Database

Law 2006-64 of January 2006 gives to the government the possibility to obtain data directly from Internet Services Providers (ISPs) without a court order.

In December 2013, such requirement was expanded. With the adoption of the Military Programming Law, both the security forces and intelligence services from various ministries (defense, interior, economy and budget) are allowed to see “electronic and digital communications” in “real time”. Under the law, agencies have until 48 hours after surveillance has begun to seek approval from the National Commission for the Control of Security Intercepts (CNCIS) president and can continue while awaiting his/her decision. The law came into force in January 2015.

In May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if "the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed". The ruling is therefore recognizing the so-called right to be forgotten.

France enforces the ECJ decision trough its the Commission Nationale de l'Informatique et des Libertés (CNIL). In March 2016, it fined Google €100,000 for not applying Europe’s right to be forgotten across the search engine’s global network of sites.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

France has not overturned the data retention law (French Decree No 2006-358) and, therefore, telecommunication operators, both internet and phone operators, must retain their data for one year.

A ministerial circular dated 5 April 2016 on public procurement states that it it illegal to use a non "sovereign" cloud for data produced by public (national and local) administration: all data from public administrations has to be considered as archives and therefore stored and processed in France.

Before the enactment of the Information Society Code, the operational obligations related to the protection of privacy have only concerned telecom operators, corporate subscribers and providers of value-added services. Since 2015, those obligations apply to all operators whose electronic communication services are used for exchanging confidential messages, including social media. Thus, social media companies must now ensure that users of their messaging services get the same standards of privacy and security as the ones that telecommunications companies offer.

For Finland, IP address can be regarded as personal data. It is reported that this classification could have serious implications for search engines and other electronic businesses, concerning online personalised marketing business models.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Finland, data retention laws are still in force. However, following the ECJ ruling invaliding the Data Retention Directive, the scope and the application of the Finnish Information Society Code is limited. For instance, it does not include website browsing. Moreover, small operators are not required to retain their data. The data retention period goes from six months to 12 months, according to the category of the data.

The Accounting Act requires that a copy of the accounting records in kept within Finland. Alternatively, the records can be stored in another EU country if a real-time connection to the data is garanteed.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Estonia, the national law imposing the obligation of Internet Service Providers (ISPs) and communications providers to retain data is still in place. The retention period is 12 months.

In 2011, the Danish Data Protection Agency denied the city of Odense permission to transfer “data concerning health, serious social problems, and other purely private matters” to Google Apps, citing security concerns. In its opinion, the Agency spefied that the reason behind the decision lies on the impossibility to assess whether "all of Google Inc.'s data centres in Europe are located within the EU/EEA".

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

The Danish law on data retention is still into force after the ECJ ruled the Data Retention Directive unconstitutional. However, it now does not affect session logging requirements.

Since 2011, the Danish Data Protection authority has ruled in several cases against processing of local authorities' data in third countries without using standard contractual clauses. This is the result of a strict interpretation of the European Directive 95/46/EC. Therefore, services such as Dropbox, Google Apps and Microsoft's Office 365 cannot be used by local authorities unless they have signed an agreement with the processor based on standard contractual clauses.

The basis for the Audit Act (section 45) is that financial records for governamental institutions must be stored in Denmark. This applies to both physical appendixes and digital data. This regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made on a monthly basis at a minimum. Such copy must be placed on a server in Denmark or in paper.

The basis of the Bookkeeping Act (section 12) is that financial records must be stored in Denmark or in the Nordic countries. This applies to both physical appendixes and digital data. Hence, if financial records are stored on a server physically placed outside Denmark a complete copy must be kept in Denmark.

According to the Directive 2002/58/EC, traffic and location data generated by using electronic communications services must be erased or made anonymous when no longer needed for the purpose of the transmission of a communication, except for the data necessary for billing or interconnection payments.