Why Denmark’s data protection is a disgrace

Danish DPA imageBy Simon Davies

There’s a catchy line from Hamlet that – in modern times – is usually abbreviated to “There’s something rotten in Denmark”. That quote could well apply both to Danish data protection and to the national authority that supervises it.

Perhaps it’s not fair to single out that delightful kingdom, but I will do so anyway. True, there’s something rotten in many European states in terms of the way data protection authorities (DPA’s) go about their business. Some of them are tenacious, but some are becoming increasingly timid, isolated and invisible to the public. Others are – to use a quaint British expression – simply up their own arse.

In summary, some government authorities in Denmark are lining up to brutalise protections, while the general population appears increasingly chilled about the collapse of their privacy rights.

But Denmark deserves special mention, not just because its government appears to be running amok on surveillance initiatives, but also because its’ famously dysfunctional DPA is about to receive a new boss. This is the moment for straight talking in the hope of agency reform throughout the challenging years ahead.

By way of background, Denmark has embarked on the sort of surveillance and control agenda that some other EU states have pursued (particularly France, Belgium, Netherlands, UK, Spain and Italy). The intelligence services have been expanded, data retention is being extended, anti terror packages are being introduced and police powers increased. These include proposed new powers for the Danish Defence Intelligence Service to monitor Danish citizens abroad without the need for a warrant.

Beyond the realm of police and security, there has been strong criticism about the level of data protection generally in Danish public institutions.

In summary, some government authorities in Denmark are lining up to brutalise protections, while the general population appears increasingly chilled about the collapse of their privacy rights.

Given the Copenhagen shootings earlier this year perhaps it is natural for a nation in shock to take such a road. However something is amiss when such measures are adopted without substantial debate – particularly when Denmark routinely boasts a claim to being the pinnacle of human rights.

But where is Denmark’s DPA in this dangerous situation? In terms of legislated government powers, its profile is opaque at best. I looked at a summary of the office’s activities over the past six months and there are only one or two elements that offer any hope whatever. Yes, this DPA has engaged police and some authorities over intrusive technologies, but the language and process it uses is sterile and uninspiring to anyone outside the legal realm. People who should in normal events be fellow travellers with a data protection watchdog overwhelmingly describe it as toothless, aloof and compromised.

It would probably not be fair to say the Danish DPA is inactive, but I believe it would be accurate to say that the agency appears to be uninspiring, inefficient and that it has failed to show leadership. At the international level, the Danish DPA barely exists.

Perhaps one explanation is that it’s hard to know where the Danish Ministry of Justice ends and where the Danish DPA begins. There’s a revolving door between the two. Technically, the agency is independent, but if you populate a hen house with enough foxes, it soon ceases to be a hen house – regardless of what you call it.

The highly respected Danish Institute for Human Rights also appears to have concerns about the DPA. In a report this year it slapped the authority over its handling of social media complaints. To be fair, the DPA does issue a warning that it doesn’t normally deal with complaints about the likes of Facebook, preferring instead to refer complainants to the Irish authority or to Facebook itself, but that’s beside the point.

Technically, the agency is independent, but if you populate a hen house with enough foxes, it soon ceases to be a hen house – regardless of what you call it.

This jurisdiction deficiency, in my view, is outrageous. I earlier described the Danish DPA as dysfunctional, and the Facebook situation is one reason why I chose that word. Denmark has the highest proportion of Facebook users of any EU country. The place is steeped in social media culture. Facebook penetration in Denmark is almost fifty percent greater than the EU average of 38 percent, and yet the Danish DPA sees no reason to advocate on behalf of this huge sector.

I have a theory that might explain this bizarre situation. I believe the Danish DPA is insular and inward looking. This is evidenced by the absence of an external expert technical advisory group – despite continuous recommendations that it should establish such independent technical advice. Gosh, even the UK DPA set up a technical board – even though its members don’t usually understand why they are involved.

I also believe the Danish agency lacks the ability or the will to look beyond Denmark’s borders. Even the Estonian and Italian DPA’s saw the folly of this attitude and changed course to a more global outlook.

I have personal experience of this dysfunction. I have tried several times without success to meet the Danish DPA for an open discussion of global privacy issues. Just about every DPA in the world meets me for such important dialogue, but not in Denmark. The first request was lost or ignored and the second one was batted back with the explanation that no-one had time.

However it was the response to my third attempt that set alarm bells ringing. A senior DPA staff member told me to set out an agenda of issues so he could check whether there was any “compatibility” for a meeting.

Compatibility? How could there not be compatibility? I was utterly astonished.

I replied to the effect that every other national authority was happy to meet without the constraints of pre-notification of issues. I argued that an open approach was within the Danish DPA’s mandate and that they should welcome a discussion with me.

I completed my protest with the observation that the Danish DPA has a responsibility to engage civil society and if they (the Agency) feels Denmark is an exception to that dynamic, then we really do have an urgent issue for discussion.

Of course I never received a response. I didn’t expect to receive one.

To be honest, if that agency was ruthlessly effective within Denmark’s borders, I might have been more empathetic – but it isn’t effective. A report by the Danish Auditor General (Rigsrevisionen) from 2013 and 2014 revealed that several state institutions have inadequate protection of personal data (cited here). The report observed that the many cases of leakage of personal information underscores a need to strengthen security and supervision in the handling of personal information by public institutions. In other words, the Danish DPA has failed to adequately do its job.

I’m not sure who will be leading the Danish DPA from next month, but that person faces a vast challenge. In my view, the agency has real potential to show global leadership – but only if it drops the pomposity about its “important” quasi-judicial functions and learns to become a true advocate and ambassador for privacy.