Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site : https://www.venice.coe.int/

Denmark

1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

There are no constitutional provisions on the issue in question, and until 2002 there was also no specific legislation. In 2002, a specific provision was introduced as (now) Art. 791 b of the Administration of Justice Act. It concerns “reading of non-publicly available data in an information system by virtue of programs or other equipment (data reading)”. The provision concerns reading of information systems such as computers or similar devices, e.g. tablets and mobile phones etc. It provides for the police to install so-called “sniffing software” in computers etc. by which the police may obtain information about the user’s use of the device, including handling of documents and information seeking. This is presumably what the Venice Commission refers to as “spyware”.

2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?

The said provision in Art.791 b of the Administration of Justice Act sets out the conditions for data reading. They are as follows (cumulative):
There must be specific reasons to assume that the information system in question is used by the suspect in connection with planned or already committed criminal activity which a) under the law is punishable by prison of 6 years or more or b) concerns intentional violation of criminal law provisions concerning state security etc.
Data reading must be assumed to be of decisive importance to the investigation of such crime.
Data reading must be proportionate in relation to its purpose, the criminal activity in question and the violation of the right to privacy of the person(s) subjected to data reading.

3. What kind of data, if any, could be collected with spyware?

The law does not set up any specific limitations in this respect.

4. Has there been any official evaluation of the need for, or added value of, spyware?

N/A

5.Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?

Authorization of measures of targeted surveillance (including data reading) is issued by the court. This is the case with both criminal and intelligence investigations. However, if the purpose of data reading would be defeated by having to initiate court procedures, the police (or intelligence service) may decide on its own to initiate data reading. In such cases the police (or intelligence service) must, within 24 hours, refer the case to the court for decision. If the court deems that data reading should not have been initiated, the court must report this to the Director of Public Prosecution (in case of the intelligence service to the Ministry of Justice).
See Art. 783 of the Administration of Justice Act.

6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?

An expert oversight body exists in Denmark (the Danish Intelligence Oversight Board - Tilsynet med Efterretningstjenesterne).It has the power to fully access data collected by security services. However, the Oversight Board does not supervise individual cases of use of spyware in the context of criminal or intelligence investigation. This is a matter for the courts. A specialised parliamentary committee overseeing the activities of the security services is in place.

7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?

As a general rule, the individual in question must be notified once data reading is completed together with notification of the character of the suspected criminal activity in question. However, if such notification would be harmful to the investigation of the case, notification may be delayed or even not done at all. Decision on this is made by the court at the request of the police.
See Art. 788 of the Administration of Justice Act.