Republic of Lithuania

Article 22 of the Constitution states, „The private life of an individual shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other intercommunications shall be inviolable. Information concerning the private life of an individual may be collected only upon a justified court order and in accordance with the law. The law and the court shall protect individuals from arbitrary or unlawful interference in their private or family life, and from encroachment upon their honor and dignity.”[1767]

Lithuania’s predominant data protection regulation, the Law on Legal Protection of Personal Data (the „Law”),[1768] was first passed in 1996 and has since been amended multiple times to account for both domestic and European concerns. In 1998 the law was extended to regulate privately, in addition to publicly, held computerized information.[1769] It was further amended in 2000[1770] to ensure compliance with the EU Directives on Data Protection and Telecommunications, and most recently in 2002[1771] to further bring Lithuania in line with European data protection standards.

The appearance of data protection law in Lithuania was mainly fostered by Lithuania’s political aim to become a member of the EU and, consequently, the wish to intercept Acquis Communautaire. These aims, together with many references to the EU directives, are stated in the travaux préparatoires of all six amendments to the Law. The negative side of this process is that there were no discussions about data protection in the media, no publications and no academic texts in the field before the enactment of the Law. All academic texts discussing problems of legal protection of personal data were published long after the enactment of the Law. Academic research, professional consultations as well as public awareness campaigns in the field are currently widely encouraged by the Data Protection Authority as well as academics.[1772]

Lithuania passed its first data protection law in 1996 and has since amended the law several times. Three stages in the wording of the data protection law can be distinguished. Between 1996 and 1998, the scope of its application was limited to personal data processed in the public sector, and the law did not apply to „relations regulated by other laws”[1773] and thus was just a secondary law Between 1998 and 2002, the law was extended to regulate privately-held, in addition to publicly-held, computerized information.[1774] The law was significantly altered in 2000[1775] to ensure compliance with the EU Data Protection and Telecommunications Privacy Directives. Special provisions were added to cover the processing of personal data in various sectors and for various purposes, including social security, social care, health care, scientific research, direct marketing, statistics and telecommunications. The 2002 amendments[1776] to the Law further strengthened data subjects’ rights and covered the processing of personal data for purposes of elections, referenda and citizens’ legislative initiative.

Beyond 2003, the aim of the Law has radically changed. The current law seeks „protection of an inviolability of an individual’s right to private life with regard to the processing of personal data”[1777] in comparison with previous wording of the Law which aimed at balancing individual’s interests with processor’s. Special provisions devoted to the processing of personal data in public registers, credit and solvency data were also included in the wording of the Law.

The stated purpose of the Law on Legal Protection of Personal Data is to protect the private lives of people by establishing the rights of individuals and regulations for data processors. Individuals are entitled to know about the processing of their personal data; have access to that data; familiarise themselves with the processing method; demand rectification or destruction of their personal data; and, object to the processing of their personal data. These rights are, however, contingent upon several enumerated exceptions, such as national security, law enforcement and important economic or financial interests of the state. In addition to these rights, the data subject, who has sustained damage as a result of unlawful processing of personal data or any other acts or omissions by the data controller, the data processor or any other persons in violation of the provisions of the Law shall be entitled to claim compensation for pecuniary and non-pecuniary damage caused to him. The extent of pecuniary and non-pecuniary damage shall be determined by court. Most of these rights are further detailed in the Law and most of them are contingent upon enumerated exceptions. The increase of personal complaints regarding the processing of personal data corroborates that individuals care about their informational privacy and examine their rights effectively.[1778]

Once consent from the data subject is obtained, data processors are subject to both regulations on both their means and ends. Personal data can only lawfully be processed if used for predefined purposes such as compliance with a legal obligation or as a necessary adjunct to a commercial transaction. The use must be accurate, fair and lawful and not excessive in relation to the predefined purpose. Finally, personal data can only be further disclosed under a personal data disclosure contract, specifying the purposes for which the data will be used and the conditions and procedures of its use.

As a complement to the protections described above, in 1998 the Code of Administrative Offenses[1779] was supplemented with monetary penalties for unlawful personal data processing, unlawful state information systems processing.[1780] In addition, the Law on State Registers[1781] provides further controls on the use and legitimacy of state data registers that contain personal information, and mandates that data registers may only be erased or destroyed in cooperation with the State Data Protection Inspectorate.

In order to enforce the provisions of the Law on Legal Protection of Personal Data and the Law on State Registers, the State Data Protection Inspectorate was established in 1996.[1782] It registers data controllers, supervises processing, handles appeals for denial of access to records, and approves transborder data flows. The office previously operated within the Ministry of Public Administration Reforms and Local Authorities but was granted full independence under the 2000 Act. The Inspectorate has eight staff members. As of December 2000 it had registered 695 data controllers, conducted 25 direct inspections, drafted 21 legal acts, granted ten permissions for transfers of data abroad and issued two protocols for violation of the law.[1783] The office has prepared a strategic plan for the development of data protection and measures of implementation for the years 2002-2004.[1784] The plan has three main objectives: to create a reliable and efficient data protection system in harmonization with European Union regulations; to foster an environment that respects constitutional rights to privacy; and to encourage the development of privacy enhancing technologies.

In order to supervise and monitor the implementation of the Law and the Law on State Registers, the State Data Protection Inspectorate was established.[1785] It started to function practically in 1997 and since then has attained much power to supervise and monitor the processing of personal data ex ante as well as ex post. Before data processing takes place, the data processor shall inform the Inspectorate which has the power to carry out prior checking. After processing is carried out, the Inspectorate checks its lawfulness and grants authorizations to data controllers to disclose personal data to data recipients in third countries. Other functions of the Inspectorate include examination of personal requests and complaints, assistance to data controllers and data subjects, drawing up of methodological recommendations on the protection of personal data.

There is no encouragement of self-regulation of data controllers and codes of conduct of data protection in the law, supervision of data protection is exclusively concentrated in the hands of the Inspectorate. Thus the effectiveness of data protection rests on the powers of the sole institution. Such situation creates additional burdens for the free movement of personal data and at the same time induces more power to be attributed to the Inspectorate. The last tendency could be illustrated by the newest legislative initiative to amend the Administrative code to empower the Inspectorate to issue an administrative protocol. Under the actual wording of the Administrative code, the Inspectorate is empowered to sue the infringer of the Law before an administrative court.

The Inspectorate previously operated within the Ministry of Public Administration Reforms and Local Authorities. From 2000 it is a government institution financed from the state budget. The Inspectorate is accountable to, and its regulations approved by, the government. The status of the Inspectorate is a specific one because while being under the executive power, it is competent to inspect and control the processing of personal data by legislative bodies. So far, nobody in Lithuania has disputed the competence of the Inspectorate although such discussions are likely to take place due to indistinctness of legislative and executive powers.

The Inspectorate maintains close relations with the data protection authorities in other central and eastern European countries. In December 2001, the Data Protection Commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and assistance. The Commissioners agreed to meet twice a year in the future, to provide each other with regular updates and overviews of developments in their countries, and to establish a common website for more effective communication.[1786]

Although it appears that Lithuania has implemented a comprehensive legal and governmental regime for the protection of personal data, the concepts, duties and rights conferred are still unfamiliar. Compliance with the laws, while growing, still has much room to improve. According to one report „[t]wo percent of Lithuanian hotels, seven percent of electronic shops and seventy percent of banks observe the requirements of the law.”[1787]

Government observation of and intrusion into individuals is limited by the Constitution and the law.[1788] Under a criminal procedure law, as well as a Law on Operative Activities wiretapping requires a warrant issued by the Prosecutor General or a judge. The Law on Telecommunications also contains provisions requiring Internet service providers (ISPs) to implement data retention measures for data (identificators and content) transmissions through common access telecommunications networks, and to provide them free of charge to criminal investigators and other law enforcement authorities according to the government-established procedures. Already before those data retention measures came into force of these data retention provisions (which was set for January 1, 2003), these provisions have failed to survive a constitutional challenge in a September 19, 2002 Constitutional Court decision. The Court found that such provisions are unconstitutional to the extent that they require unlimited and unpaid data retention. The Court held that only data retention measures that are necessary for ISPs’ ordinary business activities may be justified and considered reasonable. Thus ISPs are effectively entitled to decide on the scope and length of data retention, with due regard to data protection laws.

The government recently adopted a resolution that affects Internet privacy. Resolution No. 290 of March 5, 2003 „on procedures for control of harmful information and distribution of restricted information in publicly accessible computer networks” introduces data retention requirements for hosting service providers to log operations with data and content hosted on their servers and to provide them, along with the personal data of the individual and entities using the hosting services, to criminal investigators and other law enforcement authorities free of charge. The obligation to provide such data is however limited to data necessary for normal business operations, following the September 2002 Constitutional Court decision.

In practice, the boundaries of lawful surveillance are still being contended, with the emergence of new national and international case law. According to the United States Department of State Human Rights Report for the year 2001:

[I]t is assumed widely that law enforcement agencies have increased the use of a range of surveillance methods to cope with the expansion of organized crime. In July 2001, in the case of Juozas Valasinas v. Lithuania […], the European Court of Human Rights found that officials in his correctional institution were reading his correspondence without the approval of the court. During the first half of the year, the Parliament controller confirmed a violation of prisoner’s correspondence rights. Pursuant to a change in the law, since April prisoners’ complaints to courts, the Parliament controller, and human rights groups have not been censored, and censorship of their private correspondence has been subject to stricter control by prison authorities.

Local media reported that the security services monitored the activities of the nongovernmental organization Collegiate Association for the Research of the Principle, Jehovah’s Witnesses, and a visiting member of the Russian Vissarion Church.

In May, a member of the Parliament complained that a government agency had monitored his cell phone calls in 2000, when he was not yet a member of the Parliament; a printout of his calls were published in a national daily newspaper during a political dispute.[1789]

There are specific privacy protections in laws relating to telecommunications,[1790] radio communications,[1791] statistics,[1792] the population register,[1793] and health information.[1794] The Criminal Code provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves and impact on computer information. Civil laws provide for compensation for moral damage because of dissemination of unlawful or false information demeaning the honor and dignity of a person in the mass media.[1795] In February 2001, the European Court of Human Rights accepted two cases against Lithuania filed by a former prosecutor and a former tax inspector who allege that their privacy was violated when they were fired from their positions and prohibited from taking certain posts in the private sector because of their previous collaboration with the KGB.[1796]

The 1996 Law on the Provision of Information to the Public provides for a limited right of access to official documents and to documents held by political parties, political and public organizations, trade union and other entities.[1797] A more comprehensive „Law on the Right to Receive Information from the State and Municipal Institutions” was enacted on January 11, 2000.[1798] However, there are few examples of the practical application of this law.

The journalist’s right not to disclose the source of information provided in this law was recently approved in a October 21, 2002 decision of the Constitutional Court. The Court emphasized that this right shall not be enjoyed only in case there is a valid court order to disclose such information, and where such disclosure is needed for the public interest. On the other hand, in the same decision the Court approved the right to publicize private information on public figures, when such disclosure raises reasonable public interest, or does not cause any harm to the affected individual.

Lithuania is a member of the Council of Europe and in June 2001 ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1799] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1800]

*****

1767] Constitution of the Republic of Lithuania (Approved by The Citizens of the Republic of Lithuania in the Referendum on 25 October 1992 as amended by 20 March, 2003, No. IX-1379), available at http://www.litlex.lt/Litlex/Eng/Frames/Laws/Documents/CONSTITU.HTM.

[1768] The Law on Legal Protection of Personal Data (No. I-1374, 1996) (State News, 1996, No. 63-1479).

[1769] Law No.VII-662, March 12, 1998.

[1770] Law No. VIII-1852, July 17, 2000 (State News, 2000, No.64-1924).

[1771] Law No. IX-719, February 6, 2002.

[1772] e.g. Department of Legal Informatics of the Law University of Lithuania.

[1773] Law on Legal Protection of Personal Data, No. I-1374, 1996 (State News, 1996, No.63-1479).

[1774] Law on Legal Protection of Personal Data, No.VII-662, March 12, 1998. (State news, 1998, No.31-819).

[1775] Law on Legal Protection of Personal Data, No. VIII-1852, July 17, 2000 (State News, 2000, No.64-1924).

[1776] Law on Legal Protection of Personal Data, No. IX-719, February 6, 2002 (State news, 2002, No.64-1924); Law on Legal Protection of Personal Data, No.IX-970, June 20, 2002 (State news, 2002, No.68-2769).

[1777] Law on Legal Protection of Personal Data, No.IX-1296, January 21 (State news, 2003, No.15-597).

[1778] Activity Reports of State Data Protection Inspectorate of the year: 1997-2000, 2001, 2002, first quarter of the year 2003.

[1779] (State News, 1998, No.40-1065). See Data Protection Development Programme for the Year 2002-2004, II, Current Statement, available at http://www.ada.lt/en/legal.html.

[1780] See Ona Jakstaite, „Regulating Data Security in Lithuania,” Baltic IT Review.

[1781] The Law on the Public Registers (13 August 1996, No. I-1490), (State News, 1996, No.86-2043), available at http://www.ada.lt/en/docs/Ist_reg.htm.

[1782] Resolution No. 1185, „Concerning the Setting up of the State Data Protection Inspectorate,” October 10, 1996.

[1783] The State Data Protection Inspectorate, Overview of The First Four Years (1997-2000), available at http://www.ada.lt/en/activity-s.html.

[1784] The State Data Protection Inspectorate, Data Protection Development Programme for the Year 2002-2004, available at http://www.ada.lt/en/legal.html

[1785] Government of Republic of Lithuania Resolution No.1185 Concerning the Setting up of the State Data Protection Inspectorate, October 10, 1996 (State news, 1996, No.100-2293).

[1786] E-mail from Karel Neuwirt, President, Office for Personal Data Protection, Czech Republic, to Sarah Andrews, Research Director, Electronic Privacy Information Center, May 15, 2002 (on file with EPIC).

[1787] „Protection of Personal Data on the Internet Poor in Lithuania – Research,” Baltic News Service, May 16, 2002.

[1788] Law on Operative Activities, 1991.

[1789] United States Department of State, Country Reports on Human Rights Practices – Lithuania, 2001 http://www.state.gov/g/drl/rls/hrrpt/2001/eur/8287.htm.

[1790] The Law on Telecommunications, November30, 1995, No. I-1109.

[1791] Law on Radio Communication, November 7, 1995, No.I-1086, http://www.litlex.lt/Litlex/Eng/Frames/Laws/Documents/366.HTM.

[1792] The Law on Statistics, 12 October 1993, No.I-270.

[1793] Law on the Population Register, January 23, 1992, No. I-2237.

[1794] Law on the Health System, 19 July 1994, No.I-552.

[1795] United Nations Human Rights Committee, Consideration of Reports Submitted by States Parties Under Article 40 of the Covenant, Initial reports of States parties due in 1993, Addendum, Lithuania, 1996, available at http://www.hri.ca/fortherecord1997/documentation/tbodies/ccpr-c-81-add10.htm.

[1796] „Strasbourg Probing 2 Cases Of Ex-KGB Agents Vs. Lithuania,” Baltic News Service, February 8, 2001.

[1797]The Law on the Provision of Information to the Public, July 2 1996 No.I-1418 (as amended on January 23, 1997). http://www.lrtv.lt/en_lrtvm.htm.

[1798] Memorandum on the Submission of Article 19 Critique – Lithuanian Draft Law on „The Right to Receive Information” http://www.article19.org/docimages/404.doc.

[1799] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS no.: 108). Signed Feb. 11, 2000; ratified June 1, 2001; entered into force Oct. 1, 2001. http://conventions.coe.int/Treaty/EN/CadreListeTraites.htm.

[1800] Convention for the Protection of Human Rights and Fundamental Freedoms. (ETS no.: 005). Signed May 14, 1993; ratified June 20, 1995; entered into force June 20, 1995 http://conventions.coe.int/Treaty/EN/CadreListeTraites.htm.