Country Reports

Argentine Republic

Articles 18 and 19 of the Argentine Constitution provide (in part), “The home is inviolable as is personal correspondence and private papers; the law will determine what cases and what justifications may be relevant to their search or confiscation. The private actions of men that in no way offend order nor public morals, nor prejudice a third party, are reserved only to God’s judgment, and are free from judicial authority. No inhabitant of the Nation will be obligated to do that which is not required by law, nor be deprived of what is not prohibited.” Article 43, enacted in 1994, provides a right of habeas data: “Every person may file an action to obtain knowledge of the data about them and its purpose, whether contained in public or private registries or databases intended to provide information; and in the case of false data or discrimination, to suppress, rectify, make confidential, or update the data. The privacy of news information sources may not be affected.”[1] Habeas data is also included in the constitutions of many provinces of Argentina. Several cases of habeas data have dealt with correction of commercial information. In 1999, the Supreme Court of Argentina ruled in two important cases on the scope of habeas data. The leading case is Urteaga v. Estado Nacional.[2] There, the Supreme Court allowed an individual access to personal information about his brother, who had disappeared during the military government, presumably in an armed conflict.[3] The lower courts dismissed the action of habeas data for lack of standing. The Court of Appeals reasoned that habeas data grants access only to personal information, and the claimant was trying to access data related to a third person. However, the Supreme Court reversed. The core of the judgment indicated an expanding approach to the interpretation of habeas data, granting a wide right of access to personal information. The other case is Ganora v. Estado Nacional,[4] where the Supreme Court of Argentina established that habeas data can be used against any kind of public database. The claim was initiated by two lawyers who were defending Adolfo Scilingo, an ex-navy official who confessed his participation in crimes during the military regime. Arguing investigation and surveillance from the Government, the lawyers requested access to data in official databases about them. The district court judge and the Court of Appeals refused access, even without hearing the government’s arguments based on a national security exception. The Supreme Court of Argentina restated its holding in Urteaga and the need to interpret habeas data in light of the international and foreign legislation.[5] They cited the European Human Rights case Leander[6] and also made a reference to Nixon v. US,[7] where the U.S. Supreme Court rejected the arguments of President Nixon, who alleged a confidential privilege over information. Finally they concluded that habeas data allowed access to government databases, and that an exception based on public interest should be subject to judicial review. This case shows the expanding interpretation of habeas data by the Supreme Court of Argentina. In April 1999, the Civil Court of Appeals of Buenos Aires ruled that processing of personal information was unlawful unless the data subject has given “consent” or he has been notified. The Supreme Court is currently reviewing this case. Another case decided that credit report agencies must place limits on the duration of storage of personal information. This is the first case in Argentina to recognize the “right to forget.” In November 1998, the Senate approved a Law for the Protection of Personal Data.[8] It is in conformance with Article 43 of the Constitution and based on the E.U. Data Protection Directive. The bill covers electronic and manual records. It requires express consent before information can be collected, stored, processed, or transferred. Collection of sensitive data is given additional protections and is prohibited unless authorized by law. International transfer of personal information is prohibited to countries without adequate protection. Individuals have an express right of habeas data to access information about themselves held by government or private entities. The bill sets up an independent commission within the Ministry of Justice to enforce the law. In July 2000, the bill was approved by two committees of the House of Representatives. It is expected that the Bill will be approved by the House of Representatives at the end of 2000. Update: The House of Representatives approved the Habeas Data Bill on September 14, 2000. The Senate is now expected to approve the revised bill in the next few weeks. The U.S. Direct Marketing Association launched a lobbying effort against the bill in December 1998 urging Argentinean companies to oppose the efforts to enact the law.[9] Previously, in December 1996, the Congress approved a data protection law.[10] However, upon request of the Central Bank, the law was subsequently vetoed by the President.[11] Under the Code of Penal Procedure, “A judge may arrange, for the purposes of building a case, the intervention of telephone communications or whatever other means of communication.” The Penal Code provides penalties for publishing private communications.[12] The National Defense Law prohibits domestic surveillance by military personnel. In April 1999, the Criminal Court of Appeals in Buenos Aires recognized a right to privacy in electronic mail communications applying a section of the Penal Code related to the protection of secrets. Although the criminal provision was drafted in 1921, the Court had an open approach to the interpretation of the statute.[13] Under this case, data such as stored files and e-mail, is not to be examined by anyone else without the user’s permission. The UN Human Rights Committee in 1995 expressed concern that the judicial authorization for wiretaps was too broad.[14] In Argentina the Penal Code, dating from the year 1921, does not punish wiretapping. Several cases of wiretapping were dismissed because of the lack of a criminal statute. Two Army colonels and two non-commissioned officers were relieved of duty in May 1999 after testifying that they conducted domestic surveillance on “orders from above” to interfere with investigations into human rights abuses during the dictatorship.[15] Illegal wiretapping has been common since the transition to civilian rule. In 1990, the entire telephone switchboard of the President’s official residence was extensively bugged and a major government scandal ensued.[16] In 1996, the telephones of the Archdiocese of Formosa were found to be wiretapped.[17] Also that year, former Economy Minister Domingo Cavallo accused Interior Minister Carlos Corach of ordering the telephone bugging of a federal prosecutor.[18] In 1998, the Mayor of Buenos Aires and 1999 presidential candidate Fernando de la Rua lodged a criminal complaint against two city councilors and another party member, accusing them of tapping his family’s telephone for years and recording 3000 hours of conversation.[19] He also accused the secret police, known as SIDE, of complicity with the wiretaps.[20] The same two city councilors have been wiretapping the Prosecutor Attorney of the Criminal Chamber of Appeals in 1996. The Civil Code prohibits “that which arbitrarily interferes in another person’s life: publishing photos, divulging correspondence, mortifying another’s customs or sentiments or disturbing his privacy by whatever means.”[21] This article has been applied widely to protect the privacy of the home, private letters and a number of situations involving intrusive telephone calls, and neighbor’s intrusions into one’s private life. In 1998, the Argentine Congress enacted the Credit Card Act.[22] The object of this bill is to regulate credit card contracts between consumers and financial institutions and specifically the interest rates that banks charge to consumer credit cards. Article 53 restricts the possibility of transferring information from banks or credit card companies to credit reporting agencies.[23] There is also a specific right of access to personal data of a financial character. The Central Bank of Argentina, whose jurisdiction includes the overview of the monetary policy in the Argentine financial market has authority to regulate banks. Under that authority it created a public debtor’s database,[24] requiring financial entities and banks to collect and classify debtors within a range of risk and to send the information to the database. Under Article 8.1 of the regulation[25] the data subject (a client of a bank) has a right of access to his information and to know the reason why she was included in the database.[26] In 1996, the national government began a new crackdown on tax evaders. Measures included reviewing citizens’ credit cards, insurance, and tax records. One bill allowed citizens whose credit card records had been obtained to sue for invasion of privacy.[27] The same year, the Argentina Passport and Federal Police Identification System, developed by Raytheon E-Systems, was inaugurated at the Buenos Aires airport. The system combines personal data, color photos and fingerprints.[28] In November 1998, the City of Buenos Aires approved a law on access to information. The law gives all persons the right to ask for and to receive information held by the local authorities and creates a right of judicial review. Individuals have the right under habeas data to updating, rectification, confidentiality or suppression of information.[29] But critics say that government agencies jealously keep public records and that it is very difficult to obtain information.[30] In 1984, Argentina adopted the American Convention on Human Rights into domestic law. Since 1994, the Convention was “constitutionalized” and is used by the Argentine Supreme Court to determine domestic cases.[31]

Commonwealth of Australia

While privacy issues are now featured prominently in the daily news in Australia, the legal safeguards for personal information remain limited. Neither the Australian Federal Constitution nor the Constitutions of the six States contain any express provisions relating to privacy. There is periodic debate about the value of a Bill of Rights, but no current proposals.[32]http://www.republic.org.au/const/cconst.html The principal federal statute is the Privacy Act of 1988.[33]http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/longtitle.html It creates a set of eleven Information Privacy Principles (IPPs), based on those in the OECD Guidelines, that apply to the activities of most federal government agencies. A separate set of rules about the handling of consumer credit information, added to the law in 1989, applies to all private and public sector organizations. The third area of coverage is the use of the government issued Tax File Number (TFN), where the entire community is subject to Guidelines issued by the Privacy Commissioner, which take effect as subordinate legislation. The origins of the Privacy Act were the protests in the mid-1980s against the Australia Card scheme – a proposal for a universal national identity card and number. The controversial proposal was dropped, but use of the tax file number was enhanced to match income from different sources with the Privacy Act providing some safeguards. The use of the tax file number has been further extended by law to include benefits administration as well as taxation. Some controls over this matching activity were introduced in 1990.[34] After several policy reversals, the re-elected conservative government introduced legislation to extend privacy protection to the private sector in April 2000. The Privacy Amendment (Private Sector) Bill 2000 applies a set of National Privacy Principles developed by the Privacy Commissioner during 1997 and 1998, originally as a self-regulatory substitute for legislation. The National Principles impose a lower standard of protection in several areas than the EU Directive. For example, organizations are required to obtain consent from customers for secondary use of their personal information for marketing purposes where it is “practicable”; otherwise, they can initiate direct marketing contact, providing they give the individual the choice to opt out of further communications. Controls on the transfer of personal information overseas are also limited, requiring only that organizations take “reasonable steps” to ensure personal information will be protected, or “reasonably believes” that the information will be subject to similar protection as applied in the Australian law. Nevertheless, the Bill includes an innovative principle of anonymity. Principle 8 states that: “Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with an organisation.” The Government has described the Bill as a “light touch legislative regime” which establishes a minimum standard of privacy protection which can be substituted by approved industry codes, which must meet at least the minimum standards in the National Principles. The Bill attracted controversy and widespread debate, with privacy and consumer groups and some business groups expressing concern at its failure to meet international standards of privacy protection. For example, it appeared that the Bill would have a limited effect on the massive database being built by Acxiom Australia, a joint business of U.S.-based Acxiom and PBL, the media conglomerate owned by Australia’s richest man, Kerry Packer. When details of the Acxiom database became public in late 1999, a storm of protect ensued, with concerns heightened by the appointment of Andrew Robb as CEO of Acxiom. Robb was previously the Federal Director of the Liberal Party and was widely credited as playing a major role in the electoral success of the Liberals in the late 1990s with the use of sophisticated campaign techniques. The Bill provided broad exemptions for employment-related use of employee records; small businesses (under $A3m annual turnover) that do not disclose personal information for a benefit; and media organizations, broadly defined to include organizations which provide information to the public and political parties. The Bill was also criticized for weaknesses in its enforcement regime, including allowing privacy complaints to be handled by an industry-appointed code authority with limited oversight by the Privacy Commissioner. The House of Representative Legal and Constitutional Affairs Committee conducted an inquiry into the Bill and released its report in June 2000.[35] The Committee, the majority of which consisted of government members, acknowledged many of the criticisms and made 23 recommendations for amendments. The legislation is expected to reach the Senate, where government members are in a minority and opposition parties have indicated their plan to strengthen the legislation, by late 2000. Public sector privacy issues continue to raise concerns. As part of reforms to the Australian tax system from July 2000, the Australian Taxation Office required all enterprises to obtain an Australian Business Number. The ATO collected registration details including address and email contact, and planned to make this available to the public through the Australian Business Register and through selling it to database companies. A storm of protest occurred in June 2000 when it was realized that the register would include the home address and other details of almost 2 million individuals, who were sole traders, contractors or even had just a minor income from a hobby or some other activity. The Government agreed to amend the legislation, limit the content of the Australian Business Register and allow individuals to suppress their details. At the same time, the Government was forced into another backdown after receiving legal advice that the Australian Electoral Commission had illegally disclosed information on around 10 million registered Australian voters, after the Prime Minister had asked for this information in order to conduct a targeted direct mailing campaign outlining the benefits of the tax reform package. The Office of Privacy Commissioner[36]http://www.aph.gov.au/house/committee/laca/PrivacyBill/contents.htm>. has a wide range of functions, including handling complaints, auditing compliance, promoting community awareness, and advising the government and others on privacy matters. The Commissioner’s office, which was initially well funded, suffered major budget cutbacks in 1997, at the same time as the Commissioner’s range of responsibilities under several laws and in response to government requests was expanding. In the period of 1998-99, the Commissioners Office received 8,980 calls, of which 3,142 or 35 percent related to matters falling within the Privacy Commissioner’s jurisdiction. Of the remaining calls, 3,212 related to privacy issues outside of the scope of the Privacy Act. Some 718 written inquiries were received, of which 131 were formally investigated as complaints. Ninety-one complaints were closed and 11 audits conducted.[37] The Commissioner released a strategic plan in 2000 outlining his office’s role under forthcoming private sector legislation. Guidelines were also released for employee use of email and for government websites. The Commissioner also released a report on the application of the National Privacy Principles to personal health information in December 1999, proposing modifications to the National Privacy Principles to take account of specific issues relating to the handling of health care information. These suggestions were largely implemented in the Bill released in April 2000. The Telecommunications (Interception) Act of 1979[38]<http://www.privacy.gov.au/pdf/99annrep.pdf>. http://www.austlii.edu.au/au/legis/cth/consol_act/ta1979350/ regulates the interception of telecommunications. A warrant is required under the Act, which also provides for detailed monitoring and reporting, but in 1997 the authority for issuing warrants was extended from federal court judges to designated members of the Administrative Appeals Tribunal, who are on term appointments rather than tenured. Significant loopholes exist within the legislation, such as section 6(2) which some experts argue allows the recording and monitoring of communications in specific circumstances such as when the equipment is provided by a telecommunications carrier. The Interception Act safeguards also need to be read alongside Part 15 of the Telecommunications Act of 1997, which places obligations on telecommunications providers to provide an interception capability and to positively assist law enforcement agencies with interception. In November 1999, the Australian Security Intelligence Organisation Legislation Amendment Act 1999 was passed by the Commonwealth Parliament. The Act gives ASIO new powers to access e-mails and data inside computers, use tracking devices on vehicles, obtain tax and cash transaction information and intercept mail items carried by couriers. ASIO is authorized to modify private computer files as long as there is reasonable cause to believe that it is relevant to a security matter.[39]“ The Parliament approved the Telecommunications (Interception) Legislation Amendment Bill 2000 on June 7, 2000. The legislation will allow for the issuing of “named person” warrants based on a name of person only, not specifying the location of the tap to allow for the interception of multiple services without a new warrant. The bill also expands the use of wiretap information in other proceedings. Intelligence agencies can get a “foreign communications warrant” to “enable ASIO, operating ‘within Australia,’ to intercept communications ‘sent or received outside Australia’ for the purposes of collecting foreign intelligence.” Taps increased substantially in the last year reported. In 1998-1999, there were 1,284 warrants issued, up from 675 warrants issued in the year 1997-1998.[40] This excludes an undisclosed number of interception warrants issued to the Australian Security Intelligence Organisation by the Attorney General. The Crimes Act[41]http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s85zl.html also contains a range of other privacy related measures, such as offenses relating to unauthorized access to computers, unauthorized interception of mail and telecommunications and the unauthorized disclosure of Commonwealth government information.[42] It also contains provisions relating to “spent” convictions, allowing individuals convicted of minor offenses to lawfully “deny” them in most circumstances after a period of time. A mix of privacy standards apply to the telecommunications sector. Part 13 of the Telecommunications Act of 1997[43] contains a general prohibition on the disclosure of telecommunications-related personal information. However, this principle contains a detailed list of exceptions.[44]http://www.austlii.edu.au/au/legis/cth/consol_act/dpata1990349/ The telecommunications industry is regulated through voluntary codes of practice which are developed by the Australian Communication Industry Forum (ACIF), but, once they are registered by the Australian Communications Authority (ACA), the Authority can direct a company to comply with certain provisions of a code. Early in 2000 the ACA registered the Code of Practice for the Protection of the Personal Information of Customers of Telecommunications Providers[45]http://www.aca.gov.au/codes/abtem8.htm and Code of Practice on Calling Number Display.[46]http://www.aca.gov.au/codes/abtem9.htm During 2000, Commonwealth and State governments have announced plans to move towards unique patient identifiers in the health sector, likely to be centered around a health smart card. Health services are primarily delivered by the public sector in Australia, with only around a third of the population having private health insurance. The responsibility for delivery of health services is shared between the Commonwealth Government, which is responsible for much of the funding of the health system, and the States, which operate hospitals and community health services. The Commonwealth’s proposal, HealthConnect, is intended as a voluntary national health information network under which health-related information about an individual would be collected in a standard, electronic format at the point of care.[47]http://www.health.gov.au/healthonline/connect.htm The New South Wales Government established a committee to review health privacy issues, which is intended to report at the end of 2000. The Victorian Government released a draft Health Records Bill in mid-2000.[48] The Australian States and Territories have varying privacy laws. The New South Wales Privacy and Personal Information Protection Act of 1998 recently came into effect. It is based on a set of OECD-style Information Protection Principles and requires all government departments and agencies to develop a Privacy Management Plan demonstrating their compliance plans. It also allows government agencies to weaken the Information Protection Principles which form the foundation of the legislation.[49]http://www.dhs.vic.gov.au/ahs/healthrecords In Victoria, an information privacy bill was introduced in May 2000 and is expected to be enacted later in the year.[50] It covers the public sector with principles similar to the National Privacy Principles. The Australian Capital Territory (ACT) enacted a health privacy law in 1997,[51] and the Queensland government has committed to implement the April 1998 recommendation of a Parliamentary Committee for a public sector privacy law,[52] but with no timetable yet announced. Specific privacy provisions are also found in many State laws dealing with such diverse matters as health, adoption, drug controls and registration of births, deaths and marriages. Most States and Territories also have laws relating to listening devices, although these are generally recognized as being badly in need of updating to cope with new technologies.[53]http://www.lawlink.nsw.gov.au/lrc.nsf/pages/IP12TOC The federal Freedom of Information Act of 1982[54] provides for access to government records. The Commonwealth Ombudsman promotes the Act and handles complaints about procedural failures. Merits review (appeal) of adverse FOI decisions is provided by the Administrative Appeals Tribunal, with the possibility of further appeals on points of law to the Federal Court. Budget cuts have severely restricted the capacity of the AGs Department and Ombudsman to support the Act and there is now little central direction, guidance or monitoring. All of the States and the ACT (but not the Northern Territory) also have Freedom of Information laws which include rights for individuals to access and correct personal information about themselves.[55]

Republic of Austria

The Austrian Constitution does not explicitly recognize the right of privacy.[56] Some sections of the data protection law (Datenschutzgesetz – DSG) have constitutional status. These rights may only be restricted under the conditions of Article 8 of the European Convention of Human Rights (ECHR). The entire ECHR has constitutional status and Article 8 is often cited by the constitutional court in privacy matters. A new data protection bill (Datenschutzgesetz 2000)[57] which incorporates the EU Directive into Austrian law was approved in December 1999 and went into force in January 2000. However, experts criticize the new bill as being inadequate because it retains the cumbersome structure of the original 1978 Act[58] rather than replacing it.[59] The Act is enforced by the Data Protection Commission. The Commission reports that there are 100,000 Data Controllers registered. It also handles around 85 formal complaints and 1,200 informal requests each year. The Commission has 21 staff members (six legal professionals, two IT experts and 13 support staff). Wiretapping, electronic eavesdropping and computer searches are regulated by the code of criminal procedure.[60] Telephone wiretapping is permitted if it is needed for investigating a crime punishable by more than one year in prison. Electronic eavesdropping and computer searches are allowed if they are needed to investigate criminal organizations or crimes punishable by more than ten years in prison. The provision concerning electronic eavesdropping and computer searches became effective between October 1, 1997, and July 1, 1998. Due to long and intensive discussion, the provisions are in effect only until December 31, 2001. Criticism of the drafts for this law has led to a number of restrictions, but whether or not these provisions can effectively prevent eavesdropping on innocent persons remains unresolved. There are also a number of specific laws relating to privacy. The telecommunication law contains special data protection provisions for telecommunication systems, particularly problems like phone directories, unsolicited calls or ISDN calling line identification.[61] The Genetic Engineering Act of 1994 requires prior written consent for information to be used for purposes other than the original purpose. Austrians can have an anonymous “Sparbuch” bank account. The Financial Action Task Force, an anti-money laundering group coordinated by the OECD, has been pressuring Austria to change its laws to require that each account be personally identified.[62] In June 2000, the First Chamber of the Parliament approved legislation to identify anyone who withdraws or deposits from an account by 2002.[63] The Auskunftspflichtgesetz is a Freedom of Information law that obliges federal authorities to answer questions regarding their areas of responsibility.[64] However, it does not permit citizens to access documents, just to receive answers from the government on the content of information. The nine Austrian Provinces have laws that place similar obligations on their authorities. Austria is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[65] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[66] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Kingdom of Belgium

The Belgian Constitution recognizes the right of privacy and private communications.[67] Article 22 states, “Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. . . . The laws, decrees, and rulings alluded to in Article 134 guarantee the protection of this right.” Article 29 states, “The confidentiality of letters is inviolable. . . . The law determines which nominated representatives can violate the confidentiality of letters entrusted to the postal service.” Article 22 was added to the Belgian Constitution in 1994. Prior to the constitutional amendment, the Cour de Cassation ruled that Article 8 of the European Convention applied directly to the law and prohibited government infringement on the private life of individuals.[68] The processing and use of personal information is governed by the Data Protection Act of 1992. Amending legislation to update this Act and make it consistent with the EU Directive was approved by the Parliament in December 1998.[69] A Royal Decree to implement the Act was approved in July 2000. There was concern among independent experts that the amended Act may not be fully consistent with the Directive, especially in areas relating to government files. The Decree may remedy some of the defects of the Act, including reducing exceptions in favor of the social security institutions. In September 1998, the state security office announced that it was “cleaning” the files on 570,000 individuals that it had been collecting since 1944 to bring the files into compliance with the 1992 law.[70] In 1995, the Belgian Government admitted spying on the peace and environmental movements.[71] The Commission de la Protection de la Vie Privée oversees the law.[72] The Commission investigates complaints, issues opinions and maintains the registry of personal files. In 1999, the Commission answered approximately 6,000 complaints and requests for information. According to the Commission, this number is much larger than in previous years as now it is its policy to answer all complaints rather than only those which were “formally” filed. It is currently handling about 1,000 formal investigations.[73] The commission has also issued a number of recommendations relating to workplace privacy, and video surveillance.[74] Under the old law, there were 24,000 processings registered. As of July 2000, there are 21 permanent members on the staff. Surveillance of communications is regulated under a 1994 law.[75] Prior to its enactment, there was no specific law. The law requires permission of a juge d’instruction before wiretapping can take place. Orders are limited to a period of one month. There were 114 orders issued in 1996.[76] The law was amended in 1997 to remove restrictions on encryption.[77] The Parliament also amended the law in 1998 to require greater assistance from telecommunications carriers.[78] In spring 2000, the Chamber of Deputies of the Belgian Parliament approved a bill on computer-related crime.[79] The bill would amend the Criminal Procedure Code, adding a paragraph giving the Juge d’Instruction the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages which have been intercepted. The experts, network managers, etc. could not refuse providing cooperation; criminal sanctions would be possible in cases of refusal. The bill would also require that Internet Service Providers retain records for law enforcement purposes. The Bill is currently being debated in the Senate. In December 1999 the Commission de la Protection de la Vie Privée issued an opinion on the bill, in which it raised serious concerns about it’s potential impact on the privacy of personal data. It recommended certain amendments to the Bill including the establishment of a “police monitoring system,” which would report back to the Commission, and a three year review provision.[80] There are also laws relating to consumer credit,[81] social security,[82] electoral rolls,[83] the national ID number,[84] professional secrets,[85] and employee rights.[86] There are Freedom of Information laws on the right of access to administrative documents on the national[87] and local and regional levels.[88] Each jurisdiction has a Commission d’accès aux documents administratifs which oversees the act. Belgium is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[89] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[90] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Federative Republic of Brazil

Article 5 of the 1988 Constitution of Brazil provides, in part: “the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from the violation thereof is ensured; . . . the home is the inviolable asylum of the individual, and no one may enter it without the dweller’s consent, save in the case of ‘in flagrante delicto’ or disaster, or to give help, or, during the day, by court order; . . . the secrecy of correspondence and of telegraphic, data and telephone communications is inviolable, except, in the latter case, by court order, in the events and in the manner established by the law for purposes of criminal investigation or criminal procedural discovery; . . . access to information is ensured to everyone and confidentiality of the source is protected whenever necessary for the professional activity.”[91] A bill promoting the privacy of personal data in conformance with the OECD guidelines, to affect both public and private sector databases, was proposed in the Senate in 1996 and has yet to be voted on. The bill provides that, “No personal data nor information shall be disclosed, communicated, or transmitted for purposes different than those that led to structuring such data registry or database, without express authorization of the owner, except in case of a court order, and for purposes of a criminal investigation or legal proceedings . . . It is forbidden to gather, register, archive, process, and transmit personal data referring to: ethnic origin, political or religious beliefs, physical or mental health, sexual life, police or penal records, family issues, except family relationship, civil status, and marriage system . . . Every citizen is entitled to, without any charge; access to his/her personal data, stored in data registries or databases, and correct, supplement, or eliminate such data, and be informed by data registry or database managers of the existence of data regarding his/her person.”[92] It is widely expected that the law will move forward following the approval of legislation in neighboring countries such as Argentina and Chile. The 1990 Code of Consumer Protection and Defense[93] allows all consumers to “access any information derived from personal and consumer data stored in files, archives, registries, and databases, as well as to access their respective sources. Consumer files and data shall be objective, clear, true, and written in a manner easily understood, and shall not contain derogatory information for a period over five years. Whenever consumers find incorrect data and files concerning their person, they are entitled to require immediate correction, and the archivist shall communicate the due alterations to the incorrect information within five days. Consumer databases and registries, credit protection services, and similar institutions are considered entities of public nature. Once the consumer has settled his/her debts, Credit Protection Services shall not provide any information which may prevent or hinder further access to credit for this consumer.” The Informatics Law of 1984[94] protects the confidentiality of stored, processed and disclosed data, and the privacy and security of physical, legal, public, and private entities. Citizens are entitled to access and correct their personal information in private or public databases. Individuals have a constitutional right of Habeas Data to access information about themselves held by public agencies which has been adopted into law.[95] In 1996, a law regulating wiretapping was enacted.[96] Official wiretaps are permitted for 15 days, renewable on a judge’s order for another 15 days, and can only be resorted to in cases where police suspect serious crimes punishable by imprisonment, such as drug smuggling, corruption, contraband smuggling, murder and kidnapping. The granting of judicial eavesdropping permits by judges was previously an ad hoc process without any legal basis.[97] Illegal wiretapping by police and intelligence agencies is still ongoing. The Agencia Brasileira de Informacoes (Abin) was suspected of wiretapping President Cardoso after tapes of his conversations were leaked to the press in May 1999.[98] Several ministers resigned in 1998 after tapes of wiretapped conversation involving the Brazilian Development Bank were disclosed in what was called the “Telegate scandal.” In 1992, amid a scandal that toppled President Fernando Collor de Mello, it was discovered that Vice President Itamar Franco’s phones at his official residence in Brasilia and in a Rio de Janeiro hotel room had been tapped.[99] In 1996, Abin was put under military control with the task of evaluating the background of people appointed to government posts. According to the new director, “every instrument authorized by the courts will be used to keep the president well informed, including wiretapping of phones, opening of personal mail, and infiltration of Abin agents into social movements such as the Landless Peasant’s Movement (Movimento sem Terra).” Abin is the central body of an intelligence system that is spread out through federal, state, municipal and even private organizations. The intelligence system operates under the name of Sisbin (Brazilian Intelligence System).[100] The Agency’s guidelines prevent it from performing police operations, and require it to obtain a judicial order to perform wiretaps.[101] A computer crimes act was approved in July 2000. A candidate for mayor of São Paulo, Celso Pitta, discovered wiretaps on two of his telephone lines in 1996.[102] A man with AIDS charged the city of Morretes, Paraná of discrimination and invasion of privacy after a city government proclamation identifying him and his HIV status was posted in public buildings.[103] Brazil signed the American Convention on Human Rights on September 25, 1992.

Republic of Bulgaria

The Bulgarian Constitution of 1991 recognizes rights of privacy, secrecy of communications and access to information. Article 32 states, “(1) The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law.” Article 33 states, “(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant’s consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities’ permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity.” Article 34 states, “(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime.” Article 41 states, “(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others.”[104] There are currently efforts to enact comprehensive data protection legislation in Bulgaria. In 1996, the government began developing data protection legislation in preparation for integration into the EU Internal Market under the Treaty for Association of Bulgaria to the EU. Data protection is also a key element of the information legislation which is a priority in the National Assembly’s legislative activities. The draft Personal Data Protection Act closely follows the EU Data Protection Directive. It sets rules on the fair and responsible handling of personal information by the public and private sector. Entities collecting personal information must do the following: inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is securely held and cannot be tampered with, stolen or improperly used; and limit the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances. The draft law creates a the State Commission for the Protection of Personal Data to oversee the act. The European Commission stated in 1997 that “considerable efforts are still needed to adopt and implement measures to meet Community requirements on data protection.”[105] Electronic surveillance used in criminal investigations is regulated by the criminal code and requires a court order.[106] The Telecommunications Law also requires that agencies must ensure the secrecy of communications.[107] The 1997 Special Surveillance Means Act regulates the use of surveillance techniques by the Interior Ministry for investigating crime but also for loosely defined national security reasons. A court order is generally required but in cases of emergency, an order from the Interior Minister is sufficient.[108] The U.S. State Department in its 1999 human rights report said, “One nongovernmental organization (NGO) complained that the Minister of Interior’s discretionary authority to authorize telephone wiretaps without judicial review is excessive, although it is unknown to what extent this authority is employed. It is also alleged that warrants to investigate suspects’ private financial records sometimes are abused to give police broad and openended authority to engage in far-ranging investigations of a suspect’s family and associates. There are regular, albeit not conclusive or systematic, reports of mail, especially foreign mail, being delayed and/or opened.”[109] In August 2000, listening devices were found in the apartment of the Prosecutor General Nikola Filchev and several politicians. Filchev blamed the bugs on the Interior Ministry’s Criminal Intelligence Service (CIS) and a Parliamentary session was held after 53 Democratic Left Parliamentarians demanded a hearing.[110] The head of the National Security Service, Col. Yuli Georgiev, resigned in February 1997 after allegations of wiretapping politicians.[111] Bulgaria’s military prosecutor filed a suit in December 1996 against an unidentified state official for illegally bugging telephones at the offices of the main opposition, Union of Democratic Forces (UDF), including those of president-elect Petar Stoyanov.[112] In December 1998, the Bulgarian Committee for Post and Telecommunications issued an executive decree to license Internet Service Providers. The decree gave governmental employees the authorization to enter ISPs’ offices at any time and obtain any documentation, including user names and passwords, as well as other private information.[113] The decision was extensively crticized by Internet users, service providers and others, including German Chancellor Shroeder who said that licensing was not appropriate. The Bulgarian Internet Society (ISOC) chapter filed a case at the Supreme Administrative Court to stop the decree in January 1999.[114] The Court ordered a temporary restraint of the decree on June 17, 1999. In November 1999, the Bulgarian Prime Minister ordered the Minister of Telecommunications to negotiate an out of court agreement with ISOC. A few weeks later, the decree was changed, and the ISPs were removed from the licensing requirements and placed in the “free regime” category. There are additional provisions relating to privacy in laws such as the Statistics Law, Tax Administration Law, Insurance Law,[115] and Social Assistance Law.[116] The Radio and Television Act sets limits[117] on broadcasting of personal information. In conjunction with the preparation of the Law on Protection of Citizens’ Personal Data, analyses of Bulgarian legal acts related to personal data of individuals are planned. Proposals of reforms and supplements in the relevant acts also can be made, if necessary. The Law for Access to Information to provide access to government records was enacted in June 2000 and went into force in July.[118] The law allows for access to records except in cases of state security or personal privacy. Minor fines are anticipated against officials who unlawfully withhold documents.[119] The Bulgarian National Bank announced in July 1999 that it would be the first state institution to open up its archive of documents from the Communist era, starting in September.[120] The 1997 Access to Documents of the Former State Security Service Act regulates the access, proceedings of disclosure and use of information kept in the documents of the former State Security Service. Bulgaria is a member of the Council of Europe and has signed but not ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[121] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[122]

Canada

There is no explicit right to privacy in Canada’s Constitution and Charter of Rights and Freedoms.[123] However, in interpreting Section 8 of the Charter, which grants the right to be secure against unreasonable search or seizure, Canada’s courts have recognized an individual’s right to a reasonable expectation of privacy.[124] Senator Sheila Finestone proposed a “Charter of Privacy Rights” in March 2000.[125] The Charter would create a broad constitutional right of privacy for all Canadians in all spheres and prevail over acts of Parliament. According to Senator Finestone: Under the bill, every individual would be given the right to privacy. This right would include, but not be limited to, personal privacy, which includes physical and psychological privacy; privacy of space, which includes freedom from surveillance; privacy of communication, which includes freedom from monitoring and interception; privacy of information, which includes freedom from collection, use and disclosure of their personal information by others. Any interference with an individual’s privacy would be an infringement of the individuals right to privacy unless the interference is reasonably justified and unless it is impossible or inappropriate to do so, the individual’s informed consent has been obtained. A four-part test is required to determine if interferences are reasonably justified. The only permissible interferences would be: 1) where lawful; 2) where necessary to achieve a compelling societal interest that warrant’s limiting an individual’s privacy; 3) where no other lesser measure will accomplish this objective; and 4) where both the importance of the objective and the beneficial effects of the interference outweigh the privacy loss. The Federal Parliament approved Bill C-6, the Personal Information Protection and Electronic Documents Act in April 2000.[126] The Act adopts the CSA International Privacy Code (a national standard: CAN/CSA-Q830-96) into law for enterprises that process personal information “in the course of a commercial activity,” and for federally regulated employers with respect to their employees. It does not apply to information collected for personal, journalistic, artistic, literary, or non-commercial purposes. The law will go into effect for companies that are under federal regulation, such as banks, telecommunications, transportation and businesses that trade data interprovincially and internationally in January 2001, except with respect to medical records, which are exempted from the new law until 2002 (most medical records, however, fall under provincial jurisdiction). In three years, the Act will cover provincially regulated sectors unless the province enacts “substantially similar” laws, such as Quebéc’s law. The scope of the act is still limited. As noted by the federal Privacy Commissioner Bruce Phillips, “it is by no means the whole answer. Still missing is an adequate legal regime covering such things as video surveillance, physical privacy, biomedical privacy, drug and DNA testing, to mention a few.” The European Commission said in July 2000 that it would begin a review of the Canadian law to determine that it provides adequate protection to allow for transborder data flows.[127] The federal Privacy Act[128] provides individuals with a right of access to personal information held by the federal public sector. In addition, the Privacy Act contains provisions regulating the confidentiality, collection, correction, disclosure, retention and use of personal information. Individuals may request records directly from the institution that has the custody of the information. The Act establishes a code of fair information practices that apply to government handling of personal records. However, its provisions can be ignored when another federal Act allows for the processing of personal information. Individuals can appeal to a federal court for review if access to their records is denied by an agency, but are not authorized to challenge the collection, use or disclosure of information. In the Fall of 1998, the Commissioner asked a court to review the matching of the Customs declarations of returning travelers against the Employment Insurance database. The Federal Privacy Commissioner asked the court to decide whether the Customs Act overrides the government’s obligation in the Privacy Act to use personal information only for the purpose for which it is collected unless the individual consents. In February 1999, the court ruled that the matching could not be conducted without ministerial approval and the program was suspended. This was overturned by the Court of Appeals and the Privacy Commissioner has appealed the case to the Supreme Court. The Privacy Commissioner finished an extensive review of the Act in 1999 and has recommended over 100 changes to the law to improve and update it including giving it primary authority over all information collecting by the federal government, extending its coverage beyond “recorded” information, increasing notices of disclosures, expanding court reviews, creating rules on data matching, controlling “publicly available” information and expanding the mandate of the Privacy Commissioner.[129] Both the Personal Information Protection and Electronic Documents Act and the Privacy Act are overseen by the independent Privacy Commissioner of Canada.[130] Under the Privacy Act, the Commissioner has the power to investigate, mediate and make recommendations, but cannot issue binding orders. The office received 1,584 complaints in 1999-2000, down from 3,105 in 1998-1999 and completed 1,399 complaint investigations in 1999-2000.[131] In ten years, the Office has received 15,526 complaints. The Office also received 11,256 calls and letters in 1999-2000. The commission has received 82,422 inquiries in ten years. The Commissioner can initiate a Federal Court review in limited circumstances relating to denial of access to records. In May 2000, the Commissioner called for an update of the Federal Privacy Act and expressed concern about the misuse of the Social Insurance Number, health privacy and the release of census records. The Commissioner’s 1999-2000 report revealed the existence of a government database called the Longitudinal Labour Force File, managed by Human Resources Development Canada, which contained over 2,000 pieces of information on each Canadian. The information was gleaned from other government data banks and includes details from tax returns, child tax benefit files, provincial and municipal welfare files, federal jobs, job training and employment programs and services, employment insurance files and the social insurance master file. HRDC announced on May 29, 2000 that it was dismantling the Longitudinal Labour Force File and said it was scrapping the software that allowed sharing with other agencies and returning information following a public outcry.[132] Privacy legislation covering government bodies exists in almost all provinces and territories.[133] In the province of Québec, the Charter of Rights specifically mentions the right to privacy and the law regulates the collection and use of personal information held by private sector businesses operating in the province of Québec.[134] This law sets rules for the collection, confidentiality, correction, disclosure, retention and use of personal information by these businesses. It also provides individuals with a right of access and correction. Nearly every province has some sort of oversight body, but their powers vary. The Québec Commission d’accès à l’information has broad powers over the public and private sectors. The Information and Privacy Commissioners of British Columbia and Ontario have been very active in promoting privacy through their oversight powers of public bodies and public education efforts. A number of provinces are now looking into adopting privacy legislation based on the Personal Information Protection and Electronic Documents Act. Part VI of Canada’s Criminal Code makes the unlawful interception of private communications a criminal offense.[135] Police are required to obtain a court order. In 1998, there were 157 orders for warrants under the Criminal Code, a decrease from 187 in 1997, 281 in 1996 and 266 in 1995.[136] Amendments to the Radiocommunication Act[137] also forbid the divulgence of intercepted radio-based telephone communications. The Canadian Security Intelligence Service Act[138] authorizes the interception of communications for national security reasons. A federal court in Ottawa ruled in 1997 that the Canadian Security Intelligence Service was required to obtain a warrant in all cases.[139] In October 1998, Industry Minister John Manley announced a new liberal government policy for encryption that allows for broad development, use and dissemination of encryption products.[140] Other federal legislation also has provisions related to privacy. The Telecommunications Act[141] has provisions to protect the privacy of individuals, including the regulation of unsolicited communications. Also, the Bank Act,[142] Insurance Companies Act,[143] and Trust and Loan Companies Act[144] permit regulations to be made governing the use of information provided by customers. There are sectoral laws for pensions,[145] video surveillance,[146] immigration,[147] and Social Security.[148] The Young Offenders Act[149] regulates what information can be disclosed about offenders under the age of eighteen while the Corrections and Conditional Release Act[150] speaks to what information can be disclosed to victims and victims’ families. In addition, most provinces have some form of legislation protecting consumer credit information. However, the vast majority of information collected by the private sector is on the provincial level and is not currently protected by any provincial laws. A poll in April 1999 found that 88 percent of people said the government should “not allow banks to use information about their customer’s bank accounts and other investments to try to sell customers insurance.”[151] Identity issues are currently under debate in Canada. There is great concern about the use of the Social Insurance Number (SIN) by the private sector and identity theft. A Parliamentary committee recommended in May 1999 that an Act setting out limitations on the use of the SIN be developed and that agencies use of the SIN should be documented.[152] Human Resources Development Canada released it recommendations in November 1999 recommending that the SIN not become a national client identifier because of “severe privacy concerns” and costs but it also recommending against new laws to prevent its use and expanding access to the Social Insurance Register by users of the SIN to prevent fraud.[153] The Committee was critical of these recommendations.[154] Québec considered creating a mandatory ID card but dropped the idea in 1998. In April 1999, it hired DMR Consulting Group to examine the possibility of creating a central database of all government records on residents.[155] In Toronto, a system to fingerprint all welfare recipients was dropped in March 1999 after Citibank, the contractor, was unable to create a working system.[156] The Ontario government continues to discuss a smart card system for all citizens to access government services. The UN Human Rights Commission was critical of the increasing use of fingerprinting in Canada and recommended in April 1999 “that Canada take steps to ensure the elimination of increasingly intrusive measures which affected the right of privacy of people relying on social assistance, including identification techniques such as fingerprinting and retinal scanning.”[157] The federal Access to Information Act[158] provides individuals with a right of access to information held by the federal public sector. The Act gives Canadians and other individuals and corporations present in Canada the right to apply for and obtain copies of federal government records. “Records” include letters, memos, reports, photographs, films, microforms, plans, drawings, diagrams, maps, sound and video recordings, and machine-readable or computer files. About 12,000 requests are made annually for government records.[159] The Act is overseen by the Office of the Information Commissioner of Canada.[160] The Commissioner can investigate and issue recommendations but does not have power to issue binding orders. The Office handed 1,670 complaints in 1998-99. It also released report cards on several agencies and issued seven subpoenas to government officials. The Canadian Federal Court has ruled that government has an obligation to answer all access requests regardless of the perceived motives of the requesters. Similarly, the commissioner must investigate all complaints even if the government seeks to block him from so doing on the grounds that the complaints are made for an improper purpose. Each of the provinces also has a Freedom of Information law.[161] A new coalition formed in March 2000 to promote freedom of information in Canada.[162]

Republic of Chile

Article 19 of Chile’s Constitution secures for all persons: “Respect and protection for public and private life, the honor of a person and his family. The inviolability of the home and of all forms of private communication. The home may be invaded and private communications and documents intercepted, opened, or inspected only in cases and manners determined by law.”[163] Recently, Chile become the first Latin American country to enact a data protection law. The Act No. 19628, titled “Law for the protection of Private Life,”[164] came into force on October 28, 1999. The law has 24 articles, covering processing and use of personal data in the public and the private sector and the rights of individuals (to access, correction, and judicial control). The law contains a chapter dedicated to the use of financial, commercial and banking data, and specific rules addressing the use of information by government agencies. The law includes fines and damages for the unlawful denial of access and correction rights. Only databanks in the government must be registered. There is no data protection authority, and enforcement of the law is done individually by each affected person. There is no case law yet interpreting the law. Another deficiency is that the law does not contain restrictions on transfers to third countries. Chile’s transition to democratic rule in 1990 did not eliminate personal privacy violations by government agencies. The Investigations Police – a plainclothes civilian agency that functions in close collaboration with the International Criminal Police Organization (Interpol) and with the intelligence services of the army, navy, and air force – keeps records of all adult citizens and foreign residents and issues identification cards that must be carried at all times.[165] The personal data compiled during military rule was never destroyed. In January 1998, former dictator Gen. Augusto Pinochet threatened to use “compromising information” from secret military intelligence files against those who were trying to keep him from becoming a Senator for Life, a position which would provide immunity from civil suits and public accountability for crimes which took place during his dictatorship.[166] Under current law, the voter registration list is publicly disclosed and used for direct marketing purposes. In 1999, the UN Human Rights Committee criticized the requirement that hospitals report all women who receive abortions.[167] A 1995 law bars the collection of information by undisclosed taping, telephone intercepts, and other surreptitious means, and bars the dissemination of such information, except by judicial order in narcotics-related cases.[168] In August 1996, the head of the Direccion de Inteligencia Policial (Dipolcar), the police intelligence service, was charged with authorizing a surveillance operation against the defense ministry official responsible for Carabineros, the militarized national police force. His resignation in disgrace allowed a greater role for the civilian security police, Investigaciones, in anti-drug operations.[169] In 1992, a surveillance center with 24-hour scanning devices was uncovered in downtown Santiago. It was run by an active army intelligence unit (DINE, incorporating former members of the secret police, the CNI) and, among other incidents, was found to have tapped into presidential candidate Sebastian Pinera’s cellular phone[170] and taped the calls of President Patricio Aylwin.[171] The Army admitted to tapping telephones in order to comply with its mission, but reaffirmed that it “does not tap phones in an attempt to interfere with peoples’ privacy.”[172] The scandal provoked the retirement of General Ricardo Contreras, head of the Army Telecommunications Command.[173] Chile signed the American Convention on Human Rights on August 20, 1990.

People’s Republic of China

There are limited rights to privacy in the Chinese Constitution. Article 37 provides that the “freedom of the person of citizens of the People’s Republic of China is inviolable,” and Article 40 states: “Freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law. No organization or individual may, on any ground, infringe on citizens’ freedom of privacy of correspondence, except in cases where to meet the needs of state security or of criminal investigation, public security or prosecutorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.”[174] There is no general data protection law in China and few laws that limit government interference with privacy. China has a long-standing policy on keeping close track of its citizens. According to expert W.J.F. Jenner, “Chinese states by the fourth century BC at latest were often remarkably successful in keeping records of their whole populations so that they could be taxed and conscripted. The state had the surname, personal name, age and home place of every subject and was also able to ensure that nobody could move far from home without proper authorization.”[175] Concerns with the growing use of the Internet has led to technical and legal restrictions. With the assistance of American companies such as Bay Networks, China has developed a “Great Firewall” which limits traffic to the Internet outside China to only three gateways.[176] The firewall also blocks some western news web sites such as the BBC, New York Times and the Voice of America. In February 1999, the government announced the creation of the State Information Security Appraisal and Identification Management Committee which, according to the official Xinhua state news agency, “will be responsible for protecting government and commercial confidential files on the Internet, identifying any net user, and defining rights and responsibilities... The move is intended to guard both individual and government users, protect information by monitoring and keep them from being used without proper authorization.”[177] In December 1998, a Chinese businessman was handed a two-year jail sentence for subversion for supplying 30,000 e-mail addresses of Chinese computer users to a U.S.-based electronic dissident magazine.[178] Under Article 7 of the Computer Information Network and Internet Security, Protection and Management Regulations, “the freedom and privacy of network users is protected by law. No unit or individual may, in violation of these regulations, use the Internet to violate the freedom and privacy of network users.”[179] Article 8 states that “units and individuals engaged in Internet business must accept the security supervision, inspection, and guidance of the public security organization. This includes providing to the public security organization information, materials and digital documents, and assisting the public security organization to discover and properly handle incidents involving law violations and criminal activities involving computer information networks.”[180] Articles 10 and 13 stipulate that Internet account holders must be registered with the public security organization and lending or transferring of accounts is strictly prohibited. Sections 285 to 287 of the Criminal Code prohibit intrusions into computer systems and punish violations of the regulations. In August of 1999, under orders from China’s Ministry of Information and Industry, Intel agreed to disable the “Processor Serial Number” function of its Pentium III chips, which makes it possible to identify and track Internet users as they engage in e-commerce.[181] The secrecy of communications is cited in the constitution and in law, but apparently with little effect. In practice, authorities often monitor telephone conversations, fax transmissions, electronic mail, and Internet communications of foreign visitors, businessmen, diplomats, and journalists, as well as Chinese dissidents, activists, and others.[182] British Prime Minister Tony Blair was reported to be upset by the bugging and wiretapping of his rooms during his state visit to China in October 1998.[183] The U.S. State Department said in a 1999 report: “Chinese authorities often monitor telephone conversations, fax transmissions, electronic mail, and Internet communications of foreign diplomats and journalists, as well as Chinese dissidents, activists, and others.” The report also noted that the government has created “special Internet police units to increase control over Internet content and access.” Frank Lu, the head of the Hong Kong-based Information Center of Human Rights and Democratic Movement in China, reported in November 1999 that 300 computer graduates had been recruited by Shanghai security officials to carry out cyber-surveillance in 1999 alone.[184] Canadian, American, and British members of the Falun Gong movement claimed to be targets of such surveillance in fall of 1999, reporting assaults on their websites by various means commonly used to block or penetrate sites. [185] The Chinese government announced and then retracted a broad-sweeping rule that required all entities other than embassies to register any software using encryption or including encryption technology. The original rule was announced on November 10, 1999 by the PRC State Encryption Management Commission and required registration by January 31, 2000.[186] However, after few companies registered by the due date, and under increasing pressure due to successful China’s WTO bid, officials reversed the hugely unpopular law, which would have banned foreign encryption software and likely would have delayed or prevented the launch of Microsoft’s Office 2000 and Cisco’s installation of new mobile phone networks.[187] Postal enterprises and postal staff are prohibited from providing information to any organization or individual about users’ dealings with postal services except as otherwise provided for by law.[188] However, Article 21 of the Postal Law permits postal staff to examine, on the spot, the contents of non-letter postal materials. Mail handed in or posted by users must be in accordance with the stipulations concerning the content allowed to be posted; postal enterprises and their branch offices have the right to request users to take out the contents for examination, when necessary. The Practicing Physician Law requires that doctors not reveal health information obtained during treatment. Doctors who violate the law face criminal penalties. In May of 1999, the Ministry of Health, with the approval of the State Council, published an administrative order declaring that personal information about HIV/AIDS sufferers be kept secret, and that the legal rights and interests of those people and their relatives should not be infringed. The Ministry of Health order asked all units and individuals in charge of diagnosis, treatment, and management work not to publish any personal information about HIV/AIDS sufferers, such as the name and the family address.[189] Since 1984, all Chinese citizens over the age of 16 have been required to carry identification cards issued by the Ministry of Public Security. Identification cards include name, sex, nationality, date of birth, address and term of validity, of which there are three. Between the ages of 16 and 25, it is 10 years, between the ages of 25 and 45, it is 20 years and for those aged 45 and over it is permanent. In carrying out their duties, public security organs have the right to ask citizens to show their ID cards. In handling political, economic and social affairs, which involve rights and interests, government offices, people’s organizations and enterprises may also ask citizens to show their ID cards.[190] Failure to register for an identification card, forging or otherwise altering a residence registration, or assuming another person’s registration are all prohibited by law and punishable by fine. Failure to notify local authorities concerning visiting guests is also punishable by fine.[191] In 1997, the State Bureau of Technical Supervision began working on a new number system that will be used for Social Security and ID cards.[192] Smart card development is reportedly underway in China, with both domestic and international players competing to develop chips and modules to meet design and regulatory specifications.[193] In December 1998, authorities began a test program requiring five hotels in Guangzhou to fax copies of the data of all customers to the Public Security Bureau to capture “unwanted elements.”[194] Special Administrative Region of Hong Kong Following the People’s Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997, the constitutional protections of privacy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China. Article 29 provides “The homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited.” Article 30 provides, “The freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses.” Also relevant is Article 17 of the International Covenant on Civil and Political Rights, which was incorporated into Hong Kong’s domestic law with the enactment of the Bill of Rights Ordinance.[195] Article 39 of the Basic Law provides that the Covenant as applied to Hong Kong shall remain in force and implemented through the laws of Hong Kong. In 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance,[196] and most of its provisions took effect in December 1996. The legislation enacts most of the recommendations made by the Hong Kong Law Reform Commission following its six-year comparative study.[197] The statutory provisions adopt features of a variety of existing data protection laws and the draft version of the EU Directive is also reflected in several provisions. It sets six principles to regulate the collection, accuracy, use and security of personal data as well as requiring data users to be open about data processing and conferring on data subjects the right to be provided a copy of their personal data and to effect corrections. The Ordinance does not differentiate between the public and private sectors, although many of the exemptions will more readily apply to the former. A broad definition of “personal data” is adopted so as to encompass all readily retrievable data recorded in all media that relates to an identifiable individual. It does not attempt to differentiate personal data according to its sensitivity. The Ordinance imposes additional restrictions on certain processing, namely data matching, transborder data transfers, and direct marketing. Data matching requires the prior approval of the Privacy Commissioner. The transfer of data to other jurisdictions is subject to restrictions that mirror those of the EU Directive. Also based on the directive is the requirement that upon first use of personal data for direct marketing purposes, a data user must inform the data subject of the opportunity to opt-out from further approaches. The Commissioner had informal discussions with the EU over the question of adequacy but has not received a formal note on the adequacy of the statute. The Ordinance establishes the Office of the Privacy Commissioner to promote and enforce compliance with statutory requirements.[198] The Commissioner is given strong enforcement powers based on those contained in the UK Data Protection Act. In addition to investigating complaints, the commissioner may initiate his own investigations of reasonably suspected contraventions. He may also conduct audits of selected data users. A contravention of any provision other than a data protection principle is a criminal offense. A contravention causing the data subject damage (including injured feelings) is a basis for claiming compensation. The Commissioner is empowered to designate classes of data users required to publicly register the main features of their data processing. The Commissioner may issue codes of conduct to provide guidance on compliance with the Ordinance’s necessarily general provisions. The provisions of a code are legally subordinate but have evidentiary relevance in determining whether a contravention of the Ordinance has occurred. To date the Commissioner has issued two codes: The code on the use of personal identifiers[199] and of credit information[200] and is currently developing a code of practice for human resources management. In 1999, the offce received 15,243 inquiries and 541 complaints. Ten percent of the complaints related to direct marketing. The office has 33 staff members.[201] It also released “Privacy.SAFE” -- a privacy compliance self-assessment kit, to assist organizations in assessing whether their personal data management practices and procedures meet with the requirements of the Ordinance. A Hong Kong court ruled in June 1999 against attempts to subject Xinhua, the Chinese News agency which acted as the Chinese government representative in Hong Hong, to the Privacy Ordinance. In December 1996, pro-democracy legislator Emily Lao demanded access to the secret dossier that Xinhua maintained on her. Xinhua refused to respond and the HK government declined to take action. She filed suit but the court quashed her attempt to subpoena the director.[202] The interception of communications is presently regulated by the Telecommunications Ordinance[203] and the Post Office Ordinance.[204] These enactments provide sweeping powers of interception upon public interest grounds. The vagueness of the powers and the lack of procedural safeguards are inconsistent with the International Covenant of Civil and Political Rights and the Basic Law. No official figures are released on the number of intercepts, which are believed to be widespread and efforts to make the numbers public have been rebuffed in the name of confidentiality.[205] A detailed set of reform proposals released by the Hong Kong Law Reform Commission[206] in 1996 resulted in two legislative initiatives. In early 1997, the government released a draft bill for public consultation regulating the interception of communications. When that initiative stalled, James To, an independent legislator, introduced a private members bill, the last enactment to be passed by the colonial legislature prior to July 1, 1997. That enactment has yet to be brought into force and to date the government has declined to indicate when any legislation regulating the interception of communications will take effect. In January 1999, Mr. To introduced another bill to force the ordinance to go into effect. According to the HK government in its report to the UN Human Rights Commission, “It was drawn up without consultation with the administration and contained provisions which, if implemented, would seriously affect the ability of the law enforcement agencies to combat crime. For example, one provision allows the law enforcement agencies to renew warrants for interceptions once only, that single renewal being valid for just 90 days. This would seriously incapacitate the law enforcement agencies in tackling certain serious crimes, such as kidnapping and money laundering, that usually entail protracted operations. Therefore, the Government is carefully assessing the implications of the Ordinance before deciding on the way forward and has not appointed a commencement date for this Ordinance.”[207] The Law Reform Commission’s sub-committee on privacy released consultation papers on “Civil Liability For Invasion Of Privacy”[208] and “The Regulation Of Media Intrusion” in 1999.[209] The Hong Kong Legislative Council voted 39-0 against the media intrusion proposal in a non-binding vote in November 1999.[210] The Commission is expected to complete its consultation on the proposal by the end of 2000. The Code on Access to Information[211] requires civil servants to provide records held by government departments unless there are specific reasons for not doing so. Departments can withhold information if it relates to 16 different categories including defense, external affairs, law enforcement and personal privacy. Formal complaints of denials can be filed with the Ombudsman.

Czech Republic

The 1993 Charter of Fundamental Rights and Freedoms provides for extensive privacy rights. Article 7(1) states, “Inviolability of the person and of privacy is guaranteed. It may be limited only in cases specified by law.” Article 10 states, “(1) Everybody is entitled to protection of his or her human dignity, personal integrity, good reputation, and his or her name. (2) Everybody is entitled to protection against unauthorized interference in his or her personal and family life. (3) Everybody is entitled to protection against unauthorized gathering, publication or other misuse of his or her personal data.” Article 13 states, “Nobody may violate secrecy of letters and other papers and records whether privately kept or sent by post or in another manner, except in cases and in a manner specified by law. Similar protection is extended to messages communicated by telephone, telegraph or other such facilities.”[212] The new Act “On Personal Data Protection” went into effect on June 1, 2000.[213] The new law is based on the EU Data Protection Directive as part of the Czech Republic’s efforts for accession into the EU. It implements the basic requirements of the Directive, but the police and intelligence services are exempt from many of the key provisions. The EU had been pressuring the Republic to move more quickly in adopting new legislation for several years.[214] The new act replaces the 1992 Act on Protection of Personal Data in Information Systems.[215] The new act creates an Office for Personal Data Protection as an independent oversight body.[216] The new office will register databases, conduct audits, and impose fines for violations. The Office also has authority over the certificate authorities for digital signatures. The previous bill was considered to be quite weak and there were a number of high profile scandals involving abuse of personal information. In 1992, the Interior Ministry sold the addresses of all children under the age of two and all women between 15 and 35 – a total of two million people – to Procter & Gamble. The company used the information for a direct marketing campaign for Pampers diapers and Always brands. One official was charged with violating the law. In 1995, Prague City Police Chief Rudolf Blazek admitted his men had access to information about criminal suspects that is by law available only to the Czech Republic Police.[217] In 1996, a black-market CD-ROM that listed all telephone numbers in the Czech Republic, including President Vaclav Havel’s home number, appeared on the market. Also in 1996, Internet service providers handed over data about their users in response to a police investigation of a bomb found inside a ketchup bottle. Police believe the information was obtained from the Internet and were attempting to determine who accessed it.[218] In September 1999, a 21-year-old bank employee was arrested for stealing confidential client information from Ceska sporitelna, the largest bank in the Czech Republic. He offered to sell lists of accounts or “the name, address, the account number, balance and transactions at the account” for any of the 2.5 million members via the Internet.[219] A poll conducted in January 1997 found that seventy-nine percent of Czechs cite undisturbed privacy as a top personal priority,[220] while one released in October 1998 found that 75 percent believe that their personal data is misused and two thirds consider data protection a serious problem.[221] Wiretapping is regulated under the criminal process law.[222] Police must obtain permission from a judge to conduct a wiretap. The judge can approve an initial order for up to six months. There are special rules for intelligence services. In 1996, the Czech secret service (BIS) was accused of monitoring politicians, civic and environmental groups such as Greenpeace, including the use of illegal wiretaps.[223] In 1993, Justice Minister Jiri Novak’s telephone was reportedly tapped. A secret service employee found a bugging device in the ministry’s central telephone switchboard in the middle of September 1993. The Penal Code covers the infringement of the right to privacy in the definitions of criminal acts of infringement of the home,[224] slander[225] and infringement of the confidentiality of mail.[226] There are also sectoral acts concerning statistics, medical personal data, banking law, taxation, social security and police data. Unauthorized use of personal data systems is considered a crime.[227] The Ministry of Interior is currently working on a draft on the Czech police which will contain data protection provisions lacking in the Data Protection Act. The Parliament approved the Freedom of Information Law in May 1999.[228] The law is based on the U.S. FOIA and provides for citizens’ access to all government records held by State bodies, local self-governing authorities and certain other official institutions, such as the Chamber of Lawyers or the Chamber of Doctors, except for classified information, trade secrets or personal data.[229] A 1998 act governs access to environmental information.[230] In April 1996, the Parliament approved a law that allows any Czech citizen to obtain his or her file created by the Communist-era secret police (StB). Non-Czech citizens are not allowed to access their records. The Interior Ministry holds 60,000 records but it is estimated that many more were destroyed in 1989. In October 1998, there was a controversy over the rumors that the records showed that former Vienna Mayor Helmut Zilk, who was about to receive an award from Czech President Vaclav Havel, was a collaborator with the StB. It was suspected that the Office for the Documentation and Investigation of the Crimes of Communism was the source of the documents. The Czech Republic is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[231] In May 2000, the cabinet approved a proposal to sign and ratify the Convention. The Czech Republic has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[232] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Kingdom of Denmark

The Danish Constitution of 1953 contains two provisions relating to privacy and data protection. Section 71 provides for the inviolability of personal liberty. Section 72 states, “The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute.”[233] The European Convention on Human Rights was formally incorporated into Danish law in 1992. The Act on Processing of Personal Data entered into force on July 1, 2000.[234] The act implements the EU Data Protection into Danish law. The new act replaces the Private Registers Act of 1978, which governed the private sector,[235] and the Public Authorities’ Registers Act of 1978, which governed the public sector.[236] An independent agency, the Data Surveillance Agency (Registertilsynet), enforces the act.[237] The Agency supervises registries established by public authorities and private enterprises in Denmark. It ensures that the conditions for registration, disclosure and storage of data on individuals are complied with. It mainly deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the agency on its own initiative. According to the Registertilsynet, 11,500 public data bases, 75 large national databases, and 5,000 private databases were registered between January 1994 and July 2000. Of the 5,000 private databases, 500 were run by private firms such as credit bureaus, data-processing bureaus, headhunters and recruitment agencies.[238] The agency handled 1,171 complaints in 1999 under the Private Registers Act and 269 under the Public Authorities Registers Act. It also conducted 14 inspections. Wiretapping is regulated by the Penal Code.[239] There were calls for an investigation in 1998 into whether the security service (Politiets Efterretningstjeneste - PET) conducted illegal surveillance of leftist activists between the 1960s and 1980s even though a 1968 law outlawed the practice. A former PET agent admitted in 1998 that the Conservative government in 1983 authorized PET to infiltrate and monitor leftist political parties, peace organizations, trade unions, solidarity committees and right wing groups.[240] Danish Justice Minister, Frank Jansen ordered an investigation in 1998 but insisted that some of the investigation be conducted in secret.[241] He later widened the investigation to examine surveillance occurring since 1945. There was an increased interest in Echelon in Denmark in the past year. In 1999, it was revealed that there is a listening post at Sandagergard on the island of Amager, south of Copenhagen. Ekstra Bladet, a major paper, ran a series of 50 articles on Echelon prompting calls in the Parliament for an investigation.[242] In April, U.S. Ambassador Richard Swett responded to reports by a former Canadian spy that the U.S. Embassy in Copenhagen was spying on Danes, saying “The U.S. government does not spy on the government of Denmark. I am outraged by these allegations.”[243] The Minister of Defense in December 1999 declined suggestions to ask the U.S. not to spy on Denmark, saying “In my opinion, this would merely involve a false sense of security for Danish companies and citizens if we -- and I’m being totally hypothetical now -- were even able to enter into agreements of this kind, because there would still be a great number of countries and organizations that would be able to monitor Danish communication.”[244] Two police detectives in Hjorring were charged in December 1999 with conducting illegal surveillance to discover the source of an anonymous tip about police corruption. The police reportedly spent more time attempting to identity the source, including taking a DNA sample from the letter’s stamp and demanding the phone records of a local attorney, than they did investigating the allegations.[245] Other pieces of legislation with rules relating to privacy and data protection include the Criminal Code of 1930,[246] Act on Video Surveillance,[247] the Administrative Procedures Act of 1985,[248] the Payment Cards Act of 1994,[249] and the Access to Health Information Act of 1993.[250] All citizens in Denmark are provided with a Central Personal Registration (CPR) number that is used to identify them in public registers. The Access to Information Act and the Access to Public Administration Files Act[251] govern access to government records. Denmark is a member of the Council of Europe and has signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[252] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[253] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Greenland The original unamended Danish Public and Private Registers Acts of 1979 continue to apply within Greenland, a self-governing territory. The 1988 amendments that brought Denmark into compliance with the Council of Europe’s Convention 108 do not apply to Greenland. Greenland is not part of the European Union and therefore has not adopted the EU Privacy Directive. Greenland’s data protection requirements are much less stringent than those of Denmark and the other nations of the EU.

Republic of Estonia

The 1992 Estonia Constitution recognizes the right of privacy, secrecy of communications, and data protection. Article 42 states, “No state or local government authority or their officials may collect or store information on the persuasions of any Estonian citizen against his or her free will.” Article 43 states, “Everyone shall be entitled to secrecy of messages transmitted by him or to him by post, telegram, telephone or other generally used means. Exceptions may be made on authorization by a court, in cases and in accordance with procedures determined by law in order to prevent a criminal act or for the purpose of establishing facts in a criminal investigation.” Article 44 (3) states, “Estonian citizens shall have the right to become acquainted with information about themselves held by state and local government authorities and in state and local government archives, in accordance with procedures determined by law. This right may be restricted by law in order to protect the rights and liberties of other persons, and the secrecy of children’s ancestry, as well as to prevent a crime, or in the interests of apprehending a criminal or to clarify the truth for a court case.”[254] The Riigikogu – Estonia’s Parliament – enacted the Personal Data Protection Act in June 1996.[255] The Act protects the fundamental rights and freedoms of persons with respect to the processing of personal data and in accordance with the right of individuals to obtain freely any information which is disseminated for public use. The Personal Data Protection Act divides personal data into two groups – non-sensitive and sensitive personal data. Sensitive personal data are data which reveal political opinions, religious or philosophical beliefs, ethnic or racial origin, health, sexual life, criminal convictions, legal punishments and involvement in criminal proceedings. Processing of non-sensitive personal data is permitted without the consent of the respective individual if it occurs under the terms that are set out in the Personal Data Protection Act. Processed personal data are protected by organizational and technical measures that must be documented. Chief processors must register the processing of sensitive personal data with the data protection supervision authority. In April 1997, the Riigikogu passed the Databases Act.[256] The Databases Act is a procedural law for the establishment of national databases. The law sets out the general principles for the maintenance of databases, prescribes requirements and protection measures for data processing, and unifies the terminology to be used in the maintenance of databases. Pursuant to the Databases Act, the statutes of state registers or databases that were created before the law took effect must be brought into line with the Act within two years. The Databases Act also mandates the establishment of a state register of databases that registers state and local government databases, as well as databases containing sensitive personal data which are maintained by persons in private law. The chief processor of the register has the right to make proposals to the government, to the chief processors of various databases, and to the state information systems. He or she would also be responsible for coordinating authority with respect to the expansion, merger or liquidation of databases, interbase cross-usage, or the organization of data processing or data acquisition in a manner aimed at avoiding duplication of effort or substantially repetitive databases. The Data Protection Inspectorate is the supervisory authority for the Personal Data Protection Act and the Databases Act. The Inspectorate, a division of the Ministry of Internal Affairs, monitors compliance, issues licenses, takes complaints, and settles disputes. The agency can conduct investigations and demand documents, impose fines, and impose administrative sanctions.[257] As of October 1999, there were only 8 staff members. The EU called for an increase in the size of the authority, “In order to ensure the proper implementation of the EU rules in this area, the administrative capacity of the inspectorate needs to be increased.”[258] Following a complaint by the Inspectorate, the Estonian Statistics Office announced in June 2000 that it had reached an agreement with the Inspectorate to modify its population and housing database to remove personally identifiable information. The Inspectorate demanded in May 2000 that the Office stop the creation of the database as a violation of the Databases Act. The Inspectorate also asked the police to start a criminal investigation into the Census’ head.[259] The Parliament enacted a new law on June 1, 2000 on the Census to ensure that privacy is protected.[260] According to Estonian press reports in November 1996, databases of the financial and police records of thousands of Estonians are easily available on the black market. The records were available on CD-ROM and sold for $4,000 each, and included details of individual’s bank loans and police files.[261] The Digital Signatures Act was approved in March 2000.[262] In August 2000, the Cabinet approved a bill to create a national genetic database to be used for research into disease. The database would hold genetic samples on two-thirds of the population of Estonia.[263] The 1994 Surveillance Act regulates the interception of communications, covert surveillance, undercover informants and police and intelligence data bases.[264] Surveillance can be approved by a “reasoned decision made by the head of a surveillance agency.” “Exceptional surveillance” requires the permission of a judge in the Tallinn Administrative Court for serious crimes. The punishment for illegal surveillance is a fine and three years imprisonment for general surveillance activity, and five years imprisonment for special measures like opening correspondence or telephone bugging.[265] In October 1999, the Estonian Police Department refused to grant the Tallinn city police authority the right to plant eavesdropping devices in apartments, offices and telephones to combat organized crime.[266] The law was amended in May 2000 to allow the tax police to conduct surveillance.[267] Under the Telecommunications Act approved in February 2000, surveillance agencies can obtain information on the sender and receiver of messages by written or oral request.[268] Telecommunications providers are also required to delete data within one year and prevent unauthorized disclose of users’ information. In May 1996, the Estonian Intelligence Service started an inquiry on the involvement of former Vice Prime Minister Edgar Saavisar in a politically motivated wiretapping scandal. It eventually led to a change of government.[269] Swedish papers reported in January 2000 that the Estonian secret services had spied on Swedish diplomats.[270] The Parliament ordered the government to draft a FOIA bill in 1997. A draft Access to Public Information Act is pending before the Parliament and is expected to be approved by the end of 2000.[271] The bill also includes significant provisions on electronic access. Government departments and other holders of public information will have a duty to post information on the web, and e-mail requests must be treated as official requests for information. Citizens have a right under the Surveillance Act to obtain access to information held about them by surveillance agencies. Agencies must respond within three months if the agency maintains information about them.[272] Estonia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) on January 21, 2000.[273] Estonia has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[274]

Republic of Finland

Section 8 of The Constitution Act of Finland states, “The private life, honor and home of every person shall be secured. More detailed provisions on the protection of personal data shall be prescribed by Act of Parliament. The secrecy of correspondence and of telephone and other confidential communications shall be inviolable. Measures impinging on the sphere of the home which are necessary for the protection of fundamental rights or the detection of crime may be prescribed by Act of Parliament. Necessary restrictions on the secrecy of communications may also be provided by Act of Parliament in the investigation of offenses which endanger the security of society or of the individual or which disturb domestic peace, in legal proceedings and security checks as well as during deprivation of liberty.”[275] The Personal Data Protection Act 1999[276] went into effect on June 1, 1999. The law replaced the 1987 Personal Data File Act[277] to make Finnish law consistent with the EU Data Protection Directive. The Data Protection Ombudsman (DPO) enforces the Act and receives complaints. The office conducted 450 complaints and 10 investigations in 1998. It also receives 5,000 to 8,000 requests for advice each year.[278] A Data Protection Board resolves disputes and hears appeals of decisions rendered by the DPO. It also determines if personal information can be exported.[279] The Finnish government has enacted special ordinances that apply to particular personal data systems. These include those operated by the police such as criminal information systems,[280] the national health service, passport systems, population registers,[281] farm registers, and the agency responsible for motor vehicle registration.[282] Electronic surveillance and telephone tapping are governed by the Criminal Law. A judge can give permission to tap the telephone lines of a suspect if the suspect is liable for a jail sentence for crimes that are exhaustively listed in the Coercive Criminal Investigations Means Act. Transactional data of a suspect’s telecommunications activity can be obtained if the suspect faces at least four months of jail. Electronic surveillance is possible, with the permission of the judge, if the suspect is accused of a drug related crime or a crime that can be punished with more than four years in jail. There were 12 orders for wiretapping in 1997. Although cases of political telecommunications eavesdropping are rare in Finland, there have been published reports that the Finnish military has either supported Western signals intelligence operations (via its large base at Santahamina on the outskirts of Helsinki), or acquiesced to a Swedish/U.S. eavesdropping collaborative effort from the Swedish embassy in downtown Helsinki.[283] In 1996, the PENET anonymous remailer was forced to shut down after Scientologists demanded that the identity of users posting critical messages be revealed to the Church. The court order was later enjoined by the Court of Appeals.[284] The Finnish government in December 1999 began issuing new national id cards (FINEID) based on smart card technology.[285] The cards will include digital signatures to communicate online with government agencies and companies. The Finnish Population Register Centre will be the digital signature certificate authority. The cards can be used in smart card readers in PCs and there are plans to put them in the SIM cards in mobile phones and interactive television systems. In 1998, there were a series of controversial raids on animal rights activists by police. The Finnish League for Human Rights raised concerns in its 1998 report on police raids on NGOs including animal rights organizations and journalists and the seizure of their equipment and documents without a search warrant.[286] The Publicity (of Public Actions) Act[287] went into effect in 1999 replacing the Publicity of Official Documents Act of 1951.[288] It provides for a general right to access any document created by a government agency, or sent or received by a government agency, including electronic records. Finland is a country that has traditionally adhered to the Nordic tradition of open access to government files. In fact, the world’s first Freedom of Information act dates back as far as the Riksdag’s (Swedish Parliament) 1766 “Access to Public Records Act.” This Act also applied to Finland, then a Swedish-governed territory.[289] Finland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[290] Finland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[291] Finland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Aland Islands The Parliament of the self-governing Aland Islands (Landsting) passed its own Data Protection Act in 1991 and independently ratified the Council of Europe’s Convention 108.[292] Although the Aland act makes reference to the Finnish Data Protection Act, there has always been some resistance by the Aland Swedish-speaking majority to following orders from Helsinki. Constitutionally, the Aland Parliament may nullify Finnish laws on its territory.[293]

French Republic

The right of privacy is not explicitly included in the French Constitution of 1958. The Constitutional Court ruled in 1994 that the right of privacy was implicit in the Constitution.[294] The Data Protection Act was enacted in 1978 and covers personal information held by government agencies and private entities.[295] Anyone wishing to process personal data must register and obtain permission in many cases relating to processing by public bodies and for medical research. Individuals must be informed of the reasons for collection of information and may object to its processing either before or after it is collected. Individuals have rights to access information being kept about them and to demand the correction and, in some cases, the deletion of this data. Fines and imprisonment can be imposed for violations. As a member of the EU, France should have amended this Act to make it consistent with the European Data Protection Directive (95/46/EC) by October 1, 1998. In August 1997, Prime Minister Lionel Jospin ordered Guy Braibant, president of a government advisory council, to issue a report setting out a plan for the changes to be made in the law. This report was issued in February 1998.[296] On January 19, 1999, in a press conference held by the Interministerial Committee on the Information Society, the Prime Minister announced that a proposal for a new legislative framework on data protection was being sent to the national Parliament.[297] This framework, he stated, would amend the 1978 Act to incorporate the European directive in law and strengthen the role of the national data protection agency (CNIL). During the press conference, the Prime Minister also announced the relaxation of controls on encryption in France and the intended introduction of a new law on electronic signatures. In January 2000, the European Commission initiated a case before the European Court of Justice against France and four other countries for failure to implement the data directive on time.[298] Draft legislation to update the law is currently being reviewed by the Commission Nationale de L’informatique et des Libertés. The Commission Nationale de L’informatique et des Libertés (CNIL) is an independent agency which enforces the Data Protection Act and other related laws.[299] The Commission takes complaints, issues rulings, sets rules, conducts audits and issues reports. It reported in its 1999 annual report that the number of complaints received annually has more than doubled in the last five years.[300] In 1999 it received a total of 3,508 complaints, 3,538 requests for advice and approximately 100,000 phone calls. The report notes that there was a 67 percent increase in the number of requests for access to police records and credits this increase to the public concern over the creation of the Système de Traitement des Infractions Constatées (STIC), an initiative by the Minister of Interior to merge police and other records. The report also addresses personal identification numbers, electronic commerce and online profiling, genetic and DNA databases, workplace monitoring, tracking of wireless devices, recruitment practices and the registration of HIV patients. In October 1999 the Commission issued a report on spamming and privacy rights.[301] In April 2000 it published a survey on the top 100 commercial web-sites and their compliance with data protection laws.[302] Electronic surveillance is regulated by a 1991 law that requires permission of an investigating judge before a wiretap is installed. The duration of the tap is limited to four months and can be renewed.[303] The law created the Commission National de Contrôl des Interceptions de Sécurité, which sets rules and reviews wiretaps each year. The number of wiretaps has been between 4,500 and 4,700 since 1995. There were 4,687 requests for wiretaps in 1999. In total, 4,577 wiretaps (2,978 new and 1,599 renewals) were authorized by the Commission.[304] The interception of cellular telephones rose from 12 percent of all wiretaps in January 1999 to 27.5 percent in December 1999. The European Court of Human Rights has ruled against France a number of times for violations of Article 8 of the Convention. The Court’s 1990 decision in Kruslin v. France resulted in the enactment of the 1991 law.[305] Most recently, the court fined France FF 25,000 for wiretap law violations.[306] There have been many cases of illegal wiretapping, including most notably a long running scandal over an anti-terrorist group in the office of President Mitterand monitoring the calls of journalists and opposition politicians.[307] The CNCIS estimated that there were over 100,000 illegal taps conducted by private companies and individuals in 1996, many on behalf of government agencies. A decree was issued in 1997 to limit the dissemination of tapping equipment.[308] The tort of privacy was first recognized in France as far back as 1858[309] and was added to the Civil Code in 1970.[310] There are additional specific laws on administrative documents,[311] archives,[312] video surveillance,[313] correspondence,[314] and employment.[315] There are also protections incorporated in the Penal Code.[316] The French Liberty of Communication Act was adopted on June 28th, 2000.[317] The Act requires all persons wishing to post content on the Internet to identify themselves, either to the public, by publishing their name and address on their web-site (in the case of a business) or to their host provider (in the case of a private individual). Earlier provisions, which would have imposed large penalties and jail sentences on anybody violating this requirement and required Internet Service Providers (ISPs) to check the accuracy of the personal details given to them, were dropped in the final version of the legislation.[318] The law requires ISPs to keep logs of all data which could be used to identify a content provider in the case of later legal proceedings. ISPs are subject to the “professional secret” rule regarding this data, meaning that they cannot disclose it to anyone except a judge. The law, as passed, also held ISPs liable for failing to delete content once ordered to do so by a judge or for failing to “take appropriate actions” once informed by a third party that they are hosting illegal or harmful content. The passage of this law provoked widespread criticism from civil liberties groups and privacy advocates who argued that it would restrict rights to anonymity and free speech. In June 2000, IRIS, a French civil liberties group, drew up a petition in opposition to the law.[319] In a review of this law, brought before it on June 29, 2000 by 60 opposition members of Parliament,[320] the French Constitutional Council struck down this provision as contrary to Art 34 of the Constitution.[321] This article states that any measures which could impact upon civil liberties must be detailed in the law. In this case, the Council ruled that the “appropriate actions” to be taken by ISPs should have been specified in the law. Two laws in France provide for a right to access government records.[322] The Commission d’accèss aux documents administratifs is charged with enforcing the acts.[323] According to the CADA, it handled 4,000 inquiries per year between 1996 and 1999. The law was amended in April 2000 to clarify access to legal documents and also identify the civil servant processing the request.[324] France is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[325] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[326] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Federal Republic of Germany

Article 10 of the Basic Law states: “(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute. Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament.” Attempts to amend the Basic Law to include a right to data protection were discussed after reunification when the constitution was revised and were successfully opposed by the then-conservative political majority. In 1983, the Federal Constitutional Court, in a case against a government census law, acknowledged formally an individual’s “right of informational self-determination” which is limited by the “predominant public interest.” The central part of the verdict stated, “Who can not certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them.”[327] This landmark court decision derived the “right of informational self-determination” directly from Article 2 of the German Constitution which declares protective personal rights (Persönlichkeitsrechte). The world’s first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law followed, which was reviewed in 1990.[328] The general purpose of this law is “to protect the individual against violations of his personal right (Persönlichkeitsrecht) by handling person-related data.” The law covers collection, processing and use of personal data collected by public federal and state authorities (as long as there is no state-regulation), and of non-public offices, as long as they process and use data for commercial or professional aims. All of the 16 Länder have their own specific data protection regulations that cover the public sector of the Länder administrations. Germany has been slow to update its law to make it consistent with the EU Directive. The European Commission announced in January 2000 that it was going to take Germany to court for failure to implement the directive. The Government on June 14 approved a draft bill.[329] The bill will be heard by the Parliament in the fall and will likely not go into force until early 2001. Observers are skeptical that the bill will be determined to be sufficient. The government has also expressed an intention to draft a second bill which will more fundamentally change the law to modernize it. The Länders of Berlin, Brandenburg, Schleswig-Holstein and Baden-Württenberg have updated their laws to be consistent with the Directive. The Federal Data Protection Commission (Bundesbeauftragte für den Datenschutz) is responsible for supervision of the Data Protection Act.[330] There are between 10,000 and 20,000 data controllers registered by the agency and the office estimates that that will increase when the new federal legislation is approved.[331] The office also handles around 3,000 complaints each year and carries out on average 45 investigations. There are 60 persons on staff. There are also commissions in each of the Länders who enforce the Länder data protection acts.[332] Supervision, however, is carried out for the private sector by the Land authority designated by the Land data protection law (usually the Land Data Protection Commissioner). In 1996, the Berlin Data Protection Commissioner reached an agreement with Citibank on the use of RailwayCards as Visa cards. The agreement may be an important precursor for transborder dataflows to the U.S. and other countries without privacy laws.[333] Wiretapping is regulated by the “G10-Law” and requires a court order for criminal cases.[334] In July 1999, the Constitutional Court issued a decision on a 1994 law which authorizes warrantless automated wiretaps (screening method) of international communications by the intelligence service (BND) for purposes of preventing terrorism and the illegal trade in drugs and weapons.[335] The court ruled that the procedure did violate privacy rights protected by the Basic Law but that screening could continue as long as the intelligence service did not pass on the information to the local police and the Parliament must enact new rules by June 2001. It was reported that the BND has 1,400 operatives listening in on satellite communications.[336] The Constitutional Court ruled in December 1999 that the government could conduct surveillance of political parties if it is believed that they are hostile to the constitution and information can not be obtained by public means.[337] After a fiercely fought six-year political debate, a two-third majority of the German parliament eventually approved a change to Section 13 of the Constitution in April 1998, which makes it legal for police authorities to place bugging devices even in private homes (provided there is a court order). The change was the provision for the “Law for the enhancement of the fight against organized crime,” which became effective in 1999. In addition, wherever they deal with the handling of personal information on natural persons either directly or by amendments, nearly all German laws contain references to the respective data protection law or carry special sections on the handling of personal data that reflect the right to privacy. Most recently there have been a number of laws relating to communications privacy. The Telecommunications Carriers Data Protection Ordinance of 1996 protects privacy of telecommunications information.[338] The Information and Communication Services (Multimedia) Act of 1997 sets protections for information used in computer networks.[339] The Act also sets out the legal requirements for digital signatures. The German Federal Supreme Court ruled in March 1999 that Commerzbank AG could not include a clause in their contracts that clients agree to receive telephone “consulting.” In April 1998, a law was passed that allows the Bundeskrimalamt to run a nationwide databank of genetic profiles related to criminal investigations and convicted offenders. One month later, the Bundesgrenzschutz, originally a para-military border police force, and now responsible among other tasks for railways and stations, received permission to check persons’ identities and baggage without any concrete suspicion. [340] There is no general Freedom of Information act in Germany. The Land of Brandenberg adopted a Freedom of Information law in 1998 to allow citizen access to government records.[341] The act is enforced by the Information and Data Protection Commissioner. More recently, Berlin[342] and Schleswig Holstein[343] have also adopted FOI laws. Since 1990, a law allows for access to the files of the Stasi, the former East Germany’s security service, by individuals and researchers. The law created a Federal Commission for the Records of the State Security Services of the Former GDR (the Gauck Authority) which has a staff of 3,000 piecing together shredded documents and making files available.[344] There have been 1.6 million requests from individuals for access to the files and 2.7 million requests for background checks since the archives became available.[345] Many of the files were destroyed in 1989, but sometime in 1990, the U.S. Central Intelligence Agency was able to obtain the names, aliases and payment histories of 4,000 spies who worked in various countries for Stasi or informers from the Soviet Union. The U.S. Government refused to give the files to the German government until December 1999, claiming that it would harm the people in the files.[346] In May 2000, files about former Chancellor Helmut Kohl’s telephone calls were found to be missing from the archives when they were going to be used to investigate corruption. The Stasi had conducted extensive wiretapping of Kohl for years.[347] Germany is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[348] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[349] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Hellenic Republic (Greece)

The Constitution of Greece recognizes the rights of privacy and secrecy of communications. Article 9 states, “(1) Each man’s home is inviolable. A person’s personal and family life is inviolable. No house searches shall be made except when and as the law directs, and always in the presence of representatives of the judicial authorities. (2) Offenders against the foregoing provision shall be punished for forced entry into a private house and abuse of power, and shall be obliged to indemnify in full the injured party as the law provides.” Article 19 states, “The privacy of correspondence and any other form of communication is absolutely inviolable. The law shall determine the guarantees under which the judicial authority is released from the obligation to observe the above-mentioned right, for reasons of national security or for the investigation of particularly serious crimes.”[350] The Law on the Protection of Individuals with regard to the Processing of Personal Data was approved in 1997.[351] Greece was the last member of the European Union to adopt a data protection law and its law was written to directly apply the EU Directive into Greek law. The law was also necessary for Greece to join the Schengan Agreement. There were major protests during the ratification of the Schengen Agreement for border controls and information sharing. According to news reports, police used tear gas to disperse a group of about 1,000 protesters, including Orthodox priests, when they tried to push their way into Parliament as the pact was being debated.[352] The Protection of Personal Data Authority is an independent public authority set up under the law. Its mission is to supervise the implementation of the law and the other rulings pertaining to the protection of individuals against the processing of personal data.[353] It also exercises other powers delegated to it from time to time. The Agency ruled on May 14, 2000 that religious affiliations must be removed from state identity cards. The agency also ordered that fingerprints, profession and spouses’ names also be removed. The decision was opposed by Archbishop Christodoulos, the leader of the powerful Greek Orthodox Church who said, “These changes are being put forward by neo-intellectuals who want to attack us like rabid dogs and tear at our flesh.”[354] Prime Minister Costas Simitis announced on May 24 that new Greek identity cards would not include religion, not even on a voluntary basis. Greece is the only member of the European Union that requires citizens to list their religious beliefs on police identity cards. The European Parliament passed a resolution in 1993 calling on the Greek government not to place religion on its national ID cards.[355] The law requires that police wishing to conduct telephone taps must obtain court permission.[356] However, there are continuing reports of government surveillance of human rights groups, Orthodox religious groups, and activist members of minority groups by government agents who are conducting illegal wiretapping and interception of mail.[357] In June 1994, a parliamentary investigation committee recommended the indictment of former Prime Minister Mitsotakis and 30 persons from his administration on charges of wiretapping political opponents from 1989 to 1991. In January 1995, the Parliament voted to drop all charges against Mitsotakis, and the Supreme Court ordered the dismissal of other charges in April 1995. The late Greek Prime Minister Andrea Papandreou was also investigated for illegally wiretapping his political opponents.[358] The law of 1599/1986 regulates the use of the Single Register Code Number (EKAM).[359] The number is the official national ID number for the population register, ID card, voting register, passport number, tax number, drivers license number, and other registers. Until the 1997 data protection law was enacted, this protected the privacy of information in those registers. Article 5 of the Greek Code of Administrative Procedure (Law No. 2690/1999)[360] is a new Freedom of Information act that provides citizens the right to access administrative documents created by government agencies. It replaces Law 1599/1986. Greece is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[361] Greece has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[362] Greece is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. [1] Constitucion de la Nacion Argentina (1994), <http://www.constitution.org/cons/argentin.htm>. [2] Supreme Court of Argentina, Urteaga c. Estado Nacional (October 15, 1998), in Derecho y Nuevas Tecnologias No. 1-2 (2000), at 193. [3] This case was decided one month after a case where the Supreme Court denied a mother the right to access to information about her daughter, who had also disappeared during the military regime. In “Aguiar de Lapaco,” the Court based its opinion in the principle of non bis in idem or guarantee against double prosecution (double jeopardy) because the right of access was used being claimed criminal proceedings and the defendants were benefited by a Presidential pardon. But the Court opinion was the object of strong political and scholarly criticism, and the high tribunal distinguished “Aguiar de Lapaco” from “Urteaga” since the last one was a civil case. Justice Boggiano’s dissidence in “Aguiar de Lapaco” stated that habeas data could be used in the case to access to any kind of information held by government. [4] Ganora, Mario c/ Estado Nacional y otrs s/habeas corpus y habeas data (Supreme Court of Argentina, September 16 1999), 1-2 Derecho y Nuevas Tecnologías, at 229 (2000). [5] The Habeas Data clause in the Spanish, Peruvian and Brazilian constitutions and the U.S. Freedom of Information Act were cited. [6] Leander Case, 116 Eur. Ct. H.R. (ser. A) at 9 (1987). Digest of Strasbourg case law relating to the European Court of Human Rights, section 8.1.2.2.1.(a) and (b). [7] 418 U.S. 683 (1974). [8] S. 577/98, Ley de Protección de los Datos Personales, 26 November 1998. Also see S.0684/98, S.1582/98, S.1094/98, S. 277/98. [9] Argentina wars on the direct practice, Precision Marketing, January 11, 1999. See also See Damian Kantor, Habeas Data:Traba en Diputados, in Clarin, June 25, 2000. [10] Law No. 24.745 of December 23, 1996, <http://www.privacyexchange.org/legal/ppl/nat/argpending.html>. [11] Decree No. 1616/96, Comment by Supreme Court of Argentina Comparative Law Research and Library Secretary. [12] Código Penal de la República Argentina, Art 153-157, <http://www.codigos.com.ar/penal/indice.htm>. [13] Criminal Court of Appeals in Buenos Aires (Sixth chamber), 4.3.99 “Lanata c. Dufau”, in El Derecho, (E.D.) 17.5.99. [14] United Nations, 19th Annual Report of the Human Rights Committee, A/50/40, 3 October 1995. [15] “Two army officers, others relieved of duty over intelligence scandal,” BBC Summary of World Broadcasts, May 1999. [16] Reuters News Service - Central and South America, January 29, 1990. [17] La Nacion, Buenos Aires, Sept. 8, 1996. [18] “Cavallo lashes out against corruption,” Latin American Weekly Report, October 31, 1996. [19] “Argentine candidate says own party men bugged him,,” Reuters World Report, June 2, 1998. [20] “Argentine security services accused over phone tap,” Reuters World Report, June 2, 1998. [21] Código Civil, Art. 1071bis, incorporated by Law No. 21.173. See www.codigos.com.ar [22] Law 25.065 of December 7, 1998 (Official Bulletin of January 14, 1999). [23] Credit Card Act, Article 53 (“Bar to inform. Credit Card entities, companies and banks and other finacial entities shall not transfer information about credit card debts to credit report agencies when the data subject has not paid its debts or is having financial problems, without prejudice of personal data that must be transferred to the Central Bank under current regulations. Those who transfer this information to third parties shall be liable for the damages produced by the release of the personal data.”) [24] See Financial System Debtors Database “Central de Deudores del Sistema Financiero,” regulated by the Central Bank Circular A 2729 (consolidated version by Circular 2930). [25] Article 8.1, Central Bank Circular A 2729 (consolidated version by Circular 2930). [26] The information is published also on the Internet <http://www.bcra.gov.ar> and on CD-ROMs. The last CD-ROM contained a list with 1,950,000 individuals including data on their financial status. [27] New York Times, June 10, 1996. [28] Business Wire, September 12, 1996. [29] See Pablo Andrés Palazzi, El derecho de acceso a la información pública en la ley N° 104 de la Ciudad Autónoma de Buenos Aires. REDI, Número 11 - Junio de 1999 <http://publicaciones.derecho.org/redi/index.cgi?/N%FAmero_11_-_Junio_de_1999>. [30] See La Nación, “Es de difícil cumplimiento la ley de acceso a la información,” 11 de Julio de 2000. [31] See Janet Koven Levit, “The Constitutionalization of Human Rights in Argentina: Problem or Promise?” 37 Columbia Journal of Transnational Law 281. See also Néstor Pedro Sagues, Judicial Censorship of the Press in Argentina, 4 Sw. J. Of L. & Trade Am 45 (1997) (explaining the importance of understanding the make-up of both the Inter-American Court and the Inter-American Commission on Human Rights because the Argentine Supreme Court relies on their opinions as a guide for interpreting personal rights issues). [32] The Commonwealth of Australia Constitution Act, <>. [33] Privacy Act 1988 (Cwth), <>. [34] The Data-matching program (Assistance and Tax) Act 1990. <http://www.austlii.edu.au/au/legis/cth/consol_act/dpata1990349/>. [35] Parliament of the Commonwealth of Australia, House of Representative Standing Committee on Legal and Constitutional Affairs, Advisory Report on the privacy Amendment (Private Sector) Bill 2000 < [36] Homepage: http://www.privacy.gov.au/ [37] Eleventh Annual Report, Office of the Federal Privacy Commissioner, 1998-99 [38] Telecommunications (Interception) Act 1979, <>. [39] Orwellian Nightmare Down Under?” Wired News, December 4, 1999. [40] Attorney General's Department, Report on the Telecommunications (Interception) Act for the year ending 30 June 1998. [41] Crimes Act, 1989 <>. [42] See http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/index.html#s85m. [43] See http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/. [44] The Data-matching program (Assistance and Tax) Act 1990, <>. [45] [46] [47] [48] [49] See http://www.lawlink.nsw.gov.au/pc.nsf/pages/index. [50] See http://www.dms.dpc.vic.gov.au/. [51] See http://www.austlii.edu.au/au/legis/act/consol_act/hraaa1997291/ [52] See http://www.parliament.qld.gov.au/comdocs/legalrev/lcarc9.PDF [53] See the NSW Law Reform Commission's Issues Paper <> and the ACIF Guideline on Participant monitoring at <http://www.acif.org.au/>. [54] Freedom of Information Act 1982 <http://www.austlii.edu.au/au/legis/cth/consol_act/foia1982222/>, Freedom of Information (Fees and Charges) Regulations 1982, <http://www.austlii.edu.au/au/legis/cth/consol_reg/foiacr432/index.html>, Freedom of Information (Miscellaneous Provisions) regulations 1982. <http://www.austlii.edu.au/au/legis/cth/consol_reg/foipr612/index.html>. [55] For an overview of FOI laws in Australia and links to relevant government sites, see the University of Tasmania's FOI Review web pages at http://www.comlaw.utas.edu.au/law/foi/. [56] Constitution of Austria <http://www.uni-wuerzburg.de/law/au00t___.html>. [57] See <http://www.ad.or.at/office/recht/dsg2000.htm>. [58] Datenschutzgesetz – DSG, BGBl 1978/565 changed by 1981/314, 1982/228, 1986/370, 1987/605, 1988/233, 1989/609, 1993/91, 1994/79, 1994/632. <http://www.ad.or.at/office/recht/dsg.htm>. [59] See Viktor Mayer-Schoenberger and Ernst Brandl, Datenschutzgesetz 2000, (Line Publishing Vienna, 1999). [60] § 149a to § 149p Strafprozeßordnung – StPO. [61] § 87 to § 101, Telekommunikationsgesetz – TKG, BGBl I 1997/100. [62] Financial Action Task Force on Money Laundering Issues: a Warning about Austrian Anonymous Savings Passbooks, February 11, 1999. [63] Financial Action Task Force, FATF welcomes proposed Austrian legislation to eliminate anonymous passbooks, 15 June 2000. [64] BGBl 1987/285 (15 May 1987). <http://www.rz.uni-frankfurt.de/~sobotta/Austria.htm>. [65] Signed 28/01/81, Ratified 30/03/88, Entered into force 01/07/88, <http://conventions.coe.int/>. [66] Signed 13/12/57, Ratified 03/09/58, Entered into force 03/09/58, <http://conventions.coe.int/>. [67] Constitution of Belgium,<http://www.fed-parl.be/constitution_uk.html.>. [68] Cour de Cassation, 26 September 1978. [69] Act concerning the protection of privacy with regard to the treatment of personal data files, December 8, 1992., as amended by the Act of December 11, 1998 transposing EU Directive 95/46/CE of October 24, 1995. <http://www.law.kuleuven.ac.be/icri/papers/legislation/privacy/tabel/index.html>. An unofficial English translation is available at http://www.law.kuleuven.ac.be/icri/papers/legislation/privacy/engels/. [70] La Sûreté de l'Etat trie 570.000 fiches individuelles, Le Soir, September 19, 1998. [71] Statewatch Bulletin, Vol. 5 No 6, November-December 1995. [72] Commission de la protection de la vie privée homepage: http://www.privacy.fgov.be/ [73] E-mail from the Commission de la Protection de la Vie Privée, July 11, 2000. [74] Avis n° 34/99 d'initiative relatif aux traitements d'images effectués en particulier par le biais de systèmes de vidéo-surveillance <http://www.privacy.fgov.be/av034def.pdf>, Avis n° 3/2000 d'initiative relatif à l'utilisation de systèmes de vidéo-surveillance dans les halls d'immeubles à appartements, <http://www.privacy.fgov.be/av003def.pdf>. [75] loi de 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées. [76] Ecoutes: une pratique décevante et. flamande! Le résultat judiciaire des écoutes téléphoniques est médiocre. La Chambre va modifier la donne, Le Soir, December 12, 1997. [77] Chapitre 17, Loi modifiant la loi du 21 mars 1991 portant réforme de certaines entreprises publiques économiques afin d'adapter le cadre réglementaire aux obligations en matière de libre concurrence et d'harmonisation sur le marché des télécommunications découlant des décisions de l'Union européenne, 19 Decembre 1997. [78] Loi modifiant la loi du 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées, 10 Juin 1998. See “Le GSM en toute sécurité ? Pas sûr”, Le Soir, 20 Feb. 1998. [79] Projet de loi relative à la criminalité informatique, <http://www.law.kuleuven.ac.be/icri/papers/comcrimefr.html>. [80] Opinion 33/99 de la Commission de la Protection de la Vie Privée. Available at http://www.privacy.fgov.be/. [81] La loi du 12 juin 1991 relative au crédit à la consommation. l'arrêté royal du 11 janvier 1993 modifiant l'arrêté royal du 20 novembre 1992 relatif à l'enregistrement par la Banque Nationale de Belgique des défauts de paiement en matière de crédit à la consommation. <http://www.privacy.fgov.be/loicrÈdit.PDF>. [82] La loi du 15 janvier 1990 relative à l'institution et à l'organisation d'une banque-carrefour de la sécurité sociale. Modified by la loi du 29 avril 1996. <http://www.privacy.fgov.be/loicarrefour.PDF>. [83] La loi du 30 juillet 1991. [84] La loi du 8 août 1993: le registre national. <http://www.privacy.fgov.be/loiregistre.PDF>. [85] Article 458 of the Penal Code. [86] See Roger Blanpain, Employee Privacy Issues: Belgian Report, 17 Comp. Lab. L. 38, Fall 1995. [87] 11 avril 1994 relative à la publicité de l'administration Law, la loi du 12 novembre 1997 relative à la publicité de l'administration dans les provinces et les communes. <http://perso.infonie.fr/ledru.b/citoyen/info/cig01.htm>. [88] Commission Communautaire Commune de Bruxelles-Capitale, Ordonnance relative à la publicité de l'administration, 26 Juin 1997; Flanders law of 23.10.1991. [89] Signed 07/05/82, Ratified 28/05/93, Entered into Force 01/09/93, <http://conventions.coe.int/>. [90] <http://conventions.coe.int/>. [91] The Constitution of Brazil, 1988. <http://www.uni-wuerzburg.de/law/br00t___.html>. [92] Federal Senate Bill No. 61, 1996 (in English) <http://www.privacyexchange.org/legal/ppl/nat/brazilpending.html>. [93] Law No. 8078, September 11, 1990. [94] Law No. 7.232, October 29, 1984. [95] Lei Nº 9.507, de 12 de Novembro de 1997. [96] Lei Nº 9.296, de 24 de Julho de 1996. [97] “Brazil makes police phone-taps legal,” Reuters World Service, July 24, 1996. [98] “Is Abin behind Telegate?,” Latin America Weekly Report, June 8, 1999. [99] “Brazil vice-president claims his phone was tapped,” Reuters North American Wire, September 9, 1992. [100] “’O Globo', Rio de Janeiro,” August 4, 1996, BBC Monitoring Service: Latin America, August 7, 1996. [101] “President transfers control of new intelligence agency to military,” Agencia Estado news agency, Sao Paulo, BBC Summary of World Broadcasts, April 11, 1996. [102] Reuters News Service, October 2, 1996. [103] SEJUP (Servico Brasileiro de Justica e Paz), Number 117, February 17, 1994. [104] Constitution of the Republic of Bulgaria of 13 July 1991, <http://www.uni-wuerzburg.de/law/bu00t___.html>. [105] <http://europa.eu.int/comm/dg1a/agenda2000/en/opinions/bulgaria/b1.htm>. [106] Art. 170-171 (1) (As amended - SG, Nos. 28/1982, 10/1993). [107] Telecommunications Law, Art. 5. [108] Bulgarian Helsinki Committee, Human Rights in Bulgaria in 1997. [109] 1999 Country Reports on Human Rights Practices: Bulgaria, U.S. Department of State, February 25, 2000. [110] “Buggate Scandalizes Bulgaria.” Transitions online, 31 July - 6 August 2000. [111] “Security chief resigns: reportedly was to be dismissed,” BBC Summary of World Broadcasts, February 7, 1997. [112] Reuters World Service, December 19, 1996. [113] Committee for Post and Telecommunications, “List of telecommunication services, Dec. 18, 1998. published at the State Gazette on Dec. 29. 1998. <http://www.cpt.acad.bg/BG/>. [114] See http://www.isoc.bg/kpd/legal3-eng.html [115] Insurance Law, Art.7 par. 1. [116] Social Assistance Law, Art. 32 par. 2. [117] Radio and Television Act, Articles 10, 15. [118] Access to Public Information Act (draft), <http://www.aip-bg.org/documents/access.htm>. [119] National Assembly Adopts Access to Public Information Bill, FBIS, 22 June 2000. [120] RFE/RL NEWSLINE Vol. 3, No. 142, Part II, 23 July 1999 [121] Signed 02/06/98, <http://conventions.coe.int/>. [122] Signed 107/05/92, Ratified 007/09/92, Entered into force 07/09/92, <http://conventions.coe.int/>. [123] Canadian Charter of Rights and Freedoms. <http://canada.justice.gc.ca/Loireg/charte/const_en.html>. [124] Hunter v. Southam, 2 Supreme Court Reports 2 (1984) 159-60. [125] The Hon. Sheila Finestone, P.C., Charting Our Future Together: Consultation On A Draft Charter Of Privacy Rights, March 9, 2000. <http://www.ltinc.net/fipa/finestone1.htm>. [126] Bill C-6, Personal Information Protection and Electronic Documents Act <http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6_cover-E.html>. [127] European Commission, Data protection: Commission adopts decisions recognising adequacy of regimes in US, Switzerland and Hungary, July 27, 2000. <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm>. [128] Privacy Act, c. P-21. <http://canada.justice.gc.ca/stable/EN/Laws/Chap/P/P-21.html>. [129] Privacy Commissioner, 1999-2000 annual report, May 2000. <http://www.privcom.gc.ca/english/02_04_08_e.htm>. [130]Privacy Commissioner of Canada, <http://www.privcom.gc.ca>. [131] See infra, Privacy Commissioner, 1999-2000 annual report. [132] Minister of Human Resources Development Canada, HRDC Dismantles Longitudinal Labour Force File Databank, May 29, 2000. <http://www.hrdc-drhc.gc.ca/common/news/dept/00-39.shtml>. [133] A list of state laws and commissions is available at <http://infoweb.magi.com/~privcan/other.html>. [134] <http://www.cai.gouv.qc.ca/commiss.htm>. [135] Criminal Code, c. C-46. ss. 184, 184.5, 193, 193.1. [136] Solicitor General Canada, Annual Report on the Use of Electronic Surveillance, 1998. <http://www.sgc.gc.ca/EPub/Pol/eESurveillanceAR98/eEsurveillanceAR1998%20.htm>. [137] Radiocommunication Act, R.S.C. 1985, c. R-2, s. 9. [138] CHAPTER C-23, Canadian Security Intelligence Service Act, <http://canada.justice.gc.ca/STABLE/EN/Laws/Chap/C/C-23.html>. [139] “CSIS has wiretap green light,” The Hamilton Spectator, October 1, 1997. [140] Industry Canada, Building Trust in the Digital Economy, <http://e-com.ic.gc.ca/english/crypto/631d1.html>. [141] Telecommunications Act, 1993, c. 38, s. 39, s. 41. [142] Bank Act, c. 46, ss. 242, 244, 459. [143] Insurance Companies Act, s. 489, s. 607. [144] Trust and Loan Companies Act, s. 444. [145] Canada Pension Plan, R.S.C. 1985, c. C-8, s. 104.07. [146] Criminal Code, c. C-46, s. 487.01. [147] Immigration Act, S.C. 1985, c. I-2, s. 110. [148] Old Age Security Act, c. O-9, s. 33.01. [149] Young Offenders Act, C. Y-1, s. 38. [150] Corrections and Conditional Release Act, 1992, c. 20, s. 26, 142. [151] “88% of Canadians Oppose Banks Target-Marketing Insurance: Compas Poll,” Canada NewsWire, April 27, 1999. [152] Report of the Standing Committee on Human Resources Development and the Status of Persons with Disabilities, “Beyond the Numbers: The Future of the Social Insurance Number System in Canada,” May 1999 <http://www.parl.gc.ca/InfocomDoc/36/1/HRPD/Studies/Reports/hrpdrp04-e.htm#TOC>. [153] HRDC, A Commitment to Improvement: The Government of Canada's Social Insurance Number, December 1999. [154] Hearing of the Standing Committee on Human Resources Development and the Status of Persons with Disabilities, November 18, 1999. [155] “Quebec hires DMR to study ID database,” Computing Canada, April 30, 1999. [156] “City Welfare Fingerprint Plan Flops,” The Toronto Star, May 21, 1999. [157] Human Rights Committee concludes sixty-fifth session held at headquarters from 22 March to 9 April, April 12, 1999. [158] Access to Information Act, C. A-1. <http://canada.justice.gc.ca/STABLE/EN/Laws/Chap/A/A-1.html>.(Annotated). [159] Office of the Information Commissioner of Canada, Annual Report 1998-9, July 21, 1999. <http://fox.nstn.ca/~smulloy/oic98_9e.pdf>. [160] Information Commissioner of Canada, <http://magi.com/~accessca/>. [161] See Alasdair Roberts, Limited Access: Assessing the Health of Canada's Freedom of Information Laws, April 1998. <http://qsilver.queensu.ca/~foi/foi.pdf. [162] Home Page: http://www.opengovernmentcanada.org/ [163] Constitution of Chile, 1980, <http://www.georgetown.edu/LatAmerPolitical/Constitutions/Chile/chile97.html>. [164] Law for the Protection of Private Life (Ley Sobre Proteccion de la Vida Privada), Law No.19628 of August 30, 1999, published in the Official Journal in August 28, 1999. [165] Chile: A Country Report, 1994: U.S. Library of Congress. [166] “Chile's Ex-Dictator Tries to Dictate His Future Role,” The New York Times, February 1, 1998. [167] United Nations, Human rights committee concludes consideration of Chile's fourth periodic report, March 25, 1999. [168] Ley No.19.423. [169] “Rows grow over security services,” Southern Cone Report, September 12, 1996. [170] “Television Nacional de Chile,” BBC Summary of World Broadcasts, September 26, 1992. [171] “Army's bugging centre uncovered,” Latin America Weekly Report, October 8, 1992. [172] “Navy, Air Force Deny Allegations of Telephone Tapping,” BBC Summary of World Broadcasts, September 28, 1992. [173] “Chile army to take action against servicemen involved in telephone-tapping case,” BBC Summary of World Broadcasts, November 27, 1992. [174] PRC Constitution from ChinaLaw Web - Constitution of the People’s Republic of China – 1993 (Adopted at the Fifth Session of the Fifth National People’s Congress and Promulgated for Implementation by the Proclamation of the National People’s Congress on December 4, 1982, as amended at the First Session of the Seventh National People’s Congress on April 12, 1988, and again at the First Session of the Seventh National People’s Congress on March 29,1993.) <http://www.qis.net/chinalaw/prccon5.htm>. [175] W.J.F Jenner “China and Freedom” in Kelly & Reid, Asian Freedoms (Cambridge University Press, 1998). [176] Gary Chapman, “China Represents Ethical Quagmire in High-Tech Age,” Los Angeles Times, January 27, 1997. [177] “China forms information security oversight committee,” Xinhua News Agency, February 12, 1999. [178] “Beijing convicts Internet dissident; Businessman sold Chinese e-mail addresses,” The Washington Times, January 21, 1999. [179] Computer Information Network and Internet Security, Protection and Management Regulations (Approved by the State Council on December 11, 1997 and promulgated by the Ministry of Public Security on December 30, 1997) <http://www.usembassy-china.gov/english/sandt/index.html>. [180] Charles D. Paglee, Chinalaw Web - Computer Information Network and Internet Security, Protection and Management Regulations (last modified April 7, 1998) <http://www.qis.net/chinalaw/prclaw54.htm>. [181] “China Security Blitz Bugs Intel PCs,” Australasian Business Abstracts, July 8, 1999. [182] U.S. Department of State, Bureau of Democracy, Human Rights, and Labor, China Country Report on Human Rights Practices for 1998, February 26, 1999; Amnesty International, 1999 World Report: China. [183] “Blair: I Never Want to Visit Beijing Again; Blair Claims He was Bugged by China's Secret Police,” The Mirror, October 12, 1998. [184] Kevin Platt, “China’s ‘cybercops’ clamp down,” Christian Science Monitor, November 17, 1999. [185] Michael Laris, “China sniffing out dissent on the Internet; Government accused of web sabotage,” The Washington Post, Aug 5, 1999. [186] State Council Order Number 273, October 22, 1999. [187] Matt Forney, “Ban Raised Fears Involving Privacy in Communications,” The Wall Street Journal, March 13, 2000. [188] Chinalaw Computer-Assisted Legal Research Center Peking University – Postal Law of the People’s Republic of China (Adopted at 18th Meeting of the Standing Committee of the National People’s Congress, promulgated by Order No. 47 of the President of the People’s Republic of China on December 2, 1986, and effective as of January 1, 1987) CHINALAW No. 396. [189] Xinhua news agency, Beijing, 20 May 1999. [190] Xinhua news agency, Beijing, in English, 7 May 1984, via BBC Summary of World Broadcasts; Regulations of the People’s Republic of China Concerning Resident Identity Cards (Adopted at the 12th Meeting of the Standing Committee of the Sixth National People's Congress, promulgated for implementation by Order No. 29 of the President of the People's Republic of China on September 6, 1985, and effective as of September 6, 1985) CHINALAW No. 304. [191] Chinalaw Computer-Assisted Legal Research Center Peking University – Regulations of the People’s Republic of China on Administrative Penalties for Public Security (Adopted at the 17th Meeting of the Standing Committee of the Sixth National People's Congress, promulgated by Order No. 43 of the President of the People's Republic of China on September 5, 1986, and effective as of January 1, 1987) CHINALAW No. 368 [192] China: Numbering system aids social security, China Daily, November 27, 1997. [193] “With eye on Security, China nurtures domestic IC cards,” Electronic Engineering Times, August 9, 1999. [194] Guangzhou Hotels Send Personal Data on Guests To Police, Hong Kong Standard, 30 Dec 1998. [195] Chapter of Laws (Cap) 383: 288: <http://www.justice.gov.hk>. [196] Chapter of Laws (Cap) 486: <http://www.justice.gov.hk>. See generally Berthold M. & Wacks R., Data Privacy Law in Hong Kong (FT Law & Tax, 1997). [197] Hong Kong Law Reform Commission, 1994 Report on the Law Relating To The Protection Of Personal Data. Website information on the Hong Kong Law Reform Commission is available at <http://www.info.gov.hk>. [198] Home Page: http://www.pco.org.hk [199] The Code of Practice on the Identity Card Number and other Personal Identifiers was gazetted on 19 December 1997 and took effect in 1998. [200] The Code of Practice on Consumer Credit Data was issued on 27 February 1998 and took effect on 27 November 1998. A summary is available at the commissioner’s website at <http://www.pco.org.hk>. [201] Operations Division, Office of the Privacy Commissioner for Personal Data, May 1999. [202] “HK Court Blocks Lawsuit Against China News Agency,” Reuters, Jun 8, 1999. [203] Section 33, Chapter of Laws (Cap) 106. [204] Section 13 Chapter of Laws (Cap) 98. [205] “Phone tap figures to remain secret,” South China Morning Post, October 1, 1998. [206] Hong Kong Law Reform Commission, Hong Kong Law Reform Commission’s 1996 Report on Privacy: Regulating the Interception of Communications. <http://www.info.gov.hk/hkreform/reports/intercept-e.pdf>. [207] Fifth periodic report : China. 16/06/99. CCPR/C/HKSAR/99/1. (State Party Report), 16 June 1999. [208] Law Reform Commission's sub-committee on Privacy, Civil Liability For Invasion Of Privacy, <http://www.info.gov.hk/hkreform/reports/privacy-e.pdf>. [209] Law Reform Commission's sub-committee on Privacy, The Regulation Of Media Intrusion. <http://www.info.gov.hk/hkreform/reports/media-e.pdf>. [210] Government-proposed press council loses vote in Hong Kong, Freedom Forum, November 24, 1999. [211] Code on Access to Information, March 1995 <http://www.info.gov.hk/access/code.htm>. [212] Charter of Fundamental Rights and Freedoms, 1993, <http://www.psp.cz/cgi-bin/eng/docs/laws/charter.html>. [213] Act no. 101 of 2000 “On Personal Data Protection.” [214] “E.U. warns applicants on slow preparations,” Financial Times, November 5, 1998. [215] Act of April 29, 1992 on Protection of Personal Data in Information Systems (No. 256/92). [216] Home Page: http://www.uoou.cz/ [217] “Information Protection Laws Must Be Passed Now,” The Prague Post, January 11, 1995. [218] “Ketchup-Bottle Bomb Sparks Internet Privacy Row,” The Prague Post, September 25, 1996. [219] CTK National News Wire, September 14, 1999. [220] “Undisturbed Privacy Top Priority -- Poll,” CTK National News Wire, January 23, 1997. [221] “Most People Believe that their Personal Data is Misused– Poll,” CTK National News Wire, October 6, 1998. [222] Article 88 of Criminal Process Law. [223] CTK National News Wire, November 8, 1996. [224] Penal Code, section 238. [225] Penal Code, section 206. [226] Penal Code, section 239. [227] Centre de Recherches Informatique et Droit, Legal Aspects of Information Services and Intellectual Property Rights in Central and Eastern Europe, Feb 1995. [228] Act no. 106/1999 Coll., on free access to information [229] “Freedom of info clears last hurdle,” The Prague Post, May 19, 1999. [230] Act no. 123/1998 Coll., on the right to information about the environment. [231] See <http://conventions.coe.int/>. [232] Signed 21/02/91, Ratified 18/03/92, Entered into Force 01/01/93. <http://conventions.coe.int/>. [233] Constitution of Denmark <http://www.uni-wuerzburg.de/law/da00t___.html>. [234] The Act on Processing of Personal Data, Act No. 429 of 31 May 2000 (Lov om behandling af personoplysninger). <http://147.29.40.90/_GETDOC_/ACCN/A20000042930-REGL>. [235] Private Registers Act of 1978 (Lov nr 293 af 8 juni 1978 om private registre mv), in force 1 January 1979. [236] Public Authorities’ Registers Act of 1978 (Lov nr 294 af 8 juni 1978 om offentlige myndigheders registre), also in force 1 January 1979. [237] Home Page: <http://www.registertilsynet.dk/eng/index.html>. [238] Letter from the Registertilsynet to EPIC, August 13, 1999. [239] Penal Code Section 263. [240] “Denmark: Surveillance of political activity admitted,” Statewatch bulletin, vol 8 no 2, March-April 1998. [241] “Denmark: PET involved in “illegal” surveillance,” Statewatch bulletin, vol 8 no 5, September-October 1998. [242] See http://www.eb.dk/netdetect/echelon/; http://www.cryptome.org/echelon-eb2.htm [243] “Envoy to Denmark: We're Not Spies,” Associated Press, April 3, 2000. [244] “HÆKKERUP: Many Are monitoring us,” Ekstra Bladet December 9. 1999. [245] “TVIVLSOM JAGT PAA ANONYM KILDE,” Politiken Weekly, March 1, 2000. [246] Borgerlig Straffelov. [247] Act No. 278 respecting the prohibiting against video surveillance by private persons, etc, 9 June 1982 (Lovtidende A, No. 44, 1982, p. 644). [248] lov nr 571 af 19 desember 1985 om forvaltning. [249] ovbekendtgørelse nr 811 af 12 september 1994 om betalingskort mv. [250] lov nr 504 af 30 juni 1993 om aktindsigt i helbredsoplysninger. [251] lov nr 572 af 19 desember 1985 om offentlighed i forvaltningen). <http://www.au.dk/da/regler/1985/lov572/index.html>. < http://www.vissenbjergkommune.dk/postli/offlov.htm>. [252] Signed 28/01/81, Ratified 23/10/89, Entered into Force 01/02/90, <http://conventions.coe.int/>. [253] Signed 21/02/91, Ratified 18/03/92, Entered into Force 01/01/93, <http://conventions.coe.int/>. [254] Constitution of Estonia, <http://www.uni-wuerzburg.de/law/en00t___.html>. [255] Law on the protection of personal data (RT I 1996, 48, 944). <http://www.dp.gov.ee/eng/Personal_Data_Protection_Act.html>. [256] Databases Act (RT* I 1997, 28, 423) <http://www.dp.gov.ee/eng/Databases_Act.html>. [257] Home Page: <http://www.dp.gov.ee:8020/>. [258] European Commission, Regular Report from the Commission on Progress towards Accession - Estonia - October 13, 1999 <http://europa.eu.int/comm/enlargement/estonia/rep_10_99/b4.htm>. [259] “Estonian Statistics Office to Bring Census Database Into Accordance With Law,” Baltic News Service, June 6, 2000. [260] “Estonian parliament adopts law on population register,” BBC Worldwide Monitoring, June 1, 2000. [261] The Baltics Worldwide, Spring 1997. [262] Digital Signatures Act, (RT I 2000, 26, 150), Passed 8 March 2000, entered into force 15 December 2000. <http://www.riik.ee/riso/digiallkiri/digsignact.rtf>. [263] “Estonia To Set Up One Of World's First Gene Banks,” Associated Press, August 10, 2000. See Estonian Genome Foundation Web site: http://www.genomics.ee/genome/ [264] Surveillance Act (RT* I 1994, 16, 290, 22 February 1994). <http://vlf.juridicum.su.se/master99/library2/teste/Surv.htm>. [265] Criminal Code article 134. [266] Baltic News Service, October 8, 1999. [267] Estonian government approves plans for tax police, BBC Worldwide Monitoring, May 16, 2000. [268] Telecommunications Act Passed 9 February 2000 (RT I 2000, 18, 116), entered into force 19 March 2000. <http://www.legaltext.ee/tekstid/X/en/X30063.HTM>. [269] Deutsche Presse-Agentur, “Estonian intelligence begins probe into former premier Saavisar,” May 16, 1996. [270] Estonian MP rejects reports that Estonian secret services spied on Swedes, BBC Worldwide Monitoring, January 13, 2000. [271] Draft Public Information Act. < http://www.netexpress.ee/eall/eelnou.html>. [272] Surveillance Act (RT* I 1994, 16, 290, 22 February 1994) <http://vlf.juridicum.su.se/master99/library2/teste/Surv.htm>. [273] <http://conventions.coe.int/>. [274] Ratified 14/05/93, Enacted 16/04/96, Entered into Force 16/04/96, <http://conventions.coe.int/>. [275] Constitution of Finland <http://www.eduskunta.fi/kirjasto/Lait/constitution.html>. [276] Personal Data Act (523/99). <http://www.tietosuoja.fi/uploads/hopxtvf.HTM>. [277] Personal Data Files Act (Law No. 471/87). [278] Home Page: <http://www.tietosuoja.fi/engl.html>. [279] <http://www.tietosuoja.fi/>. [280] Criminal Records Act (770/93). [281] Act on Population Information (1993/507). [282] Jorma Kuopus, “Data Protection Regulatory System,” Data Transmission and Privacy, D. Campbell and J. Fisher, eds., (Netherlands: Martinus Nijhoff Publishers, 1994). [283] See <http://www.qainfo.se/~lb>. [284] See <http://www.penet.fi/injuncl.html>. [285] See Finnish Population Register Centre, <http://www.vaestorekisterikeskus.fi/>. [286] Finnish League for Human Rights, Human Rights in Finland: 1998 Audit, December 1998. [287] http://www.om.fi/1184.htm. [288] Act 83/9/2/1951. [289] Wayne Madsen, Handbook of Personal Data Protection (New York: Stockton Press, 1992). [290] Signed 10/04/91, Ratified 02/12/91, Entered into force 1/04/92, <http://conventions.coe.int/>. [291] Signed 05/05/89, Ratified 10/05/90, Entered into force 10/05/90, <http://conventions.coe.int/>. [292] Kuopus, ibid. [293] Madsen, ibid. [294] Dècision 94-352 du Conseil Constitutionnel du 18 Janvier 1995. [295] Loi N° 78-17 du Janvier 1978 relative à l'informatique, aux fichiers et aux libertés. Journal officiel du 7 janvier 1978 et rectificatif au JO du 25 janvier 1978, modifiée par la loi n° 88-227 du 11 mars 1988, article 13 relative à la transparence financière de la vie politique (JO du 12 mars 1988), la loi n° 92-1336 du 16 décembre 1992 (JO du 23 décembre 1992) et la loi n° 94-548 du ler juillet 1994 (JO du 2 juillet 1994), <http://www.cnil.fr/textes/text02.htm>. [296] Guy Braibant, Donnees Personnelles et Societe De 'Information: Rapport au Premier Ministre sur la transposition en droit français de la directive no 95/46, le 3 mars 1998, [297] See <http://www.internet.gouv.fr/francais/index.html>. [298] ‘Data protection: Commission takes five Member States to court’, Press Release, 11 January 2000. <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/2k-10.htm>. [299] Home Page: <http://www.cnil.fr>. [300] Commission nationale de l'informatique (CNIL), 20eme rapport d’activite 1999, July 5, 2000. [301] “Le publipostage électronique et la protection des données personnelles,” 14 octobre 1999. http://www.cnil.fr/actu/tactu.htm [302] ‘Protection des données personnelles et e-commerce en France’ 19 avril, 2000. <http://www.cnil.fr/actu/tactu.htm>. [303] La loi n° 91-636 du 10 juillet 1991 relative au secret des correspondances émises par la voie des télécommunications. [304] 8e rapport d' activité 1999, Commission national de contrôl des interceptions de sécurité, May 2000. [305] Kruslin v. France, 176-A, Eur. Ct. H.R. (ser. A) (1990). [306] la France condamnée par la Cour européenne des droits de l'homme, Le Monde, 27 Août 1998. [307] see Capitaine Paul Barril, Guerres Secrètes à L'Élysée, (Albin Michel, 1996), Francis Zamponi, Les RG à l'écoute de la France: Police et politique de 1981 à 1997, (La Découverte, 1998). [308] 5e rapport d' activité 1997, Commission national de contrôl des interceptions de sécurité, May 1998. [309] The Rachel affaire. Judgment of June 16, 1858, Trib. pr. inst. de la Seine, 1858 D.P. III 62. See Jeanne M. Hauch, Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris, 68 Tul. L. Rev. 1219 (May 1994). [310] Civil Code, Article 9, Statute No. 70-643 of July 17, 1970. [311] Loi n° 78-753 du 17 juillet 1978 portant diverses mesures d'amélioration des relations entre l'administration et le public et diverses dispositions d'ordre administratif, social et fiscal. (Journal officiel du 18 juillet 1978, page 2851). <http://www.cnil.fr/textes/text05.htm>. [312] Loi n° 79-18 du 3 janvier 1979 sur les archives (Journal officiel du 5 janvier 1979, page 43, rectificatif au journal officiel du 6 janvier 1979, page 55). <http://www.cnil.fr/textes/text052.htm>. [313] Loi d'orientation et de programmation n° 95-73 du 21 janvier 1995 relative à la sécurité (Journal officiel du 24 janvier 1995, page 1249). <http://www.cnil.fr/textes/text054.htm>. Also see Décret n° 96-926 du 17 octobre 1996 relatif à la vidéo-surveillance pris pour l'application de l'article 10 de la loi n° 95-73 du 21 janvier 1995 d'orientation et de programmation relative à la sécurité (Journal officiel du 20 octobre 1996, page 15432). <http://www.cnil.fr/textes/text055.htm> and Circulaire du 22 octobre 1996 relative à l'application de l'article 10 de la loi n° 95-73 du 21 janvier 1995 d'orientation et de programmation relative à la sécurité (décret sur la vidéosurveillance) (Journal officiel du 7 décembre 1996, page 17835). <http://www.cnil.fr/textes/text056.htm>. [314] Code of Post and Telecommunications, L. 41. [315] Loi n° 92-1446 du 31 décembre 1992 relative à l'emploi, au développement du travail à temps partiel et à l'assurance chômage. (Journal officiel du 1er janvier 1993, page 19). <http://www.cnil.fr/textes/text053.htm>. [316] Penal Code, Article 368. [317] Loi no 553 du 28 juin 2000, modifiant la loi n° 86-1067 du 30 septembre 1986 relative à la liberté de communication. <http://www.assemblee-nationale.fr/2/pdf/ta0553.htm>. [318] A full history of the developments since the law was first introduced on May, 1999 is available (in French) at http://www.iris.sgdg.org/actions/loi-comm/index.html [319] Loi sur la liberté de communication, Déclaration des acteurs d'Internet. <http://www.iris.sgdg.org/actions/loi-comm/declaration.html>. [320] Saisine du Conseil constitutionnel par plus de 60 députés, 29 juin 2000. <http://www.conseil-constitutionnel.fr/decision/2000/2000433/index.htm>. [321] Conseil Constitutionnel, Décision n° 2000-433 DC du 27 juillet 2000, <http://www.conseil-constitutionnel.fr/decision/2000/2000433/2000433dc.htm>. [322] Loi no. 78-753 du 17 juillet 1978 de la liberté d’accès au documents administratifs <http://www.legifrance.gouv.fr/textes/html/fic197807170753.htm>; Loi no 79-587 du juillet 1979 relative à la motivation des actes administratifs et à l’amélioration des relations entre l’administration et le public. [323] Rapport d'activité - 9ème rapport Commission d'accès aux documents administratifs ( CADA) Edition 1999.<http://www.ladocfrancaise.gouv.fr/fic_pdf/cada.pdf>. [324] Loi n°2000-321 du 12 avril 2000 relative aux droits des citoyens dans leurs relations avec les administrations (J.O. du 13 avril 2000). <http://www.legifrance.gouv.fr/citoyen/jorf_nor.ow?numjo=FPPX9800029L>. Travaux préparatoires, see: <http://www.assembleenationale.fr/2/2dbc_2000.htm#loi2000_321>. [325] Signed 28/01/81, Ratified 24/03/83, Entered into Force 01/10/85, <http://conventions.coe.int/>. [326] Signed 04/11/50, Ratified 03/05/74, Entered into Force 03/05/74, <http://conventions.coe.int/>. [327] BverfGE 65,1. [328] Federal Act on Data Protection, 27 January 1977 (Bundesgesetzblatt, Part I, No 7, 1 February 1977), Amended 1990. <http://www.datenschutz-berlin.de/gesetze/bdsg/bdsgeng.htm>. [329] <http://www.datenschutz-berlin.de/ueber/aktuell.htm#topofnews>. [330] Home Page: <http://www.bfd.bund.de/>. [331] Fax from Ulrich Dammann, Bundesbeauftragte für den Datenschutz to EPIC, July 27, 2000. [332] Links to the Ländesbeauftragten für den Datenschutz are available at <http://www.datenschutz-berlin.de/sonstige/behoerde/ldbauf.htm>. [333] Dr.iur. Alexander Dix, Case Study: North America and the European Directive - The German RailwayCard: A model contractual solution of the “adequate level of protection” issue?, September 1996. <http://www.datenschutz-berlin.de/sonstige/konferen/ottawa/alex3.htm>. [334] “Gesetz zur Beschraenkung des Brief-, Post- und Fernmeldegeheimnisses - Gesetz zu Artikel 10 des Grundgesetzes (GG10)” (Law on restriction of the right of secrecy of letters, mail and telecommunication - Law applying to article 10 of the constitution). 13. August 1968 (G10 BGBl. I, p. 949) and was changed the last time by the bill of 28.10. 1994 (BGBl. I, p.3186ff) “Verbrechensbekaempfungsgesetz” ('Crime-fighting law'). [335] <http://www.uni-wuerzburg.de/glaw/bv093181.html>. [336] German Phone Taps are Routine, The Independent, July 10, 1999. [337] Constitutional Court Upholds Covert Investigation of Political Parties, The Week in Germany December 10, 1999. [338] Telecommunications Carriers Data Protection Ordinance (TDSV) As of: 12 July 1996 (Federal Law Gazette I p 982), Federal Ministry of Posts and Telecommunications. <http://www.datenschutz-berlin.de/gesetze/medien/tdsve.htm>. [339] Federal Act Establishing the General Conditions for Information and Communication Services - Information and Communication Services Act - (Informations- und Kommunikationsdienste-Gesetz - IuKDG) 13 June 1997 <http://www.datenschutz-berlin.de/gesetze/medien/iukdge.htm>. Also see Resolution of the Conference of Data Protection Commissioners of the Federation and the Länder of 29 April 1996 on key points for the regulation in matters of data protection of online services. <http://www.datenschutz-berlin.de/sonstige/konferen/sonstige/old-res2.htm>. [340] "New Powers For The Border Police: Checks Anywhere At Any Time," Fortress Europe, FECL 56 (December 1998). [341] Akteneinsichts- und Informationszugangsgesetz (AIG), 1998. [342] <http://www.datenschutz-berlin.de/recht/bln/ifg/ifg.htm>. [343] <http://www.rewi.hu-berlin.de/Datenschutz/DSB/SH/material/recht/infofrei/infofrei.htm>. [344] Web Site: <http://www.snafu.de/~bstu/ >. [345] “Gauck reports steady flow of inquiries about stasi records,” The Week in Germany, July 16, 1999 . [346] “U.S.-Held Files Seen Uncovering E. German Spies.” Reuters, February 4, 1999. [347] “Stasi files on Kohl's tapped calls vanish,” The Times, May 17, 2000. [348] <http://conventions.coe.int/>. [349] <http://conventions.coe.int/>. [350] Constitution of Greece, Adopted: 11 June 1975, <http://www.uni-wuerzburg.de/law/gr00t___.html>. [351]Law no. 2472 on the Protection of Individuals with regard to the Processing of Personal Data. [352] The Reuters European Community Report, June 10, 1997. [353] Home Page: <http://www.dpa.gr/>. [354] The Guardian, May 22, 2000. [355] The Reuters European Community Report, April 23, 1993. [356] Law no 2225/94. [357] U.S. Department of State, Greece Country Report on Human Rights Practices for 1997, January 30, 1998. See also Greece Report, Human Rights Watch World Report, 1998. [358] Reuters World Service, November 20, 1996. [359] Law no 1599/1986 on the relationship of a new type of identification card and other provisions. [360] See http://www.rz.uni-frankfurt.de/~sobotta/greecenew.htm [361] Signed 17/02/83, Enacted 11/08/95, Entered into Force 01/12/95, <http://conventions.coe.int/>. [362] Signed 28/11/50, Enacted 28/11/74, Entered into Force 28/11/74, <http://conventions.coe.int/>. < back to Privacy & Human Rights 2000