DENMARK

Status, new challenges and perspectives for Nordic-Baltic cooperation

Hanne Marie Motzfeldt and Adam Hyldkrog Lindberg

1. Introduction

The Danish digital administration is developed within an existing organisation and governance model. Yet, digitalisation in itself has affected these fundamental structures – changes and connected challenges which, to some extent, have been counteracted by regulatory developments. Therefore, the following begins with a brief, superficial introduction to the (traditional) organisation and governance structure of the Danish public administration in section 2. Thereafter, the main characteristics of the Danish digital administration and some of the challenges that have occurred are presented in section 3. In section 4, the legal framework is introduced and debated: first, legal principles derived from the constitution; second, EU and international fundamental rights regulation; third, Danish administrative law; and fourth and finally, the overall structure and regulatory model of the forthcoming EU regulation on artificial intelligence (hereinafter AI). This so-called AI Act is examined, and the regulation's future impact on the Danish legal system is discussed. In section 5, attention is drawn to a gap in existing regulation, which potentially poses a major threat to Danish society and citizens – natural and legal persons alike – and, thereby, the trust in public administration.

2. Organisational and Governance Structures of the Danish Public Administration

Since the June constitution of 1849 was adopted, the Danish public administration has been organised into two distinctive branches which today consist of: The (mainly) hierarchical-led, centralised administration and the collectively led, decentralised municipality and regional administration.
Forvaltningsret / Mørup, S. H., Garde, J., Jensen, J. A., Jensen, O. F., Madsen, H. B., Revsbech, K., and Terkelsen, O. 7 ed. Copenhagen: Djøf Publishing, 2022. p 42 and 57.
The Central Administration consists of multiple entities divided into ministerial areas (jurisdictions) where the assigned administrative tasks (competencies) geographically cover the entire country. The competencies (jurisdictions) are delimited according to substantive criteria connected to legislation, e.g., tax law, environmental regulation, or religious matters. In alignment with the Danish constitution, this centralised administration is mainly hierarchical. At the top of each ministerial structure are the departments, in principle, managed directly by the ministers whom the prime minister appoints. In practice, however, management within the departments is steered by the Head of Departments, who acts as the right hand of the ministers.
Unlike in many other countries, the Danish Heads of Department are not politically appointed and will act as heads of the departments no matter the result of an election.
Since the 1960s, the departments have developed into organisations that support the ministers’ strategic and political initiatives. Consequently, supervisory tasks, handling administrative cases and even issuing executive orders have been pushed down to the lower organisations in the centralised organisation or to independent boards of appeal. The tendency is that the directorates and agencies are entrusted with the supervision of the administration and the task of ensuring compliance via instructions and guidelines within the jurisdiction of the relevant Ministry. See below for more information on directorates and agencies. Handling citizens' and companies' complaints about decisions and actions taken by lower administrative units or municipalities and regions has mainly been placed with bodies established in legislation (appeal boards). Such appeal boards are, at the same time, usually given an independent status in the relevant legislation, ensuring they cannot be subject to orders from the politically appointed minister about the outcome of specific cases.
Under the departments, a range of agencies and directorates are to enforce regulation, ensure proper supervision of the administration within the ministerial jurisdiction, and, to some extent, act as appeal bodies and supervisory authorities. In other words, these lower directorates and agencies focus on governance and more citizen-oriented administration, including forming decisions in administrative cases related to their area of responsibility.
Almindelig Forvaltningsret / Bønsing, 5 ed. Copenhagen: Djøf Publishing, 2023, 71 p.
Examples of such Agencies are the Danish Agency for Labour Market and Recruitment and the Danish Agency for Higher Education.
Further, as mentioned above, an extensive range of independent boards and councils, many of them appeal bodies and supervisory authorities, have been established in statutory law since the 1960s, deviating from the principle of hierarchical order between the administrative bodies within the central administration.
Almindelig Forvaltningsret / Bønsing, 5 ed. Copenhagen: Djøf Publishing, 2023, 7p 72p.
The other major branch of the Danish administration consists of the Municipalities and the regions, which are entrusted with providing most of the welfare services and thus are highly citizen-oriented in their tasks. Municipalities and regions are collegially led administrations with democratically elected councils as the highest authority.
Almindelig Forvaltningsret / Bønsing, 5 ed. Copenhagen: Djøf Publishing, 2023, 73 p.
The regions’ primary area of administration (competencies) is health care, combined with delimited tasks related to environmental matters, public transportation and institutions providing specialised care, whereas the municipalities are entrusted with tasks within almost all administrative areas.
The competencies of the Danish municipalities are traditionally divided into three categories: Service, regulation, and collection.
Almindelig Forvaltningsret / Bønsing, 5 ed. Copenhagen: Djøf Publishing, 2023, 58-59 p.
Services include very different areas, such as care of the elderly and disabled, renovation, libraries, day-care, schools, maintenance of infrastructure (roads) and public transportation. The regulatory functions include, for example, decision-making related to some social benefits, issuing building permits and other permits related to construction, as well as business permits and supervision of potential terms and conditions outlined in such permits within the geographic boundaries of the municipality. Regarding the tasks of collection, this has been narrowed down during the last decades as collective functions related to debt recovery and tax have been transferred to the highly digitalised central tax administration; today, the majority of collection tasks are associated with the services offered by the municipalities.
Almindelig Forvaltningsret / Bønsing, 5 ed. Copenhagen: Djøf Publishing, 2023, 59 p.
Generally, governance in the Danish public administrations may be divided into governance within the hierarchy-led administrations and collegial-led administrations. In hierarchically organised administrations, the minister or leader of an entrusted organisation is, in principle, given the authority to execute (all) the administrative powers entrusted to the organisation. As an underlying condition for (the necessary) transfer of tasks and powers to subordinate civil servants or other public authorities, there follows both an access to give instructions and a duty to supervise the subordinates' execution of the transferred tasks and powers. This approach – and fundamental principle – originates from the Danish Minister Accountability Act and follows any further delegation of powers within the hierarchical systems, internally in the various organisations, as well as between the hierarchically organised units.
Act no. 117 of 15. April 1964.
The appointed leaders – in the end, the minister – also have the power to overturn a decision or to initiate a general or specific 'call-in', the latter referring to taking over particular cases from a lower body or an employee. The access to give instructions – and to withdraw any transfer of power – does, however, not follow if the executive power in question is transferred to an independent organisation or a private person (natural or legal), e.g. a company providing a digital system for a public organisation. Therefore, such a transfer of executive power requires a basis in statutory regulation in Denmark.
Developing Administrative Law into Handling the Challenges of Digital Government in Denmark. / Motzfeldt, Hanne Marie; Næsborg-Andersen, Ayo. I: Electronic Journal of e-Government, 2018.
The leadership of the collegial-led administrations consists of multiple members with the same level of authority, and decisions will usually have to be made based on a majority vote. However, as such procedures are only realistic in matters of strategic or otherwise significant importance, everyday administration is delegated to administrative entities within different areas. These administrative entities are usually organised in a hierarchy under the collegial leadership.
The municipalities and regions are self-governing organisations and, therefore, not subject to the direct authority of the politically appointed Ministers. However, as stated in Article 82 of the Danish constitution, the municipalities are subject to supervision from centralised bodies as this supervision is defined in statutory law. The present supervision of the administration in the municipalities can be divided into two types.
The first is general supervision, which focuses on financial affairs and compliance with the regulation of municipalities and general administrative law; the second is special supervision related to legislation that only applies to specific areas of administration, e.g. environmental law. Whereas the general supervisory public agency, Ankestyrelsen, is located at the Ministry of the Interior and Health of Denmark, the special supervision rests with the appointed ministers within the different ministries' competencies (jurisdictions). The special supervision focuses on compliance with the legislation within the ministerial jurisdiction (although in practice, this special supervision has been pushed down to agencies and directorates or supervisory authorities, the responsibility of ensuring supervision and instructions still rests on the ministers due to the Danish Constitution and the Danish Minister Accountability Act). The general supervisory public agency, Ankestyrelsen, is in the relevant legislation given several remedies to enforce compliance, e.g. imposing fines on the democratically elected members of the lead bodies of the municipalities. In contrast, the ministers' supervision within the specialised areas does not carry such powers (unless such is clearly stated in the relevant legislation).
The main aim of conducting public governance within this roughly described organisational framework is – and has long been – to ensure an efficient, citizen-friendly administration that acts within the powers legally granted to the said organisations and in compliance with the relevant regulatory framework. In Denmark, digitisation has long been regarded as a measure to support achieving these goals. Today, almost all services and administrative tasks are supported by or carried out through varying digital tools.
The development from a paper-based, analogue public administration to a highly digitalised, interconnected organisation has significantly impacted not only how the administration appears and acts externally towards citizens and businesses but also governance within the public administration; see further regarding this issue in section 3.5. The digital transformation has simultaneously disrupted the above-described governance model. This shows itself in several contexts. First, workflows and activities were traditionally steered internally via general orders and guidelines developed by organisations or civil servants ranking higher in the hierarchy or by relevant supervisory bodies with a basis in legislative provisions. If harm or unlawfulness was caused by a lack of supervision from the higher-ranking public bodies, leaders and, in the end, the minister within the jurisdiction, said person could be held liable for neglecting the duty of supervision and relevant instructions.
Further, any civil servant performing a public task could be held liable if the person in question was not fulfilling his or her task in accordance with the law, orders, guidelines and professional standards. Today, process-support and process-steering digital systems significantly impact workflows, processes and even the outcome of decisions. Yet, private companies develop and maintain these systems, and the relationship between the public authorities and the private suppliers is only governed by contracts. In other words, the digital transformation has placed actors not bound by administrative law in a significant role in defining workflows and sometimes even how decisions directed at citizens and companies are formed.
Second, systems and databases have been increasingly cross-linked during the last decade, causing massive data flows and interconnected decision processes across entities and jurisdictions within the Danish public administration, thereby disrupting the traditional model of distribution of responsibilities and roles as well as blurring which body is supposed to supervise and ensure compliance in which scenarios.
An example illustrating this new organisational landscape and the disruption of the traditional model of governing in Danish public administration is the influential company KOMBIT, established and owned by Local Government Denmark – the association and interest organisation of 98 Danish municipalities. KOMBIT specialises in the procurement of digital systems directed towards municipalities and has paved the way for shared use of the same systems across all Danish municipalities and new ways to share data between public entities. Further, KOMBIT has taken a lead role in defining standards and architecture models for at least the municipalities. This impressive initiative does, however, have as a side effect that the knowledge of and insight into the logic, architectures, designs – and flaws – of the digital systems used by the municipalities are gathered in KOMBIT and KOMBIT's contract partners as opposed to the municipalities themselves.
Some of the different angles of this side effect showed themselves several times in 2020 and 2021 after KOMBIT launched the so-called KSD-system in 2019. The KSD-system was purchased by KOMBIT and developed by another private company, KMD. The KSD-system supports and automates the municipalities' case processing and payments in the area of social benefits in case of a natural person’s illness. However, deficiencies and flaws in KSD caused extended case processing time and, to some extent, digitally generated incorrect consultation letters as well as wrongful decisions and payments. In the fall of 2020, when the Parliamentary Ombudsman sent a series of questions regarding the flaws in KSD to Herning, Holstebro and Viborg municipalities, the municipalities had to involve KOMBIT in order to answer the Ombudsman's questions.
The Danish Parliamentary Ombudsman, letter to Herning Municipality of 2 March 2021, doc. no. 20/05623-22/STM, point 2.
Further, the Minister of Employment later briefed the Parliament Employment Committee on the progress of rectification of the flaws and deficiencies of the system. Here, he stated that: "KOMBIT, which is owned by the municipalities via Local Government Denmark, sent a statement on the 9 of June to the Labour Market and Recruitment Agency (STAR) which describes that there has been a flaw in KSD, which resulted in wrong payments to smaller private companies and self-employed citizens. KOMBIT informs of a total wrong payment of up to DKK 110 million in the period November 2019 to March 2022.”
The Minister of Employment's briefing to the Parliamentary Employment Committee on erroneous payments to smaller private companies and the self-employed in the Municipal Sickness Benefit System (KSD) as a result of flaws in the system of the 1 of July 2022, Employment Committee 2021-22, appendix 312, https://www.ft.dk/samling/20211/almdel/beu/bilag/312/2603953.pdf.
In other words, the development from analogue to digitalised public administration has impacted how the public sector is organised and the embedded governance structure, especially as the systems are developed by private companies who are, per definition, not subject to administrative law.

3. The Digital administration in Denmark

3.1 Introduction

The high level of digitisation in the Danish public sector stems from early efforts later combined with more than 20 years of national public digitalisation strategies prioritising and pushing the development of digital infrastructure and different forms of cooperation across administrative areas and jurisdictions. This approach has resulted in the United Nations rating Denmark as the country in the world with the best digitalised public administration several times throughout the years.
In United Nations Department of Economic and Social Affairs, 2022, United Nations eGovernment Survey 2022 – The Future of Digital Government, the Danish Public administration is ranked number one.
To present the Danish digital administration's main characteristics in a proper context, a brief historical overview will be given below in section 3.2. Hereafter, the key elements essential for the functionalities of the digitalised administration will be outlined in section 3.3. In order to provide an idea of the areas prioritised for further development and adjustment in the forthcoming years, the present Joint Government Digital Strategy is presented in section 3.4 before some recent challenges related to citizens’ trust are outlined in section 3.5.

3.2 Historical development

As outlined above, the Danish public sector is highly digitised. The journey towards this level of digitalisation began over 60 years ago as the first government agencies acquired so-called 'data processing machines.' These vast and rather clumsy machines were primarily used to transfer existing paper-based registers into the first databases, e.g. the population register (Folkeregisteret). Further, these first machines assisted some government agencies in performing complex or comprehensive calculations, e.g. within tax administration.
Article 33 in the Ministry of the Interior's instructions for the population register no. 98 of 9 June 1956 mentions punch cards (§ 33 i Indenrigsministeriet instruks for førelse af folkeregister nr. 98 af 9. juni 1956)
Accordingly, the software used at that time was customised to fit delimited tasks in a specific administrative area and created internally by developers hired as civil servants to address the public body's particular needs.
With the later introduction of personal computers (PCs) and, subsequently, standard software for generic tasks, digital tools quickly became widespread in all areas of the Danish public administration. In continuation of this, the public authorities established small local networks, tying the PCs together to share resources, e.g., disk space and printers. These experiments took off a little later as the introduction of the Internet set in motion an action towards increased digital communication. Thus, from the late 80s, networks, printers, PCs, e-mails, and electronic calendar systems steadily replaced typewriters, calculators, mail carriers, and paper calendars. During the 90s, almost all internal communication became digitalised in the public sector in Denmark.
With the increased use of IT, early digitisation quickly followed as EDH and ESDH systems emerged (Electronic Document Handling and Electronic Case and Document Handling Systems). These systems introduced the potential of process support systems and are to be regarded as the beginning of the digitalisation era in the Danish public administration.
Legal literature generally refers to automatisation as a term covering all predefined processes, sometimes divided into full and partial automatisation. Here, a distinction is made between digitalisation as process support and as process steering. Process support, as a term, covers digital elements that are 'simply' included in an otherwise analogue process, i.e., tools for caseworkers. Process steering, however, means that central functions in a process are predefined (automated) and embedded in a digital system, e.g. in a health and care system, where integrated workflows such as automatic calculation of medication and sharing of prescriptions with pharmacies are combined as workflows with decision-support elements that affect each other according to the defined rules. The difference between these two types of digitalisation can be illustrated via different designs of self-service systems. A process steering system automatically fills in information from public databases, and the process is designed to adapt according to different information, such as addresses, marital statuses, etc. A process support system may be a simple PDF to be submitted by the citizen via a portal. The latter form is often referred to in Denmark as "digital paper", as it is simply an electronic replication of one or more manual proceedings and not digitalisation as such.
During the late '90s and the '00s, larger, customised software became increasingly common in public administration. An early example is the PAS (Patient Administration System), which was designed specifically for the Danish healthcare sector. The technological developments also prompted the Danish municipalities in 1970 to form a collaboration and establish a company, Kommunedata, which was assigned to develop and purchase digital systems for the Danish municipalities. This company was sold decades later, and KOMBIT was established; see about KOMBIT above in section 2. From this point, if one fast-forwards to 2023, the Danish public administration at all levels uses more than 4000 digital tools and process-support and process-steering digital systems, handling and steering everything from taxation to healthcare.
The development described above also caused almost symbolic changes in terminology. In the early times of digitalisation, the purchase of EDB (Electronic Data Processing) was the common phrase, later replaced by the term ITC or just IT (Information Technology). Today, the term IT is steadily replaced by digitalisation and digital systems, meaning that technology is used to rethink and merge with organisations, processes and governance.
Digital Forvaltning: Udvikling af sagsbehandlende løsninger. / Motzfeldt, Hanne Marie; Taheri Abkenar, Azad. Copenhagen: Djøf Publishing, 2019, and Fra forvaltningsjurist til udviklings- og driftsjurist: Retlige og dataetiske rammer for den digitale forvaltning. / Motzfeldt, Hanne Marie (ed). Djøf Publishing, 2024.
However, the digitalisation stage has only been possible due to the development of a network of databases and a shared digital infrastructure. Here, Denmark has been a timely frontrunner.

3.3 Databases and digital infrastructures

As described above, the Danish public administration's digital systems support or even handle almost all aspects of public administration. However, for these systems to function as intended, relevant and updated data needs to be accessible at all times. In other words, a doctor can only provide proper care for a patient with information from other healthcare personnel on the patient's former treatments, medicine and condition. The tax authorities will only be able to calculate and gather the correct amounts of taxes automatically if they have straightforward and easy digital access to relevant, accurate and updated information (data) on citizens' income. Therefore, an almost unmanageable number of small and large databases feed the different systems with data gathered from citizens, companies and organisations, as well as by other public bodies.
Even before the digital era, the Danish public administration had a strong tradition of keeping large registers, record systems and archives structured and usable for civil servants when performing their tasks. For example, see the population register above in section 2 and just below in the present section. Since data regarding citizens and companies were already stored and maintained, the transition into databases started in the last century, and today, most of the extensive digital databases are readable and connected to multiple digital systems. 
The Danish public administration's two largest and most essential databases are the population register, which is named the Central Person Register (CPR-Register), and the Central Company Register (CVR-Register). The Central Person Register consists of basic information on every citizen in Denmark connected to the national identification number given to every citizen seconds after being born or receiving a residence permit. This national identification number functions as a unique identifier across all the other databases in the Danish public administration. It enables accurate search for and identification of natural persons in all contexts, enabling crosswise data sharing. The other system – the Central Company Register – offers similarly basic information on legal persons, e.g. who owns a company or is responsible for an organisation. The real importance is, however, as with the population register, that the Central Company Register provides a unique identifier given to all legal persons established in Denmark. Like the national identification number for natural persons, this number functions as a ‘can opener’, enabling information to be shared more efficiently between different public bodies.
Further, as digitalisation increased the demand for data and, thereby, data sharing, the national strategies of public digitalisation launched efforts to ensure common technical standards and definitions of data across the public administration as well as projects aiming at improving data quality, enabling easy connection between different systems and databases as well as trustworthy data. Further, several specific public agencies have been established to gather, format, and make data available for other public entities and the private sector. Typically, these agencies are tasked with collecting, structuring, processing, and sharing data from specific parts of the public sector or private actors, such as health data, geodata or data regarding education.
An example of such a Danish agency is the Danish Health Data Authority (Sundhedsdatastyrelsen), which gathers and formats data from the public and private Danish healthcare sector, such as doctors, hospitals, and private practitioners. The Danish Health Data Authority also maintains several national health databases, such as the Medicine Card (Fælles Medicinkort). Another example is the Agency of Data and Infrastructure (Styrelsen for Data og Infrastruktur), which is tasked with gathering geodata, including data on buildings, exact borders and sizes of regions and municipalities, as well as handling data regarding all building addresses in the country. This data is being shared with other public agencies, such as the tax authorities, who use the data to calculate property values for taxation purposes. A third example is the Agency for IT and Learning (Styrelsen for IT og Læring), which gathers data from all schools and other educational institutions in Denmark, such as graduation data related to which courses students choose.
Besides the databases, centralised and decentralised, used by the Danish public administration, a range of shared systems and platforms have been developed at a central level during the last decades, enabling a high degree of digitalisation. First – and maybe foremost – the Agency for Digital Government has had an authentication system, MitID, developed. MitID can be combined with signature systems in compliance with the eIDAS regulation and is used across and at all levels of the Danish public administration.
Regulation (EU) no 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Further, the platforms Borger.dk (Citizen.dk) and Virk.dk (Company.dk) are essential as they are a window for citizens – natural and legal persons – to gain information on public services, regulations and to access a wide range of self-service systems from different public bodies, which are gathered at the portals. Also available on the platforms is the public Digital Mail (Digital Post), an official mailbox dedicated to all communication between the public administration and citizens (natural and legal persons alike). Digital Post is regulated in statutory legislation, ensuring that possession and use hereof is mandatory for citizens (unless a dispensation is applied for due to, e.g. mental handicap) and that Danish authorities can write to both natural and legal persons with binding effect via this mail system.
Act no. 686 of 15. April 2021 on Digital mail from public authorities.
 
While MitID, Borger.dk and Virk.dk might be the most visible of the systems forming the infrastructure of the Danish digital administration, they are supplemented by the databases and a large number of systems that support digitalisation internally and across different jurisdictions, e.g. the invoice system developed to ensure compliance with the standards set by the EU Commission and the Agency for Public Digitalisation's synthetic dataset developed for testing systems before they are taken into use.
Commission Implementing Decision (EU) 2017/1870 of the 16 of October 2017 on the publication of the reference of the European standard on electronic invoicing and the list of its syntaxes pursuant to Directive 2014/55/EU of the European Parliament and of the Council.

3.4 The Joint Government Digital Strategy

The development towards becoming one of the world's most digitalised public sectors has required significant investments and planning, coordination and prioritisation of initiatives and projects. Therefore, since 2001, the Danish Agency for Public Digitalisation, originally a part of the Ministry of Finance, now of the Ministry for Digitalisation and Gender Equality, has cooperated with other central, regional, and local government institutions in order to draft Joint Government Digital strategies every fourth year. The latest of these strategies was published in 2022 and will thus steer initiatives and projects until 2025.
The Joint Government Digital Strategy for 2022–2025 focuses on how digitalisation can solve some of Denmark's significant societal challenges in the coming years, mainly an increasing labour shortage, a need for a green transformation and a lack of resources within welfare and healthcare. The strategy is structured into four visions with specific initiatives to be funded to fulfil said visions. Across the visions are five so-called objectives – waypoints – to steer all the initiatives.
In subtitles, these waypoints are: Digitisation is a means, not a goal in itself; everyone is to be included; focus on coherency, transparency and trust, responsible digital development and shared digital foundations. See further on inclusion in section 3.5.
The first vision is to develop a more coherent and user-friendly digital public sector for everyone. This includes 17 initiatives, including more cross-jurisdiction cooperation, user-friendly digitalisation, improvements of the public power of attorney solution, further development of the so-called My Insight system (Mit Overblik) enabling citizens to access an overview of their cases and data and a national guide to health apps. The second vision is to remedy the labour shortage in Denmark via digitalisation, which focuses on further automation and – notably – increased use of AI. The third vision is to utilise digitalisation to support the green transition, and the connected initiatives are, among others, the establishment of a database for the recycling and reuse of construction materials and the development of a CO2 calculator to be used at all levels of the public administration. Finally, the fourth vision of the Joint Government Digital Strategy for 2022–2025 is to ensure a stronger foundation for future digital development, which, among others, will lead to initiatives strengthening the development of Danish language models and initiatives within cyber- and information security.
At first glance, all of these visions and initiatives seem to aim to further the digitalisation of the Danish public sector and bring even more advanced technology into use. In reality, however, some of the initiatives are continuations or even adjustments of former initiatives, as these are still not fully realised, or because further initiatives turned out to have been realised via too far-reaching measures, thereby negatively affecting citizens' trust and inclusion.

3.5 Challenges

As mentioned above in section 2, the digitalisation of the Danish public sector has affected the traditional organisation and governance model. The long-term effects hereof have still not surfaced but will probably have to be handled in the future in order to ensure the values of democracy, the rule of law and a citizen-friendly public sector. In the summer of 2022, however, another challenge was uncovered as a heated public debate arose. The background hereof was that a rather large group of citizens claimed to feel helpless, alienated, and frustrated when interacting with the digitalised administration.
The background for this debate might illustrate how difficult it is to predict the challenges that will arise due to public digitalisation. In 2021, the Danish Agency for Public Digitization published a report that concluded that there was a high degree of trust among the population in the digitalised administration. However, in July 2022, a legal think tank, Justitia, published another report. The report from the independent legal think tank concluded that there were significant challenges to inclusion and, as a result, also to citizens’ legal certainty. It estimated that up to one-fourth of the population had significant or at least some difficulties navigating the digital administration. The report from Justitia was the starting point for the abovementioned extensive debate, which introduced a new term in Denmark: the digital underclass. In line with a series of articles from a leading newspaper in Denmark, Politiken, the debate became broader. Even famous artists joined. The painter Per Arnoldi contributed by designing a sign for digitally vulnerable citizens, on which was written 'I(t)nvalid', corresponding to the well-known sign for invalid. The famous Danish actor Ghita Nørby was interviewed in several articles and at events as she claimed that digitisation had 'broken the welfare state'.
This debate is mirrored in the first of the visions in the present Joint Government Digital Strategy for 2022–2025, as this vision implies a series of initiatives to increase accessibility and ensure that non-digital citizens can contact public bodies (inclusion). As former strategies initiated legislation to make the use of digital self-service systems, the public digital mail, and possession of the authentication system, MitID, mandatory, the present strategy acknowledges that those harsh means have led to a public administration perceived as distant and unapproachable by some citizens.
The National Digitalisation strategy for 2011-2015 aimed at increasing citizens' use of self-service systems. Therefore, a basis for issuing executive orders making the use hereof mandatory was given in Act no. 742 of 1. June 2015, Act no. 552 of 2. June 2014, Act no. 622 of 12. June 2013 and Act no. 558 of 18. June 2012, see the Strategy: https://digst.dk/media/12704/digitale_vej_til_fremtidens_velfaerd.pdf
In other words, the present Danish vision of a digital administration for all citizens illustrates how the former strategies might have driven digitalisation far but also caused unforeseen consequences that are now to be mitigated in the present strategy.

4. The legal framework

4.1 Introduction

The legal framework of the Danish digital administration can be divided into two overall categories. One consists of regulation applicable only to specific public bodies such as the police or for specific areas such as welfare regulation. The other category is the general regulation that applies to all public authorities’ activities unless otherwise laid down in legislation. Within the latter category are, among others, constitutional law and legal principles derived from the constitution, EU- and international fundamental rights regulation and general administrative law. These legal disciplines interact with the overall legal framework of the Danish digital administration and are presented in the following sections 4.2–4.4. Section 4.5 presents the forthcoming AI Act, and the AI Act's impact on the Danish regulatory system is discussed in section 4.6.

4.2 Constitutional principles and legal basis for digitalisation

The Danish constitution has been linguistically almost unchanged since the June constitution of 1849 was adopted. In spite of this, national constitutional law, by virtue of tradition and interpretation of the historical text, does contain some basic principles of relevance for the digitalised administration.
First and foremost, it is recognised as an underlying value that the legislative power draws its legitimacy from democratic elections and that the executive power, which does not have such legitimacy, thus must be exercised in compliance with the regulation adopted or otherwise regarded as accepted by the legislator. Further, those who exercise the entrusted executive powers must be able to be held accountable by (at least) the courts.
Further, but not quite as relevant for the digitalised administration, citizens are guaranteed a certain minimum of rights. The Danish constitution's catalogue of fundamental rights could be more impressive compared to other countries, but individual political and personal rights are nevertheless granted. The politically oriented rights are the freedom of expression, the freedom of association, the freedom of assembly, the individual personal freedom and the inviolability of housing and property rights.
Second, the requirement that the executive power must have a basis in law for its activities is derived from Article 3 of the Danish constitution, which constitutes the legislative, executive and judicial powers.
The above generally implies for the Danish administration that public authorities must be authorised in law to carry out their activities, have to perform their tasks in accordance with applicable regulation and that legislation takes precedence over executive orders, administrative orders, guidelines and decisions (the principle of legality). However, the significance of this is not straightforward in relation to the development and use of digital systems in public administration.
There is, however, consensus that a basis in statutory law is required if burdens are placed on citizens (natural as well as legal persons) or their legal or financial status is affected by public authorities' activities. The heavier the burden or deeper the intervention, the more precise and unambiguous the legal basis must be.
Forvaltningsret / Mørup, S. H., Garde, J., Jensen, J. A., Jensen, O. F., Madsen, H. B., Revsbech, K., and Terkelsen, O. 7 ed. København: Djøf Forlag, 2022, p 148-155.
On the other hand, an indirect presupposed and/or budgetary basis is usually sufficient to decide organisational matters, design workflows and similar internal matters. In some instances, such an indirect presupposed and/or budgetary basis can even be extended to regulate the behaviour of citizens, e.g. to issue relevant and proportionate codes of conduct in a public institution.
Regarding the digitalisation of public administration, it is evident that a statutory legal basis is not required to buy and use simple digital tools such as office packages. A budgetary basis is sufficient in such cases. On the other hand, some digitisation projects may be so disruptive for the affected area of administration that the abovementioned ideals pull towards ensuring acceptance by the democratically legitimised legislature.
Forvaltningsret / Mørup, S. H., Garde, J., Jensen, J. A., Jensen, O. F., Madsen, H. B., Revsbech, K., and Terkelsen, O. 7 ed. København: Djøf Forlag, 2022, p 178-182.
In addition, other circumstances may add weight in favour of a legislative process, e.g. a high-risk economic profile of a digitalisation process or a significant risk of imposing financial loss on citizens – natural and legal persons alike – due to e.g. prolonged response periods when a system is taken into use. Further, tendencies in legislative practice indicate that Danish public bodies, to some extent, either perceive themselves as obliged to or find it appropriate to seek legislative approval of more transformative digitalisation processes. Common denominators in seeking a legislative framework seem to be whether a planned digitalisation project poses a risk of non-compliance with fundamental legal principles, or a potential negative impact on the governance mechanisms within the public administration or on the interaction with citizens. Finally, the project's financial risk profile, the risk of legal repercussions and data ethics considerations seem to be of relevance.
An example is an amendment to the Danish Tax Reporting Act and the Tax Control Act, adopted in 2021.
Act no. 2612 of 28. December 2021.
The amendment provided a legal basis 'to process, including share, possessed data to develop digital systems necessary for the customs and tax administration's exercise of authority' and that the tax authorities: 'may collect and process all necessary data about natural or legal persons' financial and business affairs from other public authorities and from publicly available sources, and merge such data with data already in the customs and tax administration's possession, with the purpose of developing systems necessary for the customs and tax administration's exercise of authority'. In line with what is described above, it is indicated in the preparatory documents that the establishment of an unambiguous legal basis for the planned development of machine learning and analytical models had been found appropriate due to: 'fundamental societal values and basic legal principles'.
Bill no 73 of 10. November 2021
Further, the initially mentioned requirement of compliance with applicable regulation may presuppose legislative changes where efficient use of digital systems burdens citizens or a governance structure violates applicable rules. This was clearly shown during the National Digitalisation Strategy 2011–15, as this strategy initiated mandatory use of the majority of self-service systems to achieve a goal of 80 per cent of the population of legal age communicating with public authorities through these systems.
Act no. 742 of 1. June 2015, no. 552 of 2. June 2014, no. 622 of 12. June 2013 and no. 558 of 18. June 2012.
Requiring citizens to use a specific form of communication is, however, regarded as a burden and, at the same time, deviates from a fundamental principle of Danish administration stating that citizens (within reasonable limits) have the right to contact an administrative body in any form.
In the Danish Parliamentary Ombudsman's opinion, published in FOB 2015-36, he stated that the Municipality of Frederiksberg did not have a legal basis for requiring – as indicated on the municipality’s website – that citizens file complaints regarding parking charges via the municipality's digital self-service system. A similar statement can be found in the opinion published in FOB 2019-11 and the Parliamentary Ombudsman's newsletter, published on the 25th of May 2023.
In other words, a statutory legal basis is required if developing and/or using a digital system implies deviation from existing regulations. Article 32 b of the Danish Public Administration Act's derogation from the former signature requirement when automated decision-making is initiated, is an early example.
Consolidated Act 2014-04-22 No. 433 Public Administration Act and Bill no. 13 of 2. October 2013 on amendment of the Public Administration Act, the Act on the Danish Security and Intelligence Service (PET) and the Act on the Danish Defence Intelligence Service (FE).
Another example is related to the doctrine of delegation (outsourcing of executive power), which led to the Act on NemID and, later on, MitID, allowing private companies to operate, maintain and govern the systems on authentication.
Act no. 439 of 8. May 2018.
The Danish Parliamentary Ombudsman's case, published in FOB 2017-19, was initiated by a local ombudsman in the municipality of Faxe, who had tried to advise some elderly citizens who had been refused a NemID by the municipality but needed a NemID in order to report their leasing of farmland (fields) via the mandatory self-service system for such (mandatory) reporting. As justification for the refusal, the municipality referred to the binding guidelines on NemID, which had been drafted by the private company Nets DanID. The background hereof was that the Agency for Public Digitalisation, which owned NemID, had outsourced the development and maintenance of NemID to Nets DanID. Nets DanID had later agreed with the municipalities that the municipalities would handle the citizen-related tasks regarding issuing NemID as so-called registration units. As part of the agreement, the municipalities were obliged to comply with the guidelines and instructions drawn up by Nets DanID when issuing a NemID. In other words, outsourcing from the Danish Agency for Digitalisation to Nets DanID had been followed by Nets DanID's subsequent instructions to the municipalities, which are independent of the Danish Agency for Digitalisation. An agreement was therefore reached between the Ombudsman and the Agency for Digitalisation that an unambiguous legal basis for the outsourcing of NemID had to be established.
Finally, the legislator will probably be involved increasingly in connection with the initiation of – at least more extensive – projects when it is necessary to deviate from EU regulation (if such deviations are possible under EU law) or EU law requires a more precise and more unambiguous legal basis for processing personal data than required according to Danish constitutional and administrative law. An early example of such deviation is the Act on the Danish Business Authority's processing of data. Based on Article 23 of the data protection regulation (GDPR), this Act provided a mandate for executive orders deviating from the purpose limitation principle in Article 5, subsection 1, letter b, of the GDPR.
Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The preparatory documents state that the purpose hereof was to provide the Danish Business Authority with the opportunity to develop machine learning-based predictive modules and modern data analysis methods.
Act no. 438 of 8. May 2018 and Executive Order no 989 of 29. June 2018 and Bill no. 149 of 21. February 2018, section 3.1.2 and commentary on article 1.
The requirement of an unambiguous legal basis follows from the GDPR and Article 8 of the Charter of Fundamental Rights of the European Union, which states that a legal basis for processing personal data must be established. As a citizen's consent can rarely constitute the legal basis for processing personal data in the digital administration, public bodies must rely on Article 6, subsection 1, letter e, of the GDPR. According to this provision, the processing of personal data can be initiated if the processing is necessary for the exercise of public authority. The embedded requirement of necessity varies from an implicit to a strict assessment, requiring clear, precise and unambiguous national regulation allowing the processing in question. Clear, precise and unambiguous clarification in national law is especially needed if the processing of personal data can be regarded as high risk, e.g., profiling of vulnerable citizens using sensitive personal data.
The Danish Data Protection Agency Guide on Public Authorities Use of Artificial Intelligence, 2023, p. 19.
The Act on an Active Employment Effort is another example of a regulation providing an unambiguous legal basis for processing personal data.
Consolidated Act no 701 of 22. May 2022.
An amendment in 2019 provided the Agency for Labour Market and Recruitment with a legal basis to process personal data in order to develop and offer a nationwide digital profiling tool.
Bill no 210 of the 27 of March 2019 and the Danish Data Protection Agency case no. 2019-11-0236
The tool entailed, among other things, that an assessment of the risk of long-term unemployment of newly unemployed citizens could be carried out based on data from the citizens and from the Ministry of Employment as well as from other public databases. Several years later, the Danish Data Protection Authority was asked if a municipality could lease and use a similar profiling system called Asta, which a private company had developed. Using Asta similarly entailed a machine learning-based analysis of newly unemployed citizens' risk of becoming long-term unemployed. However, the processing of personal data via Asta – in contrast to the tool developed by the Agency for Labour Market and Recruitment – did not have a clear national legal basis. The Danish Data Protection Authority stated, in general, that for completely harmless processing of personal data, the requirements [for clarity in national law] will not be particularly strict. If, however, the processing in question may be regarded as intrusive, as is the case of Asta, the demand for clarity of the necessity increases.
In summary, there is a tendency towards seeking a legal basis in legislation, at least for more significant, high-risk digitalisation projects. Such a basis will be required if the development or use of a system will imply a deviation from existing regulations or requires a clear and unambiguous basis for processing personal data. In other words, the core democratic functions must be regarded as integrated in relation to the digital administration, as the democratically legitimised legislature's acceptance of more far-reaching digitisation initiatives seems to be sought.

4.3 Fundamental Rights

4.3.1 Introduction
The result of an ageing Danish constitution, combined with a dualistic approach to international law, is that fundamental rights are primarily carried into the digital administration via EU law. Of lesser – but still some – influence are the international human rights instruments. Denmark has ratified and implemented the European Convention on Human Rights (hereafter ECHR) in Danish law, just as Denmark has ratified the UN Convention on the Rights of Persons with Disabilities. Together, the Charter and these international instruments form part of the overall legal framework to ensure citizens' fundamental rights in the digitalised Danish administration as in the former analogue and paper-based administration.
The relevance of international human rights regulation can be illustrated by cooperation between the Danish Institute for Human Rights and the German Agency for International Cooperation (GIZ). The institutions have introduced a tool to identify and assess human rights risks while developing digital systems.
In the following, those provisions of the Charter of Fundamental Rights of the European Union, which assumedly will be essential elements of the legal framework for the digitalised administration in the forthcoming years, are presented in section 4.3.2, followed by a similar presentation of international human rights instruments in section 4.3.3. In section 4.3.4, an analysis of the capability of Danish Administrative law to ensure compliance with fundamental rights in digital administration is carried out before looking into the forthcoming AI Act and the EU regulation's potential impact on the Danish legal framework in sections 4.5 and 4.6.
4.3.2 The Charter of Fundamental Rights of the European Union
Within the scope of EU law, the Danish legislature and the executive power are obliged to respect the fundamental rights of citizens as these are recognised in EU law. This implies that public authorities – just like the bodies of the EU – are to observe the duties arising from the ECHR and the Charter of Fundamental Rights of the European Union (hereafter the Charter), cf. Article 51 of the Charter. Within the digital administration, the authorities must, therefore, not only respect secondary EU legislation applying to the development, implementation and use of digital systems but also – if an activity is within the scope of EU law – ensure compliance with fundamental rights and the core principles of EU law, e.g. equal treatment, protection of legitimate expectations and proportionality.
According to Article 51 of the Charter, national public authorities and courts must ensure compliance with the Charter when they make decisions based on EU regulation or a national regulation implementing an EU directive. The same applies if there is a strong functional connection with EU law or national regulation that interferes with the four freedoms regarding goods, persons, services and capital.
The Charter consists of a broad range of rights not recognised in the Danish constitution and of legal principles, which in Denmark are regarded as case law-based principles of administrative law (even though EU and national legal principles are not entirely identical). In particular, articles 41, 8, 20 and 21 of the Charter are essential elements of the legal framework applying to the Danish digital administration.
For the digital administration, the underlying principles of Article 41 of the Charter laying down the requirement of good administration may be relevant for the Danish legislature's ability to deviate from the requirements for, among other things, a consultation (fair hearing) before a decision is taken. Article 41 does, in principle – in a relatively general form – only regulate administrative procedures within EU administration. However, the EU Court of Justice has stated that, among other things, the right to a hearing, established in Article 41, is a codification of an underlying principle. This legal principle binds the Member States if EU law applies – and will thus carry the contained procedural requirements into the digital administration.
Furthermore, the Charter's article 8, subsection 1, states that: "[e]veryone has the right to the protection of personal data concerning him or her" and in subsection 2, that: "Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified." Article 8 is, in particular, specified in the GDPR and the directive on data protection in law enforcement. See above in section 4.2.
Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council of the 27 of April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
The GDPR is – in a Danish context – regarded as a part of general administrative law.
Finally, articles 20 and 21 of the Charter will probably gain increasing importance as the development and use of machine learning and other forms of artificial intelligence expand – a goal pursued as a part of the visions in the Danish Joint Government Digital Strategy for 2022–2025, see above in section 3.2. Article 20 of the Charter proclaims that "Everyone is equal before the law", and the Charter's Article 21, subsection 1 states that "Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited". Since an inherent risk of AI is that bias in training data is passed on to the developed models, these provisions will form a legal framework requiring that the use of AI does not lead to discrimination contrary to these provisions. This will, in particular, apply to profiling models used to assess citizens based on differences in variable values, which – depending on the model's design – may entail a risk of direct or indirect discrimination.
Direct discrimination against a protected group may occur if a profiling model uses a variable characterising a protected group of citizens. This could, for example, be gender, consequently awarding male citizens a higher probability of being classified positively while females are classified negatively (or vice versa). Indirect discrimination may occur if a model in practice places a protected group in an unfavourable position compared to others, even if the model does not contain a variable characterising the protected group, i.e. even if the model is blinded to said group. An example could be a statistical connection between residence and ethnicity. If citizens of specific ethnicities are overrepresented in certain residential areas, a model with residence as a variable might affect some ethnicities more than others.
In continuation of the above, it is noteworthy that the Danish Institute for Human Rights has pointed out in a recent report that the use of opaque AI may increase citizens' difficulties in proving indirect discrimination unless the legal framework is adjusted into a shared burden of proof.
4.3.3 The European Convention of Human Rights (ECHR)
The scope of the ECHR and the Danish dualistic approach entails that the ECHR affects the legal framework for the Danish digital administration differently than EU law. In contrast to the promotion of harmonisation and the enforcement of the EU interpretation style, the ECHR provides a relatively wide margin, and the ECtHR has a distinctive focus on the circumstances of every individual case. The ECHR's impact on the Danish legal system has, therefore, primarily played out within the specialised administrative law; see the distinction between general regulation and regulation applying to delimited areas above in section 4.1. Examples are forced fixation of psychiatric patients, expropriation and the Danish legislation and case law on immigrants and refugees.
However, the ECtHR's expanding interpretation of the ECHR has historically been shown to establish duties of care for public authorities that might become important as a part of the legal framework for the Danish digital administration, as this might require that proactive measures be taken in order to ensure that systems and the use hereof are designed in such a way that compliance with the ECHR is promoted. Here, attention is drawn to six aspects expected to become relevant for those who develop and use digital systems for and in public administration.
Firstly, the ban on self-incrimination in Article 6 of the ECHR must be taken into account when citizens are required to provide data (information) to the public authorities via self-service systems and these data are intended to be used in different contexts, and Article 6 is relevant in some of these contexts. Secondly, the ECtHR has stated that article 8 of the ECHR – like article 41 of the Charter – contains procedural rights such as the right to a fair hearing before a decision directed at a citizen is reached. Thirdly, case law from the ECtHR requires reasonable processing time. This might not seem relevant regarding digitalisation, but experience shows that implementing newly developed systems might cause prolonged processing time. Fourthly, in principle, Article 8 of the ECHR lays down requirements for processing personal data, just as this provision, in interaction with Article 10 of the convention, may impact certain groups' right to access documents. Finally – as the fifth theme – the ECHR requires that public bodies ensure translation services in a number of situations in order to ensure citizens can understand guidance from and decisions made by public authorities.
The latter requirement illustrates how legal requirements under the ECHR in Denmark will interact with other international obligations and national administrative law, thereby placing the ECHR in the background. In relation to translation services, Denmark has ratified the Nordic Language Convention, the European Charter for Regional or Minority Languages (the Language Pact) and the Council of Europe's Framework Convention of the 1 of February 1995 on the Protection of National Minorities (the Minority Convention).
Executive Order No. 16 of the 10 of March 1987 of the Nordic Convention of the 17 of June 1981 on the right of Nordic citizens to use their own language in another Nordic country, Executive Order No. 28 of the 23 of August 2001 of the European Pact on Regional or Minority Languages of the 5 of November 1992 and Executive Order No. 13 of the 23 of April 1998 of the Council of Europe's Framework Convention of the 1 of February 1995, see the conventions at https://www.norden.org/en/treaties-and-agreements/nordic-language-convention, https://llengua.gencat.cat/en/serveis/legislacio_i_drets_linguistics/el-catala-i-europa/carta_europea_de_llengues_regionals/ and https://rm.coe.int/168007cdac
When interpreted into Article 7 of the Danish Public Administration Act, laying down an obligation to provide guidance for citizens, this spaghetti ball-like framework of conventions entails a duty to ensure that at least the digital self-service systems, which are mandatory for citizens to use, are offered in relevant foreign languages, or an alternative communication channel is available.

4.4 Danish Administrative law

4.4.1 Introduction
Danish administrative law only partially consists of legislation such as the Public Administration Act, the Freedom of Information Act, the GDPR, and the supplementary Danish Data Protection Act.
Consolidated Act no. 145 of 24. February 2020, and Act no. 502 of 23. May 2018.
Case law-based principles apply next to this statutory regulation, thereby providing Danish administrative law with a somewhat dynamic nature, enabling the regulation based on underlying legal values to adapt to societal changes such as the digitalisation of the public administration. In accordance herewith, supervisory bodies, with the Parliamentary Ombudsman at the forefront, have developed Danish administrative law and set up requirements for the design and functionality of digital systems, their development, implementation and use.
The Danish Principle of Administrative Law by Design. / Motzfeldt, Hanne Marie. In: European Public Law, Vol. 23, No. 4, 2017, pp. 739-754.
This case law is under continuous development in line with the technological and societal changes and is characterised by searching: "the legal toolbox for regulation able to be meaningful in the new technological context."
Niels Fenger, Ombudsmanden – et værn for borgernes retssikkerhed, U 2020 B 37. See the same author (and the appointed Danish Parliamentary ombudsman), How do we digitise without harming our legal certainty?, FOB 2019.
The development of administrative law in Denmark has revolved mainly around two starting points. First, administrative law and the norms of good administration are technology-neutral. Therefore, the regulatory requirements apply regardless of the technology a public body uses to perform its assigned tasks. Second, public administration must be organised and carried out in a compliant, efficient and trustworthy manner, no matter the technologies used. The following section, 4.4.2, will outline how these starting points led to a requirement of designing technologies and their use in such a way that compliance with administrative law is supported. Section 4.4.3 focuses on other requirements – namely, the demand for a prior compliance investigation, testing and supervision, respectively.
4.4.2 Administrative law by design
The Danish principles of good administration require that public authorities establish an organisation and implement workflows that are able to support a compliant and efficient administration. This fundamental requirement is mirrored in legislative practice. It is, for example, stated in the preparatory documents to Act on the Regions that the regional Council is 'responsible for ensuring that formalities are complied with, i.e. that sufficiently qualified personnel are employed, that these employees observe the principles of good administration and, that internal measures are taken to implement appropriate workflows, routines and supervisory procedures'.
Bill no. 65 of the 24th of February 2005, comments to article 16.
How the above-described approach has been carried into the digital era can be illustrated via a response from a former Minister of Health to the Danish Parliament's Health and Elderly Committee in 2017 regarding a system named Cura. The minister stated, among other things, 'Responsibility for patient safety in the healthcare system lies with the operators, i.e. regions, municipalities and private actors. It is the operators' responsibility to react if tasks are carried out in a way that endangers patient safety, just as the operators are obliged to ensure that the employees have the proper skills for the tasks they are carrying out. Similarly, it is the operators' responsibility to ensure that the digital systems used are reliable, that the employees are trained to use the systems and that the systems do not endanger patient safety'.
The Parliament Health Committee 2017–18, answer to question no. 402, https://www.ft.dk/samling/20171/almdel/SUU/spm/402/svar/1464763/1855071.pdf
Similarly, the Danish Parliamentary Ombudsman has stated in numerous opinions that digital systems for the public sector are to be designed to support a compliant and efficient administration.
This implies that Danish authorities are obliged to commit to a value-based design and ensure that administrative law is included in the design and use of their digital systems. The underlying idea is that since the design, architecture, functionalities and use of digital systems affect the administration, the responsible authorities are obliged to – similarly to designing analogue processes – proactively ensure the system’s capacity to support a compliant and efficient administration.
An older yet illustrative case is published by the Parliamentary Ombudsman in FOB 2006.390. The case related to a record system used by the University of Copenhagen in connection with handling cases on student grants. The system lacked functionality for searching previous cases based on provisions of the applied legislation or similar substantive criteria. In his opinion, the Ombudsman raised doubt as to whether it was possible to ensure a uniform practice in accordance with the principle of equality if the university was not able to conduct searches in the institution's previous administrative decisions. In this specific case, the Ombudsman recommended measures to mitigate the effects of the deficiencies of the record system, for example, procedures for keeping lists or summaries based on substantive criteria. In other words, the opinion illustrates that digital systems should be designed to support compliance with the principle of equality.
The Danish principle of administrative law by design is, among others, codified in the Freedom of Information Act. Article 1, section 2 of the Act states that public authorities are to ensure that openness is considered to the widest possible extent when digital systems are chosen, developed and implemented. The Danish Freedom of Information Act entered into force in 2013. The value-based approach was, however, strengthened as a fundamental legal figure in Danish administrative law when the GDPR came into effect in 2018. 
4.4.3 Proactive compliance assessments and supervision during use
The Danish administrative law requirements for developing and using technologies are somewhat similar to the EU regulatory models applied in the GDPR and regarding high-risk systems in the AI Act. First, a prior investigation of a digitalisation project's legal, practical and technical aspects must be carried out (a good administration impact assessment). Second, public authorities are to ensure proper testing of digital systems before they are taken into use and to initiate training of employees in using the system. Finally, the system and the impact on the administration are to be supervised, and action taken if system deficiencies or flaws lead to violations of regulation or the norms of good administration.
The good administration impact assessment is to be initiated in the early stages of developing a digital system. The requirement for this procedure originates from a combination of the norms of good administration, the inquisitorial principle, the principles of civil servants’ liability, and the principles of responsible use of public funds. Further, influence or inspiration from legislative trends is likely, as similar requirements can be found in the GDPR.
A preliminary status on the requirement for a good administration impact assessment has recently been given by the Parliamentary Ombudsman in FOB 2022-11 and FOB 2022-12. Here, the Ombudsman stated, 'It is a fundamental requirement that public digital systems support a correct application of the relevant legislation – including administrative law and fundamental principles. This can best be ensured by early identification and system incorporation of the relevant regulation. A proper organisation of the development of new digital systems for the public sector, therefore, presupposes, among other things, that an overview of the types of cases and processes affected by the planned system is created, that it is mapped which formal rules (e.g. on hearing and reasons for decisions) and substantive rules (e.g. on the exercise of discretion in the individual case) apply to the processes of the affected cases, including whether there may be a need for regulatory changes in order to enable automatisation, that great care is shown in deciding how the new system has to be designed in order to be able to comply with the mapped regulation in the various processes, that relevant legal expertise is available in all significant phases of the development process, e.g. when preparing specifications and design and when carrying out tests etc. I hereby refer to my article, ‘How do we digitise without harming our legal certainty?’ in the Ombudsman's report for 2019 and to the Ministry of Justice's memorandum of 18 November 2015 on administrative law requirements for the public sector's digital systems. See also the Agency for Public Digitalisation guide on digitisation-ready legislation (2018), p. 28, according to which: 'The introduction of digitally supported public administration requires that both development of systems, data flows, administrative s needs, proceedings and regulation are considered.
If the application of legislation is to be supported digitally, the public authority must, therefore, map the legal requirements, i.e. the material and formal rules that a digital system must support. In this way, the public authority will be able to identify the elements of the regulatory framework at an early stage that may pose challenges for digitalised administration […] I finally refer to Hanne Marie Motzfeldt and Azad Taheri Abkenar, Digital Forvaltning (2019), p. 81: It seems to be firmly supported by case law, administrative regulations and legislative indications that public authorities are responsible for and obliged to proactively ensure that technologies are designed and used in such a way that they enable and contribute to the affected administrations' compliance with administrative law and promote the principles of good administration.'
As mentioned above, testing is considered a prerequisite for bringing a digital system into use in the Danish public administration. This has been stated in several opinions from the Parliamentary Ombudsman, most recently in FOB 2023-7. The background to FOB 2023-7 was an EU directive with an implementation deadline in December 2019. In 2018, the Danish Police realised that a new process-support and process-steering system for weapons registration was needed to implement the directive. Therefore, public procurement procedures were conducted in 2019, and a developer was chosen in the summer of 2020. In April 2022, the developer wrote to the police that the system: 'was taken into use on 17 January 2022 due to the EU deadline. At this point, the structured test was not completed, and therefore, there were more flaws in the system than normal; several integrations were incomplete, some minor development tasks were not completed [...], and letters and forms necessary for case processing had not yet been set up in the solution […] The system is, therefore, in a state where it only supports the case processing in PAC to a limited extent.' The Parliamentary Ombudsman criticised the fact that the system had been taken into use before the responsible public authorities had ensured that the system was able to provide sufficient support to the affected administration. He stated that it is very regrettable that the untimely implementation of the system had affected citizens negatively – natural and legal persons alike – by causing an unreasonably prolonged case processing time.
According to Danish administrative law, the testing procedures must be supplemented with measures ensuring an efficient implementation followed by steady supervision of the system and its use. Such measures will usually be instructions for and training of the case workers or other employees in using the system. Furthermore, routines and workflows should be established to ensure that flaws or deficiencies are continuously detected, identified and rectified.

4.5 The forthcoming AI Act

4.5.1 Introduction
Agreement on a regulation on AI has recently been reached within the EU, although the final text has not yet been published. According to the proposal set forth by the Commission in 2021, the overall purpose of the regulation is to establish a well-functioning market for AI within the EU via harmonised regulation. Furthermore, the regulation is to ensure that AI on the EU Market is safe and respects existing legislation, fundamental rights and the EU's values. In addition, the regulation is to ensure regulatory clarity in order to promote investment and innovation and enable effective enforcement.
Public bodies developing and using AI must comply with the regulation when the act enters into force. If the final text corresponds roughly to the EU Commission's proposal and the later published agreements from the trilogue proceedings, there will be three steps in order to ensure compliance. As a first step, it must be examined whether the development, adaptation (change) or use of a given digital solution falls within the scope of the regulation. In this connection and for the sake of the further process, it will often be necessary – similarly to the GDPR – to identify the various actors. The second step is a categorisation of the system's future, changed, or current use. As the third step, the respective provisions for unacceptable risk, high risk and limited risk must be complied with. For the Danish administration, however, it should ideally be considered as a fourth step whether any measures for systems with limited or low risk should be implemented.
Rather than giving a detailed presentation of the regulation based on the preliminary texts, the following section, 4.5.2, focuses on describing the basic structure of the proposal, after which the impact on Danish regulation is discussed in section 4.5.3.
4.5.2 The structure of the AI Act
The proposal for AI regulation rests on a risk-based approach, meaning that the requirements follow the risks assumed to be associated with the various uses of AI. The risk classification is based on the intended purpose of the systems rather than their functions. The specific purpose of and the particular modalities in the use of the system have thus been – and in the future will be – decisive for determining the risk categories.
The Commission's proposal to the European Parliament and the Council Regulation on harmonised rules for artificial intelligence (Artificial Intelligence Act) and on amending certain of the Union's legislative acts, COM(2021) 206 final, section 5.2.3.
The scale of risks is closely linked to the purpose of the proposal, which aims to ensure that the beneficial potential of AI is realised while harmful effects on society and humans are prevented. The focus is not only on the risk of a negative impact on individuals' fundamental rights regarding decisions directed at citizens. For example, the need for precision, safety and robustness is mentioned in connection with the risk of major shutdowns or incorrect treatment in the health and care sector.
Based on an overall assessment of the severity and probability of the possible damages, the AI Act will divide the use of AI systems into the following risk categories: Unacceptable risk, high risk, limited risk and low or minimal risk.
It is not likely that Danish administrative authorities will consider uses of AI that will be viewed as posing an unacceptable risk to society and the rights of individuals. These are listed in section II of the draft regulation on prohibited practices with regard to AI, which, among other things, includes some instances of evaluation or classification of persons' credibility by public authorities. The prohibited use is evaluation or classification based on citizens' social behaviour, personal characteristics or personality traits. However, the ban only applies if one of the following additional conditions is met. Firstly, the use has to lead to harmful or unfavourable treatment of individuals or smaller or larger groups in a social context unrelated to the contexts in which the data were originally generated or collected. Secondly, the harmful or unfavourable treatment has to be unjustified or disproportionate in relation to their social behaviour or the seriousness thereof. In both cases, the prohibition applies regardless of whether the evaluation or classification is carried out by a public authority or by private companies on behalf of a public authority.
Contrary to the unacceptable risk systems, some so-called high-risk systems are likely to be used in the Danish public administration. In the proposed chapter 1 of the AI Act, two main categories were identified as posing a high risk to society and the fundamental rights of individuals.
Chapter 2 sets out the proposed requirements for establishing a risk management system as well as requirements for data and data management, technical documentation, registration, transparency, information, accuracy, robustness, and cyber security. The proposed Chapter 3 laid down obligations on the various actors, while Chapter 4 proposed an administrative framework, and Chapter 5 contained detailed provisions, e.g. standards, certificates and registration.
The first category of high-risk systems will probably only be relevant for public service when using different tools such as welfare tech, as this category is AI intended to be used as a security component in a product or is itself a product. The second category consists of independent systems assessed to pose a high risk to human health and safety or fundamental rights.
Besides the areas of law enforcement and immigration, including border control, the most relevant high-risk systems for the Danish administration must be assumed to be, firstly, the management and operation of critical infrastructure. Secondly, the area of education and vocational training is relevant. Here, the proposal lists systems intended to grant access to or allocate places at educational institutions, evaluate students, or assess participants in tests that are typically required to gain access to educational institutions. Such systems are considered risky due to their potential impact on citizens' educational and working life courses and thus affect their ability to secure a livelihood. Thirdly, AI within employment, management of workers and access to self-employment are regarded as high risk if they are intended for recruiting or selecting candidates, making decisions about promotion and dismissal, assigning tasks, and monitoring and evaluating the performance and behaviour of persons in work-related contractual relationships. It is, however, also included that AI systems used to monitor employees can affect their right to data protection and right to privacy. Fourthly, and probably the most significant area, is access to and use of essential public services and benefits. AI intended to assess people's eligibility for public social benefits and services and assign, reduce, cancel or revoke such benefits and services is considered high-risk. On the other hand, the use of AI in other areas to conduct control – of natural and legal persons alike – does not seem to be considered high risk unless the use can be considered law enforcement.
During the legislative process, supplementary provisions for AI systems that can be used for different purposes were added. Such AI is termed AI for general purposes. The background for introducing the specific provisions hereon was mainly the progress within language models such as ChatGPT. These will be subject to transparency requirements, including technical documentation, compliance with EU copyright law, and disseminating detailed summaries about the content used for training. For so-called high-impact models with systemic risk, further requirements will be applied.
For high-risk systems, comprehensive compliance procedures will be required to ensure risk mitigation, data governance, detailed documentation, human oversight, transparency, robustness, accuracy, and cybersecurity, as well as conformity assessments prior to being put in use and ongoing supervision after the system has been put into use.
Systems with limited risk include all systems – high risk and not high risk – intended to interact with people, recognise emotions, carry out biometric categorisation, or generate or manipulate images, audio or video content. However, the obligation to ensure transparency will mainly be relevant to the Danish Public sector in connection with chatbots. Here, public authorities will be obliged to inform citizens that they are interacting with an AI system if it is not otherwise clear from the context.
The low-risk systems are not subject to regulation according to the AI Act. The proposed text from 2021 did, however, encourage codes of conduct. 
4.5.3 The AI Act's potential impact on the Danish regulatory system
Today, all AI systems developed for and used in the Danish public sector are subject to the requirements laid down in administrative law and are thereby designed to support compliance with relevant regulations, including fundamental rights. Further, a good administration impact assessment has to be performed as AI systems are developed, and the systems are, as outlined above in section 4.4.3, to undergo testing before being taken into use and monitored during use. The national case law has also touched upon the criteria for selecting datasets for training as the Parliamentary Ombudsman in FOB 2021-22 pointed out that a 'data-driven tool' to support the valuation of used cars had to be developed in order to provide qualified assistance to caseworkers, which among other things, involved mapping the appeals body's case law for which data to use and how to weight the developed variables.
When the AI Act enters into force, comprehensive compliance procedures will be required for (only) high-risk systems in a regulatory model with significant similarities with Danish administrative law's proactive approach, according to which digital systems may only be used when it is ensured in advance that the systems support a compliant administration or data processing. Also similar to Danish administrative law is the requirement for ongoing supervision after the system is implemented.
At present, the purposes of the AI Act and the use of a regulation as opposed to a directive suggest that the ECJ will not accept additional compliance requirements imposed on AI systems under national law when the regulation takes effect. In other words, the AI Act might disrupt the carefully developed and balanced national regulation. However, it might be possible to regard the national norms of good administration as a code of conduct applying (only) to the public sector.

5. New and pressing challenges

As elaborated on in section 2, the traditional organisational and governance structures within the public administration in Denmark have been somewhat disrupted by digitalisation. First, process-support and process-steering digital systems are developed and maintained by private companies that are not subject to instructions unless set out in the contracts and are not under the regime of criminal and civil liability, which applies to public servants. In other words, the digital transformation has placed actors not bound by administrative law in a significant role in relation to the digital systems, which are indispensable for everyday administration, services, regulation and collection. Second, systems and databases have been increasingly connected across jurisdictions, further blurring the distribution of responsibilities and roles and establishing a new interdependence as one public body might be unable to perform its assigned tasks if one or more connected systems become inoperable.
The digital administration in Denmark has, as described above in section 3.2, been developed over decades. Most of the infrastructure, as well as the thousands of systems managing everything from learning activities in schools and other educational institutions to automated calculation and collection of income tax, was developed in what one might, in a dramatic tone, call a very different situation related to threats of cyberterror and crime. At the same time, the initiatives to strengthen information and cybersecurity in Denmark need to be more cohesive, which can be illustrated by the fact that the national cybersecurity strategy does not include the municipalities. Further and in light of the high level of digitalisation in Denmark, the forthcoming EU regulation is hardly sufficient to raise the level of awareness and security – a concern that increases as the enforcement of the regulation seems to be somewhat superficial, probably because supervisory tasks have been fragmented into the various ministries.
In other words, as an overall conclusion, Denmark can benefit from stronger and closer Nordic-Baltic cooperation on regulatory issues related to public digitalisation. The most urgent theme – among the many – is probably regulation supplementing the EU's cyber- and information directives and regulations with private suppliers as subjects as well as the public bodies. While EU regulation may be relevant and adequate for the less digitalised countries within the EU, the high degree of digitalisation in the Nordic and Baltic countries necessitates further initiatives. Nordic-Baltic regulatory cooperation in information and cybersecurity might simultaneously increase the potential of systems developed in one of the Nordic-Baltic countries to be considered safe enough to be used in other countries.