Denmark

Overview

EU Member State: Denmark is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Denmark’s role in international data sharing.

Denmark served for decades as the NSA’s primary signals intelligence partner on European soil, granting direct access to submarine cables carrying communications between Europe and the United States. In May 2021, Operation Dunhammer revealed that the FE (Danish Defence Intelligence Service) had facilitated NSA surveillance of senior European leaders — including German Chancellor Angela Merkel and Swedish, Norwegian, and French officials — through cable-tapping infrastructure at the Sandagergård facility near Copenhagen, where the NSA deployed XKeyscore. The NSA also used this infrastructure to spy on Denmark’s own government ministries.^[1]

Denmark is a Nine Eyes member (since 1954) and a founding member of Maximator, the secret European SIGINT alliance established at Danish initiative in 1976 and not publicly revealed until 2020.^[2]

Privacy Framework

The Datatilsynet operates a prosecutorial enforcement model unique among EU DPAs: it cannot directly impose fines but recommends penalties to the police for court adjudication. The highest recommendation was DKK 15 million (~EUR 2M) against Netcompany for authentication failures in Denmark’s mit.dk digital mail system (2024). Staff: 74 employees; 9,537 breach reports (2023).^[3][4]

The Danish Data Protection Act (Databeskyttelsesloven, 2018) supplements the GDPR with age of digital consent at 13, CPR number restrictions treating national ID numbers as quasi-sensitive data, a broad journalism exemption, and specific video surveillance rules. Denmark’s CPR register provides a centralised marketing opt-out mechanism.^[5]

Surveillance and Intelligence

Intelligence Agencies

PET (Politiets Efterretningstjeneste): Domestic intelligence, counterterrorism, counterintelligence. Under Ministry of Justice, regulated by PET Act 2014.^[6]

FE (Forsvarets Efterretningstjeneste): Foreign and military intelligence, including SIGINT. Under Ministry of Defence. Maintains the cable-tapping infrastructure central to the Dunhammer scandal.^[7]

Operation Dunhammer: The Cable-Tapping Scandal

The infrastructure: Denmark’s geographic position astride submarine cables carrying vast volumes of European and transatlantic communications made it strategically valuable. Beginning in the 1990s, FE developed cable-tapping capabilities with NSA assistance, culminating in a purpose-built data centre at Sandagergård on Amager island. The NSA deployed XKeyscore there, allowing its analysts to search raw cable traffic using phone numbers, email addresses, and IP addresses.^[8][9]

The abuse: Following the 2013 Snowden revelations, FE created a secret four-person working group in 2014 codenamed “Operation Dunhammer.” Their 2015 report confirmed the NSA had used Danish cable access to target European political leaders 2012–2014:^[1]

• Angela Merkel – German Chancellor
• Frank-Walter Steinmeier – German Foreign Minister
• Peer Steinbrück – German opposition leader
• Senior officials in Sweden, Norway, the Netherlands, and France
• Denmark’s own Foreign Ministry and Finance Ministry
• A Danish weapons manufacturer

Delayed consequences: The report led to no immediate action. The FE-NSA collaboration continued for five more years. In August 2020, FE director Lars Findsen and three officials were suspended after TET reported FE had purposefully withheld information and breached Danish law. The story broke publicly on May 30, 2021 through coordinated European media reports. Findsen was arrested December 2021 for leaking classified information; charges were dropped November 2023 because the trial could not proceed without exposing classified material.^[10][11]

Nine Eyes Membership

Denmark joined as a third party under UKUSA extensions in 1954. The relationship has been described as “de facto Five Eyes” due to the exceptionally close NSA partnership. However, third-party partners are not exempt from NSA collection. An internal NSA document states: “We can, and often do, target the signals of most 3rd party foreign partners.” Dunhammer confirmed this: Denmark provided cable access and the NSA used it to spy on Denmark itself.^[12][13]

Maximator Alliance: Founding Member

Denmark founded Maximator in 1976 with Sweden and Germany (Netherlands joined 1978, France 1985). The alliance focused on breaking encryption systems used by third-country governments, sharing decrypted intelligence product collectively. Germany’s BND membership connected Maximator to Operation Rubicon (CIA-BND co-ownership of Crypto AG, which sold backdoored encryption to 120+ governments). The alliance operated in secret for nearly fifty years until publicly disclosed in 2020.^[2][14]

Commercial Surveillance Procurement

Palantir POL-INTEL: Danish police deployed Palantir’s analytics platform for criminal network analysis and investigative support. As a US company subject to the CLOUD Act, Danish police data processed through POL-INTEL could become subject to US legal process, bypassing the MLAT framework.^[15]

Cellebrite: Danish law enforcement procured Cellebrite for mobile device exploitation, bypassing device encryption and accessing encrypted messaging.^[16]

These procurements face no equivalent of TET oversight, creating a regulatory asymmetry between intelligence operations (subject to TET review, limited though it proved) and commercial surveillance tools (standard procurement rules only).

Intelligence Oversight: TET

The Tilsynet med Efterretningstjenesterne (TET) (established January 1, 2014) monitors PET and FE compliance. Chaired by a High Court judge with four additional members. However, TET cannot issue binding decisions and has a “much narrower” remit than its Norwegian and Swedish counterparts. A January 2025 amendment expanded TET’s mandate to include retrospective legality checks, but observers characterise post-Dunhammer reforms as inadequate — no substantial intelligence reforms have been enacted since mid-2016, meaning the legal framework governing FE’s cable-tapping remains essentially the same framework under which the Dunhammer abuses occurred.^[17][18]

Data Retention

Denmark maintained blanket one-year retention even after the CJEU invalidated such regimes, publicly acknowledging the law was illegal under EU law while continuing it for operational reasons.^[19]

A dual-track reform (March 2022) introduced: (1) targeted retention for specific persons, equipment, or geographic areas (court-ordered, for serious crime); and (2) general undifferentiated retention when there is a “serious threat to national security” (ministerial order, preserving blanket retention under a national security justification). Six days after the reform took effect, a CJEU ruling further restricted access to retained data. Civil liberties organisations contest the general retention track as permanent blanket retention that is never meaningfully reassessed.^[20]

International Data Sharing Agreements

Mutual Legal Assistance: Layered Framework

EU Member States (26 countries): The EU Convention on Mutual Assistance in Criminal Matters (2000) and the Schengen Convention provide the primary MLA framework. Denmark participates in the European Investigation Order (EIO) for cross-border evidence gathering. Note: Denmark has a special Europol arrangement — it stepped out of formal membership on May 1, 2017 but maintains database access through a bilateral agreement.^[21]

Council of Europe (50 signatory states): Denmark is party to the European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols.

US-Denmark: No separate bilateral MLAT; covered by EU-US MLA instrument only (in force February 1, 2010).^[22]

Nordic cooperation: Longstanding Nordic mutual assistance frameworks with Sweden, Norway, Finland, and Iceland provide streamlined judicial cooperation across the Nordic region.

Nine Eyes Intelligence Sharing and NSA Cable Access

Denmark’s geographic position — straddling fibre-optic cables connecting Scandinavia to the rest of Europe — made it strategically critical. Internet traffic between Sweden, Norway, Finland, and the rest of Europe passes through Danish territory. XKeyscore at Sandagergård queried this traffic, including connections to DE-CIX Frankfurt, giving the NSA visibility into European internet traffic from multiple angles complementing BND’s direct DE-CIX surveillance.^[23]

EU Law Enforcement Data Sharing

SIS II: Denmark joined Schengen March 2001; Danish National Police serves as SIRENE office. PNR: EU-Norway-Iceland PNR agreement and EU-US PNR framework. SWIFT/TFTP: International wire transfers subject to US Treasury subpoena.

The Privacy Backdoor Effect

The Dunhammer scandal demonstrated how intelligence sharing can bypass domestic oversight entirely. Despite TET’s mandate, the multiyear NSA collaboration was concealed from the oversight body. For Danish persons:

• Nine Eyes / FE-NSA Sharing: FE provided NSA with cable access used to spy on European officials and Denmark itself; NSA can collect on Danish persons and share with FE
• EU Framework Sharing: Danish person data in SIS II or EIO channels accessible to 27 EU states; through Europol special agreement, accessible despite Denmark’s opt-out
• MLAT/CoE Convention: US and 50+ states can request data through MLA channels
• PNR/SWIFT: International travel and financial data subject to foreign access

The legal framework that permitted the Dunhammer abuses has not been meaningfully reformed. The cables still transit Danish waters. The Sandagergård facility still exists. The Nine Eyes and Maximator partnerships continue.

Age Verification: Identity Infrastructure as Surveillance

In November 2025, a cross-party agreement committed Denmark to banning social media for children under 15, enforced via the MitID national electronic identity system. Platforms face fines up to 6% of global revenue for non-compliance. A parental opt-in exception allows access from age 13 after specific assessment.^[26]

Denmark’s approach is distinctive because it leverages an existing government-operated identity system (MitID, used for banking, tax, and public services) for age verification, creating a direct link between state-issued digital identity and platform access. Unlike biometric estimation or third-party verification tokens, MitID-based verification creates an authenticated government record of which citizens access which platforms. This transforms a financial/administrative identity tool into surveillance infrastructure for online activity, with the government identity system sitting between every Danish user and every covered platform.

Encryption and Lawful Access

Denmark has no domestic encryption backdoor mandate and no compelled decryption law comparable to the UK’s RIPA Part III or France’s judicial decryption orders. However, Denmark’s position on encryption access at the EU level has been notably inconsistent.

During its 2024 EU Council Presidency, Denmark initially revived mandatory scanning proposals for the CSA Regulation (“Chat Control”), which would have required messaging platforms to scan encrypted communications for CSAM — effectively mandating either client-side scanning or encryption backdoors. After Germany announced opposition, Denmark pivoted in October 2025, dropping mandatory scanning in favour of voluntary detection with mandatory age verification. The compromise text’s vague “risk mitigation” obligations have been criticised as a potential backdoor to mandatory scanning.^[24]

Denmark’s July 2025 GDPR simplification non-paper proposed weakening data subject rights but did not include encryption-specific provisions. Denmark’s practical approach to encrypted communications relies on FE’s cable-tapping infrastructure (intercepting communications before or after encryption at the network level) and Cellebrite endpoint exploitation tools rather than mandating providers to build backdoors — though the Dunhammer scandal demonstrated that this infrastructure was used without adequate oversight for years.

Recent Developments

Intelligence Oversight Still Unresolved: No senior official was convicted from Dunhammer. Findsen charges dropped because the trial would expose classified information. TET’s expanded mandate (January 2025) still cannot issue binding decisions. The legal framework governing FE cable-tapping remains essentially unchanged since the abuses occurred.^[18]

Chat Control: Danish Presidency Compromise (October–November 2025): During its EU Council Presidency, Denmark initially revived mandatory scanning proposals for the CSA Regulation, then dropped them after German opposition, shifting to voluntary detection with mandatory age verification. Privacy advocates warn vague “risk mitigation” obligations could serve as a backdoor to mandatory scanning.^[24]

GDPR Simplification Non-Paper (July 2025): Denmark proposed removing the right to data portability (Article 20 GDPR), easing SME documentation obligations, and making the right to lodge DPA complaints conditional upon prior engagement with the controller. EDPB raised concerns about weakening data subject rights.^[25]

Social Media Under-15 Ban (November 2025): Cross-party agreement for a ban enforced via MitID national identity system, with parental opt-in from age 13. Platforms face fines up to 6% of global revenue.^[26]

Sources