
Part III: Concluding remarks

The study shows significant discrepancies in the data retention regulation of the Nordic countries. Denmark has aligned the data retention rules with the rules of data preservation and secret coercive measures interfering with electronic communication, as well as rules concerning subscriber identification. The aim is, to the widest extent possible, to ensure the availability of data that may be necessary to investigate serious crime or protect national security, including to identify perpetrators of serious crime, while still respecting fundamental human rights.
Seemingly, among the Nordic countries only Sweden performs data retention for the purpose of preventing, averting, and detecting crime in addition to criminal investigation and prosecution. The Swedish Expert Report SOU 2023:22 proposes a revision of the data retention rules so that they closely resemble the Danish rules. It is proposed that retained data shall be available for intelligence purposes also in the future. In contrast, Denmark has provided a legal basis for general undifferentiated data retention to protect national security, without extending the right of access to include intelligence purposes.
Norway stands alone with data retention rules that are limited to internet access services. The other countries also include telephone services and IP-telephony, though the extent to which the services are included is not identical. The legal situation regarding NI-ICS is also a bit unclear.
A recurring question concerns the scope of data related to internet access services. It has been demonstrated that legal provisions that prima facie are similar may have different outcomes, illustrated by the differences between Denmark and Norway in the application of data retention rules to “hot spot” internet at restaurants and hotels. The issue seems to be influenced by several factors that are quite different from each other. Firstly, there is the interpretation of the e-com definitions, that is, how to interpret “publicly available” and “normally for remuneration.” A point in this regard is that the legislator seems to have offered no explanation for not making use of the reservation provided by the word “normally.” For instance, it seems odd that Norway imposes a flat obligation to retain data on 300 providers with only a 5 % market share, while large institutions such as universities, or operators such as airports, do not have this duty.
Secondly, there are the problems associated with NAT and Carrier Grade NAT technology. Both are solutions allowing several users to share an IP address simultaneously. It is not clear whether it is the technological solution, the level in the communication chain where it is applied, or other considerations that are at play when determining the scope of the obligation to retain data. Thirdly, the proportionality assessment each country must perform may be influenced by circumstances special to that country, such as the threat assessment and crime statistics.
Looking at the regulation in each country, Denmark, Finland and Sweden have aligned the data retention rules with the rules of secret coercive measures regarding data related to use of electronic communications services (teleoplysning, teleövervakning, hemlig övervakning av elektronisk kommunikation). In each of these countries, the conditions for access to retained data correspond to those applicable to the said coercive measure. The situation in Norway is different, but then again, the scope of the data retention rules is much narrower than for the secret coercive measure kommunikasjonskontroll.  
Finally, the regulation at the national level is often quite complicated and abstract. It seems doubtful that integrating data retention rules into the e-com regulation is the most suitable approach, given the discrepancy between the purpose of electronic communication regulation and the mandate of the police, in addition to the widely different terminologies used in the respective fields of the law. While the regulatory field is quite complicated in itself, it adds to the opacity of the law that the principle of technology neutrality is applied to make the law as resilient as possible to technological change. This is a valid consideration, but at some point the cost to the foreseeability of the law may be too high. National data retention law is free to specify the providers and data subjects in more detail, which could be a way to achieve greater legal certainty and make the rules more easily comprehensible.