4. The legal framework
4.1 Introduction
The legal framework of the Danish digital administration can be divided into two overall categories. One consists of regulation applicable only to specific public bodies such as the police or for specific areas such as welfare regulation. The other category is the general regulation that applies to all public authorities’ activities unless otherwise laid down in legislation. Within the latter category are, among others, constitutional law and legal principles derived from the constitution, EU- and international fundamental rights regulation and general administrative law. These legal disciplines interact with the overall legal framework of the Danish digital administration and are presented in the following sections 4.2–4.4. Section 4.5 presents the forthcoming AI Act, and the AI Act's impact on the Danish regulatory system is discussed in section 4.6.
4.2 Constitutional principles and legal basis for digitalisation
The Danish constitution has been linguistically almost unchanged since the June constitution of 1849 was adopted. In spite of this, national constitutional law, by virtue of tradition and interpretation of the historical text, does contain some basic principles of relevance for the digitalised administration.
First and foremost, it is recognised as an underlying value that the legislative power draws its legitimacy from democratic elections and that the executive power, which does not have such legitimacy, thus must be exercised in compliance with the regulation adopted or otherwise regarded as accepted by the legislator. Further, those who exercise the entrusted executive powers must be able to be held accountable by (at least) the courts. Second, from Article 3 of the Danish constitution, constituting the legislative, executive and judicial powers, the requirement that the executive power must have a basis in law for its activities is derived.
The above generally implies for the Danish administration that public authorities must be authorised in law to carry out their activities, have to perform their tasks in accordance with applicable regulation and that legislation takes precedence over executive orders, administrative orders, guidelines and decisions (the principle of legality). However, the significance of this is not straightforward in relation to the development and use of digital systems in public administration.
There is, however, consensus that a basis in statutory law is required if burdens are placed on citizens (natural as well as legal persons) or their legal or financial status is affected by public authorities' activities. The heavier the burden or deeper the intervention, the more precise and unambiguous the legal basis must be. On the other hand, an indirect presupposed and/or budgetary basis is usually sufficient to decide organisational matters, design workflows and similar internal matters. In some instances, such indirect presupposed problems and/or budgetary basis can even be extended to regulate the behaviour of citizens, e.g. issue t relevant and proportionate codes of conduct in a public institution.
Regarding the digitalisation of public administration, it is evident that a statutory legal basis is not required to buy and use simple digital tools such as office packages. A budgetary basis is sufficient in such cases. On the other side, some digitisation projects may be so disruptive for the affected area of administration that the abovementioned ideals pull towards ensuring acceptance of the democratically legitimised legislature. In addition, other circumstances may add additional weight for a legislative process, e.g. a high-risk economic profile of a digitalisation process or significant risk of imposing financial loss on citizens – natural and legal persons alike – due to e.g. prolonged response periods when a system is taken into use. Further, tendencies in legislative practice indicate that Danish public bodies, to some extent, either perceive themselves as obliged to or find it appropriate to seek legislative approval of more transformative digitalisation processes. Common denominators in seeking a legislative framework seem to be whether a planned digitalisation project possesses a risk of non-compliance with fundamental legal principles, a potential negative impact on the governance mechanisms within the public administration or the interaction with citizens. Finally, the project's financial risk profile, the risk of legal repercussions and data ethics considerations seem to be of relevance.
An example is an amendment to the Danish Tax Reporting Act and the Tax Control Act, adopted in 2021. The amendment provided a legal basis 'to process, including share, possessed data to develop digital systems necessary for the customs’ and tax administration's exercise of authority' and that the tax authorities: 'may collect and process all necessary data about natural or legal person’s financial and business affairs from other public authorities and from publicly available sources, and merge such data with data already in the custom's s and tax administrations possession, with the purpose of developing systems necessary for the customs and tax administration's exercise of authority'. In harmony with the above described, it is indicated in the preparatory documents that the establishment of an unambiguous legal basis for the planned development of machine learning and analytical models had been found appropriate due to: 'fundamental societal values and basic legal principles'.
Further, the initially mentioned requirement of compliance with applicable regulation may presuppose legislative changes as efficient use of digital systems burdens citizens or a governance structure violates applicable rules. This was clearly shown during the National Digitalisation Strategy 2011–15 as this strategy initiated mandatory use of the majority of self-service systems to achieve a goal of 80 per cent of the population of legal age communicating with public authorities through these systems. Requiring citizens to use a specific form of communication is, however, regarded as a burden and, at the same time, deviates from a fundamental principle of Danish administration stating that citizens (within reasonable limits) have the right to contact an administrative body in any form.
In the Danish Parliamentary Ombudsman's opinion, published in FOB 2015-36, he stated that the Municipality of Frederiksberg did not have a legal basis for – as indicated on the municipality’s website – that citizens had to file complaints regarding parking charges via the municipality's digital self-service system. A similar statement can be found in the opinion published in FOB 2019-11 and the Parliamentary Ombudsman's newsletter, published on the 25th of May 2023.
In other words, a statutory legal basis is required if developing and/or using a digital system implies deviation from existing regulations. Article 32 b of the Danish Public Administration Act's derogation from the former signature requirement when automated decision-making is initiated, is an early example. Another example is related to the doctrine of delegation (outsourcing of executive power), which led to the Act on NemID and, later on MitID, allowing private companies to operate, maintain and govern the systems on authentication.
The Danish Parliamentary Ombudsman's case, published in FOB 2017-19, was initiated by a local ombudsman in the municipality of Faxe, who had tried to advise some elderly citizens who had been rejected a NemID by the municipality but needed a NemID in order to report their leasing of farmland (fields) via the mandatory self-service system for such (mandatory) reporting. As justification for the refusal, the municipality referred to the binding guidelines on NemID, which had been drafted by the private company Nets DanID. The background hereof was that the Agency for Public Digitalisation, who owned NemID, had outsourced the development and maintenance of NemID to Nets DanID. Net's DanID had later agreed with the municipalities that the municipalities handled the citizen-related tasks regarding issuing NemID as so-called registration units. As part of the agreement, the municipalities were obliged to comply with the guidelines and instructions drawn up by Nets DanID when issuing a NemID. In other words, outsourcing from the Danish Agency for Digitalisation to Nets DanID had been followed with Nets DanID's subsequent instructions to the in relation to the Danish Agency for Digitalisation independent municipalities. An agreement was therefore reached between the Ombudsman and the Agency for Digitalisation that an unambiguous legal basis for the outsourcing of NemID had to be established.
Finally, the legislator will probably be involved increasingly in connection with the initiation of – at least more extensive – projects when it is necessary to deviate from EU regulation (if such deviations are possible under EU law) or EU law requires a more precise and more unambiguous legal basis for processing personal data than required according to Danish constitutional and administrative law. An early example of such deviation is the Act on the Danish Business Authority's processing of data. Based on Article 23 of the data protection regulation (GDPR), this Act provided a mandate for executive orders deviating from the purpose limitation principle in Article 5, subsection 1, letter b, of the GDPR. The preparatory documents state that the purpose hereof was to provide the Danish Business Authority with the opportunity to develop machine learning-based predictive modules and modern data analysis methods.
The requirement of an unambiguous legal basis follows from the GDPR and Article 8 of the Charter of Fundamental Rights of the European Union, which states that a legal basis for processing personal data must be established. As a citizen's consent can rarely constitute the legal basis for processing personal data in the digital administration, public bodies must rely on Article 6, subsection 1, letter e, of the GDPR. According to this provision, the processing of personal data can be initiated if the processing is necessary for the exercise of public authority. The embedded requirement of necessity varies from an implicit to a strict assessment, requiring clear, precise and unambiguous national regulation allowing the processing in question. Clear, precise and unambiguous clarification in national law is especially needed if the processing of personal data can be regarded as high risk, e.g., profiling vulnerable citizens using sensitive personal data processing.
The Act on an Active Employment Effort is another example of a regulation providing an unambiguous legal basis for processing personal data. An amendment in 2019 provided the Agency for Labour Market and Recruitment with a legal basis to process personal data in order to develop and offer a nationwide digital profiling tool. The tool entailed, among other things, that an assessment of the risk of long-term unemployment of newly unemployed citizens could be carried out based on data from the citizens and from the Ministry of Employment as well as from other public databases. Several years later, the Danish Data Protection Authority was asked if a municipality could lease and use a similar profiling system called Asta, which a private company had developed. Using Asta similarly entailed a machine learning-based analysis of newly unemployed citizens' risk of becoming long-term unemployed. However, the processing of personal data via Asta – in contrast to the tool developed by the Agency for Labour Market and Recruitment – did not have a clear national legal basis. The Danish Data Protection Authority stated, in general, that for completely harmless processing of personal data, the requirements [for clarity in national law] will not be particularly strict. If, however, the processing in question may be regarded as intrusive, as is the case of Asta, the demand for clarity of the necessity increases.
In summary, there is a tendency towards seeking a legal basis in legislation for at least a more significant high-risk digitalisation project. Such a basis will be required if the development or use of a system will imply a deviation from existing regulations or a clear and unambiguous basis for processing personal data. In other words, the core democratic functions must be regarded as integrated in relation to the digital administration, as the democratically legitimised legislature's acceptance of more far-reaching digitisation initiatives seems to be sought.
4.3 Fundamental Rights
4.3.1 Introduction
The result of an ageing Danish constitution, combined with a dualistic approach to international law, is that fundamental rights are primarily carried into the digital administration via EU law. Of lesser – but still some – influence are the international human rights instruments. Denmark has ratified and implemented the European Convention on Human Rights (hereafter ECHR) in Danish law, just as Denmark has ratified the UN Convention on the Rights of Persons with Disabilities. Together, the Charter and these international instruments form part of the overall legal framework to ensure citizens' fundamental rights in the digitalised Danish administration as in the former analogue and paper-based administration.
The relevance of international human rights regulation can be illustrated by cooperation between the Danish Institute for Human Rights and the German Agency for International Cooperation (GIZ). The institutions have introduced a tool to identify and assess human rights risks while developing digital systems.
In the following, those provisions of the Charter of Fundamental Rights of the European Union, which assumedly will be essential elements of the legal framework for the digitalised administration in the forthcoming years, are presented in section 4.3.2, followed by a similar presentation of international human rights instruments in section 4.3.3. In section 4.3.4, an analysis of the capability of Danish Administrative law to ensure compliance with fundamental rights in digital administration is carried out before looking into the forthcoming AI Act and the EU regulation's potential impact on the Danish legal framework in sections 4.5 and 4.6.
4.3.2 The Charter of Fundamental Rights of the European Union
Within the scope of EU law, the Danish legislature and the executive power are obliged to respect the fundamental rights of citizens as these are recognised in EU law. This implies that public authorities – just like the bodies of the EU – are to observe the duties arising from the ECHR and the Charter of Fundamental Rights of the European Union (hereafter the Charter), cf. Article 51 of the Charter. Within the digital administration, the authorities must, therefore, not only respect secondary EU legislation applying to the development, implementation and use of digital systems but also – if an activity is within the scope of EU law – ensure compliance with fundamental rights and the core principles of EU law, e.g. equal treatment, protection of legitimate expectations and proportionality.
According to Article 51 of the Charter, national public authorities and courts must ensure compliance with the Charter when they make decisions based on EU regulation or a national regulation implementing an EU directive. The same applies if there is a strong functional connection with EU law or national regulation that interferes with the four freedoms regarding goods, persons, services and capital.
The Charter consists of a broad pamphlet of rights not recognised in the Danish constitution and of legal principles, which in Denmark are regarded as case law-based principles of administrative law (even though EU and national legal principles are not entirely identical). In particular, articles 41, 8, 20 and 21 of the Charter are essential elements of the legal framework applying to the Danish digital administration.
For the digital administration, the underlying principles of Article 41 of the Charter laying down the requirement of good administration may be relevant for the Danish legislature's ability to deviate from the requirements for, among other things, a consultation (fair hearing) before a decision is taken. Article 41 does, in principle – in a relatively general form – only regulate administrative procedures within EU administration. However, the EU Court of Justice has stated that, among other things, the right to a hearing, established in Article 41, is a codification of an underlying principle. This legal principle binds the Member States if EU law applies – and will thus carry the contained procedural requirements into the digital administration.
Furthermore, the Charter's article 8, subsection 1, states that: "[e]veryone has the right to the protection of personal data concerning him or her" and in subsection 2, that: "Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified." Article 8 is, in particular, specified in the GDPR and the directive on data protection in law enforcement. See above in section 4.2. The GDPR are – in a Danish context – regarded as a part of general administrative law.
Finally, articles 20 and 21 of the Charter will probably gain increasing importance as the development and use of machine learning and other forms of artificial intelligence expand – a goal pursued as a part of the visions in the Danish Joint Government Digital Strategy for 2022–2025, see above in section 3.2. Article 20 of the Charter proclaims that "Everyone is equal before the law ", and the Charter's Article 21, subsection 1 states that "Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited“. Since an inherent risk of AI is that bias in training data is passed on to the developed models, these provisions will form a legal framework requiring that the use of AI does not lead to discrimination contrary to these provisions. This will, in particular, apply to profiling models used to assess citizens based on differences in variable values, which – depending on the model's design – may entail a risk of direct or indirect discrimination.
Direct discrimination against a protected group may occur if a profiling model uses a variable characterising a protected group of citizens. This could, for example, be gender, consequently awarding male citizens a higher probability of being classified positively while females are classified negatively (or vice versa). Indirect discrimination may occur if a model in practice places a protected group in an unfavourable position compared to others, even if the model does contain a variable characterising the protected group, i.e. even if the model is blinded to said group. An example could be a statistical connection between residence and ethnicity. If citizens of specific ethnicities are overrepresented in certain residential areas, a model with residence as a variable might affect some ethnicities more than others.
In continuation of the above, it is noteworthy that the Danish Institute for Human Rights has pointed out in a recent report that the use of opaque AI may increase citizens' difficulties in proving indirect discrimination unless the legal framework is adjusted into a shared burden of proof.
4.3.3 The European Convention of Human Rights (ECHR)
The scope of the ECHR and the Danish dualistic approach entails that the ECHR affects the legal framework for the Danish digital administration differently than EU law. In contrast to the promotion of harmonisation and the enforcement of the EU interpretation style, the ECHR provides a relatively wide margin, and the EctHR have a distinctive focus on the circumstances of every individual case. The ECHR's impact on the Danish legal system has, therefore, primarily played out within the specialised administrative law, se about the distinction between general regulation and regulation applying to delimited areas above in section 4.1. This is, for example, forced fixation of psychiatric patients, expropriation and regard to the Danish legislation and case law on immigrants and refugees.
However, the ECtHR's expanding interpretation of the ECHR has historically shown to establish duties of care for public authorities that might become important as a part of the legal framework for the Danish digital administration, as this might lead to proactive measures must be taken in order for ensure that systems and the use hereof are design in such a way that compliance with the ECHR is promoted. Here, attention is drawn to six aspects expected to become relevant for those who develop and use digital digital systems for and in public administration.
Firstly, the ban on self-incrimination in Article 6 of the ECHR must be taken into account when citizens are required to provide data (information) to the public authorities via self-service systems and these data are intended to be used in different contexts, and Article 6 are relevant in some of these contexts. Secondly, the ECtHR has stated that article 8 of the ECHR – as article 41 of the Charter – contains procedural rights as the right to a fair hearing before a decision directed at a citizen is reached. Thirdly, case law from the ECtHR requires reasonable processing time. This might not seem relevant regarding digitalisation, but experience shows that implementing newly developed systems might cause prolonged processing time. Fourthly, in principle, Article 8 of the ECHR lays down requirements for processing personal data, just as this provision, in interaction with Article 10 of the convention, may impact certain groups' right to access documents. Finally – as the fifth theme – the ECHR requires that public bodies ensure translation services in a number of situations in order to ensure citizens can understand guidance from and decisions made by public authorities.
The latter requirement illustrates how legal requirements under the ECHR in Denmark will interact with other international obligations and national administrative law, thereby placing the ECHR in the background. In relation to translation services, Denmark has ratified the Nordic Language Convention, the European Charter for Regional or Minority Languages (the Language Pact) and the Council of Europe's Framework Convention of the 1 of February 1995 on the Protection of National Minorities (the Minority Convention). When interpreted into Article 7 of the Danish Public Administration Act, laying down an obligation to provide guidance for citizens, this spaghetti ball-like framework of conventions entails a duty to ensure that at least the digital self-service systems, which are mandatory for citizens to use, are offered in relevant foreign languages, or an alternative communication channel is available.
4.4 Danish Administrative law
4.4.1 Introduction
Danish administrative law only partially consists of legislation such as the Public Administration Act, the Freedom of Information Act, the GDPR, and the supplementary Danish Data Protection Act. Case law-based principles apply next to this statutory regulation, thereby providing Danish administrative law with a somewhat dynamic nature, enabling the regulation based on underlying legal values to adapt to societal changes such as the digitalisation of the public administration. In accordance herewith, supervisory bodies, with the Parliamentary Ombudsman at the forefront, have developed Danish administrative law and set up requirements for the design and functionality of digital systems, their development, implementation and use. This case law is under continuous development in line with the technological and societal changes and is characterised by searching: "the legal toolbox for regulation able to be meaningful in the new technological context."
The development of administrative law in Denmark has revolved mainly around two starting points. First, administrative law and the norms of good administration are technology-neutral. Therefore, the regulatory requirements apply regardless of the technology a public body uses to perform its assigned tasks. Second, public administration must be organised and carried out in a compliant, efficient and trustworthy manner, no matter the technologies used. The following section, 4.4.2, will outline how these starting points led to a requirement of designing technologies and their use in such a way that compliance with administrative law is supported. Section 4.4.3 focuses on another requirements – namely, the demand for a prior compliance investigation, testing and supervision, respectively.
4.4.2 Administrative law by design
The Danish principles of good administration require that public authorities establish an organisation and implement workflows that are able to support a compliant and efficient administration. This fundamental requirement is mirrored in legislative practice. It is, for example, stated in the preparatory documents to Act on the Regions that the regional Council is 'responsible for ensuring that formalities are complied with, i.e. that sufficiently qualified personnel are employed, that these employees observe the principles of good administration and, that internal measures are taken to implement appropriate workflows, routines and supervisory procedures'.