Denmark
Nine Eyes member whose submarine cables became the NSA’s listening post in Europe
EU Member State: Denmark is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Denmark’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Nine Eyes intelligence alliance.
Overview
Denmark presents a notable contrast between its civilian data protection framework and its intelligence activities. On the civilian side, it operates a data protection authority (the Datatilsynet) that processes thousands of cases annually and has steadily increased its enforcement ambitions under the GDPR. On the intelligence side, Denmark served for decades as the NSA’s primary signals intelligence partner on European soil, granting the American agency direct access to submarine cables carrying communications between Europe and the United States.
The collision between these two worlds became public in May 2021, when Danish Broadcasting Corporation (DR) revealed that Denmark’s military intelligence service, the Forsvarets Efterretningstjeneste (FE), had facilitated NSA surveillance of senior European leaders (including German Chancellor Angela Merkel and Swedish, Norwegian, and French officials) through cable-tapping infrastructure on Danish territory.[1] The internal investigation that uncovered this abuse was codenamed Operation Dunhammer, and its revelations triggered the suspension of FE’s director and the removal of five senior intelligence officials.
Denmark is a member of the Nine Eyes intelligence alliance alongside the Five Eyes nations (United States, United Kingdom, Canada, Australia, New Zealand) and three other European states (France, the Netherlands, Norway). It is also a founding member of Maximator, a secret European SIGINT alliance established in 1976 that was not publicly revealed until 2020.[2] These overlapping intelligence relationships, combined with Denmark’s geographic position astride critical undersea cable routes, make it a significant node in the global surveillance architecture relative to other Five Eyes and Nine Eyes partners.
Data Protection Authority: Datatilsynet
The Datatilsynet (Danish Data Protection Authority) is Denmark’s independent supervisory authority responsible for monitoring and enforcing compliance with the GDPR and the Danish Data Protection Act. It operates under the Ministry of Justice but functions as an independent administrative body.[3]
The Prosecutorial Model
Denmark’s enforcement model is distinct among EU member states. Unlike most data protection authorities, which can directly impose administrative fines, the Datatilsynet cannot itself issue fines. Instead, when it identifies a violation warranting a financial penalty, it recommends a fine to the Danish police, who then present the case to the courts for adjudication.[4] This prosecutorial model introduces significant delays: cases must pass through the criminal justice system before any financial penalty is imposed, and the courts may reduce or reject the recommended amount. The practical effect is a slower, less predictable enforcement pipeline compared to authorities in Germany, France, or Ireland that can issue fines directly.
Structure and Resources
The Datatilsynet has grown steadily in recent years, though it remains modestly sized compared to its Western European counterparts:
- Staff (end of 2024): 74 employees[5]
- Caseload (2022): 16,896 cases processed (up from 5,024 in 2017)
- Audits (2022): 513 conducted
- Breach reports (2023): 9,537 received[6]
The more than threefold increase in caseload between 2017 and 2022 reflects both the expansion of data protection obligations under the GDPR and a growing awareness among Danish organizations and citizens of their rights and reporting obligations.
Notable Enforcement Actions
| Date | Entity | Recommended Fine | Violation |
|---|---|---|---|
| 2024 | Netcompany | DKK 15 million (~EUR 2 million) | Inadequate authentication and security measures in the mit.dk digital mail system, the highest fine ever recommended by Datatilsynet[7] |
| February 2024 | Capio A/S | EUR 202,000 | GDPR accountability failures at a private hospital chain, failure to demonstrate lawful processing and adequate security[8] |
| 2022 | Danske Bank | DKK 10 million (~EUR 1.35 million) | Failure to document data storage and deletion rules across more than 400 systems containing data on millions of individuals[9] |
| 2019 | IDdesign A/S | DKK 1.5 million | Retaining personal data of approximately 385,000 customers indefinitely in a legacy system with no deletion procedures[10] |
The Netcompany case in 2024 marked a significant escalation. The mit.dk platform is Denmark’s public digital mail system, used for government-to-citizen communications, and the authentication failures exposed sensitive personal data at scale. The DKK 15 million recommended fine reflects increased enforcement activity by the Datatilsynet, even within the constraints of the prosecutorial model.
National Framework
Danish Data Protection Act (Databeskyttelsesloven, Act No. 502 of 23 May 2018)
The Databeskyttelsesloven entered into force on May 25, 2018, simultaneously with the GDPR, and serves as Denmark’s national supplementary legislation. It exercises several GDPR derogations specific to Danish legal traditions and administrative practices:[11]
- Age of digital consent: Denmark lowered the age at which a child can independently consent to information society services to 13 years, below the GDPR’s default of 16. This places Denmark alongside countries like Sweden, the United Kingdom, and Ireland that have adopted lower thresholds[12]
- CPR number provisions: The Danish civil registration number (personnummer or CPR-nummer) is subject to specific processing restrictions that treat it similarly to sensitive personal data. Public authorities may process CPR numbers when required for unambiguous identification. Private entities may only process CPR numbers when authorized by law, with consent, or when the number is made available by the data subject and processing is clearly in the data subject’s interest[13]
- Criminal records: The Act restricts private processing of information about criminal convictions and offenses, limiting it to cases where consent has been given or where necessary for a legitimate interest that clearly overrides the interests of the data subject
- Journalism exemption: Chapters II through VII and Chapter IX of the GDPR do not apply to data processing carried out for journalistic purposes or the purpose of academic, artistic, or literary expression, a broad carve-out reflecting Denmark’s strong press freedom traditions[12]
- Video surveillance: Section 12 of the Act establishes specific rules for CCTV and video surveillance in public spaces and private premises, supplementing the GDPR’s general processing requirements
Marketing and Direct Communication
The Databeskyttelsesloven includes a distinctive provision requiring companies to check the Central Personal Register (CPR register) before using consumer data for direct marketing. If a consumer has registered an objection in the CPR register, companies are prohibited from sending marketing communications to that individual.[13] This opt-out mechanism is integrated directly into the national identity system, providing a centralized, government-maintained marketing preference register.
Surveillance and Intelligence
Intelligence Agencies
PET (Politiets Efterretningstjeneste) – The Danish Security and Intelligence Service is Denmark’s domestic intelligence agency, responsible for counterterrorism, counterintelligence, dignitary protection, and threats to national security. PET operates under the Ministry of Justice and is regulated by the PET Act of 2014, which established the legal framework for its intelligence activities and data processing.[14]
FE (Forsvarets Efterretningstjeneste) – The Danish Defence Intelligence Service is responsible for foreign and military intelligence, including signals intelligence (SIGINT). FE operates under the Ministry of Defence and maintains the cable-tapping infrastructure that became the focus of the Operation Dunhammer scandal. Its SIGINT activities have been conducted in close partnership with the NSA for decades, making it one of the more extensively resourced European intelligence services.[15]
Operation Dunhammer: The Cable-Tapping Scandal
Operation Dunhammer is the most significant publicly known intelligence scandal in recent Danish history. The affair revealed that Denmark’s geographic position (astride the submarine cables carrying vast volumes of European and transatlantic communications) had been systematically exploited by the NSA with the active assistance of Danish military intelligence.
The infrastructure: Copenhagen is strategically positioned for signals intelligence. Multiple submarine fiber-optic cables carrying communications between the United States and Europe transit Danish territorial waters. In the early 1990s, FE began developing cable-tapping capabilities and approached the NSA to share access. The partnership deepened over the following decades, culminating in the construction of a purpose-built data center at the Sandagergård military complex on the island of Amager, near Copenhagen. The facility was built with direct NSA assistance and designed to house surveillance systems for intercepting cable traffic.[16]
XKEYSCORE deployment: The NSA deployed its XKEYSCORE system (a search and analysis tool for intercepted communications) at the Sandagergård facility. XKEYSCORE allowed NSA analysts to search through raw cable traffic using selectors such as phone numbers, email addresses, and IP addresses. The system was operated within FE’s infrastructure, giving the NSA direct access to communications transiting Danish cables.[17]
The abuse discovered: Following the 2013 Snowden revelations, which raised concerns about NSA overreach globally, FE created a secret internal working group of four hackers and analysts in 2014, codenamed “Operation Dunhammer.” Their task was to examine whether the NSA had abused the Danish cable access to spy on targets in Denmark and its neighboring countries. The working group’s 2015 report confirmed the worst fears: the NSA had used selectors (provided by the NSA itself, not by Denmark) to target the communications of senior European political leaders during the period 2012 to 2014.[1]
Targets identified: The NSA used Danish cable infrastructure to spy on:
- Angela Merkel – German Chancellor
- Frank-Walter Steinmeier – German Foreign Minister (later President)
- Peer Steinbrück – German opposition leader
- Senior officials in Sweden, Norway, the Netherlands, and France
- Denmark’s own Foreign Ministry and Finance Ministry
- A Danish weapons manufacturer[18]
The revelation that the NSA had used Danish infrastructure to spy on Denmark’s own government ministries was particularly damaging, demonstrating that even the host nation was not exempt from surveillance by its intelligence partner.
Delayed consequences: The Dunhammer report was completed in 2015, but led to no immediate repercussions. The FE-NSA collaboration continued as normal for five more years. It was only in August 2020 that FE director Lars Findsen was suspended, along with three other senior officials, after TET (the intelligence oversight board) reported that FE had purposefully withheld information and breached Danish laws. A special commission was established in December 2020 to investigate.[19]
Public revelation: The full story broke publicly on May 30, 2021, when a consortium of European media outlets, including DR (Denmark), Sveriges Television (Sweden), NRK (Norway), NDR, WDR, Süddeutsche Zeitung (Germany), and Le Monde (France), published coordinated reports based on the Dunhammer findings. The revelations triggered diplomatic fallout across Europe, with France and Germany demanding explanations from both Washington and Copenhagen.[18]
The Findsen prosecution: In December 2021, Lars Findsen was arrested on charges of leaking highly classified information to journalists and other individuals. He was held in custody until February 2022 and formally charged in September 2022 with six counts of disclosing classified material. However, in November 2023, the prosecution dropped all charges after a Supreme Court ruling determined that the trial could not proceed without breaching the confidentiality of classified information.[20] In August 2024, Findsen announced he was suing PET and the Ministry of Justice for violations of his privacy and honor.[21]
Nine Eyes Membership
Denmark’s participation in the Nine Eyes alliance dates to 1954, when it joined as a “third party” under extensions to the UKUSA Agreement.[22]
Denmark’s relationship with the NSA has been described as that of a “de facto Five Eyes member” due to the exceptionally close nature of the partnership. The combination of submarine cable access, jointly operated surveillance infrastructure at Sandagergård, and decades of uninterrupted SIGINT cooperation places Denmark in a category above typical third-party partners.[16]
However, third-party status carries a critical limitation: unlike Five Eyes “second party” members, third-party partners are not automatically exempt from being targeted by NSA intelligence collection. An internal NSA document revealed by Edward Snowden states: “We can, and often do, target the signals of most 3rd party foreign partners.”[23] Operation Dunhammer confirmed this in practice: Denmark provided the NSA with cable access, and the NSA used it to spy on Denmark itself.
Maximator Alliance
Beyond the Nine Eyes framework, Denmark is a founding member of Maximator, a secret European SIGINT alliance that was not publicly revealed until a 2020 academic paper by Dutch intelligence historian Bart Jacobs. Maximator was established at Denmark’s initiative in 1976, initially comprising Denmark, Sweden, and Germany. The Netherlands joined in 1978, and France in 1985.[2]
The alliance focused on intercepting and decrypting diplomatic communications, both from HF radio transmissions and SHF satellite links. Its existence for nearly fifty years without public disclosure (in contrast to the well-known Five Eyes) underscores the depth of European intelligence cooperation that operates outside public and parliamentary scrutiny.
Commercial Surveillance Procurement
Beyond Denmark’s extensive involvement in Nine Eyes and Maximator intelligence sharing, Danish law enforcement has supplemented its investigative capabilities through commercial surveillance technology procurement. These contracts create a parallel surveillance infrastructure that operates outside the intelligence oversight framework governing PET and FE.
Palantir Technologies: The POL-INTEL Platform
Danish police have deployed Palantir’s POL-INTEL platform, an analytics system designed for law enforcement pattern-matching, intelligence fusion, and investigative support. The system provides capabilities for analyzing criminal networks, tracking patterns across disparate databases, and identifying connections that might not be visible through traditional investigative methods.[32]
The procurement raises familiar concerns about data sovereignty. Palantir, as a US company, is subject to the US CLOUD Act, which allows American law enforcement agencies to compel production of data held by US companies regardless of where that data is stored. Danish police investigations processed through POL-INTEL could thus become subject to US legal process, creating a pathway for American access to Danish law enforcement data that bypasses the mutual legal assistance treaty (MLAT) framework Denmark negotiated with the United States.
Cellebrite: Digital Forensics and Device Exploitation
Danish law enforcement agencies have procured Cellebrite systems, Israeli-made tools for extracting data from mobile devices, including encrypted smartphones. Cellebrite products can bypass device encryption, extract deleted messages, access encrypted messaging applications, and recover data that users believed was permanently deleted.[33]
The use of Cellebrite by Danish authorities places them in a global marketplace where the same tools are sold to dozens of governments with widely varying human rights records. While Danish procurement may be for legitimate law enforcement purposes, the revenue supports a vendor whose technologies have been deployed in authoritarian states for political suppression.
The Oversight Gap
When FE taps submarine cables or conducts SIGINT operations, those activities fall under intelligence law and TET oversight (limited though that oversight has proven to be). When Danish police purchase Palantir analytics or Cellebrite forensic tools, those procurements are treated as standard law enforcement equipment purchases subject to normal administrative procurement rules, not the oversight framework that governs intelligence agencies.
This creates a regulatory asymmetry: intelligence services operating under the 2014 PET Act face TET review, while police forces deploying commercial surveillance platforms face no equivalent independent oversight specific to the privacy implications of those technologies. The result is a market-based expansion of surveillance capabilities that bypasses the accountability mechanisms Denmark established for its intelligence services.
The Dunhammer Lesson
The Dunhammer scandal demonstrated that even with oversight structures in place, intelligence abuses can persist for years before discovery. The NSA exploited Danish cable infrastructure to surveil European allies and Denmark itself for years, and the full scope was not publicly revealed until 2021. The investigation found that FE had purposefully withheld information from the TET.[19]
Commercial surveillance procurement creates similar risks. When Danish police deploy systems built by US and Israeli vendors, those systems operate under legal frameworks governed by the vendor’s home country, not Danish oversight. If history is a guide, the full implications of those relationships may not become apparent until years after the contracts are signed, if they become apparent at all.
Cable Surveillance: Operation Dunhammer and XKeyscore Deployment
Denmark’s position as a hub for fiber-optic cables connecting Scandinavia to the rest of Europe made it a strategic target for the NSA’s global surveillance infrastructure. As detailed in the Operation Dunhammer section above, FE allowed the NSA to use Danish cable access points to surveil the targeted officials, EU institutions, and even Danish companies, all while concealing the arrangement from oversight authorities.
Cable Infrastructure and the Dunhammer Operation
The Dunhammer operation exploited Denmark’s cable infrastructure using the XKeyscore system deployed at Sandagergård, as described above. What this section examines in greater detail is the geographic significance of these cable routes and the specific intelligence value they provided to the NSA.[34]
The operation was not disclosed to the Wamberg Committee (the TET’s predecessor), and FE actively withheld information about the NSA’s activities from Danish oversight authorities. An internal investigation commissioned by the Danish Ministry of Defence in 2014 found serious legal violations, leading to the dismissal of FE’s leadership. However, the public did not learn of the operation until Danmarks Radio published the findings in 2021.[19]
XKeyscore Deployment in Denmark
The XKeyscore deployment at Sandagergård, described earlier, gave the NSA the ability to search and analyze traffic intercepted from Danish cables. The system’s “widest-reaching” capabilities allowed analysts to query intercepted communications without prior authorization, making Denmark’s cable infrastructure an especially valuable intelligence asset.[72]
The deployment in Denmark allowed the NSA to intercept traffic passing through critical European cable routes, including connections between Scandinavia and Germany. Much of the internet traffic between Sweden, Norway, Finland, and the rest of Europe passes through Denmark, giving the NSA a chokepoint for monitoring Northern European communications.
Cable Access to DE-CIX Frankfurt
Danish cables provide a route for traffic flowing to and from DE-CIX Frankfurt, one of the world’s largest internet exchange points. Documents indicate that the NSA used Danish cable access to monitor traffic destined for DE-CIX, complementing the BND’s direct surveillance of the exchange point itself. This gave the NSA visibility into European internet traffic at a critical hub, affecting communications from across the European Union.[35]
Legal and Oversight Failures
The Dunhammer affair exposed fundamental weaknesses in Danish intelligence oversight. Despite the establishment of the Wamberg Committee in 1988, FE was able to conduct a multiyear collaboration with a foreign intelligence service, targeting Danish allies and companies, without oversight authorization or review. The operation violated Danish law, breached GDPR obligations, and undermined the political commitments Denmark had made to its EU and NATO partners.
The 2014 internal investigation led to the dismissal of FE leadership, but no criminal charges were filed. The TET, established the same year, was supposed to prevent such abuses through enhanced oversight. However, as academic analyses have noted, the resulting reforms were “piecemeal and limited,” and it remains unclear whether similar arrangements could be detected under the current framework.[26]
The scandal illustrates a broader problem with cable surveillance partnerships: when intelligence agencies provide foreign partners with access to domestic cable infrastructure, oversight becomes nearly impossible. The intercepted traffic includes communications from allied nations, domestic companies, and the country’s own citizens, all collected in bulk, filtered by foreign analysts, and subject to legal frameworks beyond the reach of domestic courts or oversight bodies.
Intelligence Oversight: TET
The Tilsynet med Efterretningstjenesterne (TET), the Danish Intelligence Oversight Board, was established on January 1, 2014, replacing the long-standing Wamberg Committee. TET is an independent administrative body responsible for monitoring whether PET and FE comply with applicable law in their processing of personal data and intelligence activities.[24]
Structure
TET is composed of a chair, who must be a High Court judge, and four additional members. The board has access to all PET information and any material of importance to its oversight work. Natural and legal persons may request that TET examine whether PET is wrongfully processing information about them.[25]
Limitations
TET’s powers are significantly constrained compared to intelligence oversight bodies in neighboring countries. Critically, TET cannot issue binding decisions. Its remit has been described as “much narrower” than those of its Norwegian and Swedish counterparts.[26] The board can investigate, report, and recommend, but it cannot compel an intelligence agency to change its behavior. This limitation was starkly illustrated by the Dunhammer affair: even after TET reported serious legal violations by FE, the consequences were determined not by the oversight board but by political and prosecutorial processes that ultimately collapsed without resolution.
2024 Reforms
A legislative amendment effective January 1, 2025, expanded TET’s mandate to include retrospective legality checks, and TET published updated standards for Danish intelligence review activities in February 2024. However, observers have characterized the post-Dunhammer oversight reforms as inadequate, noting that no substantial intelligence reforms have been enacted since mid-2016.[26]
Data Retention
Denmark’s approach to data retention illustrates the tension between national security imperatives and EU fundamental rights jurisprudence. For years, Denmark maintained one of Europe’s most expansive data retention regimes, and continued to do so even after the EU’s highest court ruled such regimes unlawful.
The Pre-2022 Regime
Denmark imposed a blanket one-year retention obligation on telecommunications providers, requiring them to store traffic and location data on all users indiscriminately. Denmark maintained this obligation even after the Court of Justice of the European Union (CJEU) invalidated the underlying EU Data Retention Directive in Digital Rights Ireland (2014) and further restricted member state retention laws in Tele2/Watson (2016). The Danish government publicly acknowledged that its data retention law was illegal under EU law but stated that it would be maintained temporarily for operational reasons.[27]
The 2022 Reform
A new data retention framework took effect on March 30, 2022, establishing a dual-track system:[28]
- Targeted retention: Traffic data may be retained for specific persons, specific communication equipment, or specific geographical areas, for the purpose of combating serious crime. Retention orders must be issued by the courts and must be proportionate to the investigative need
- General undifferentiated retention: Under Section 786e of the Administration of Justice Act, the Minister of Justice may issue an order for general and indiscriminate retention of communications data if there is reason to believe that Denmark faces a serious threat to national security. This track preserves the essence of the previous blanket retention regime under a national security justification
The timing proved immediately problematic. Just six days after the new law entered into force, the CJEU issued a ruling on April 5, 2022, further restricting access to retained data for serious crime purposes. This left Danish police with significantly reduced access to traffic and location data almost immediately after the reform was supposed to resolve the legal issues.[28]
Both retention tracks remain in effect as of 2026. Civil liberties organizations, including IT-Politisk Forening (IT-Pol), continue to contest the legality of the general retention provision, arguing that it effectively recreates blanket retention under a permanent national security justification that is never meaningfully reassessed.[28]
International Data Sharing Agreements
Denmark participates in extensive international data sharing frameworks that complement its domestic intelligence oversight through the TET. These agreements provide foreign agencies with pathways to access data on Danish persons, often through processes that operate outside the TET’s oversight mandate, as the Dunhammer scandal demonstrated when FE purposefully withheld information from the oversight body about NSA activities on Danish soil.
Mutual Legal Assistance Treaty with the United States
Denmark maintains an MLAT with the United States via the EU framework and bilateral provisions. The MLAT allows Danish law enforcement to request data on US persons, and US law enforcement to request data on Danish persons, through diplomatic channels with average processing times of 10 months.[36]
Nine Eyes Intelligence Sharing
As a Nine Eyes member, FE shares signals intelligence with Five Eyes partners, though with less privileged access than core Five Eyes members.[37]
The Dunhammer scandal exposed how Nine Eyes intelligence sharing can bypass domestic oversight: the NSA used Danish infrastructure to collect intelligence on the surveillance targets identified earlier, shared the results with Five Eyes partners, and the entire arrangement was concealed from the TET and its predecessor. This demonstrated how intelligence alliances can circumvent domestic legal restrictions.
EU Law Enforcement Data Sharing (with Caveats)
Schengen Information System (SIS II): Denmark joined Schengen on March 25, 2001, and the Danish National Police serves as the SIRENE office (SIS central authority). Danish police can query SIS II in real time and contribute alerts visible across all Schengen countries.
Europol (Special Status): Denmark stepped out of formal Europol membership on May 1, 2017, but maintains database access through a special agreement. This unique arrangement allows Danish police to access Europol databases while technically remaining outside the EU’s Justice and Home Affairs framework.[38]
European Investigation Order: Denmark participates in the EIO framework for cross-border evidence gathering.
EU Law Enforcement Directive 2016/680: Despite its opt-outs, Denmark is required to apply data protection safeguards similar to the EU Law Enforcement Directive, transposed through the Danish Law Enforcement Act.
EU-US Data Sharing Frameworks
PNR Agreements: Denmark participates in the EU-Norway-Iceland PNR agreement and EU-US PNR framework, enabling transfer of passenger data from Danish air carriers.
SWIFT/TFTP: US Treasury can subpoena SWIFT for financial data affecting Danish persons’ international transactions, with Europol verification.
Multilateral Frameworks
Interpol I-24/7: Denmark participates in Interpol’s global network for criminal intelligence sharing.
Egmont Group: The Danish FIU participates in the Egmont Group network for financial intelligence sharing.
The Privacy Backdoor Effect
The Dunhammer scandal demonstrated that international data sharing agreements can be used to bypass domestic oversight mechanisms. Despite the TET’s mandate to monitor FE activities, the multiyear NSA collaboration proceeded without oversight authorization or review.
For Danish persons, this means data nominally protected by GDPR, the Datatilsynet, and TET oversight can be accessed through:
- Nine Eyes Laundering: NSA/Five Eyes can collect on Danish persons and share with FE; FE provided NSA with Danish cable access for spying on the targeted officials and institutions
- EU Framework Sharing: Danish person data entered into SIS II or EIO channels becomes accessible to 27 EU member states, and through Europol’s special agreement, to Danish authorities despite Denmark’s opt-out
- MLAT Bypass: US authorities can request data via MLAT, potentially with lower evidentiary standards than Danish judicial warrants
- PNR/SWIFT Dragnet: All international travel and financial transactions subject to foreign access
The Dunhammer scandal demonstrated that oversight mechanisms like the TET can be circumvented when intelligence agencies prioritize international partnerships over domestic accountability. The operation violated Danish law, breached GDPR obligations, and undermined Denmark’s political commitments to EU and NATO partners, yet no criminal charges were filed, and subsequent reforms have been widely criticized as insufficient.
Recent Developments
Datatilsynet 2025 Focus Areas
The Datatilsynet announced its supervisory priorities for 2025, reflecting the evolving data protection landscape:[29]
- Artificial intelligence in healthcare: The authority will prioritize oversight of AI systems used in the healthcare sector, examining how patient data is processed, how algorithmic decisions are made, and whether data protection impact assessments are being conducted
- Children’s data protection: Building on its role in developing regional principles to protect minors in online gaming environments (adopted at a Nordic meeting in Oslo in May 2024), the Datatilsynet will expand its focus on how platforms process children’s personal data[30]
- Right to erasure: Enforcement of data subjects’ right to have their personal data deleted remains a priority, particularly in the public sector
- Regulatory sandbox for AI: The Datatilsynet expanded its regulatory sandbox program in 2024, allowing selected organizations to test AI tools under direct supervision, and this program continues into 2025
Record Enforcement in 2024
The Netcompany fine recommendation of DKK 15 million in 2024 (the highest in Datatilsynet history) reflects increased enforcement activity. The mit.dk case involved Denmark’s national digital mail platform, meaning the security failures had potential impact on virtually every Danish citizen. Combined with the Capio hospital chain enforcement and continued attention to accountability failures at major financial institutions, the Datatilsynet has demonstrated a pattern of pursuing larger penalties despite the constraints of the prosecutorial model.[7]
Intelligence Oversight: Still Unresolved
The aftermath of the Dunhammer scandal remains fundamentally unresolved. No senior official was ultimately convicted. The charges against Lars Findsen were dropped not because he was exonerated, but because the trial could not proceed without exposing classified information. The special commission established in December 2020 has not produced structural intelligence reforms. TET’s expanded mandate effective January 2025 represents incremental progress, but its inability to issue binding decisions remains a fundamental limitation.[26]
Academic analysis published in Intelligence and National Security reinforces this assessment, noting that the TET retains a “much narrower remit” than equivalent bodies in Norway and Sweden and that Denmark has enacted no substantial intelligence reforms since mid-2016. The legal framework governing FE’s cable-tapping activities therefore remains essentially the same one under which the Dunhammer abuses occurred.[26]
First EU Member State to Adopt AI Act National Law (May 2025)
AI Act Implementation: On May 8, 2025, the Danish Parliament (Folketing) adopted the Act on Supplementary Provisions to the Regulation on Artificial Intelligence (Lov om supplerende bestemmelser til forordningen om kunstig intelligens), making Denmark the first EU member state to complete national implementation of the EU AI Act ahead of the August 2, 2025 deadline. The law designates the Agency for Digital Government (Digitaliseringsstyrelsen) as the national coordinating supervisory authority and single point of contact, with the Datatilsynet and the Danish Court Administration (Domstolsstyrelsen) serving as market surveillance authorities. The law entered into force on August 2, 2025.[39]
NIS2 Transposition (July 2025)
NIS-2-loven: Denmark’s national transposition of the EU NIS2 Directive entered into force on July 1, 2025, bringing approximately 6,000 organizations across multiple sectors into scope. The general law (Bill L 141) sets the framework for most sectors, while separate sector-specific bills apply to telecommunications, energy, and financial services. Organizations were required to self-register via the CFCS portal by October 1, 2025, with supervisory audits beginning in early 2026. Consistent with Denmark’s prosecutorial model, the transposition does not include administrative fines or management body personal liability; enforcement follows the standard public prosecution process.[40]
EU Council Presidency (July–December 2025)
Council Presidency: Denmark held the Presidency of the Council of the European Union from July 1 to December 31, 2025, under the slogan “A strong Europe in a changing world.” The Presidency prioritized security (including defense, enlargement, and cyber resilience) and competitiveness (including regulatory simplification and the green transition). In the digital and privacy domain, the Danish Presidency drove several significant initiatives: proposing a GDPR simplification non-paper, advancing the contested Child Sexual Abuse (CSA) Regulation, and steering Council positions on AI governance and telecom infrastructure resilience.[41]
Chat Control: CSA Regulation Compromise (October–November 2025)
Chat Control: As Council Presidency holder, Denmark made the Child Sexual Abuse Regulation (commonly known as “Chat Control”) a high priority, initially reviving proposals for mandatory detection orders requiring messaging platforms to scan user communications for CSAM. After Germany announced on October 8 that it would not support mandatory scanning, Denmark pivoted on October 30, announcing removal of mandatory detection orders from the Council’s position. The revised compromise passed the Council’s LIBE committee on November 26, 2025, replacing mandatory scanning with voluntary detection by platforms while introducing mandatory age verification. Privacy advocates, including former MEP Patrick Breyer, warned that vague obligations requiring providers to take “all appropriate risk mitigation measures” could serve as a backdoor to mandatory scanning.[42]
GDPR Simplification Non-Paper (July 2025)
GDPR Simplification: On July 4, 2025, Denmark circulated a non-paper proposing targeted revisions to the GDPR and the ePrivacy Directive, aimed at reducing compliance burdens on businesses. Among the most consequential proposals, the non-paper suggested removing the right to data portability (Article 20 GDPR), lifting documentation obligations for SMEs under Article 24(1), exempting controllers from certain data breach notification requirements, simplifying DPIA thresholds under Article 35, and making the right to lodge complaints with supervisory authorities conditional upon prior engagement with the data controller. Digital rights organizations and the EDPB raised concerns that the proposals risked weakening fundamental data subject rights under the guise of administrative simplification.[43]
Deepfake and Digital Identity Copyright Bill (June 2025)
Deepfake Legislation: On June 26, 2025, the Danish government announced an amendment to the Danish Copyright Act granting individuals copyright protection over their physical likeness and voice, believed to be the first such legislation in Europe. The bill introduces two new provisions: Section 65-a protects performing artists from unauthorized sharing of realistic AI-generated imitations of their performances, and Section 73-a extends similar protection to all individuals against unauthorized deepfake content. Affected persons can request removal of deepfake content, and artists can demand compensation, with rights extending 50 years beyond death. The bill was submitted for public consultation on July 7, 2025, with cross-party support and a parliamentary vote expected in autumn 2025.[44]
Social Media Ban for Under-15s (October–November 2025)
Youth Social Media Ban: In October 2025, Prime Minister Mette Frederiksen announced plans to ban social media access for children under 15, stating that platforms are “stealing childhood.” On November 7, 2025, the government formalized a cross-party agreement to implement the ban, with a parental opt-in exception allowing access from age 13 after a specific assessment. Enforcement would leverage Denmark’s MitID national electronic identity system through a planned “digital evidence” age-verification app. Platforms that fail to implement proper age verification face fines of up to 6% of global revenue under EU enforcement mechanisms. The legislation is expected to pass by mid-2026.[45]
EU Data Act National Implementation (December 2025)
Data Act Implementation: On December 11, 2025, Denmark adopted national legislation supporting the implementation and enforcement of the EU Data Act (Regulation 2023/2854), which has applied across the EU since September 12, 2025. The legislation designates national competent authorities and establishes the enforcement framework for the Data Act’s provisions on data access, sharing, and cloud switching rights in Denmark.[46]
CJEU ILVA Ruling on GDPR Fine Calculation (February 2025)
CJEU ILVA Ruling: On February 13, 2025, the Court of Justice of the European Union issued its ruling in Case C-383/23 (ILVA), a preliminary reference originating from Danish courts. ILVA A/S, a furniture retailer and subsidiary of the Lars Larsen Group, had been charged with GDPR violations concerning retention of former customers’ personal data. The CJEU held that the concept of “undertaking” in Articles 83(4)–(6) GDPR must be interpreted consistently with EU competition law, meaning that the global turnover of an entire corporate group may be used to determine the maximum fine ceiling (2% or 4% of worldwide annual turnover). However, the specific fine imposed must also account for the individual company’s economic capacity. The ruling has significant implications for Denmark’s prosecutorial fine model, as courts calculating GDPR penalties must now consider group-level turnover.[47]
Datatilsynet 2026 Focus Areas
2026 Enforcement Priorities: The Datatilsynet announced that cookie consent practices will be a primary enforcement focus for 2026, specifically targeting whether users have a genuine opportunity to decline cookies. The authority is coordinating with Digitaliseringsstyrelsen (the Agency for Digital Government) for simultaneous examination of consent practices. Targeted practices include dark patterns (making “Accept” prominent while hiding “Reject”), cookie walls that block content unless users accept tracking, pre-checked consent boxes, asymmetric designs requiring one click to accept but multiple steps to decline, and missing granular consent options. This follows the Datatilsynet’s 2025 focus on consent practices in retail applications and reflects a broader Nordic trend of coordinated, strict enforcement on consent compliance.[48]
Denmark’s Position in 2026
Denmark enters 2026 as a country whose data protection enforcement is maturing but whose intelligence oversight remains inadequate to the scale of surveillance activity conducted on its territory. The submarine cables still transit Danish waters. The Sandagergård facility still exists. The Nine Eyes and Maximator partnerships continue. And the legal framework that permitted the Dunhammer abuses has not been meaningfully reformed. These intelligence relationships are relevant to any assessment of data transiting through Denmark.
