Wrongful convictions? Danish DPA to investigate data retention scandal

After an inquiry by MEP Patrick Breyer (Pirate Party Germany), the European Data Protection Board (EDPB) announced that the Danish Data Protection Agency has opened a case investigating the data retention scandal in Denmark.[1]

The LIBE committee of the European Parliament previously discussed how errors in police software (errors when converting raw data received from providers) resulted in false communications data being used to prosecute crime in Denmark.[2] Denmark is currently reviewing thousands of cases to see whether the false data has had an effect on their outcome.

A consultancy commissioned by Denmark has identified several shortcomings in the police’s IT systems and in prosecution:

• IT systems and the associated IT infrastructure were found to be “complex, outdated, and difficult to maintain”, and were maintained by a single employee
• there was a lack of administrative practices for quality control of the data conversion system
• prosecuters were frequently “overstating the accuracy of mobile location data”

This issue is also highly problematic considering that Denmark exchanges communications data with other Member States. While the Commission said Denmark was obliged under the data protection directive to notify recipients of false communications data, the Danish police representative said they were only answering questions from receiving authority. The data protection authority would need to make sure all receiving authorities are notified of errors and, in the meantime, notified that the data MAY be erroneous.

Furthermore, it appears that no other Member States is examining their systems for similar “conversion errors”. There appears to be no systematic quality control/audit of those systems. When asked whether the Danish scandal justifies initiating a joint examination of the IT systems used in processing communications data, the EDPB only commented that its members would take due account of the conclusion of the Danish Data Protection Agency investigation.[3]

[1] EDPB Response to MEP Patrick Breyer regarding the Danish national police data retention case: https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-response-mep-patrick-breyer-regarding-danish-national_en

[2] Danish data retention: Back to normal after major crisis: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2020/01-20/Danish_data_retention_EN.pdf

[3] Guidelines 4/2019on Article 25 Data Protection by Design and by Default: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf