
Privacy Laws and Business International Report


Denmark adopts new data protection law [2000] PLBIRp 34; (2000) 55 Privacy Laws and Business International Report 3

Denmark adopts new data protection law

DENMARK'S NEW LAW has been in force since 1st July, but it will take some time to learn how these rules can be applied in practice. Professor Dr Peter Blume explains the main differences between the new Act and the EU Data Protection Directive, and looks in detail at how the Act restricts direct marketing.

At its third attempt, Denmark's Parliament passed, on 25th May, the new Data Processing Act that implements the EU Data Protection Directive. The Act (no. 429 of 31st May) came into force on 1st July.

It was not with great pleasure that a majority voted for this Act. Since the Parliamentary deliberations started in 1998, it has been evident that most members in the judicial committee found it almost impossible to understand the proposed bill and the EU Data Protection Directive. In fact, they would have preferred to uphold the current law. As a result, the final statute discussed below was influenced by this preference.

The new Act has been characterised as one of the most incomprehensible texts that Parliament has ever enacted, and this fact is severely criticised in the report by the judicial committee. Had there not been a directive, this statute would never have been enacted.

Although this criticism is perhaps too severe, there is no doubt that the statute, like the EU Data Protection Directive, is very complicated. It is problematic that rules which aim to guarantee the protection of the citizens' personal data are drafted in such a way that it is unlikely that most citizens will understand them. There is a clear risk that data protection will become the domain of experts to an even larger degree than before.

THE ACT APPLIES TO LEGAL PERSONS IN CREDIT REPORTING

The Act protects personal data of physical persons. With respect to credit reporting, the Act also covers legal persons. Protection is afforded in the private sector, public administration and, as something new, also in the courts.

All kinds of digital processing are included together with manual files. In the private sector, other kinds of systematic manual processing related to sensitive data are also protected. Exemptions are made for the mass media and the secret services. Processing for purely personal and private purposes is also excluded in section 2(3), and in the preparatory remarks it is made clear that such processing includes data which are broadly disclosed, e.g. in Internet chat groups.

This interpretation is stated as part of a general assumption emphasising that data protection ought not to restrict freedom of speech. To this effect, a general interpretation rule is stated in section 2(2) indicating that article 10 of the Human Rights Convention must be respected in the interpretation and application of the Data Protection Act.

To a large degree, the text of the Act resembles the directive, as this makes it likely that the EU obligations have been met. Of particular interest are those provisions that do not conform with the directive. Their legal foundation is mainly article 5 and recitals 10 and 22. In particular, emphasis has been given to ensuring that the level of protection must not be lower than before the directive was transposed. It is rules of this nature that are discussed in the following.

THE QUESTION OF APPLICABLE LAW

Section 4 contains the rules on civil jurisdiction. As in the directive, the fundamental point is whether the controller is established in Denmark or another EU member country. However, jurisdiction based solely on this assumption does not provide a sufficiently broad scope, which is the reason for the special provision in section 4(3). According to this rule, Danish law applies when a controller established in a third country collects personal data in Denmark in order to process the data in a third country.

This rule provides a broad jurisdiction and, for example, includes websites located in third countries. It is not obvious that the rule conforms with the general principles of international private law and in any case it seems doubtful whether it will be possible to enforce it. However, it demonstrates the intention of ensuring the best possible protection for Danish citizens.

A THIRD CATEGORY OF PERSONAL DATA

In the core provisions of the directive, articles 7 and 8, a distinction is made between ordinary and sensitive personal data. The listing of sensitive data in article 8 is exhaustive but is not identical with the categorisation previously made in Danish law. Implementation of these rules would mean that data on criminal offences, serious social problems and other matters of a purely private nature, would be afforded less protection in the future. This observation caused major problems in the transposition process, as articles 7 and 8 were perceived by the government to be in conformity with the directive, but, on the other hand, were not acceptable to Parliament.

For this reason, conditions for processing the aforementioned kinds of data have been stated in a special rule in section 8, thus creating a third category of personal data. Processing can take place under the same conditions that apply to sensitive data, and when processing is necessary. Special strict rules on disclosure of data from social service authorities are also laid down. In the preparatory remarks, it is furthermore made clear that public authorities will not disclose these data to the private sector to a greater degree than was the case before the Act was passed.

It seems somewhat doubtful whether section 8 is in accordance with the directive. Rules of this nature, which differ from those of other member states, may restrict the free flow of personal data within the EU, which is also foreseen in recital no. 9. It will depend on future decisions of the European Court of Justice whether section 8 can be upheld.

STRICT RULES ON MARKETING

The most discussed question, with respect to the private sector, concerned the processing of data for the purpose of direct marketing. In article 14(1b) of the directive, the data subject is given a right to object, which can be applied in situations where the controller can lawfully process data for this purpose. This opt-out rule can apply to both actual marketing and the disclosure of data for this purpose. When considering this rule, the directive on distance selling (97/7/EC) and the directive on privacy in telecommunications (97/66/EC) have also been taken into account. Both these directives contain opt-in rules, and the relationship between the three directives is not at all clear.

It was, furthermore, important that the statute on private registers in section 4b contained a rule stating that express consent must be given in order to disclose data for marketing purposes. With this background, a very complex legal regulation has been made, consisting, to some degree, of rules whose accordance with the directive seems quite doubtful. It should be added that the following account demonstrates the complexities of data protection law which, in most countries, consists of a web of statutes that can be difficult to fully comprehend.

The question of how a company can market its own products to its own customers is mainly regulated in section 6a of the Marketing Act. Application of this rule presupposes that data are processed lawfully in accordance with the Data Protection Act. The following provisions are seen as a closer definition of a general principle on good marketing practice given in section 1 of the Act. First, it is determined that usage of certain methods, e.g. fax and e-mail, can take place only with the prior consent of the consumer.

The inclusion of e-mail has been much criticised by private enterprise as it hinders e-commerce. This rule was adopted to protect consumers against spam. In other situations, an opt-out rule is applied. It has been seen as important that the consumer is sufficiently informed, and that it is easy to object. For this reason, opt-out is made possible in the Central Persons File (a register of all citizens, which includes names, personal identification numbers and addresses; it is administered by the Home Office with the help of local government).

Companies are obliged to review this file the first time marketing takes place and every 3 months after that. If a general objection has not been made, the consumer must, in a neutral way, be informed of his right to object, and be given 14 days to make such an objection. This information must not be given using e-mail or fax and it must not in itself contain a marketing message.

THE REGULATION GOES ABOVE THE DIRECTIVE'S REQUIREMENTS

These strict rules demonstrate how seriously this kind of processing is viewed. This is also evident when the regulation under the Data Protection Act is taken into account. These rules concern the disclosure of data and the usage of data on behalf of other companies. The Act consists of rules on processing in section 6(2-4) and on the opt-out model in section 36. Processing of data which provides specific knowledge of previous transactions of the data subject can take place only with consent.

This opt-in rule is stricter than the directive and is not in accordance with article 7. Specific data are, for example, information on the exact kind or amount of previously purchased commodities. Consent is always necessary if the data are sensitive. If the data are merely general and do not provide precise knowledge on the data subject's behaviour, such information can be disclosed if the data subject does not object.

Objections are recorded in the Central Persons File, and the controller must review this file each time a disclosure is considered. If a general objection has not been filed, the data subject must be notified about his right to object and be given 14 days to exercise this right. Once again, fax or e-mail cannot be used to provide this information. As e-mail addresses are not included in the Central Persons File, marketing to data subjects whom the company can identify solely through their e-mail address can be legitimised only through consent.

These complex and strict rules on marketing have already created problems, as Denmark's leading bank was forced to withdraw a customer information leaflet as it turned out not to be in accordance with the rules. Accordingly, even very resourceful controllers have difficulties in understanding these rules. They also demonstrate that the original harmonising idea behind the directive will not be a complete success, and that the conditions for this kind of processing will differ between the member states.

USE OF PINS

Article 8(7) of the directive lets the member states decide the conditions under which personal identity numbers can be processed. Denmark has had such a system since 1968. While there are few problems with respect to the public sector, the conditions of processing in the private sector are an important policy issue. Before the Data Protection Act, the rules in the Private Registers Act, section 4a, were strict. Whether these rules should be relaxed or not became a major theme.

Although the PIN in itself only contains trivial data (birthday and gender) it can be used to combine data, providing vast amounts of information on the data subject. In practice, there have been several incidents where the use of another person's PIN number has opened access to quite sensitive information. The new rules are, therefore, based on the precondition that PIN numbers must not be used as the only access point to files with personal data. Such a system violates the security rules in section 41(3).

With this background, section 11(2) provides increased possibilities of processing PINs. First of all, this can take place when the data subject gives his consent. This could seem natural but, in practice, there will, in many cases, be a risk that consent is not given voluntarily. Processing is also possible if it has been specifically authorised. This will often be the case, e.g. in connection with tax collection. In processing solely for a scientific or statistical purpose, PINs can also be used as it is generally assumed in Danish law that this kind of processing does not pose a risk for infringements of privacy.

Finally, disclosure of PINs has been made possible if disclosure is natural for the normal running of the business of the controller and is necessary for an unambiguous identification of the data subject. This special rule will probably not be applied much in practice.

With respect to both the public and the private sector, section 11(3) makes it clear that PINs can be published only with consent. All in all, the new rules will mean that PINs are used to a large degree in the private sector and for this reason many view them with caution. If section 11(2) should lead to infringements on a larger scale, it is likely that this rule will be amended.

FUTURE PRACTICE

In July, the Ministry of Justice issued several statutory instruments concerning the notification system and security measures in public administration and the courts. The Data Protection Agency has also published guidance on several issues, in particular, on how the rules on rights of data subjects should be understood. According to the Act, notifications must, except for scientific processing, be completed by 1st October 2000.

There is no doubt that the new rules, although in some cases resembling the old Registers Acts, give rise to many controversies that have to be settled in practice, often by decisions of the Data Protection Agency. There is also little doubt that the new Act has led to increased interest in data protection. Its broad scope means that informational privacy has been strengthened in Danish law.

This report was written for Privacy Laws & Business by Professor Dr Peter Blume. He can be contacted at the University of Copenhagen, Studiegarden, Studiestraede 6, 1455 Copenhagen, Denmark Tel: + 45 3532 3107, e-mail: Peter.Blume@jur.ku.dk. The Act is not yet available in English, but readers who can understand Danish can be referred to his commentary in the following publication: Peter Blume / Personoplysningsloven (Greensjura, Copenhagen 2000).


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/34.html