mkdir() [function.mkdir]: Permission denied in /home/admin/domains/pasidomek.lt/public_html/Ip/Lib/less.php/Cache.php:154file_put_contents(/home/admin/domains/pasidomek.lt/public_html/Theme/ZTA/assets/theme.css) [function.file-put-contents]: failed to open stream: Permission denied in /home/admin/domains/pasidomek.lt/public_html/Ip/Internal/Design/LessCompiler.php:180 II. Protection of Personal Data

Right to Private and Family Life

II. Protection of Personal Data

Since 1996, the protection of personal data in Lithuania has been comprehensively regulated by the special Law on Legal Protection of Personal Data,[1] which was adopted in order to implement EU Directive 95/46/EC.[2] Some aspects of the legal protection of personal data are covered by special legislation, such as the Law on Electronic Communications.[3] 

The regulation of the legal protection of personal data in the 2013-2014 period was marked by a fundamentally unsystematic approach. Data protection regulation initiatives were used to address isolated issues within the public sector, but the fundamental problems continued to be ignored. 

The new EU Regulation on the legal protection of personal data was not adopted during Lithuania's Presidency of the European Union in 2013; its adoption was postponed for an indefinite period. Lithuania also did not express a clear position on the issues surrounding the legal protection of personal data that became apparent in 2013-2014, relating to the massive surveillance of personal data and collection of other private information that was carried out by law enforcement authorities and special services, as revealed by Edward Snowden, during its Presidency or in the ensuing period.  

Protest in Vienna against data retention, 2012, npr.org photo.

Even though there were two important European Court of Justice judgments in 2013-2014 that were relevant to the legal protection of personal data – one relating to mass data retention[4] and the other relating to the right to be forgotten on the Internet[5] – these decisions were met with tepid reception at state level. On the contrary – the Law on Cyber Security, adopted at the end of 2014, provided for further exceptions to the legal protection of personal data, thus showing that there is no intention of abandoning the bulk collection of data. 

Despite complying with key EU rules, the protection of personal data in Lithuania is nominal at best. This is chiefly a result of three reasons: firstly, because low sanctions exist for infringing the right to protection of personal data, with insufficient administrative resources allocated to the defence of the right; secondly, due to the discrepancies between the protection of personal data in the public sector and the private sector; thirdly, due to the fact that society does not sufficiently understand and accept privacy as a public virtue and constitutional right.    

 

Sanctions for breaches of personal data protection are provided for in the Code of Administrative Infringements (CAI);[6] they were set in 1998 and have not been reviewed since. The maximum possible sanction is a fine of 2000 LTL (around 580 Euro),[7] which is insufficient for the defence of constitutional rights. It should be noted that civil liability for breaches of the legal protection of personal data (when the breach does not relate to the publication of private information in the media and/or defending honour and dignity) is essentially non-existent in practice. The fact that the sanctions in Lithuania are disproportionate is best demonstrated by comparing them to the sanctions proposed in the draft EU Regulation on personal data protection, which are several thousand times larger.  

Lithuania did not express a clear position on the issues surrounding the legal protection of personal data that became apparent in 2013-2014, relating to the massive surveillance of personal data and collection of other private information that was carried out by law enforcement authorities and special services, as revealed by Edward Snowden, during its Presidency or in the ensuing period.

The State Data Protection Inspectorate (SDPI), the designated personal data protection supervisory authority, does not have sufficient administrative resources or factual power; as such, the supervision of larger data processors (financial institutions, retail networks or internet service providers) within the private sector, and even more so within the public (especially in relation to law enforcement) sector, is limited and ineffective. Currently, SDPI plays a largely passive role, investigating breaches that become public or reacting to complaints. As such, it follows that the majority of personal data breaches in Lithuania remain under the hood, with persons responsible for interference with personal data evading punishment (especially in the public sector). SDPI also lacks the power to initiate legislation in the field of legal protection of personal data. 

The second issue is the discrepancy between personal data protection in the private sector and in the public sector. The public sector, which is in possession of the largest amounts of personal data and particularly sensitive personal data, is not sufficiently accountable for its protection. Furthermore, instead of strengthening the protection of personal data and demonstrating exemplary respect for privacy, various authorities create favourable legal exceptions for themselves. In Lithuania, incidents relating to the most severe breaches of personal data protection rights, or breaches that result in the most serious consequences, are in fact attributable to the public sector. Notably, they include repeat incidences of police officers potentially trading in personal data[8] and the personal details of minors involved in sexual abuse cases being made public through the fault of the court staff.[9] Despite getting a response from the media, the outcome of these incidents, together with the liability of the parties in the wrong, is up in the air. 

The decision of the Supreme Administrative Court on the breaches of privacy contained in the electronic signature certificates issued by the Centre of Registers,[10] which was not implemented in the 2013-2014 period, provides another illustration on how the public sector treats privacy. Instead of protecting the privacy of persons using electronic signatures, controversial legislation was adopted in 2013-2014 that distorted the legal framework for the protection of personal data (creating artificial conflicts between acts of law) and lead to the continuing publication of personal codes in public electronic signature certificates. 

The desire of the public sector to limit the legal protection afforded to personal data, by providing special exceptions and continuing the bulk processing of personal data, can be seen in the Law on Cyber Security,[11] adopted in 2014. The exceptionally wide powers to collect electronic personal data – that is, "information necessary for the prevention or investigation of potentially criminal breaches of the law in cyber space" – that this law granted to law enforcement agencies are not counterbalanced by corresponding proportional safeguards to privacy and the legal protection of personal data. The regulation of the procedure and conditions for providing such information has been relegated to the level of implementing legislation. A nearly-analogous case can be seen in the mass financial data provision to tax authorities, proposed by the amendments to the Law on Tax Administration.[12] Even though the latter proposals have not been adopted, their adoption procedures are well under way and they are expected to be passed in 2015. 

The aforementioned practices and legislation demonstrate a unilateral intervention by the state in the privacy of individuals, without even providing for judicial supervision or the ability to protect one's privacy when it is being infringed upon. The statement of the Article 29 Data Protection Working Party underscores that national legislation should not provide for bulk retention of data, instead providing rules for the differentiation, limitation and exception of data and also ensuring that competent national authorities are only able to access data when it is strictly necessary.[13] So far, these proposals have fallen on deaf ears in Lithuania. 

The private sector also retained its fair share of serious issues regarding the legal protection of personal data in 2013-2014, especially in relation to the use of personal data in marketing,[14] but it also manifested instances of good practice – for example, restricting the public dissemination of frequently negative information by hiding older comments in internet media. 

The attitudes of the public sector towards privacy are at the same time both an expression and one of the root causes of the general devaluation of privacy in society. Privacy is not respected, the education system or the family does not teach that it is a virtue, it is not understood to be an important constitutional right and as such people themselves often post private information on social networks or the internet. Parents are especially irresponsible in posting information about their children on social networks, setting a negative example to the younger generation. The restriction of privacy in the work place and in the living environment is tolerated for these very same reasons. 

Unfortunately, in a climate where privacy is rapidly depreciating in value, the state is also disinterested in its protection. As previously stated, the past two decades saw no initiatives to introduce harsher penalties for breaches of the legal protection of personal data, even in cases where it results in grievous harm or harm to minors; there were also no attempts to regulate privacy in social networks or in the work place. The legal framework is most often developed post factum, in reaction to widely-publicized cases, and furthermore is abstract, with the administrative practices being inconsistent. Lithuania is also slow to react to new EU practices in the field of privacy protection.  

Privacy is not respected, the education system or the family does not teach that it is a virtue, it is not understood to be an important constitutional right and as such people themselves often post private information on social networks or the internet. Parents are especially irresponsible in posting information about their children on social networks, setting a negative example to the younger generation. The restriction of privacy in the work place and in the living environment is tolerated for these very same reasons.

Findings and Recommendations 

  • In essence, the situation in Lithuania with regard to the protection of personal data deteriorated in 2013-2014, solely due to the fact that, in the context of ever-greater invasions of personal privacy committed by the state and private entities, the regulation of and practices relating to the protection of personal data and privacy have either remained static or sprouted new exceptions – exceptions that served narrow interests. The new national legal regulations adopted in this period (for example, the Law on Cyber Security) paid little attention to the constitutional imperative to ensure that interferences with privacy are justified and proportionate. Instead, the prevailing view was that public interests – without exception – trump personal privacy, with the practice of undifferentiated bulk processing of personal data continuing in this period.  
  • Lithuania is late in updating its sanctions for breaches of personal data protection law. Since the situation regarding the adoption of the new EU Regulation on data protection legislation is unclear, national legislation must resolve the issue of sanctions as soon as possible. At the same time, more resources must be allocated to the supervision of personal data protection, with a particular focus on major personal data processors and on actually punishing the parties in breach.  
  • The practice of providing special exceptions in individual cases involving the processing of personal data is deplorable, with efforts to expand the bulk collection and retention of data being particularly worthy of scorn. Even though the ECJ and the Article 29 Data Protection Working Party have harshly criticized the practice of undifferentiated bulk data processing, there is a reluctance to abandon it in Lithuania. 

[1] Law on Legal Protection of Personal Data, 11 June 1996, No. I-1374, http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=400103

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/legal-content/LT/TXT/HTML/?uri=CELEX:31995L0046&from=EN

[3] Law on Electronic Communications, 15 April 2004, No. IX-2135, http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=463812

[4] ECJ judgment in joined cases C-293/12 and C-594/12 on bulk retention of data, delivered on 8 April 2014

[5] ECJ judgment in case C-131/12 on the right to be forgotten on the internet, delivered on 13 May 2014,

[6] Code of Administrative Infringements, 13 December 1984, No. X-4449, Articles 214(14)-214(17), http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=493978

[7]Code of Administrative Infringements, 13 December 1984, No. X-4449, Articles 214(14)-214(17), http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=493978

[8] "Alytus Police Officers Suspected of Illegally Collecting Personal Data", 15min.lt, 7 February 2013, http://www.15min.lt/naujiena/aktualu/lietuva/alytaus-policijos-pareigunai-itariami-neteisetai-rinke-asmens-duomenis-56-304478

[9] Inga Smaskienė, "Scandal: the Whole School Became Privy to the Details of a Student's Sexual Abuse", delfi.lt, 4 June 2014, http://www.delfi.lt/news/daily/law/skandalas-detales-apie-moksleives-patirta-seksualine-prievarta-nagrinejo-visa-mokykla.d?id=64964429

[10] 18 December 2012 judgment of the Supreme Administrative Court on the breaches of privacy contained in the electronic signature certificates issued by the Centre of Registers

[11] Law on Cyber Security, 11 December 2014, No. XII-1428, http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=492070&p_tr2=2

[12] Draft Law Amending Articles 28, 41, 55, 61, 68, 87, 89, 101, 104(1), 104(2), 110, 111, 129, 131, 154 of, Including Article 55(1) in and Repealing Articles 56, 57, 58, 59, 60 of Law No. IX-2112 on Tax Administration, 2014, Articles 3 and 4., http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=473864

[13] Statement of the Article 29 Data Protection Working Party, 1 August 2014, WP 220, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp220_en.pdf 

[14] State Data Protection Inspectorate, "On Direct Marketing Conducted by Mobile Phone Operators", 28 March 2014, https://www.ada.lt/go.php/lit/IMG/188


Cannot modify header information - headers already sent by (output started at /home/admin/domains/pasidomek.lt/public_html/Ip/Internal/ErrorHandler.php:62) in /home/admin/domains/pasidomek.lt/public_html/Plugin/ZTABase/Model.php:8 I. Reproductive Rights and Sexual Education III. Protection of Right to Private Life in Criminal Proceedings