosure of communications data or censorship as described in this report. Equally, there are no restrictions on whether a network operator or service provider may publish descriptions or analysis regarding such powers.

AGGREGATE DATA PUBLISHED BY GOVERNMENT AGENCIES

Government agencies do not publish aggregate data in relation to the use of their powers of interception, disclosure of communications data or censorship as described in this report