Provision of Real-Time Lawful Interception Assistance

Consolidation Act on Electronic Communications Networks and Services, 2014 (Act no. 128 of 7 February 2014, Bekendtgørelse af lov om elektroniske kommunikationsnet og –tjenester (the “Tele Act”))

The Tele Act, in conjunction with the Retention Order (described in section 2 below), sets out a telecom provider’s obligation to make data available to the police, both by providing access to retained data and by providing interception capabilities.

According to section 10, a network operator or service provider must ensure that all technical equipment and systems used to provide an electronic communication network or service to end-users are set up in such a way that the police may intercept current communications and conduct mobile phone surveillance.  In this context, mobile phone surveillance means the procurement of data that makes it possible to locate a mobile phone on a continuous basis as long as it is turned on.

Under section 10, the systems of the network operator or service provider must be set up to allow interception and immediate transmission of telecommunications data to another EU member state under the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000/C 197/01).

In the case of a data interception request, the network operator or service provider must provide the IP-address, MAC-address or any similar identifier of the device making or receiving the communications that are to be intercepted.

Administration of Justice Act 2014 (Bekendtgørelse af lov om rettens pleje (Act no. 1308 of 12 December 2014, (the “AJA”))

Section 783 sets out the general rule that the police must obtain a court order and present it to the relevant network operator or service provider, before an interception may be made.  The application for a court order must comply with the following conditions:

  • there must be specific indications that communications, using the method of communication that is to be intercepted, are taking place to or from a suspect of the investigation;
  • the interception must be decisive to the investigation; and
  • the alleged offence must have a sentence of at least six years’ imprisonment, or be one of a list of specified offences, such as desertion from the military or possession of child pornography.

In addition, interception must always be proportionate to the purpose for which it is to be used.

Section 783 (4) provides for an exception to the general rule. Where obtaining a court order would cause a delay that would defeat the purpose of carrying out the interception, the police may conduct the interception without obtaining a warrant first.

However when this happens, the police must, as soon as possible and no later than 24 hours from the interception, submit an application for a court order for the interception as set out above. The court then determines whether the interception was lawful, and if so, the length of time it should be allowed to continue. If the court finds that the interception was not lawful, it is obliged to notify the Ministry of Justice, which has statutory authority to investigate any breach of this process by the police.

Centre for Cybersecurity Act 2014 (Lov om Center for Cybersikkerhed (Act no. 713 of 25 June 2014, (the “Centre for Cybersecurity Act”))

The Danish Centre for Cybersecurity (the “Centre“) has established a “net security service” (the “Service“), to which companies whose businesses have a socially important function, such as pharmaceutical companies, food companies and companies that administer administrative IT-systems, as well as most public institutions, can apply for connection. Through the Service, the Centre aims to discover, analyse and prevent cyber security breaches within the connected entities in order to maintain a high level of information security in Denmark, for example, to prevent hacking.

In order to connect to the Service, the relevant company or public institution must enter into an affiliation agreement with the Centre.  Once connected, the Centre may process content and traffic data in the networks of connected entities to the Centre’s Service, without obtaining a court order.

In addition to the entities described above, any company or public institution may temporarily connect to the Service if there is suspicion of a potential security incident based on specific and objectively identifiable facts, for example, if the company or institution has received threats from hackers.

At the time of writing this report, there are indications that new legislation in relation to the powers of the Centre for Cybersecurity Act may be introduced during 2015 but the precise nature of these new powers has not yet been formally announced.

Disclosure of Communications Data

Executive Order on the retention and storage of traffic data by providers of electronic communications networks and services (No. 988 of 28 September 2006, as amended by executive order of amendment no. 660 of 19 June 2014 (Bekendtgørelse om udbydere af elektroniske kommunikationsnets og elektroniske kommunikationstjenesters registrering og opbevaring af oplysninger om teletrafik (logningsbekendtgørelsen) (the “Retention Order”))

The Retention Order governs what data must be stored by a network operator or service provider.

Under section 5(1), a network operator or service provider must retain the following data about a user’s access to the internet:

  • the allocated user identity (for example, the user name or customer number);
  • the telephone number which has been allocated to the user’s communications as a part of a public electronic communication network;
  • the name and address of the subscriber or registered user to whom an IP address or user identity or telephone number had been allocated at the time of communication; and
  • the time of the beginning and the end of a communication.

Under section 5(2), a network operator or service provider providing wireless access to the internet must retain data concerning the local network’s precise geographical or physical location, and the identity of the user’s communication equipment.  Data retained under the Retention Order must be stored for one year.

Consolidation Act on Electronic Communications Networks and Services 2014 (the “Tele Act”)

According to section 10, a network operator or service provider must ensure that all technical equipment and systems used to provide an electronic communication network or service to end-users are set up in such a way that the police may obtain access to information about telecommunications traffic in the form of:

  • telecommunications data, meaning information regarding which telephones or similar communications devices have been connected to a specific telephone or similar communications device either prior to or after the issue of an authorising court order; and
  • extended telecommunications data, meaning information listing the connections made by the telephones or similar communication devices within a defined area (described by the police) either prior to or after the issue of an authorising court order (this would typically be information from cell phone masts);

Under section 13, when required by the police, network operators and service providers are obliged to disclose to the police data which identifies an end-user’s access to electronic communications networks or services. This includes static information such as a designated IP-address, address, or phone number that the network operator or service provider has assigned to the end-user. The police can lawfully obtain this information without obtaining a court order.

A network operator or service provider which offers encrypted data as an integrated part of its service is obliged to decrypt an encrypted communication when complying with a court order.  If, however, encryption has taken place outside of the services offered by the network operator or service provider, it will be the police’s own responsibility to remove encryption from the provided data.

It is prohibited for network operators and service providers to retain content data. However, the police may retain, access and review the content of a person’s correspondence, subject to the rules on lawful interception outlined in section 1 above.

 Administration of Justice Act 2014 (the “AJA”))

The police may obtain access to historic telecommunications data in accordance with chapter 71 AJA. Section 783 sets out the general rule that, in order to do so, the police must obtain a court order and present it to the relevant network operator or service provider.  The application for a court order must comply with the following conditions:

  • there must be specific indications that communications are taking place to or from a suspect of the investigation using the method of communication that is to be intercepted;
  • access to the relevant telecommunications data must be decisive to the investigation; and
  • the alleged offence must have a sentence of at least six years’ imprisonment, or be one of a list of specified offences, such as desertion from the military or possession of child pornography.

In addition, access to historic telecommunications data must be proportionate to the purpose for which it is to be obtained.

National Security and Emergency Powers

Radio Frequencies Act (Act no. 475 of 12 June 2009, Lov om radiofrekvenser (the “RFA”)), and the Order on maritime radio services in extraordinary situations (Executive order no. 916 of 13 November 2002, Bekendtgørelse om de maritime radiotjenester i ekstraordinære situationer (the “Maritime Radioservice Order”)

According to section 32 RFA, and the Maritime Radioservice Order, the Danish Navy Operative Command may, in situations of crisis, war, catastrophes and other extraordinary situations, shut down the coastal radio station, and thus shut down normal public correspondence over coastal radio.

In accordance with section 33 RFA, the Danish Business Authority (the “DBA”) (the regulatory supervisory authority for the telecoms industry under the remit of the Danish Ministry for Business and Growth) may prohibit the use of certain radio frequencies when the safety of the state demands it.

Under section 6 (5) RFA, the police, when exercising a power to disturb or interrupt radio and telecommunications that is granted under section 791(c) of the Administration of Justice Act, may do so without first obtaining a licence or other authorisation from the DBA to use the radio frequency spectrum in question.

Censorship Related Powers

The Constitutional Act of the Kingdom of Denmark, 1953 (the “Constitution”)

Under section 77 of the Constitution, censorship and other measures prohibiting freedom of expression are prohibited.

  • Gaming Act 2010 (Act no. 848 of 1 July 2010, Lov om spilth, (the “Gaming Act”))

As a general rule, government agencies do not have authority to block IP addresses, and the Telecommunications Industry Association (Teleindustrien) (a private industry organisation, of which the majority of Danish network operators and service providers are a part) has stated that network operators and service providers need only carry out DNS blocking following an authorising court order, and will not carry out any DNS blocking based solely on requests from intellectual property rights holders, government agencies or other third parties.

The only current exception to this is the Danish Gaming Board, which may request that a network operator or service provider blocks a website which contains illegal gambling systems.

Oversight of the Use of these Powers

Judicial Oversight

Insofar as a court order is required to intercept or access retained data, or to block any website, the competent court will have oversight of this procedure.

Executive Order on the retention and storage of traffic data by providers of electronic communications networks and services (the “Retention Order”)

The Retention Order was issued by the Danish Ministry of Justice (the “Ministry“).  The Ministry oversees the compliance of network operators and service providers with the retention and storage requirements specified in the Retention Order.  Non-compliance with the Retention Order may lead to financial penalties imposed by the Ministry.

Consolidation Act on Electronic Communications Networks and Services 2014 (the “Tele Act”)

The Danish Business Authority (the “DBA“) oversees compliance with the Tele Act by network operators and service providers.  For example, it ensures that electronic communication networks are set up to enable interception by the police.  Under chapter 33, section 79 of the Tele Act, both the DBA and the Telecommunications Complaints Board (the “Board“) may enforce compliance and issue financial penalties for breaches of the Tele Act described in this report.

The Board comes under the remit of the Ministry for Business and Growth.  Decisions taken by the DBA may be brought before the Board, and any decisions taken by the Board may be appealed to the High Court.

Administration of Justice Act 2014 (the “AJA”))

For the Danish police to conduct a lawful interception, section 783 of the AJA contains the general rule that they must first obtain a court order to do so.  This rule is subject to certain exemptions which allow for an interception to take place without an order provided that the police make a submission to the court within 24 hours of the interception for its retrospective examination. If the court rules that the interception was not in compliance with law, it then notifies the Danish Ministry of Justice of the matter. The Ministry of Justice has statutory authority to investigate such non-compliance by the Danish police.

Centre for Cybersecurity Act 2014 (the “Centre for Cybersecurity Act”)

For interceptions made in accordance with the Centre for Cybersecurity Act, the Centre for Cybersecurity (the “Centre“) is solely responsible for determining whether to intercept. The Centre is placed under the Danish Security and Intelligence Service, within the Danish Ministry of Defence. In relation to the data processed by the Centre, the Danish Data Protection Act 2000 will not apply (nor does it apply generally to the police). However, the Minister of Justice and the Minister of Defence appoints a supervisory board that supervises the Centre’s use and processing of personal data.

Radio Frequencies Act 2009 and the Maritime Radioservice Order 2002

Under the RFA, the DBA determines whether consideration to the safety of the state demands the prohibition of the use of certain radio frequencies.

Under the Maritime Radioservice Order, the Danish Navy Operative Command determines whether the coastal radio station should be shut down.

Gaming Act 2010

The Danish Gaming Board oversees compliance by network operators and service providers with the Gaming Act.

Publication of law and aggregate data relating to lawful intercept and communications data requests

Restrictions on network operators and service providers.

There are no restrictions on whether a network operator or service provider may publish aggregate data regarding government powers of interception, disclosure of communications data or censorship as described in this report.  Equally, there are no restrictions on whether a network operator or service provider may publish descriptions or analysis regarding such powers.

Aggregate data published by government agencies.

Government agencies do not publish aggregate data in relation to their powers of interception, disclosure of communications data or censorship as described in this report.

Law stated as at 29 January 2015.
This information was originally published in the Legal Overview to the Telenor Group report on Authority Requests for Access to Electronic Communication in May of 2015.

Social

Follow us on Twitter @IndustryDialog