(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The long awaited draft administrative order on data retention in Denmark is now public. The draft, which implements the data retention provisions in the anti-terrorism law of June 2002, is currently submitted to a group of telecoms, business associations, NGOs, and public authorities for consultations with deadline on 10 August 2006.

The proposal drafted by the Ministry of Justice and Ministry of Science & Technology, with the advice of a small group of telecom representatives, is more limited in scope than the previous draft of Spring 2004. The proposal implements part of the recent EU data retention directive but is more invasive, since it includes Internet session data.

Summary of the proposal with focus on internet data:
- Retention period is one year;
- Scope of data to be retained are data that are generated or processed in the ISPs current systems, thus it is not limited to data that are generated for billing purposes;
- No obligation on the ISPs to invest in new equipment;
- All commercial ISPs are included (non commercial ISPs, housing associations with less than 100 units, libraries, universities and other non commercial public institutions are excluded);
- The Internet session data to be retained is (paragraph 5, 1): the sending internet protocol address, the receiving internet protocol address, transport protocol, sending port number, receiving port number, start and ending time of the communication.

These data are to be retained for each internet sessions initiating and closing "communication package" leaving the ISPs own network, or if this is not feasible, for every 500 "communication packages" leaving the ISPs own network (paragraph 5, 4). According to the telecom industry the latter is the solution they expect to implement.

In addition, the following user data need to be registered (paragraph 5, 2): the assigned user identity (e.g. customer number), the user identity and phone number assigned to communications in a public network, name and address of the registered subscriber or user of a given IP address, user identity or phone number, and start and ending time of the communication.

For wireless access points offered by ISPs, data on the physical location and identity of the equipment need to be registered (paragraph 5, 3).

For e-mails, the sending and receiving email address need to be retained, but only for users of the ISPs own email services, e.g. not for email services such as hotmail or gmail (paragraph 6).

The coming weeks will show how the Telecom Industry, NGOs and others respond to the draft. So far, it seems the industry is willing to accept the proposal without much outcry, not least because it has included much of their earlier critique. Besides, many see it as a lost cause given the legal anti-terrorism provisions adopted in Denmark back in 2002.

Ministry of Justice Draft administrative order on data retention (in Danish only)
http://www.jm.dk/wimpdoc.asp?page=document&objno=75577

EDRI-gram : New anti-terrorism measures in Denmark (5.12.2005)
http://www.edri.org/edrigram/number3.24/Danish_antiterror

(Contribution by Rikke Frank Jørgensen, EDRI-member Digital Rights Denmark)