By Jesper Lund, IT-Pol
When the EU data retention Directive was transposed into national law after its adoption in 2006, Denmark implemented one of the most excessive transpositions into national law. Danish Internet service providers (ISPs) were required to retain session information (source and destination IP addresses, port numbers, session type e.g. TCP or UDP, and timestamp) for every 500th internet packet. In June 2014, the response of the Danish government to the data retention judgment of the Court of Justice of the European Union (CJEU) was to uphold the national data retention law, but rules on session logging were repealed. The Ministry of Justice could no longer argue for the necessity of session logging when, after seven years of collecting detailed information about internet usage for the entire population, the Danish Police could only point to a single case, involving web banking fraud on a minor scale, where this information had been useful.