Danish data collection procedures are being called into question following a widely reported tabloid spying scandal and a call-to-action by whistleblower Edward Snowden. With the scandal looming, Danish officials say they are gearing up to enter a series of debates over summer. The talks will focus on the a potential reworking of data collection and surveillance policies.
By: Alexander Montero and Thomas Rizza
The global debate over data protection and government surveillance has recently been thrust to the forefront of Danish society.
In the wake of a widespread tabloid spying scandal and subsequent criticism from NSA whistleblower Edward Snowden, the Danish Parliament is scrambling to answer public concern over data collection. Under current policy, the government logs nearly all information—from texts to phone calls to emails.
“Danes are afraid right now about how safe their personal data is,” said Michael Aastrup Jensen, a member of Danish Parliament and IT spokesperson for Venstre—a liberal, free-market party. “We see [data surveillance] as an attack on our freedom as individuals. Most Danes don’t even know how much surveillance there is: how much their phones are being logged, how much their texts are logged, how much CCTV there is. Everything is on the table right now.”
Michael Aastrup Jensen explains the Danish surveillance infrastructure and the need for change. [Photo: © Venstre (CC: reuse via non-commercial creative commons)www.flickr.com/photos/venstredk/4919910526/]
A Rough Month for Denmark
Trailing the recent, negative press, the Danish Parliament is set to enter a series of debates, which will center on potentially excising widespread data collection and upping enforcement.
According to Jensen, the talks will take place over summer and continue into the fall with the intent of reworking existing data security policy and enforcement.
The data debate in Denmark has arrived on the back of the widely publicized “See and Hear” scandal in early May—its namesake derived from the Scandinavian magazine “Se og Hør.” The tabloid specializes in celebrity gossip and entertainment news, offering bounties for inside information and photos concerning the whereabouts of celebrities.
From 2008 to 2012, “See and Hear” published information sold to them by a former employee at the Nordic company Nets, which handles credit and information services for banks and other public sector businesses. The information provided included credit card payment information and phone calls made by celebrities, politicians and even the Danish royal family.
The identity of the former Nets employee has yet to be released, as the situation is still under investigation.
“See and Hear” provided anonymity to the source of the illegally obtained information in exchange for hot headlines. No inquiry was made concerning the source of the information until Ken B. Rasmussen, a former “See and Hear” employee, published his book ‘Livet, det forbandede’ (Life, the damned) which made claims against his employer regarding their illicit business practices.
Karin Gaardsted, IT spokesperson for Denmark’s Social Democratic Party and member of Parliament, said it was a “surprise” this illegal activity could go on for so many years without law enforcement finding the source.
“It was just because of [Rasmussen’s] book that it came into light,” said Gaardsted. “I think that the police are very satisfied that he has written his book.”
Listen to Karin Gaardsted go in depth on “See and Hear” and the potential for changed legislation. Photo: Lars Schmidt. January 31, 2011
In May, Nets published a press release on their website, which stated that, while their internal investigation has not been finalized, they “will strengthen the control functions aimed at ensuring that employees with access to confidential data do not abuse this access.”
Now, the scandal has garnered international attention following famed American whistleblower Edward Snowden’s open letter to Denmark in May. In the published statement, he calls upon the public to take action against what he calls “suspicionless surveillance.”
“The Se og Hør allegations are a reminder that until the Folketing [Danish Parliament] takes action to get to the bottom of the mass surveillance problem, our rights are at risk,” wrote Snowden. “Anybody who writes an email in Aarhus, uses a credit card in Odense, or calls their mother in Copenhagen will have their private records intercepted, analyzed, and stored not just by unaccountable State Security Bureaus, but even private companies and newspapers.”
A Blessing in Disguise?
Having spurred a chain of causation, the “See and Hear” scandal is being viewed by some top officials as a necessary evil—streamlining the surveillance debate to the top of the government agenda.
“The magazine scandal has absolutely opened the eyes of everyday Danes,” said Jensen. “This is something that they talk about around the dinner table, and they’re writing emails to the Parliamentarians. It has also become the big data scandal and has opened a completely new debate about data protection and surveillance.”
Lena Andersen, Deputy Data Protection Commissioner at the Danish Data Protection Agency (DPA), agrees:
“The tabloid case for data protection has done some good. It’s a scandal, and we cannot approve in any way of what has happened, but you can take something positive out of it. It has put data protection out on the agenda, and we’ve begun questioning how it can be done.”
For Jensen’s Venstre party, curbing widespread data collection will be a key point in this summer’s debates.
Scaling back data collection, said Jensen, is now of the highest importance in light of the recent abuses and what he sees as a growing national sentiment regarding data privacy.
Was Snowden Right?
While the “See and Hear” imbroglio coincides with media law and direct theft of information via private entities, Snowden’s follow-up warning has extended the conflict to everyday citizens and their digital relationship with the government.
Under Danish law, the DPA, an independent public body, is given the task of enforcing the Danish Act on Processing Personal Data. Passed in 2010 as a required implementation of a 1995 EU Directive, the act was aimed at protecting individuals with regards to the processing of their personal information—from finances to social security.
While the act lays out collection policies and requirements (such as encryption of sensitive data) it provides the DPA with no power over Danish intelligence agencies.
“We have no supervisory powers in Denmark,” said Andersen. “What is done by intelligence services is outside our supervisory powers…it’s outside our competence.”
The inherently nebulous activity of the Danish intelligence agencies has previously attracted criticism from outside groups.
A 2007 report by Privacy International, a UK-based charity that researches international data security and privacy, labeled Denmark as an “extensive surveillance state,” in which individual protection against surveillance was “deteriorating.”
Privacy International stated Danes lack security in the following areas:
2. Government access to data.
3. Communication data retention
4. Surveillance of medical, financial and movement
5. Border and trans border issues.
Representatives of Privacy International did not respond to a request for comment.
Furthermore, as Snowden posited, Danish intelligence services are capable of intercepting nearly all metadata (e.g., phone calls, location services, texts and emails)
“We log every phone call, every piece of text; that is all logged in big data centers around Denmark,” said Jensen. “And we think that is too far. The Parliament position is that we should not completely abolish the system, but scale it down very, very, very considerably.”
Others, however, see Snowden’s claims as too overarching and are calling for a more nuanced approach that looks at ways to secure data rather than diminish collection.
Evelyne Juliane Beatrix Sørensen, an Aarhus University professor of data law, said Denmark, as an EU member state, has some of the strongest data security in the world. The problem, she stated, is not with changing legislation or cutting data collection but with enforcement.
“EU legislation is very detailed and ensures high protection of personal data for every individual. There are also strong rules on data security,” said Sørensen. “However, the problem is on enforcement, meaning there are clear rules, but the system behind the rules—in other words, enforcing our rights—are apparently not adequate.
Sørensen said the Danish Parliament should be looking into ways to improve enforcement, to ensure security is kept within the parameters of existing “strong” national and EU-based regulatory structure.
According to Social Democrat Gaardsted, Danish data protection laws are strong enough to safeguard the publication of private information. Companies like Nets, which are responsible for handling such information, are being pressured to restructure the chain of command in regards to access.
“What concerned me is, for instance, when you have an organization where too many people are allowed to go into the center of the system,” said Gaardsted. “That young students at Nets could go to the most important part of the IT system there, it was very surprising for me that that was the case.”
From the DPA’s perspective, Andersen said the utilization of so-called data protection authorities within large companies would be a productive first step in upping the enforcement of existing regulations.
“One of the tools in the toolbox for data protection is the Swedish model, which has data protection officials placed in companies of a certain size to enhance protection,” said Andersen. “It’s not been implemented in Denmark, but it could widen the scope of what politicians could take on board.”
Privacy vs. Safety
Further data collection regulations, however, may conflict with national security.
For example, according to a 2011 Privacy International report, Danish courts approved a “vast majority” of over 900 requests in 2009 to intercept communications regarding drug crimes and human trafficking. The interception of such data is contingent on its prior collection and storage.
But court approval is not always necessary. The Danish Administration of Justice Act “gives the Police Intelligence Service increased powers to exchange information with the Defence Intelligence Service and to collect information from other public authorities, e.g. hospitals, schools, libraries, social services etc. without a court order,” according to Privacy International.
Terrorist threats pose yet another problem for cutting back data protection, as authorities, inherently, utilize such methods for national security.
As Parliament enters debate over data protection, individual privacy is being weighed against national security.
“[Venstre] is a party that, of course, has a very strict approach to terrorism. We want to have our intelligence agency have the tools that are necessary to combat the different terrorist groups that are targeting Denmark,” said Jensen. “But on the other hand, we are a liberal party that doesn’t support going further than utilizing the necessary tools. That’s why the Parliament group is having a debate about how far we should go.”
Conflicting relations with the US
As a member of the EU, but also a US ally, Denmark constitutes a larger international community, in which counterterrorism efforts transcend national borders.
For Jensen, the trans border actions of the NSA, of which Snowden is famed for leaking, require a more nuanced approach:
“The question about Edward Snowden and the NSA scandal is not black and white for us. On one hand, we are a very close ally with the US, and we also believe it is important that agencies like the NSA, but also ours, have the necessary tools to combat terrorism and also [provide] a defense against countries like Russia and China…that are potentially harmful to Danish businesses…our integrity and our borders.”
The interface of security, privacy and international relations composes a multi-faceted debate. Much of these complexities are not present in Snowden’s call to action.
The Danish government, however, may be nearing a more straightforward approach with the US.
“We don’t condone, in any way or form that the NSA is spying on Danes,” said Jensen. “We believe it is important that the NSA and every other agency in the US has strict borders about what they can and cant do against our citizens, and we are more and more willing to put this discussion in a more, can you say, frank way to the allies in the US.”
Michael Aastrup Jensen maps out the moves the Danish government may take to ensure privacy. [Photo: © Venstre (CC: reuse via non-commercial creative commons)www.flickr.com/photos/venstredk/4919910526/]
The Future of Data Protection
As Snowden stated, public awareness and action regarding data privacy is now building on a global level.
“Denmark’s parliamentarians haven’t yet had a chance to show whether their votes represent the public’s will, but that day is coming,” wrote Snowden. “The SF Party’s Karina Lorentzen has proposed a public inquiry into this kind of spying, and Uffe Elbæk’s B 69 Asylum bill is due for a vote at any time.”
The bill in question would promote providing asylum for whistleblowers, such as Snowden, who are fleeing persecution in their home countries.
In March, the European Parliament—an EU body—rubberstamped an irreversible data protection regulation and directive. The legislation places harsh restrictions on companies who process consumers’ data. It also contained numerous provisions, such as the right to know how and why data is being processed, and provides citizens of EU member states with “the right to be forgotten.”
This right to request removal of personal information from web searches was recently implemented in the EU. According to a press release posted by the European Union Court of Justice, citizens within the EU may file a complaint with “competent authorities,” if search engines, such as Google, refuse to comply with the regulation.
But, according to Jensen, more needs to be done on a national level in order to strengthen the undercurrent of EU regulations.
“It’s important that there is a minimum standard. But also on a national level we should be prepared to go even further, which is why we’re pushing the government right now,” said Jensen. “From our party’s position we are very willing to go very much against the surveillance we’ve had for many years now.”
With Danish Parliamentarians entering debate over data protection, the government faces a situation more complex than Snowden’s terse call to action. As top officials stated, the Parliament will have to weigh privacy against security, collection against enforcement and national solidarity against supranational relations.