Octopus Cybercrime Community

• The Criminal Code of Denmark addresses all of the substantive law aspects of the Convention with exception of direct implementation of offences related to misuse of devices.
• The Danish Administration of Justice Act addresses most of the procedural powers under the Budapest Convention; however, data preservation requirements extend only to service providers.

Illegal access to information systems is criminalised in the following sections of the Criminal Code:

• Section 263(2) regarding wrongfully (unjustifiable) gaining of access to any data or programs of another person intended for use in an information system.
• Section 263a regarding the wrongful selling or distribution to a wide group for commercial gain of a code or other means access to a non-public information system protected by a code or other special access protection and disclosure of a larger number of such codes or access means (concerns non-commercial systems).

Illegal system interference is criminalised by  Section 193(1) regarding the causing of comprehensive interference with the operation of any public transport means, public postal service, telegraph or telephone service, radio or television broadcasting system, information system or service providing public utility supplies of water, gas, electricity or heating.

Illegal data interference is criminalised by the same Sections of the Criminal Code as the Sections mentioned with regard to illegal system interference, such as deletion of damage to, etc., computer data.

Illegal interception of computer data is criminalised in Section 263(2) of the Criminal Code which deals with the wrongful (unjustifiable) gaining of access to any data or programs of another person intended for use in an information system.

Misuse of devices - production, distribution, procurement for use, import or otherwise making available or possession of computer misuse tools is not criminalised per se. However, the production, procurement etc. of devices or tools with features that can be misused for the purpose of committing criminal offences is punishable as incitement or aiding and abetting an offence (Section 23) or attempting to commit an offence (Section 21).

Computer-related and content related offences under the Budapest Convention on Cybercrime are also criminalized extensively by the Criminal Code.

Sources:

• https://www.coe.int/en/web/octopus/country-legislative-profile/-/asset_publisher/LA6eR74aAohY/content/denma-1
• http://data.consilium.europa.eu/doc/document/ST-13204-2016-REV-1-DCL-1/en/pdf

Providers of telecommunications services can be ordered to preserve computer data pursuant to Section 786a. A preservation order obliges the providers to preserve the data for a period not exceeding 90 days. Within this period police authorities can secure the data through a seizure under Sections 801-802.

Search and seizure of information is possible during investigation of a cybercrime offence in accordance with Chapter 73 and 74 of the Administration of Justice Act. Sections 793 to 807 contain general provisions on trace, search, seizure and freezing.

Police may request information on statistic IP addresses without a court order. In addition, a service provider can be ordered to disclose customer information only necessary for dynamic IP addresses in accordance with Section 804 on condition that the order is issued as part of an investigation into an offence and on condition that there is reason to presume, inter alia, that the item or information can serve as evidence.  Disclosure of traffic and content data is restricted to the serious cybercrime offences punishable by at least six years' imprisonment.

The use of real-time interception of traffic and content data pursuant to Section 791b is restricted to the serious cybercrime offences punishable by six years' imprisonment. Hence, interception is not possible as part of a investigation of a person who illegally prevents another from using or disposing computer data etc., e.g. a denial of service attack, in accordance with Section 293(2) of the Criminal Code. In addition to this basic condition, reasonable grounds to presume that information is being used or passed by a suspect need to be present as well as a presumption that the interception is of essential importance to the investigation.

Under Section 781 interception of telecommunications (content data) etc. is also permitted in relation to the serious cybercrime offences punishable by at least six years' imprisonment if there are reasonable grounds to presume that information is being used or passed from a suspect and that the interception is presumed to be of essential importance to the investigation. This measure includes disclosure of email-correspondence and other available content. This Section concerns tapping communication through the service provider’s facilities, in contrast to interception under Section 791b, which covers “skimming” via computers (or other information systems).

Sources:

• https://www.coe.int/en/web/octopus/country-legislative-profile/-/asset_publisher/LA6eR74aAohY/content/denma-1
• http://data.consilium.europa.eu/doc/document/ST-13204-2016-REV-1-DCL-1/en/pdf

Specific safeguards under the Danish Administration of Justice Act cover an extensive range of procedural powers, with significant limitations as to applicability to serious offences, provision of judicial oversight, and data protection aspects related to processing of data in the criminal investigations.

In terms of police activities oversight, the Independent Police Complaints Authority is an independent authority headed by the Police Complaints Council and the Chief Executive. The Police Complaints Council is the supreme governing body of the Authority and consists of a Chair, who must be a High Court judge, an attorney, a professor of law and two representatives of the general public.

Danish Security and Intelligence Service (PET) is subject to several forms of external supervision from e.g. the Minister of Justice, the Danish Parliament, the courts and the Intelligence Oversight Board.

Sources:

• https://www.coe.int/en/web/octopus/country-legislative-profile/-/asset_publisher/LA6eR74aAohY/content/denma-1
• https://www.humanrights.dk/sites/humanrights.dk/files/media/dokumenter/udgivelser/hrs/2018/police_complaint_mechanisms_dihr2018.pdf
• https://www.pet.dk/English/Legal%20matters/Supervision%20of%20the%20Danish%20Security%20and%20Intelligence%20Service.aspx

Specific legislation and regulation related to cybersecurity and cybercrime has been enacted through the following instruments:

Critical infrastructure

• The Danish Act on Network and Information Security of Domain Name Systems and Certain Digital Services (Act No. 436 of 8 May 2018);
• The Danish Act on Network and Information Security for Operators of Essential Internet exchange points (Act No. 437 of 8 May 2018);
• The Danish Act on Security Requirements for Network and Information Systems in the Health Sector (Act No. 440 of 8 May 2018); and
• The Danish Act on Security of Network and Information Systems in the Transport Sector (Act No. 441 of 8 May 2018).

Data protection

• The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR); and
• the Danish Data Protection Act (Act No. 502 of 23 May 2018).

Health sector

• The Danish Executive Order on Health Preparedness Planning (Order no 971 of 28 June 2016); and
• The Danish Executive Order on Health Records (Order No. 530 of 24 May 2018).

Financial sector

• The Danish Financial Business Act (Consolidated Act No. 1140 of 26 September 2017);
• The Danish Act on Payment Services (Act No. 652 of June 2017);
• The Danish Order on Management and Control of Banks (Order No. 1026 of 30 June 2016); and
• The Danish Order on Outsourcing (Order No. 1304 of 25 November 2010).

Telecommunications sector

• The Danish Act on Electronic Communication Networks and Services (Consolidated Act No. 128 of 7 February 2014); and
• The Danish Act on Radio and Television Activities (Consolidated Act No. 444 of 8 May 2018).

Transport sector

• The Danish Act on Network and Information Security for the Transport Sector (Act No. 442 of 8 May 2018); and
• The Danish Executive Order on Network and Information Security for the Transport (Order No. 1042 of 6 August 2018).

Intellectual property law

• The Danish Copyright Act (Act No. 1144 of 23 October 2014).

Other sector-specific regulations promoting cybersecurity

• The Danish Executive Order on Preparedness for the Electricity Sector (Order No. 1024 of 21 August 2007);
• The Danish Executive Order on IT Preparedness for the Electricity and Natural Gas Sector (Order No. 425 of 1 May 2018);
• The Danish Executive Order on Preparedness for the Oil Sector (Order No. 424 of 25 April 2018); and
• The Danish Executive Order on Security Requirements for the Network and Information Systems of Certain Water Supplies (Order No. 429 of 4 May 2018).
• The Danish Act on Television Surveillance (Act No. 1190 of 11 October 2017);
• The Danish Act on the Centre for Cyber Security (Act No. 713 of 25 June 2014);
• The Danish Executive Order on Providers of Electronic Communications Networks and Electronic Registration and Storage of Communications Services (Order No. 988 of 28 September 2006, the ‘Logging Order’).

Source:

• https://www.lexology.com/library/detail.aspx?g=a2b86bca-08e1-479d-9a9a-46535babecd9
• http://data.consilium.europa.eu/doc/document/ST-13204-2016-REV-1-DCL-1/en/pdf

Authority for extradition and provisional arrest in the absence of other treaties (Article 24)

Name of the authority: Director of Public Prosecutions

Note: Decisions concerning the use of provisional arrest are made by the district prosecutors.

Contact details:

• Address: Frederiksholms Kanal 16, 1220 Copenhagen K
• Tel/Fax: tel: + 45 72 68 90 00 / fax: +45 72 68 90 04
• E-mail: rigsadvokaten@ankl.dk
• Website: Information not available

Authority for Mutual Legal Assistance in the absence of other agreements or arrangements (Article 27)

The authority for Mutual Legal Assistance in the absence of other agreements or arrangements depends on which country sends the request. If the request comes from an EU Member State the competent authority is the District Police Commissioner. It is possible to find the competent judicial authority by using Atlas’ function of the European Judicial Networks webpage.

24/7 Contact point (Article 35)

Name of the authority: Danish National Police

The National Centre of Investigation under the Danish National Police operates the Danish Communications Centre 24/7/365 as a Single Point of Contact (SPOC) to the entire Danish police force which includes requests under the auspices of Europol, Schengen, Baltic Sea Task Force, Frontex, Interpol, the Nordic police cooperation, bilateral cooperation with law enforcement of other countries, cross border surveillance and controlled deliveries. It furthermore handles urgent requests according to the Budapest Convention relating to cybercrime. This means one point of entry to the entire Danish police and no “red tape” in the opening phase of cooperation with other countries. Procedural steps are in place so that requests directed to the SPOC are immediately redirected to the National Cyber Crime Center (NC3) in order to implement appropriate investigative measures and the involvement of the prosecution service and the judiciary system when needed.

Sources:

• https://www.coe.int/en/web/octopus/-/denma-2?redirect=https://www.coe.int/en/web/octopus/international-cooperation-wiki
• https://rm.coe.int/t-cy-2016-30-mla-rec-follow-up/168076cf93

There is no specific Danish legislation relating to mutual legal assistance in criminal matters. In all cases where assistance from Denmark is required, the Danish authorities apply national legislation by analogy. This implies that Danish authorities can comply with requests for mutual legal assistance even though no bilateral or multilateral agreement exists between Denmark and the requesting country. This also implies that Danish authorities can comply with a request if the investigative measure(s) covered by the request could be carried out in a similar national case. Therefore, requests are executed in accordance with national law concerning criminal procedure (The Administration of Justice Act) and - if applicable - in accordance with relevant international instruments such as the 1959 Council of Europe Convention on Mutual Legal Assistance and Agreements between the Nordic countries.

Danish law enforcement authorities can always provide foreign law enforcement authorities with requested information. In some cases, there can be a restriction on the further use of the information, for example if there is an on-going investigation in Denmark.

The Ministry of Justice was until 1 March 2016 designated as central authority to receive requests for mutual legal assistance and to execute them or in some cases transmit them to the competent authorities for execution. Requests are executed where appropriate by one or more authorities, e.g. the Danish State Prosecutor for Serious Economic and International Crime, the Police or the Prosecution Service. 

Since 1 March 2016, the Director of Public Prosecutions has been designated as central authority instead of the Ministry of Justice.

In general, requests for mutual legal assistance and any communication related thereto must be transmitted to the Director of Public Prosecutions by the requesting State. However, urgent requests and communications may be addressed through diplomatic channels, Europol, Interpol or directly to the relevant authorities.

Additionally, any requests sent within the Schengen system or requests on the basis of the European Convention of 29 May 2000 on Mutual Assistance in Criminal Matters may be sent directly to the relevant judicial authorities. Requests may be sent by e-mail or by regular mail.

Denmark has no special limitations concerning fiscal matters. Thus, Denmark does not refuse a request for mutual legal assistance on the sole ground that the offence is also considered to involve fiscal matters. It can be noted in this connection that the 1978 Additional Protocol to the Council of Europe Convention on Mutual Assistance in Criminal Matters withdraws the possibility of refusing assistance solely on the ground that the request concerns an offence which the requested party considers a fiscal offence. There are only a few areas where information due to secrecy provisions (legal professional privileges etc.) is not available in an investigation, for example obtaining information exchanged between a suspect and his defence attorney.

Assistance is always given unless it is impossible. In a few cases, assistance which requires dual criminality, is denied because there is no such duality but in such situations it will be discussed with the requesting country whether they can provide additional information which might enable the Danish authorities to comply with the request or if more limited assistance not involving coercive measures is wanted.

Dual criminality is not required for non coercive measures.

In the Danish legal system, dual criminality is seen as a question of whether the same facts are criminalized and not as formal duality. This implies that dual criminality is considered on the basis of the underlying conduct rather than on the basis of specific offences.

Source: https://www.coe.int/en/web/octopus/country-legislative-profile/-/asset_publisher/LA6eR74aAohY/content/denma-1