Privacy International

Country Reports



Republic of Hungary

Article 59 of the Constitution of the Republic of Hungary reads, “Everyone in the Republic of Hungary shall have the right to good reputation, the inviolability of the privacy of his home and correspondence, and the protection of his personal data.”[1] In 1991, the Supreme Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[2]

Act No. LXIII of 1992 on the Protection of Personal Data and Disclosure of Data of Public Interest covers the collection and use of personal information in both the public sector and private sector. It is a combined Data Protection and Freedom of Information Act. Its basic principle is informational self-determination.[3] Hungary is an applicant for EU membership and it is anticipated that only minor changes are required to make the Act compliant with the EU Directive. In June 1999, the Parliament amended the Act to treat “data controllers” and “data processors” differently to make it more consistent with the EU Directive.[4]

The Article 29 Working Group of the European Commission recommended in September 1999 that “the Commission and the Committee established by Article 31 of Directive 95/46/EC note that Hungary ensures an adequate level of protection within the meaning of Article 25(6) of this directive.”[5] In July 2000, the European Commission formally adopted this position, thereby approving all future transfers of personal data to Hungary.[6] The Parliament is currently working on more extensive revisions to the act to ensure compliance with the EU Directive, but the changes are not expected to be approved this year.

The Parliamentary Commissioner for Data Protection and Freedom of Information oversees the 1992 Act.[7] Besides acting as an ombudsman for both data protection and freedom of information, the Commissioner’s tasks include maintaining the Data Protection Register, and providing opinions on DP and FOI-related draft legislation, as well as each category of official secrets. Under the Secrecy Act of 1995, the Commissioner is entitled to change the classification of state and official secrets as well. The Commissioner (along with the two other Parliamentary Commissioners – one for human rights in general, the other for the ethnic minorities) was elected for the first time on June 30, 1995, for a six-year term.

The Commission has been very active reviewing cases involving personal information.[8] When reviewing unlawful national security controls in 1995, unlawful information gathering practices were found in 797 cases and files had to be destroyed. In 1995, the names and addresses of the winners of the largest lottery jackpot were broadcast on television against the will of the individuals. In a case involving unlawful gathering of personal data of patients at voluntary drug treatment institutions in 1997, the police had to return the lists to the hospital. In June 2000, the Commission ruled that a large company cannot give personal information to debt collectors without the person’s consent.[9] In March, the Commissioner expressed concern about U.S. FBI agents based in Hungary having access to personal information while being given diplomatic immunity.[10] The Commission has registered 19,376 databases and conducts about 900 examinations each year.[11] There are 27 people on the staff.

Surveillance by police requires a court order and is limited to investigations of crimes punishable by more than five years imprisonment.[12] Surveillance by national security services requires the permission of a specially appointed judge or the Minister of Justice, who can authorize surveillance for up to 90 days.[13] There have been a number of scandals involving secret service spying on political opponents, environmental activists and ethnic minorities. The Parliamentary National Security Committee is still investigating the illegal surveillance of members of the then-opposition political party Fidesz by the intelligence services.[14] Prime Minister Viktor Orbán said in 1998 the surveillance was conducted by former members of the secret service then employed by private companies.[15] In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF10 billion.[16]

Many laws contain rules for handling personal data including addresses,[17] universal identifiers,[18] medical information,[19] police information,[20] public records,[21] employment,[22] telecommunications,[23] and national security services.[24] The Direct Marketing Act provides for opt-out, but only for name and address information.[25] There is no sectoral legislation covering the Internet. The Criminal Code also has provisions on privacy.[26]

Hungary is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[27] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[28] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Republic of Iceland

Section 72 of the Constitution states, “The dwelling shall be inviolable. House searching, seizure, and examination of letters and other papers as well as any breach of the secrecy to be observed in postal, telegraph, and telephone matters shall take place only under a judicial order unless particular exception is warranted by Statute.”[29]

The Act on Protection of Individuals with regard to the Processing of Personal Data is a new law on the processing of personal information for government agencies and corporations, enacted to ensure compliance with the EU Directive.[30] The act covers both automated and manual processing of personal information. It also covers video surveillance and limits the use of National Identification Numbers. The Statistical Bureau of Iceland shall maintain a registry of individuals not willing to allow the use of their names in product marketing. It replaces the 1979 Act on the Registration and Handling on Personal Data.[31]

The Act is enforced by the Icelandic Data Protection Commission (Datatilsynet). The Commission maintains the registry of activities and can investigate and issue rulings. It can also impose fines for non-compliance and can seek criminal sanctions. The Authority can also prohibit or mandate the use of the National Identification Numbers and is in charge of overseeing the Schengen Information System. In 1998, the Commission registered 509 activities.

In December 1998, the Parliament approved a bill to create a nationwide centralized health database to be used for genetic research.[32] The Government gave an exclusive 12-year license for the database to American bio-tech company deCODE Genetics, which will create a nationwide genetic database of the entire Icelandic population based on 30 years of patients’ records. The company is spending $200 million over the next five years for research. Patients were originally required to opt out of the database by June 1999. After that date, their information could not be removed. deCODE plans to register on the U.S. NASDAQ stock market in the summer of 2000.

This proposal has been very controversial both in Iceland and with medical and privacy experts around the world. As of May 2000, over 18,000 people have opted out of the database. The Icelandic Medical Association is opposing the effort and many doctors are refusing to hand over their patients’ records without consent. The World Medical Association in April 1999 supported the Icelandic Medical Association’s opposition to the database.[33] Security experts have examined the database and have found that its encryption does not protect the identities of individuals.[34] At their annual meeting in Santiago de Compostela, Spain in September 1998, the other European Data Protection Commissioners recommended that the Icelandic authorities reconsider the project in light of the fundamental principles laid down in the European Convention on Human Rights, the Council of Europe Convention and Recommendation (97)5 on medical data, and the EC Directive.

Responding to the protests, the Government enacted the Act on Biobanks on May 13, 2000.[35] The act sets rules for the “collection, keeping, handling and utilization of biological samples from human beings” to ensure confidentiality and prohibit discrimination. The Act requires informed consent from the person for the collection of samples. However, under the Act “if samples have been collected for the purpose of clinical tests or treatment, the consent of the patient may be assumed for the storage of the biological sample in a biobank” if the doctor gives general information to the patient. The Data Protection Authority is to set the procedures on the linking of the sample with the patient’s identification.

Under the Law on Criminal Procedure, wiretapping, tape recording or photographing without consent requires a court order and must be limited to a short period of time. After the recording is complete, the target must be informed and the recordings must be destroyed after they are no longer needed.[36] There were 42 wiretaps authorized between 1992 and February 1996.[37] Complaints against the orders can be submitted to the Supreme Court. Chapter XXV of the Penal Code also penalizes violations of privacy such as violating the secrecy of letters and revealing secrets to the public.

The Freedom of Information Act of 1996 (Upplysingalög) governs the release of records.[38] Under the Act, individuals (including non-residents) and legal entities have a legal right to documents without having to show a reason for the document. There are exceptions for national security, commercial and personal information. Copyrighted material can be provided to requestors but it is then their responsibility if they republish the materials in a manner inconsistent with the copyright. Denials can be appealed to the Information Committee.

Iceland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[39] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[40] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Iceland is not an EU member state but has been granted associate status.

Republic of India

The Constitution of 1950 does not expressly recognize the right to privacy.[41] However, the Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21 of the Constitution, which states, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”[42]

There is no general data protection law in India. The National Task Force on IT and Software Development, established by the Prime Minister’s Office in May 1998, submitted an “IT Action Plan” to Prime Minister Vajpayee in July 1998 calling for the creation of a “National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data.” It examined the UK Data Protection Act as a model and recommended a number of cyber laws including ones on privacy and encryption.[43] The Act was expected to be drafted by the end of 1998 but has not been introduced.[44]

In May of 2000, the government passed the Information Technology Act, a set of laws intended to provide a comprehensive regulatory environment for electronic commerce.[45] Chapter III of the bill gives electronic records and digital signatures legal recognition, and Chapter X creates a Cyber Appellate Tribunal to oversee adjudication of cybercrimes such as damage to computer systems (Section 43) and breach of confidentiality (Section 72). After strong criticism, sections requiring cybercafes to record detailed information about users were dropped. The legislation gives broad discretion to government law enforcers through a number of provisions: Section 69 allows for interception of any computer resource and requires that users disclose encryption keys or face a jail sentence up to seven years; Section 80 allows deputy superintendents of police to conduct searches and seize suspects without a warrant; Section 44 imposes stiff penalties on anyone who fails to provide requested information to authorities; and Section 67 imposes strict penalties for involvement in the publishing of materials deemed obscene in electronic form.

Wiretapping is regulated under the Indian Telegraph Act of 1885. An order for a tap can be issued only by the Union home secretary or his counterparts in the states. A copy of the order must be sent to a review committee established by the high court. Tapped phone calls are not accepted as primary evidence in India’s courts. There have been numerous phone tap scandals in India, resulting in a 1996 decision by the Supreme Court which required the government to promulgate rules regulating taps. The Court ruled that wiretaps are a “serious invasion of an individual’s privacy.”[46] However, illegal wiretapping by government agencies appears to be continuing. According to prominent Non-Government Organizations, the mail of many NGOs in Delhi and in strife-torn areas continues to be subjected to interception and censorship.[47] There was considerable discussion in 1998 about a rumored new government proposal on Internet surveillance. The plan would have required Internet service providers to connect their routers to state security agencies such as the Intelligence Bureau and the Research and Analysis Wing so their traffic could be monitored.[48]

ISPs are barred from violating the privacy rights of their subscribers by virtue of the license to operate they are granted by the Department of Telecommunications.[49]

There is also a right of privacy guaranteed by Indian laws. Unlawful attacks on the honor and reputation of a person can invite an action in tort and/or criminal law.[50] The Public Financial Institutions Act of 1993 codifies India’s tradition of maintaining confidentiality in bank transactions.

The Supreme Court ruled in 1982 that access to government information was an essential part of the fundamental right to freedom of speech and expression.[51] A draft Freedom of Information Act was introduced into the Parliament in July 2000.[52] The bill would provide a general right to access information and create a National Council for Freedom of Information and State Councils. It contains seven broad categories of exemptions. The draft was heavily criticized by campaigners who said that the bill provided only limited access to government records.[53] The National Centre for Advocacy Studies said, “Many of the aspects towards information availability have been left completely in the hands of bureaucrats, which defeats the very purpose of the bill.” In 1997, the state of Tamil Nadu adopted the Act for Right to Information and the states of Gujarat and Rajasthan have administratively provided access to records. The state of Madhya Pradesh enacted a Right to Information Bill in March 1998.

Ireland

Although there is not an express reference to a right to privacy in the Irish Constitution, the Supreme Court has ruled an individual may invoke the personal rights provision in Article 40.3.1 to establish an implied right to privacy. This article provides that “The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens.” It was first used to establish an implied constitutional right in the case of McGee v. Attorney General,[54] which recognized the right to marital privacy. This case has been followed by others such as Norris v. Attorney General[55] and Kennedy and Arnold v. Ireland.[56] In the latter case the Supreme Court ruled that the illegal wiretapping of two journalists was a violation of the constitution, stating:

The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State... The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This can not be insured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with.[57]

Ireland has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[58] Unlike every other European signatory country, Ireland has not incorporated this Convention into national law. However, there have been announcements by the Government that the Convention will soon be written into Irish law as part of the Anglo-Irish peace talks. This will, for the first time, allow the provisions of the Convention (including the right to privacy) and the case law of the European Court of Human Rights to be relied on in Irish courts.

In 1988, the Data Protection Act was passed in order to implement the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Act regulates the collection, processing, keeping, use and disclosure of personal information processed by both the private and public sectors, but it only covers information which is automatically processed. Individuals have a right to access and correct inaccurate information. Information can only be used for specified and lawful purposes and cannot be improperly used or disclosed. Additional protections can be ordered for sensitive data. Criminal penalties can be imposed for violations. There are broad exemptions for national security, tax, and criminal purposes. Misuse of data is also criminalized by the Criminal Damage Act 1991.

As a member of the EU, Ireland is obliged to amend this Act and extend its scope in order to implement the European Data Protection Directive. Under the terms of the Directive, Ireland should have completed this by October 1, 1998. A consultation paper was released by the Department of Justice in November 1997.[59] However, as of July 2000, draft legislation has not been published. According to the Department of Justice, Equality and Law Reform, a draft Data Protection Bill is now in the final stages of its preparation and should be introduced in the fall of 2000.[60] In January 2000, the European Commission initiated a case before the European Court of Justice against Ireland and four other countries for failure to implement the Data Directive on time.[61]

The 1988 Act established the office of the Data Protection Commissioner to oversee enforcement of its principles. The Commissioner can investigate complaints, prosecute offenders, sponsor codes of practice, and supervise the registration process. The Commission generally deals with about 80 to 100 formal complaints each year, together with approximately 1,500 telephone-based queries from the public. In his Annual Reports, the Commissioner has consistently expressed the need for additional resources and staff in order to continue to “provide any reasonable level of service to the public, whether they be data controllers or individual data subjects.”[62]

According to a recent survey, conducted by Rits IT Consultants, of the top 500 Irish companies, only 29 per cent undertake an audit on a regular basis to ensure compliance with the Data Protection Act.[63] In addition, an informal Irish Times survey of the top Irish websites, including Government institutions and leading private companies, found that these sites routinely breach the terms of the Data Protection Act and the principles laid down in the EU Data Protection Directive. Of the 100 sites studied, it was found that almost none post even the most basic privacy policy explaining to the public what is done with personal information gathered on the site.[64]

In an effort to combat fraud and abuse of public services, the Government passed the Social Welfare Act of 1998 creating a “Public Service Card” which is to carry a unique personal public service number. What was once the “Revenue and Social Insurance” (RSI) number, and used for social welfare and tax purposes only, will now be used as a unique personal identifier in all communications between an individual and specified State Agencies. The Act allows for the exchange of personal data between these bodies in certain circumstances, and its provisions are expressly exempt from the Data Protection Act. The only privacy safeguard laid down by the Act is a provision making it an offence for anyone other than a State agency to attempt to obtain an individual’s PPSN. The Data Protection Commissioner criticized this scheme while it was being debated, stating that “the proposed sharing of personal data, obtained and kept by legally separate entities, for such diverse purposes is fundamentally incompatible with ... the basic tenets of data protection law.”[65] His views were ignored, and the scheme, known as the REACH program, is expected to be fully implemented by 2002.[66]

Proposals by the Minister of Justice to introduce new law enforcement powers have gained recent support in Ireland. A bill to restrict the right to silence, lengthen detention terms and to facilitate the police obtaining search warrants and DNA samples won the approval of the Government in February 2000.[67] The Irish Council for Civil Liberties has criticized all such proposals, claiming them to be contrary to the European Convention on Human Rights.[68] A draft Bill has not yet been introduced in the Dail.

Wiretapping and electronic surveillance are regulated under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act. The Act followed a 1987 decision of the Supreme Court ruling that wiretaps of journalists violated the constitution (see above). In April 1998, the Gardai investigated allegations that several journalists who had uncovered a scandal at the National Irish Bank had their cellular phone conversations intercepted.[69] In its June 1998 Report on “Privacy, Surveillance and the Interception of Communications,” the Law Reform Commission recommended legislation to make illegal the invasion of a person’s privacy through secret filming, taping and eavesdropping and the publication of information received from such surveillance. News stories this year carried reports of Ireland joining the controversial surveillance system known as ECHELON.[70] The issue of employee monitoring is also causing growing concern in Ireland and the Manufacturing, Science and Finance Union (MSF) recently called for national and EU legislation to limit the use of electronic surveillance in the workplace.[71]

There were protests in the Irish Parliament in June 1999 after reports that the British government tapped all telephone calls, email, telexes and faxes between Ireland and Britain from a 13-story tower in Capenhurst, Cheshire, from 1989 until 1999. The Irish government asked its ambassador in the UK to demand more information on the activity.[72] In January 2000, the Irish Minister for Foreign Affairs held meetings with the British Foreign Secretary to investigate these allegations.[73] Three English and Irish civil liberties groups, namely the Irish Council for Civil Liberties, Liberty, and British Irish Rights Watch, have brought a case against the UK Government before the European Court of Human Rights alleging breaches of Articles 8 and 13 of the European Convention on Human Rights.[74] The UK Government has neither confirmed nor denied the allegations.

Other incidental causes of action open to those who suffer privacy intrusions in Ireland include claims under the laws of Trespass, Nuisance, Defamation, Negligence and Confidence.

The Freedom of Information Act was approved in 1997 and went into effect in April 1998.[75] The act creates a presumption that the public can access documents created by government agencies and requires that government agencies make internal information on their rules and activities available. The Office of the Information Commissioner enforces the act. According to the Information Commissioner’s 1999 Annual Report, over 11,000 FOI requests in total were made to public bodies in 1999. The Commissioner accepted 443 cases for review, of which 141 were completed.[76]

Ireland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It is also a member of the Council of Europe and, as mentioned above, it introduced the 1988 Data Protection Act to give effect to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[77]

State of Israel

Section 7 of The Basic Law: Human Dignity and Freedom (1992) states, “(a) All persons have the right to privacy and to intimacy. (b) There shall be no entry into the private premises of a person who has not consented thereto. (c) No search shall be conducted on the private premises or body of a person, nor in the body or belongings of a person. (d) There shall be no violation of the secrecy of the spoken utterances, writings or records of a person.”[78] According to Supreme Court Justice Mishael Cheshin, this elevated the right of privacy to the level of a basic right.[79]

The Protection of Privacy Law regulates the processing of personal information in computer data banks.[80] The law set out 11 types of activities that violated the law and could subject violators to criminal or civil penalties. Holders of data banks of over 10,000 names must register. Use of information in a database is limited to the purposes for which it was intended, and the holder must provide access to the subject. There are broad exceptions for police and security services. It also sets up basic privacy laws relating to surveillance, publication of photographs and other traditional privacy features. The law was amended in 1996 to broaden the databases covered, such as those used for direct marketing purposes, and also increased penalties.[81]

The Act is enforced by the Registrar of Databases within the Ministry of Justice. The Registrar maintains the register of databases and can deny registration if he believes that a database is used for illegal activities. The registrar can also investigate and enforce the Act.[82] As of mid-1998, 5,200 databases were registered.[83] A public council for the protection of privacy has also been set up to advise the Justice Minister on legislative matters related to the Protection of Privacy Law and its subsidiary regulations and orders. The council sets guidelines for the protection of computerized databases, and guides the Registrar of Databases in his work. Under the 1996 amendments, the Registrar is to be given more independence.

Interception of communications is governed by the Secret Monitoring Law of 1979, which was amended in 1995 to tighten procedures and to cover new technologies such as cellular phones and email. It also increased penalties for illegal taps and allowed interception of privileged communications such as those with a lawyer or doctor.[84] The police must receive permission from the President of the District Court in order to intercept any form of wire or electronic communications or plant microphones for a period up to three months, which can be renewed. According to the Israeli government, the number of wiretap orders “has averaged roughly 1,000 to 1,100 annually over the last several years. Roughly half of these wiretap permits are given in connection with drug-related offences.”[85] Intelligence agencies may wiretap people suspected of endangering national security, after receiving written permission from the Prime Minister or Defense Minister. The agencies must present an annual report to the Knesset. The Chief Military Censor may also intercept international conversations to or from Israel for purposes of censorship.[86] The State’s Attorney’s Office in May 2000 submitted a request to the Tel Aviv district court to force ISPs to hand over electronic mail.[87]

A 1991 report by the State Comptroller found that the police were abusing the procedures and that led to the 1995 amendments. In 1996 a Defense Forces employee was tried for misusing the phone records of a journalist.[88] Several people, including Ma’ariv publisher Opher Nimrodi, were convicted in 1998 of ordering wiretaps on business people and media personalities, including Science Minister Silvan Shalom in 1994.[89] In November 1998, wiretaps were discovered on the phone of Labor and Social Affairs Minister Eli Yishai. It was suspected that he was wiretapped by a rival political faction inside the Shas party.

Unauthorized access to computers is punished by the 1995 Computer Law.[90] The Postal and Telegraph Censor, which operates as a civil department within the Ministry of Defense, has the power to open any postal letter or package to prevent harm to state security or public order.[91]

The 1996 Patient Rights Law imposes a duty of confidentiality on all medical personnel.[92] A Genetic Privacy Bill was approved for a first reading by the Knesset’s subcommittee on science in March 1998 and is expected to be approved shortly. The bill will limit disclosure of private DNA information.[93] In August 1999, the Cabinet called on the Ministry of Justice to develop legislation creating a national DNA database for police investigations.[94] The Health Ministry issued regulations on the use of video surveillance in hospitals in September 1998 after it was disclosed that cameras had been moved to watch patients undressing.[95]

Criminal records are governed by the Criminal Register and Rehabilitation Law that allows 30 government agencies to access the records.[96]

Finance Minister Yaakov Ne’eman issued an authorization in March 1998 giving the director of the Bureau for Counterterrorism full access to the databases of all Israeli taxation authorities, including the Income Tax Authorities and Customs. It gives the Bureau access to the financial records of any citizen in Israel, including the status of their bank account “for urgent cases of preventing terrorist acts.”[97]

The Supreme Court ruled in the Shalit case that there was a fundamental right for citizens to obtain information from the government.[98] The Freedom of Information Law was approved unanimously by the Knesset in May 1998. It provides for broad access to records held by government offices, local councils and government-owned corporations. Requests for information must be processed within 30 days. A court can review decisions to withhold information. A Jerusalem Post survey in June 1999 found that many agencies had not begun to prepare for the law.[99] According to the ACLI, there have now been several court decisions on the new law, which is being used “effectively.”

Italian Republic

The 1948 Constitution has several limited provisions relating to privacy. Article 14 states, “(1) Personal domicile is inviolable. (2) Inspection and search may not be carried out save in cases and in the manner laid down by law in conformity with guarantees prescribed for safeguarding personal freedom. (3) Special laws regulate verifications and inspections for reasons of public health and safety, or for economic and fiscal purposes.” Article 15 states, “(1) The liberty and secrecy of correspondence and of every form of communication are inviolable. (2) Limitations upon them may only be enforced by decision, for which motives must be given, of the judicial authorities with the guarantees laid down by law.”[100]

The Italian Data Protection Act was enacted in 1996 after twenty years of debate.[101] The Act is intended to fully implement the EU Data Protection Directive. It covers both electronic and manual files, for both government agencies and the private sector. There have also been decrees approved relating to processing of personal information for journalistic purposes,[102] for scientific or research purposes,[103] health,[104] and processing by public bodies.[105]

The Act is enforced by the Supervisory Authority (“Garante”) for Personal Data Protection.[106] The Garante maintains a register of databases, conducts audits and enforces the laws. It can also audit databanks not under its jurisdiction, such as those relating to intelligence activities. The Decree on the internal organization of the Authority was published in the Official Journal on February 1, 1999. The decree establishes the procedures for keeping the Register of Data Processes, access to the register by citizens, investigations, registrations and inspections.[107] The Garante ruled in October 1998 that phone companies need not mask the phone numbers on bills and that phone companies should allow for anonymous phone cards to protect privacy.[108] The Garante has also held investigations into the Echelon surveillance system.

A Milan court ruled in September 1999 that the Data Protection Act is concerned only with the controls on the processing of personal information and is not a general privacy act. The court reversed the Garante ruling against a newspaper for publishing incorrect details about a countess.[109]

Wiretapping is regulated by articles 266-271 of the penal procedure code and may only be authorized in the case of legal proceedings.[110] Government interceptions of telephone and all other forms of communications must be approved by a court order. They are granted for crimes punishable by life imprisonment or imprisonment for more than five years; for crimes against the administration punishable by no less than five years' imprisonment; for crimes involving the trafficking of drugs, arms, explosives, and contraband; and for insults, threats, abusive activity and harassment carried out over the telephone. The law on computer crime includes penalties on interception of electronic communications.[111] Interception orders are granted for 15 days at a time and can be extended for the same length of time by a judge. The judge also monitors procedures for storing recordings and transcripts. Any recordings or transcripts which are not used must be destroyed. The conversations of religious ministers, lawyers, doctors or others subject to professional confidentiality rules cannot be intercepted. There are more lenient procedures for anti-Mafia cases. Some 44,000 orders were approved in 1996, up from 15,000 in 1992.[112] In March 1998, the Parliament issued a legislative decree adopting the provisions of the E.U. Telecommunications Privacy Directive.[113]

There are also sectoral laws relating to workplace surveillance,[114] statistical information, and electronic files and digital signatures.[115] The Workers Charter prohibits employers from investigating the political, religious or trade union opinions of their workers, and in general on any matter which is irrelevant for the purposes of assessing their professional skills and aptitudes.[116] The 1993 computer crime law prohibits unlawfully using a computer system and intercepting computer communications.[117]

Italy is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[118] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[119] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Japan

Article 21 of the 1946 Constitution states, “Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed. 2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.” Article 35 states, “The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized . . . 2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer.”[120]

The 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs governs the use of personal information in computerized files held by government agencies.[121] It is based on the OECD guidelines and imposes duties of security, access, and correction. Agencies must limit their collection to relevant information and publish a public notice listing their file systems. Information collected for one purpose cannot be used for a purpose “other than the file holding purpose.”

The Act is overseen by the Government Information Systems Planning Division of the Management and Coordination Agency. The agency reports that there have been 1,700 notices filed. The agency does not have any powers to investigate complaints.

The Prefecture of Kanagawa also has legislation that protects privacy in both the public and private sectors.[122]

The Japanese government has followed a policy of self-regulation for the private sector, especially relating to electronic commerce. In June 1998, former Prime Minister Ryutaro Hashimoto announced that he had signed an agreement with U.S. President Clinton for self-regulation for privacy measures on the Internet except for certain sensitive data. “If data in a certain industry is highly confidential, legal methods can be considered for that industry.”[123] On March 4, 1997, the Ministry of International Trade and Industry (MITI) issued Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector.[124]

Several committees have been set up to develop legislation for the private sector. In July 1999, the government set up the Working Party on Personal Data Protection under the Advanced Information and Telecommunications Society Promotion Headquarters. In January 2000, the government convened the Expert Committee for Drafting Law of Personal Data Protection under the Advanced Information and Telecommunications Society Promotion Headquarters to develop a comprehensive basic law to protect personal information on the basis of the Interim Report of the Working Party. The panel released an interim report in June 2000 urging the adoption of legal protections for the processing of personal information by businesses and the creation of a government office to handle complaints and investigations. It also recommended changes to laws on information held by government agencies. The panel is scheduled to release its final report in September 2000 and the government will introduce a bill into Parliament in 2001.[125]

The Ministry of Finance and Ministry of International Trade and Industry announced plans to introduce legislation to protect individuals' credit data in 2000 after a task force issues proposals.[126] Japan’s Ministry of Posts and Telecommunications (MPT) announced plans in June 1998 to study privacy in telecommunications services, establishing a study group to look into the matter.[127] An October 1999 survey by the MPT found that 92 percent of respondents believed that their personal information had been disclosed without their consent. Eighty-three percent believed that organizations and individuals who hold personal information should be regulated.[128]

In February 1998, MITI established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the granting of “privacy marks” to businesses committing to the handling of personal data in accordance with the MITI guidelines, and to promote awareness of privacy protection for consumers. The “privacy mark” system is administered by the Japan Information Processing Development Center (JIPDEC) – a joint public/private agency.[129] Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy protection mark. It is assumed that they will then be penalized by market forces. However, in addition, the new Supervisory Authority will investigate violations and make suggestions as necessary to the relevant administrative authorities.[130] An analysis of the marks done for the European Union by four academic privacy experts found that there were serious shortcomings in the system.[131] In the first two years of the JIPDEC program, companies seeking certification were dominated by businesses that handle personal information like marriage bureaus; in total, the JIPDEC awarded about 140 licenses.[132] In May 2000, the JIPDEC agreed with BBBOnline, a division of the U.S.-based Better Business Bureau, to mutually recognize each other’s privacy protection marks.

Wiretapping is considered a violation of the Constitution’s right of privacy and has been authorized only a few times. A controversial bill to authorize wiretapping for cases involving narcotics, gun offenses, gang-related murders and large-scale smuggling of foreigners was approved by the Diet in August 1999 following strong pressure by the United States government.[133] Under the new law, which went into effect in August 2000, the use of wiretaps is restricted to prosecutors and police officers at the rank of superintendent and above, and requires police officers to obtain warrants from district court judges in order to use wiretaps. The warrants are good for 10 days and can only be extended for a total of 30 days. Further, the presence of a third, independent party, for instance an employee of Nippon Telegraph and Telephone company, is required during monitoring. Finally, police and prosecutors must in principle notify individuals who have been monitored within 30 days after the investigation. Strict penalties are possible for those who abuse the wiretap policy.[134]

The wiretap law was opposed by the Federation of Bar Associations, journalists and trade unions.[135] Nobuto Hosaka, a Social Democratic Party lawmaker, filed a suit in July 1999 alleging that the police had intercepted his phone calls after a transcript of a conversation he had with a TV reporter about the wiretap bill was delivered anonymously to two newspapers by someone claiming to have tapped the phone from the police facilities.[136] Over 180,000 people have signed a petition for the repeal of the wiretapping law. The signature-collecting Committee for the Repeal of the Wiretapping Law submitted the petition to the Diet on May 24, 2000.[137] In August, NTT asked that its employees not be required to be present when taps are installed, saying it would likely have a detrimental effect on company performance.[138]

Wiretapping is also prohibited under article 104 of the Telecommunications Business Law and article 14 of the Wire Telecommunications Law.[139]

In June 1997, the Tokyo High Court upheld a lower court’s finding that the Kanagawa Prefectural Police had illegally wiretapped the telephone at the home of a senior member of the Japanese Communist Party. The court awarded damages of four million yen.[140] A number of NTT employees have also been caught recently selling information about customers.[141] In March 2000, a district court sentenced a former assistant police inspector at the Nara Prefectural Police to two years in prison after finding him guilty of passing information on cellular phone users to a gang informant.[142] A number of companies that provide for pre-paid cellular phone service announced in May 2000 that they would start requiring users to provide identification before they could use the services to prevent crime.[143]

In the same anti-crime package of bills under which the wiretapping law was passed, the Diet also provisionally approved the Basic Resident Registers Law, granting Tokyo the authority to issue a 10-digit number to every Japanese citizen and resident alien, and requiring all citizens and resident aliens to provide basic information – name, date of birth, sex, and address – to the local police. Due to privacy concerns, the bill will be put into effect within three years of its passage on the condition that new privacy-protection legislation is enacted.[144]

The Ministry of Transportation announced in June 1999 a plan to issue “Smart Plates” license plates with embedded IC chips by 2001. The chips will contain driver and vehicle information and be used for road tolls and traffic control.[145] The National Police Agency has operated a comprehensive video surveillance system called the “N-system” with 400 locations on expressways and major highways throughout the country, which has been automatically recording the license plate number of every passing car for the last 11 years. Whenever a “wanted” car is detected, the system immediately issues a notice to police.[146] Eleven motorists filed a lawsuit challenging the system in 1997.

In March 2000, it was discovered that a research company had secretly conducted genetic tests on 1,000 blood samples obtained from people who had donated blood to the Japanese Red Cross Society. The Health and Welfare Ministry launched an investigation in November 1999 into reports that a dealer was selling private information on people receiving medical treatment, including their clinical histories. Several months later, Tohoku University in Sendai and the National Cardiovascular Center in the Osaka Prefecture city of Suita also disclosed that they had studied the genes of blood donors without obtaining their consent. A poll conducted by the Mainichi newspaper suggests that this is standard practice, finding that 70 percent of medicine faculties in 64 universities around Japan are conducting gene tests.[147] Health and Welfare Minister Yuya Niwa said that the ministry is investigating the case and will consider setting up laws regulating such leakage of patients’ medical data.

The Law Concerning Access to Information Held by Administrative Organs was approved by the Diet in May 1999 after 20 years of debate.[148] The law allows any individual or company to request government information in electronic or printed form. A nine-person committee in the Office of the Prime Minister will receive complaints about information which the government refuses to make public and will examine whether the decisions made by the ministries and agencies were appropriate. Government officials will still have broad discretion to refuse requests but requestors will be able to appeal decisions to withhold documents to one of eight different district courts. The law goes into effect in 2001. A survey by Kyodo News in May 1999 found that 31 city and prefectural governments are in the process of adopting legislation consistent with the new law. Sixteen of them are including a principle of “right to know.”[149]

Japan is a member of the Organization for Economic Cooperation and Development and a signatory to the OECD Guidelines on Privacy and Transborder Dataflows.

Republic of Korea (South Korea)

The Constitution provides for protection of privacy and secrecy of communications. Article 16 states, “All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented.” Article 17 states, “The privacy of no citizen may be infringed.” Article 18 states, “The privacy of correspondence of no citizen shall be infringed.”[150]

The Act on the Protection of Personal Information Managed by Public Agencies of 1994 sets rules for the management of computer-based personal information held by government agencies and is based on the OECD privacy guidelines.[151] Under the Act, government agencies must limit data collected, ensure their accuracy, keep a public register of files, ensure the security of the information, and limit its use to the purposes for which it was collected. The Act is enforced by the Minister of Government Administration.

Interest in promotion of electronic commerce has been a major impetus for recent developments. In May 1998 the Ministry of Commerce, Industry and Energy (MoCIE) proposed a set of guidelines for electronic commerce legislation, including protecting privacy in the digital trade environment.[152] The Basic Act on Electronic Commerce was approved in January 1999. Chapter III of the Act requires that “electronic traders shall not use, nor provide to any third party, the personal information collected through electronic commerce beyond the alleged purpose for collection thereof without prior consent of the person of such information or except as specifically provided in any other law.” Individuals also have rights of access, correction and deletion and data holders have a duty of security.[153]

The Ministry of Information and Communication (MIC) set up a Cyber Privacy Center in April 2000.[154] The Ministry issued guidelines in May 2000 on privacy. The guidelines require consent before collecting “sensitive information” such as political orientation, birthplace, and sexual orientation, and ISPs wishing to collect information about users under 14 must obtain parental consent. ISPs must display their privacy policies and establish security policies. The Ministry said it was planning to develop legislation in late 2000 that would incorporate the guidelines.[155] A study by the Korea Information Security Agency in November 1999 found that most sites were collecting information but were lacking adequate privacy policies.[156] The existing national ID card number is widely used on the Internet by e-commerce sites and free web sites.[157]

The cabinet approved a bill in March 1999 creating a National Human Rights Commission which would, among its powers, investigate illegal wiretapping. The proposal was criticized by Amnesty International and local groups who held a week-long hunger strike to protest the bill. Amnesty said that the bill “seems designed to set up a commission which lacks independence and has weak investigative powers over a limited range of violations.”[158] The bill has still not been approved by the Parliament because of the controversy.

Wiretapping is regulated by the Law on Protection of Communications Secrecy Act.[159] It requires a court order to place a tap. Intelligence agencies are required to obtain permission from the Chief Judge of the High Court or approval from the President for national security cases. Article 54 of the Telecommunication Business Act prohibits persons who are (or have been) engaged in telecommunication services from releasing private correspondence.[160] There were 2,103 cases of wiretapping in the first half of 1999, down from the 6,638 taps in 1998, of which 1,073 were “emergency taps” conducted without prior court permission; 6,002 taps in 1997; and 2,067 in 1996.[161] The police also issued 93,000 requests for information to telecommunications providers in the first half of 1999, up from 63,000 in the same period in 1998.[162]

Rep. Kim Hyong-o of the opposition Grand National Party (GNP) stated that he believed that over 10,000 taps were actually placed in 1998.[163] Under previous administrations, there were widespread surveillance and wiretapping abuses by intelligence and police officials. In October 1998, President Kim Dae-jung ordered a full-scale probe into illegal wiretapping. The government proposed amendments to the Telecommunications Law in November 1999 which would allow victims of illegal wiretapping to sue in court, limit the number of crimes for which wiretapping is allowed, and provide for notice to targets of wiretapping. The government set up a wiretapping complaint center under the Ministry of Information and Communication in October 1999.[164] The United Nations Human Rights Commission heard testimony on Korean wiretapping at its meeting in October 1999.[165]

Credit reports are protected by the Act Relating to Use and Protection of Credit Information of 1995.[166] Postal privacy is protected by the Postal Services Act.[167]

In 1997, the government proposed an “Electronic National Identification Card Project.” The plan was based on a smart card system and according to a local human rights group would “include universal ID card, driver’s license, medical insurance card, national pension card, proof of residence, and a scanned fingerprint, among other things.”[168] The government was scheduled to issue cards to all citizens by 1999.[169] In November 1997, a law on the ID card project passed the National Assembly. In December 1997, Kim Dae Jung, a former dissident, won the Presidential election. He had publicly opposed the ID card project in his campaign and the project was publicly withdrawn. However, activists believe that government agencies are continuing to quietly develop the proposals. In 1999, the government began replacing existing cards with a plastic card.

The Act on Disclosure of Information by Public Agencies is a freedom of information act that allows Koreans to demand access to government records. It was enacted in 1996 and went into effect in 1998. The Supreme Court ruled in 1989 that there is a constitutional right to information “as an aspect of the right of freedom of expression, and specific implementing legislation to define the contours of the right was not a prerequisite to its enforcement.”[170]

South Korea is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Republic of Latvia

Article 17 of the Constitutional Law on Rights and Obligations of a Citizen and a Person states, “(1) The State guarantees the confidentiality of correspondence, telephone conversations, telegraph and other communications. (2) These rights may be restricted by a judge’s order for the investigation of serious crimes.”[171]

The Law on Personal Data Protection was adopted by the Parliament on March 23, 2000. The law is based on the EU Data Directive and the Council of Europe Convention No. 108.[172] The bill will also create a Data Protection Inspectorate. The approval follows several years of EU pressure to adopt the law.

The Law on Freedom of Information was adopted by the Saeima in October 1998 and signed into law by the State President in November 1998.[173] It guarantees public access to all information in “any technically feasible form” not specifically restricted by law. Individuals may use it to obtain their own records. Information can only be limited if: there is a law authorizing withholding; the information is for internal use of an institution; it constitutes trade secrets; or concerns the private life of an individual.

In January 1999, the National Human Rights Office (NHRO) threatened to sue the National Compulsory Health Insurance Central Fund (NCHICF) over the mandatory use of personal identification codes by doctors, alleging a violation of the right to privacy in the European Convention on Human Rights.[174]

Under the Penal Code, it is unlawful to interfere with correspondence.[175] Wiretapping or interception of postal communications requires the permission of a court.[176] On November 16, 1995, it was reported that telephones in the Latvian Defense Ministry were tapped. The Latvian Defense Ministry responded by stating Latvia’s “military counterintelligence service reserves the right to ensure the security of communications at the Ministry of Defense and structures of the national armed forces.”[177] In April 1994, a bugging device was found on the switchboard of the “Dienas Bizness” newspaper.[178]

Latvia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) on February 11, 2000.[179] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[180]

Republic of Lithuania

Article 22 of the Constitution states, “The private life of an individual shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other intercommunications shall be inviolable. Information concerning the private life of an individual may be collected only upon a justified court order and in accordance with the law. The law and the court shall protect individuals from arbitrary or unlawful interference in their private or family life, and from encroachment upon their honor and dignity.”[181]

Lithuania enacted its Law on Legal Protection of Personal Data in 1996[182] and amended it in March 1998 to extend it to computerized information held by private controllers.[183] The Law regulates the processing of all types of personal data, not just in state information systems. It defines the time and the general means of protecting personal data and sets rights of access and correction. It also sets rules on the collecting, processing, transferring and using of data. The Administrative Code defines various monetary penalties in cases of the infringement of the processing and use of data.[184] There is also a Law on State Registers[185] which governs the use and legitimacy of state data registers that contain personal information. The law also mandates that data registers may only be erased or destroyed in cooperation with the State Data Protection Inspectorate.

The Seimas is currently reviewing extensive amendments to the law.[186] The amendments would ensure the law’s compliance with the EU Directives on Data Protection and Telecommunications. It will cover not just the processing of personal information by computers, but also by other means. It also adopts the Council of Europe recommendations on direct marketing, health care, science research, telecommunications and statistics. The bill is expected to be approved in the summer of 2000.

The State Data Protection Inspectorate was established in 1996 to enforce the provisions of the Law on Legal Protection of Personal Data and the Law on State Registers.[187] It registers data controllers, supervises processing, handles appeals for denial of access to records, and approves transborder data flows. The Inspectorate has eight staff members and has registered 622 data controllers.[188] It has conducted 21 physical inspections and over 400 in writing. It has also drafted 13 legal acts. Under the 1998 Law, it is subordinated to the Minister of Public Administration Reforms and Local Authorities from July 1998. Under the draft act, the office would be reorganized into an independent organization.

Wiretapping requires a warrant issued by the Prosecutor General.[189] On October 27, 1995, the Lithuanian State Security Department Chief, Jurgis Jurgialis, denied opposition charges that his department bugged telephones for political reasons. He said, “we resort to such actions only on the basis of the law and after receiving the prosecutor’s authorization in each particular case.” Jurgialis denied that his department was involved in widespread bugging but conceded such activities were conducted throughout Lithuania “by quite different structures, including foreign intelligence services.”[190] In May 1998, Lietuvos rytas, the country’s largest daily, revealed that a top-secret surveillance unit was monitoring the media, the prosecutor general, cabinet ministers, the Prime Minister, and the President. The unit was shut down after the revelations.[191] The International Helsinki Committee raised concerns about the prosecution of Audrius Butkevicius, a member of the Lithuanian parliament, on corruption charges in 1997 based on wiretaps conducted without a court order.[192]

There are specific privacy protections in laws relating to telecommunications,[193] radio communications,[194] statistics,[195] the population register,[196] and health information.[197] The Penal Code of the Republic of Lithuania provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves and impact on computer information. Civil laws provide for compensation for moral damage because of dissemination of unlawful or false information demeaning the honor and dignity of a person in the mass media.[198]

The 1996 Law on the Provision of Information to the Public provides for a limited right of access to official documents and to documents held by political parties, political and public organizations, trade union and other entities.[199] A more comprehensive “Law on the Right to Receive Information from the State and Municipal Institutions” drafted by the Lithuanian Centre for Human Rights is currently being reviewed by the Parliament.[200]

Lithuania is in the process of preparing for membership in the EU and has a National Program for the Adoption of EU Regulations. It is a member of the Council of Europe but has not yet signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[201] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[202]

Grand Duchy of Luxembourg

Article 28 of the Constitution states, “(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams.”[203]

Luxembourg’s Act Concerning the Use of Nominal Data in Computer Processing was adopted in 1979.[204] The law pertains to individually identifiable data in both public and private computer files. It also requires licensing of systems used for the processing of personal data. The law considers all personal data to be sensitive, although special provisions may be applied to medical and criminal information. For personal data processing by the private sector, an application must first be made to the Minister for Justice who thereafter issues an authorization for such processing to take place.

As a member of the EU, Luxembourg should have amended this law by October 1, 1998, in order to implement the European Data Protection Directive (95/46/EC). An amending bill was introduced in the Parliament in 1997, but withdrawn in 1998 and not reintroduced due to Parliamentary elections.[205] In January 2000, the European Commission initiated a case before the European Court of Justice against Luxembourg and four other countries for failure to implement the Directive on time.[206] A finalized bill has now been drafted but has yet to be approved by the Government and submitted to Parliament.[207] A project on electronic commerce that will implement the EU Telecommunications Privacy Directive is also currently pending.[208]

The Commission à la Protection des Données Nominatives, under the Ministry of Justice, oversees the law. If an application for personal data processing is granted, and there is an objection raised or if the application is refused or the original authorization is withdrawn for some reason, an appeal can be made to the Disputes Committee of the Council of State. A national register of all systems containing personal information is maintained by the Minister for Justice. Public sector personal data systems can only be established upon the issuance of a special law or regulation. Such proposed laws or regulations are reviewed by the Advisory Board. In 1992, the law was amended to include special protection requirements for police and medical data.

Telephone tapping is regulated by articles 88-1 and 88-2 of the Criminal Code.[209] Judicial wiretaps are authorized if it can be shown: that a serious crime or infringement, punishable by two or more years imprisonment, is involved; that there is sufficient evidence to suspect that the subject of the interception order committed or participated in the crime or received or transmitted information to/from or concerning the accused; and that ordinary investigative techniques would be inadequate under the circumstances. Orders are granted for 1-month periods and may be extended repeatedly as long as the cumulative period does not exceed one year. Administrative wiretaps may also be authorized for national security reasons by a special tribunal appointed by the head of government. These interceptions are granted for three months at a time and must stop once the requested information is received. The communications of persons bound by professional secrecy rules cannot be intercepted and any recordings of such must be destroyed immediately. Information gathered during judicial and administrative interceptions but not subsequently used must be destroyed. In the case of judicial warrants, persons who formed the subject of the warrant will sometimes be informed of the action taken. This law was highly criticized by human rights activists and the socialist workers party when it was first introduced. In fact, the law was challenged on numerous occasions before the European Court of Human Rights. That Court, however, ruled that the law violated neither article 8 (concerning the right to private and family life) nor article 13 (concerning the right to due process) of the European Convention on Human Rights.[210]

The Numerical Identification of Natural and Legal Persons Act of 1979[211] provides for the introduction of an identity number, consisting of 11 digits (including digits to represent date of birth and sex) for every person resident in the country. The law contains specifications for use of this number. These specifications are loosely drafted, however, and leave it open for the number to be widely circulated. The data protection authority is said to be monitoring the adoption of this number closely.[212] There are also sectoral laws on privacy relating to telecommunications,[213] and banking secrecy. Luxembourg’s status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.

There is no general freedom of information law in Luxembourg. Under the 1960 decree on state archives, the archives are to be open to the public, but citizens must make a written request explaining why they want access and ministers have broad discretion to deny requests.[214] The government announced in August 1999 that it was planning to develop a new press bill including a right to access records.[215]

Luxembourg is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[216] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[217] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Malaysia

The Constitution of Malaysia does not specifically recognize the right to privacy.[218]

The Ministry of Energy, Communications and Multimedia is drafting a Personal Data Protection Act that will create legal protections for personal data as part of the “National Electronic Commerce Master Plan.” Secretary-general Datuk Nuraizah Abdul Hamid said the purpose of the Bill was to ensure secrecy and integrity in the collection, processing and utilization of data transmitted through the electronic network.[219] The Ministry is looking at the OECD Guidelines, EU Data Directive and the UK, Hong Kong and New Zealand legislation as models for the act. The bill has been delayed for several years as the Ministry has watched international developments such as the U.S./EU Safe Harbor negotiations.

The government appears to be moving towards embracing a mix of self-regulation and government intervention. At a conference in April 2000, Deputy Prime Minister Datuk Seri Abdullah Ahmad Badawi stressed the role of the private sector in creating a safe and private environment in which electronic commerce could flourish. In likening on-line privacy protection to the steps banks had to take to make ATMs safe, the Deputy Prime Minister characterized privacy safeguards as a cost of doing business rather than a public good.[220]

In 1998, the Parliament approved the Communications and Multimedia Act, which has several sections on telecommunications privacy. Section 234 prohibits unlawful interception of communications. Section 249 sets rules for searches of computers and includes access to encryption keys. Section 252 authorizes police to intercept communications without a warrant if a public prosecutor considers that a communication is likely to contain information that is relevant to an investigation.[221] There are regular reports of illegal wiretapping, including on the former deputy premier Anwar Ibrahim. Police detained four people under the Internal Security Act on suspicion of spreading rumors of disturbances in Kuala Lumpur in August 1998. Inspector-General of Police Tan Sri Abdul Rahim Noor said told the media then that the suspects were detained after police tracked their activities on the Internet with the assistance of Internet service provider Mimos Berhad.[222] The provider said later that it did not screen private e-mail.[223]

Several other laws relating to technology were approved in 1997, including The Digital Signature Act of 1997[224] and the Computer Crime Act of 1997.[225] Section 8 of the Computer Crime Act allows police to inspect and seize computing equipment of suspects without a warrant or any notice. The suspect is also required to turn over all encryption keys for any encrypted data on his equipment. The act also outlaws eavesdropping, tampering with or falsifying data, sabotage through computer viruses or worms, among a host of cybercrimes.[226] The Energy, Communications and Multimedia Ministry announced in July 2000 that it is developing a National Policy Framework on Information Security to provide guidelines on computer security.[227] Malaysia’s Banking and Financial Institutions Act 1989, Pt XIII, also has provisions on privacy.

The pilot program for a Government Multi-Purpose Card will be launched in September 2000 for two million residents in the Multimedia Super Corridor.[228] The card will be used as a national identity card and driver’s license, and will contain immigration and passport information, medical records, and eventually be usable as a debit card. It will contain both a photo and a thumbprint. It is planned to expand nationally starting in 2002. Besides the MPC, there are also initiatives for a Payment Multi-Purpose Card (PMPC) and a chip-based national passport. The government signed a contract in June 1999 with several companies including Unisys and Iris Technologies to develop these smart cards. All Malaysians over the age of 12 are issued national ID cards. It was announced in 1998 that if citizens do not carry their cards, they risk being detained by immigration police.[229] In January 1999, it was announced that Muslim couples married in the Malaysian capital will be issued cards with computer chips so Islamic police can instantly verify their vows and the police will be equipped with portable card readers. In December 1998, the government began requiring that cybercafes obtain name, address, and identity card information from patrons, but lifted the requirement in March 1999.[230]

United Mexican States

Article 16 of the 1917 Mexican Constitution provides in part: “One’s person, family, home, papers or possessions may not be molested, except by virtue of a written order by a proper authority, based on and motivated by legal proceedings. The administrative authority may make home visits only to certify compliance with sanitary and police rules; the presentation of books and papers indispensable to verify compliance with the fiscal laws may be required in compliance with the respective laws and the formalities proscribed for their inspection. Correspondence, under the protective circle of the mail, will be free from all inspection, and its violation will be punishable by law.”[231]

On June 7, the Mexican E-Commerce Act took effect.[232] The law amends the Civil Code, the Commercial Code, the Rules of Civil Procedure and the Consumer Protection Act. It covers consumer protection, privacy and digital signatures and electronic documents. It includes a new article in the Federal Consumer Protection Act giving authority to the government “to provide for the effective protection of consumer in electronic transactions or concluded by any other means, and the adequate use of the data provided by the consumer” (Art. 1.VIII); and also to coordinate the use of Code of Ethics by providers including the principles of this law. The law also creates a new chapter in the Consumer Law titled: “Rights of Consumers in electronic transactions and transactions by any other means.” The new article 76 now provides, “This article will be applied to the relation between providers and consumers in transactions effectuated by electronics means. The following principles must be observed: I. Providers shall use information provided by consumers in a confidential manner, and shall not be able to transfer it to third parties, unless there is express consent from the consumer or a requirement from a public authority ... II. Providers must use technical measures to provide security and confidentiality to the information submitted by the consumer, and notify the consumer, before the transaction, of the characteristics of the system ... VI. Providers must respect consumer decisions not to receive commercial solicitations ...”

Article 214 of the Penal Code protects against the disclosure of personal information held by government agencies.[233] The General Population Act regulates the National Registry of Population and Personal Identification. The Registry’s purpose is to register all persons making up the country’s population using data enabling their identity to be certified reliably. The aim is ultimately to issue the citizen’s identity card, which will be the official document of identification, fully endorsing the data contained in it concerning the holder.[234]

Chapter 6 of Mexico’s Postal Code, in effect since 1888, recognizes the inviolability of correspondence and guarantees the privacy of correspondence.[235] The 1939 General Communication Law provides penalties for interrupting communications and divulging secrets.[236] The Federal Penal Code establishes penalties for the crime of revealing personal secrets by any means, including personal mail.[237] In 1981, the Penal Code was amended to include the interception of telephone calls by a third person.[238] The Law Against Organized Crime, passed in November 1996, allows for electronic surveillance with a judicial order.[239] The law prohibits electronic surveillance in cases of electoral, civil, commercial, labor, or administrative matters and expands protection against unauthorized surveillance to cover all private means of communications, not merely telephone calls.[240]

The Law has been widely criticized by Mexican human rights organizations as violating Article 16 of the Constitution.[241] They noted that telephone espionage had historically been used by the ruling PRI party “to keep the opposition in check.”[242] In 1997, the telephones of the Jalisco State Supreme Court were found to have been wiretapped.[243] In March 1998, a large cache of government electronic eavesdropping equipment which had been used since 1991 to spy on members of opposition political parties, human rights groups and journalists was discovered in Campeche.[244] Thousands of pages of transcripts of telephone conversations were uncovered along with receipts for $1.2 million in Israeli surveillance equipment. More than a dozen other cases of government espionage in four other states were exposed, ranging from hidden microphones and cameras found in government offices in Mexico City, to tapes of a state governor’s telephone calls. Every government agency identified with the electronic surveillance operations – the federal attorney general and interior ministry, the military, the national security agency and a plethora of state institutions – denied knowing anything about them.[245] The new President-elect, Vicente Fox, has promised to eliminate the security police division that is responsible for much of the illegal government wiretapping in Mexico.

The U.S.-Mexican border has been an area of increased surveillance. Mexican authorities now routinely perform “security sweeps” of homes in areas bordering the United States.[246] On the U.S. side, biometric facial feature recognition systems have been implemented by the Immigration and Naturalization Service at the Otay Mesa border crossing (San Diego-Tijuana) for frequent U.S. commuters to Mexican maquiladora factories. The biometric data is stored with driver’s license numbers, vehicle registration numbers and passport status information in an INS database. When a commuter in the program approaches the U.S. border, a transponder under his vehicle sends a signal to the checkpoint booth, activating the database and displaying the driver’s image. Other commuters use a voice-activated device in addition to the facial scan.[247]

Mexico is a member of the Organization for Economic Cooperation and Development, but does not appear to have adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Mexico has also signed the American Convention on Human Rights.

Kingdom of the Netherlands

The Constitution grants citizens an explicit right to privacy.[248] Article 10 states, “(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them and of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament.” Article 13 states, “(1) The privacy of correspondence shall not be violated except, in the cases laid down by Act of Parliament, by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorization of those designated for the purpose by Act of Parliament.”

In May 2000, the government-appointed commission for “Constitutional rights in the digital age” presented proposals for changes to the Dutch constitution.[249] The commission was set up after confusion about the legal status of e-mail under the constitutionally protected privacy of letters. The commission’s task was to investigate if existing constitutional rights should be made more technology-independent and if new rights should be introduced. According to this proposal, Article 10 will be expanded to the right of persons to be informed about the origin of data recorded about them and the right to correct that data. Article 13 is made technology-independent and gives the right to confidential communications. Breaches of this right can only be made by a judge or a minister.

The Personal Data Protection Act of 2000 was approved by the Parliament in June 2000.[250] This bill is a revised and expanded version of the 1988 Data Registration Act that will bring Dutch law in line with the European Data Protection Directive and will regulate the disclosure of personal data to countries outside of the European Union. The Act replaces the Data Registration Act of 1988.[251] The new law will go into effect in January 2001.

The Registration Chamber (Registratiekamer) serves as the Data Protection Authority and exercises supervision of the operation of personal data files in accordance with the Data Registration Act.[252] The Chamber advises the government, deals with complaints submitted by data subjects, institutes investigations and makes recommendations to controllers of personal data files. The Chamber receives around 6,000 inquiries and 300 complaints each year. It also mediated 160 cases in 1999. There are presently over 60,000 databases registered with the Chamber. It has also released several reports on privacy enhancing technologies jointly produced with the Office of the Information and Privacy Commissioner of Ontario, Canada. In June 2000, the Registration Chamber published a report on the privacy policies of Dutch ISPs. The Chamber concluded that policies and procedures of providers are often unclear, contradictory or unlawful.[253]

Two decrees were issued under the Data Registration Act. The Decree on Sensitive Data[254] sets out the limited circumstances when personal data on an individual’s religious beliefs, race, political persuasion, sexuality, medical, psychological and criminal history may be included in a personal data file. The Decree on Regulated Exemption[255] exempts certain organizations from the registration requirements of the Data Registration Act.

Interception of communications is regulated by the criminal code and requires a court order.[256] A new Telecommunications Act was approved in December 1998 which requires that Internet Service Providers have the capability by August 2000 to intercept all traffic with a court order and maintain user logs for three months.[257] The bill was enacted after XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of its subscribers. The Dutch Forensics Institute has developed a so-called “black-box” that is used to intercept Internet traffic at an ISP. The black box is under control of the ISP and is turned on after receiving a court order. The box is believed to look at authentication traffic of the person to be wiretapped and divert the person’s traffic to law enforcement if that person is online.[258] In May 2000, Dutch Internet providers canceled a deal with the Justice Department to provide names and addresses of Internet users under criminal investigation without a court order if the case involves a serious crime. Dutch privacy law gives the holder of a data registry the right to give out personal data to third parties in “pressing cases.” The agreement between the providers and the Justice Department had to be halted nevertheless after a court ruled that the Justice Department was requesting information without a clear urgency.[259]

The new Telecommunications Act also implements the EU Telecommunications Privacy Directive. The Special Investigation Powers Act of 2000 regulates the use of bugging devices and directional microphones by law enforcement.

The intelligence services do not need a court order for interception, but obtain their authorization from the responsible minister. A proposed new law on intelligence services (Wet op de Inlichtingen- en Veiligheidsdiensten) gives a broad range of new powers to the services. If the law is adopted by Parliament, the BVD will be able to intercept all wireless communications (including mobile phones) without focusing on a particular person. The law gives power to store all intercepted data (including Internet traffic) for one year, and encrypted data can be stored for an unlimited time to facilitate possible decryption in the future. Under the proposal the BVD can also intrude (hack) into computer systems to intercept data or modify software on that system. Finally, the BVD can intercept wireless communications such as satellite traffic for economic espionage using keywords through the satellite interception facility at Zoutkamp.

A survey by the Dutch Ministry of Justice in 1996 found that police in the Netherlands intercept more telephone calls than their counterparts in the United States, Germany or Britain.[260] The Parliamentary Investigations Commission into police methods released a 4,700 page report in 1996. The report was critical of legal controls on police surveillance[261] and found that there was a failure among judges, prosecutors and other officials to limit police abuses. Some analysts say that the reason for the high number of taps is that the Netherlands prohibits other forms of investigations such as informers.

The Dutch government has refused to deny, confirm or investigate the existence of the Echelon system. A Parliament hearing on Echelon is scheduled in the autumn of 2000.

There are sectoral laws dealing with the Dutch police,[262] medical exams,[263] medical treatment,[264] social security,[265] entering private homes,[266] and the employment of minorities.[267]

The Government Information (Public Access) Act of 1991[268] is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the “economic or financial interest of the state,” investigation of criminal offenses, inspections by public authorities or personal privacy. However, these exemptions must be balanced against the importance of the disclosure. Requestors can appeal denials to an administrative court which renders the final decision.

The Netherlands is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[269] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[270] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

New Zealand

Article 21 of the Bill of Rights Act 1990 states, “Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise.”[271] The Human Rights Act 1994 prohibits discrimination.[272]

New Zealand’s Privacy Act was enacted in 1993 and has been amended several times.[273] It regulates the collection, use and dissemination of personal information in both the public and private sectors. It also grants to individuals the right to have access to personal information held about them by any agency. The Privacy Act applies to “personal information,” which is any information about an identifiable individual, whether automatically or manually processed. Recent case law has held that the definition also applies to mentally processed information.[274] The news media are exempt from the Privacy Act in relation to their news activities.

The Act creates twelve Information Privacy Principles generally based on the 1980 OECD guidelines and the information privacy principles in Australia’s Privacy Act 1988. In addition, the legislation includes a new principle that deals with the assignment and use of unique identifiers. The Information Privacy Principles can be individually or collectively replaced by enforceable codes of practice for particular sectors or classes of information. At present, there is only one complete sectoral code of practice in force, the Health Information Privacy Code 1994. There are several codes of practice that alter the application of single information privacy principles: the Superannuation Schemes Unique Identifier Code 1995, the EDS Information Privacy Code 1997, and the Justice Sector Unique Identifier Code 1998.[275]

In addition to the information privacy principles, the legislation contains principles relating to information held on public registers; it sets out guidelines and procedures in respect to information matching programs run by government agencies, and it makes special provision for the sharing of law enforcement information among specialized agencies.

The Privacy Commissioner conducted a five-year review in 1998 and recommended over 150 changes to the act, mostly minor. These included limiting use of information on public registers, creating a right to be taken off direct marketing lists, restricting requests by employers for criminal and medical records, limiting exceptions to the act, and providing for more funding for the Office of the Commissioner to enforce the act.[276]

The Office of the Privacy Commissioner is an independent oversight authority that was created prior to the Privacy Act by the 1991 Privacy Commissioner Act.[277] The Privacy Commissioner oversees compliance with the Act, but does not function as a central data registration or notification authority. The Privacy Commissioner’s principal powers and functions include promoting the objects of the Act, monitoring proposed legislation and government policies, dealing with complaints at first instance, approving and issuing codes of practice and authorizing special exemptions from the information privacy principles, and reviewing public sector information matching programs. The Commissioner has a 20-person staff.

Complaints by individuals are initially filed with the Privacy Commissioner who attempts to conciliate the matter. The office received 11,141 inquiries and 1,082 complaints in the year ending June 1998 and completed 804 of the complaints. In 121 cases, a final opinion was granted.[278] If conciliation fails, the Proceedings Commissioner[279] or the complainant (if the Proceedings Commissioner is unwilling) can bring the matter before the Complaints Review Tribunal, which can issue decisions and award declaratory relief, issue restraining or remedial orders, and award special and general damages up to NZ $200,000.

The New Zealand Court of Appeal decided its first case on the Privacy Act of 1993 in 2000.[280] The case concerned a defense barrister who secretly tape recorded a telephone conversation with a woman complainant in a domestic assault case. The complaint was made to the Privacy Commissioner alleging a breach of information privacy principles concerning fair collection of personal information. The defendant was ordered to pay $7,500 damages by the Complaints Review Tribunal. The respondent appealed to the High Court, which upheld the CRT decision but reduced damages to $2,750. The respondent appealed to the Court of Appeal, which by a 3-2 majority allowed the appeal and quashed the declarations and orders of the Tribunal.

The High Court ruled in July that the implementation of a nationwide driver’s license system with a digitized photograph that was required by the 1998 Land Transport Act was legal. The law creates a national database of digitized photographs. The individual challenging the law has said she will appeal to the Court of Appeal.[281]

The New Zealand Crimes Act and Misuse of Drugs Act govern the use of evidence obtained by listening devices.[282] Judicial warrants may be granted for bugging premises or interception of communications. Emergency permits may be granted for the bugging of premises and, following the 1997 repeal of a prohibition, for telephonic interceptions. Those who illegally disclose the contents of private communications illegally intercepted face two years in prison. However, those who illegally disclose the contents of private communications lawfully intercepted are merely liable for a NZ$500 fine. In 1998/99 the New Zealand Police sought and obtained 15 interception warrants under the Misuse of Drugs Act and 11 interception warrants under the Crimes Act. A total of 128 warrants (new and renewed) were obtained under the Telecommunications Amendment Act 1997 for obtaining call data analyzers (pen registers and trap and trace devices that obtain call information but not the contents of communications). The devices operated for an average duration of 54 days.

The New Zealand Security Intelligence Service (NZSIS) is also permitted to carry out electronic interceptions under the New Zealand Security Intelligence Service Act of 1969. Under the provisions of this act, the Minister in Charge of the NZSIS is required to submit an annual report to the House of Representatives. The Act was amended in 1999 to allow for the service to enter premises to install taps following a Court of Appeal case that prohibited entering of premises without a warrant. The amendment also created a “foreign interception warrant.”[283] Another amendment created a Commissioner of Security Warrants to jointly issue warrants with the Prime Minister.[284] In 1999, the Minister reported six warrants issued to the NZSIS for intercepts and three continued for the previous 15 months.[285] This was up from three the previous reporting period. The average length of time for which these warrants were in force was 150 days. The report further states that “the methods for interception and seizure used were listening devices and the copying of documents.”[286]

One agency not governed by the restrictions imposed on law enforcement and the NZSIS is the Government Communications Security Bureau (GCSB), the signals intelligence (SIGINT) agency for New Zealand. Operating as a virtual branch of the U.S. National Security Agency, this agency maintains two intercept stations at Waihopai and Tangimoana. The Waihopai station routinely intercepts trans-Pacific and intra-Pacific communications and passes the collected intelligence to NSA headquarters. David Lange, a former Prime Minister of New Zealand, said he and other ministers were told very little about the operations of GCSB while they were in power. Of particular interest to GCSB and NSA are the communications of the governments of neighboring Pacific island states.[287] GCSB was specifically exempted from the provisions of the Crimes Act in 1997.[288]

The Broadcasting Amendment Act of 2000 amended the Broadcasting Act of 1989[289] to empower the Broadcasting Standards Authority (BSA) to encourage the development and observance by broadcasters of codes of broadcasting practice in relation to the privacy of the individual. This amendment came into effect on July 1, 2000. During the year there were a number of BSA privacy cases. Particular controversy surrounded several television broadcasts unreasonably intruding on the privacy of children with one program, widely publicized in advance, revealing the results of a DNA paternity test live on TV with mother, father and young child present.

During 1998/99, 2,954 blood samples were added by consent, and 748 samples by compulsion order, to the DNA databank maintained under the Criminal Investigations (Blood Samples) Act of 1995. The total number of DNA profiles stored on the DNA databank as of June 30, 1999, was 8,623.

The Official Information Act of 1982[290] and the Local Government Official Information and Meetings Act of 1987[291] are freedom of information laws governing the public sector. There are significant interconnections between this freedom of information legislation and the Privacy Act in subject matter, administration, and jurisprudence, so much so that the three enactments may be viewed, in relation to access to information, as complementary components of one overall statutory scheme. Enforcement is supervised by the Office of the Ombudsman.[292] The Ombudsman hears around 1,100 complaints each year under the Official Information Act and 170 each year under the Local Government Official Information and Meetings Act.

New Zealand is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. New Zealand is one of six countries involved in a European Commission study of methods of assessing whether laws of “third countries” meet the provisions of the EU data protection directive.[293]

Self-governing territories

The Privacy Act does not apply to the self-governing territories associated with New Zealand, namely the Cook Islands and Niue. Nor does it apply to the soon-to-be self-governing territory of Tokelau.

Kingdom of Norway

There is no provision in the Norwegian Constitution of 1814 dealing specifically with the protection of privacy.[294] The closest provision is section 102, which prohibits searches of private homes except in “criminal cases.” More generally, section 110c of the Constitution places state authorities under an express duty to “respect and secure human rights.” The Norwegian Supreme Court has held that there exists in Norwegian law a general legal protection of “personality” which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis. This protection was first recognized in 1952.[295]

The Personal Data Registers Act of 2000 was approved on April 14, 2000.[296] It is designed to update Norwegian law and closely follows the EU Directive, even though Norway is not a member of the EU. The new law also sets specific rules on video surveillance and biometrics. It replaces the Personal Data Registers Act of 1978.[297]

The Data Inspectorate (Datatilsynet) is an independent administrative body set up under the Ministry of Justice in 1980.[298] The Inspectorate accepts applications for licenses for data registers and evaluates the licenses, enforces the privacy laws and regulations, and provides information. The Inspectorate can conduct inspections and impose sanctions. Decisions of the Inspectorate can be appealed to the Ministry of Justice. As of 1999, the Inspectorate had issued 65,000 licenses. The Inspectorate had 22 staff members in 1999.

Wiretapping requires the permission of a tribunal and is initially limited to four weeks.[299] The total number of telephones monitored was 360 in 1990, 467 in 1991, 426 in 1992, 402 in 1993, 541 in 1994 and 534 in 1995.[300] A Supervisory Board reviews the warrants to ensure the adequacy of the protections. A Parliamentary Commission of Inquiry (The Lund Commission) was set up in 1994 to investigate the post-World War II surveillance practices of Norwegian police and security services. The Commission delivered a 600-page report in 1996, causing a great deal of public and political debate on account of its finding that many of the undercover surveillance practices, including wiretapping of left-wing political groups up to 1989, had been instituted and/or conducted illegally and that the courts had not generally been strong enough in their oversight.[301] This included keeping files on children as young as 11 years old.

A new act to monitor the secret services was approved in 1995 following the Commission’s recommendations.[302] It created a new Control Committee to monitor the activities of the Police Security Services, the Defense Security Services and the Defense Intelligence Services. The former Minister of Justice and the head of the Norwegian security police (POT) were forced to resign from the government in 1996 after it was revealed that the POT had placed a member of the Lund Commission under surveillance and requested a copy of her Stasi file from the German authorities four times.[303] Later it was discovered that the POT had also investigated several key members of the Storting who have oversight over the agency.[304] In 1997, the Parliament agreed to allow people who were under surveillance by the POT to review their records and to obtain compensation if the surveillance was unlawful. The POT has records on over 50,000 people.[305]

The Telecommunications Act imposes a duty of confidentiality on telecommunications providers.[306] However, the Telecommunications Authority can demand information for investigations. The Norwegian police in January 2000 called for new laws requiring telecommunications providers and Internet Service Providers to keep extensive logs of usage for six months to one year.[307]

A large number of other pieces of legislation contain provisions relevant to privacy and data protection. These include the Administrative Procedures Act of 1967,[308] and the Criminal Code of 1902.[309] T