The Constitution of the Russian Federation recognizes rights of privacy, data protection and secrecy of communications. Article 23 states, “1. Everyone shall have the right to privacy, to personal and family secrets, and to protection of one’s honor and good name. 2. Everyone shall have the right to privacy of correspondence, telephone communications, mail, cables and other communications. Any restriction of this right shall be allowed only under an order of a court of law.” Article 24 states, “1. It shall be forbidden to gather, store, use and disseminate information on the private life of any person without his/her consent. 2. The bodies of state authority and the bodies of local self-government and the officials thereof shall provide to each citizen access to any documents and materials directly affecting his/her rights and liberties unless otherwise stipulated under the law.” Article 25 states, “The home shall be inviolable. No one shall have the right to enter the home against the will of persons residing in it except in cases stipulated by the federal law or under an order of a court of law.”[1] The Russian Supreme Court ruled in 1998 that regulations requiring individuals to register and obtain permission from local officials before they could live in Moscow violated the Constitution.[2]

The Duma approved the Law of the Russian Federation on Information, Informatization, and Information Protection in January 1995.[3] The law covers both the government and private sectors and licenses the processing of personal information by the private sector. It imposes a code of fair information practices on the processing of personal information. It prohibits the use of personal information to “inflict economic or moral damage on citizens.” The use of sensitive information (social origin, race, nationality, language, religion or party membership) is also prohibited. Citizens and organizations have the right of access to the documented information about them, to correct it and supplement it.

The Russian law does not establish a central regulatory body for data protection and it is not clear that it has been effective. It application to the Internet has also been limited. The law specifies that responsibility for data protection rests with the data controllers. The law is overseen by the Committee of the State Duma on Information and Informatization and the State Committee on Information and Informatization under the Russian President Authority.

The Duma is reviewing the Law on Information of Personal Character bill to update the 1995 act to make it more compliant with the Council of Europe’s Convention 108 and the E.U. Directive. The bill has been pending for several years.

Secrecy of communications is protected by the 1995 Communications Act. The tapping of telephone conversations, scrutiny of electric-communications messages, delay, inspection and seizure of postal mailings and documentary correspondence, receipt of information therein, and other restriction of communications secrets are allowed only on the basis of a court order.[4] The Law on Operational Investigation Activity regulates surveillance methods of the secret services and requires a warrant.[5] This law was amended in December 1998 by the State Duma. Guarantees for the protection of privacy were stressed and additional controls imposed on prosecutors. In December 1999, the law was expanded to allow surveillance by the tax police, Interior Ministry, Border Guards, the Kremlin security service, the presidential security service, the parliamentary security services and the Foreign Intelligence Service.[6] It is widely accepted that the Federal Security Service (FBS) still conducts widespread illegal wiretapping. In July 2000, a tabloid newspaper posted files on hundred of prominent Russians including politicians, bankers, and journalists showing that they were under surveillance.[7]

In 1998, the FSB issued a secret ministerial act named the System for Operational Research Actions on the Documentary Telecommunication Networks (SORM-2) that would require Internet Service Providers to install surveillance devices and high speed links to the FSB which would allow the FSB direct access to the communications of Internet users without a warrant.[8] ISPs would be required to pay for the costs of installing and maintaining the devices. Most ISPs have not publicly resisted the FSB demands to install the devices but one ISP in Volgograd, Bayard Slavia Communication, challenged the FSB demands to install the system. The local FSB and Ministry of Communication attempted to have their license revoked but backed off after the ISP challenged their decision in court. A lawyer in Irkutsk sued, challenging the legality of the declaration and the Supreme Court ruled in May 2000 that the SORM-2 was not a valid ministerial act because it failed several procedural requirements. The case is now pending before a trial court.

There are also privacy protections in the Civil Code[9] and the Criminal Code.[10] The United Nations Human Rights Committee expressed concerns over the state of privacy in Russia in 1995 and recommended the enactment of additional privacy laws. It noted: “The Committee is concerned that actions may continue which violate the right to protection from unlawful or arbitrary interference with privacy, family, home or correspondence. It is concerned that the mechanisms to intrude into private telephone communication continue to exist, without a clear legislation setting out the conditions of legitimate interference with privacy and providing for safeguards against unlawful interference.....The Committee urges that legislation be passed on the protection of privacy, as well as strict and positive action be taken to prevent violations of the right to protection from unlawful or arbitrary interference with privacy, family, home or correspondence.”[11]

The Christian Orthodox Church issued an official protest about the new national Tax ID card in March 2000. The card, issued for tax collection, contained the series of numbers 666. Government officials have also proposed that the ID card be used as a social security card and eventually replace passports.[12]

Law of the Russian Federation on Information, Informatization, and Information Protection also serves as a Freedom of Information law. The scope of the law in generally limited. A more broad FOIA bill entitled “Federal Law on the Right to Access Information” is currently pending in the Duma. The bill creates a presumption that information is “available and open,” “reliable and complete” and “must be timely disclosed.” Agencies must respond within 30 days. Information can be withheld if it is a “national, commercial, official, professional or banking secret” or related to a “valid investigation and fact-finding proceedings.” If information is withheld, the person can appeal to the agency, then to a court and the Human Rights Ombudsman.

Russia is a member of the Council of Europe but has not signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[13] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[14]

Some of the twenty-two autonomous republics of the Russian Federation have constitutional provisions on privacy. In some cases, these republics claim that their constitutions take precedence within their territories over that of the Russian Federation.

The Act on Collection, Elaboration and Use of computerized personal data was enacted in 1983 and amended in 1995.[15] The Act applies to any computerized filing system or data bank, both private and public. It prohibits the collection of personal and confidential data through fraudulent, illegal or unfair means. It requires that information is accurate, relevant and complete. Any individual is entitled both to inquire whether his or her personal data have been collected or processed, to obtain a copy, and to require that inaccurate, outdated, incomplete or ambiguous data, or data whose collection, processing, transmission or preservation is forbidden, be rectified, integrated, clarified, updated or canceled. The creation of a data bank requires the prior authorization of both the State Congress (the Government) and the Guarantor for the Safeguard of Confidential and Personal Data. There are additional rules for sensitive information. Infringements can be punished by means of administrative sanctions or penalties. There were a number of Regency’s Decrees issued under the 1983 Act that remained in force after the 1995 revisions.[16] The Regulation on Statistical Data Collection and Public Competence in Data Processing[17] regulates data processing within the Public Administration.

The Act is enforced by the Guarantor for the Safeguard of Confidential and Personal Data, a judge of the Administrative Court. The Guarantor can examine any claim or petition relating to the application of the above-mentioned law and pass judgment whenever the confidentiality of personal data is violated. His judgment can be appealed to a higher court. The release of information to other countries is conditioned on the prior authorization of the Guarantor, who must verify that the country to which confidential information is being transmitted ensures the same level of protection of personal data as that established in Sammarinese legislation.

San Marino is a member of the Council of Europe but has not signed or ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[18] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[19]

The Singapore Constitution is based on the British system and does not contain any explicit right to privacy.[20] The High Court has ruled that personal information may be protected from disclosure under a duty of confidences.[21]

There is no general data protection or privacy law in Singapore. The government has been aggressive in using surveillance to promote social control and limit domestic opposition.[22] In 1986, then-Prime Minister and founder of modern Singapore Lee Kwan Yew proudly described his stance on privacy:

I am often accused of interfering in the private lives of citizens. Yet, if I did not, had I not done that, we wouldn’t be here today. And I say without the slightest remorse, that we wouldn’t be here, we would not have made economic progress, if we had not intervened on very personal matters – who your neighbor is, how you live, the noise you make, how you spit, or what language you use. We decide what is right, never mind what the people think. That’s another problem.[23]

In September 1998, the National Internet Advisory Board released an industry-based self-regulatory “E-Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce.”[24] The code encourages providers to ensure the confidentiality of business records and personal information of users, including details of usage or transactions, would prohibit the disclosure of personal information, and would require providers not to intercept communications unless required by law. The code would also limit collection and prohibit disclosure of personal information without informing the consumer and giving them an option to stop the transfer, ensure accuracy of records and provide a right to correct or delete data. According to the Singapore Broadcast Authority, in 1999, the Code was adopted by CaseTrust and incorporated into its Code of Practice as part of an accreditation scheme promoting good business practices among store-based and web-based retailers. CaseTrust is a joint project operated by the Consumers Association of Singapore, CommerceNet Singapore Limited and the Retail Promotion Centre in Singapore. The Infocomm Development Authority announced in March 2000 that it would endorse the TRUSTe system as “an industry ‘trustmark’ seal.”[25]

The Singapore Broadcasting Authority is the regulatory authority for the electronic medium in Singapore. It is a statutory board under the Ministry of Information and the Arts (MITA). The IDA is also developing a “Model Code for the Protection of Personal Information.”

In July 1998, the Singapore government enacted three major bills concerning computer networks. They are the Computer Misuse (Amendment) Act, the Electronic Transactions Act and the National Computer Board (Amendment) Act. The CMA prohibits the unauthorized interception of computer communications.[26] The CMA also provides the police with additional powers of investigations. Under the amended Act, it is now an offense to refuse to assist the police in an investigation. Amendments also widened the provisions allowing the police lawful access to data and encrypted material in their investigations of offenses under the CMA as well as other offenses disclosed in the course of their investigations. Such power of access requires the consent of the Public Prosecutor. The Electronic Transactions Act imposes a duty of confidentiality on records obtained under the act and imposes a maximum SG$10,000 fine and 12 month jail sentence for disclosing those records without authorization. Police have broad powers to search any computer and to require disclosure of documents for an offence related to the act without a warrant.[27]

Electronic surveillance of communications is governed by the Telecommunications Authority of Singapore (TAS). The government has extensive powers under the Internal Security Act and other acts to monitor anything that is considered a threat to “national security.” The U.S. State Department in 1998 stated, “Divisions of the Government’s law enforcement agencies, including the Internal Security Department and the Corrupt Practices Investigation Board, have wide networks for gathering information. It is believed that the authorities routinely monitor citizens’ telephone conversations and use of the Internet. While there were no proven allegations that they did so in 1997, it is widely believed that the authorities routinely conduct surveillance on some opposition politicians and other critics of the Government.”[28] All of the Internet Services Providers are operated by government-owned or government-controlled companies.[29] Each person in Singapore wishing to obtain an Internet account must show their national ID card to the provider to obtain an account.[30] ISPs reportedly provide information on users to government officials without legal requirements on a regular basis. In 1994, Technet – then the only Internet provider in the country serving the academic and technical community – scanned through the email of its members looking for pornographic files. According to Technet, they scanned the files without opening the mails, looking for clues like large file sizes. In September 1996, a man was fined US$43,000 for downloading sex films from the Internet. It was the first enforcement of Singapore’s Internet regulation. The raid followed a tip-off from Interpol, which was investigating people exchanging pornography online. Afterwards, the SBA assured citizens that it does not monitor e-mail messages, chat groups, what sites people access, or what they download.[31]

In 1999, the Home Affairs Ministry scanned 200,000 users of SingNet ISP at the request of the company looking for the “Back Orifice” program without telling the subscribers. The Telecommunications Authority of Singapore said that the ISP had violated no law but SingNet apologized for the scans and the National Information Technology Committee announced that it would create new guidelines.[32] The Infocomm Development Authority released guidelines in January 2000.[33] Under the guidelines, a subscriber’s explicit consent must be obtained before scanning can occur. The scanning must be minimally intrusive and must not intercept web browsing or electronic communications. A November 1999 study by the Singapore Polytechnic’s business administration revealed 60 percent of consumers who stated they were unready for virtual shopping cited privacy concerns.[34]

The Minister for Home Affairs announced in March 2000 that it was creating a “Speakers Corner” based on the one in London. However, speakers will be required to register with the local police station and show their national ID card or passport. The personal information will be held for five years.[35] Home Affairs Minister Wong Kan Seng said that the records will be kept for investigative purposes to ensure that the speaker had registered.[36]

The Ministry of Health announced in August 1999 that it was creating a central medical database.[37] The database will hold all patients’ records from all hospitals and clinics in Singapore and be available to government and private doctors.

An extensive Electronic Road Pricing system for monitoring road usage went into effect in 1998. The system collects information on an automobile’s travel from smart cards plugged into transmitters in every car and in video surveillance cameras.[38] The service claims that the data will only be kept for 24 hours and does not maintain a central accounting system. Video surveillance cameras are also commonly used for monitoring roads and preventing littering in many areas.[39] It was proposed in Tampines in 1995 that cameras be placed in all public spaces including corridors, lifts, and open areas such as public parks, car parks and neighborhood centers and broadcast on the public cable television channel.[40] A man was prosecuted under the Films Act in May 1999 for filming women in bathrooms.[41]

The Banking Act prohibits disclosure of financial information without the permission of the customer.[42] Numbered accounts can also be opened with the permission of the authority. The High Court can require disclosure of records to investigate drug trafficking and other serious crimes. The Monetary Authority of Singapore issued new “Know Your Customer” guidelines to banks in May 1998 on money laundering. Banks are required to “clarify the economic background and purpose of any transactions of which the form or amount appear unusual in relation to the customer, finance company or branch office concerned, or whenever the economic purpose and the legality of the transaction are not immediately evident.[43] Banks must report suspicious transactions to the MAS.

The 1992 Constitution provides for protections for privacy, data protection and secrecy of communications. Article 16 states, “(1) The inviolability of the person and its privacy is guaranteed. It can be limited only in cases defined by law.” Article 19 states, “(1) Everyone has the right to the preservation of his human dignity and personal honor, and the protection of his good name. (2) Everyone has the right to protection against unwarranted interference in his private and family life. (3) Everyone has the right to protection against the unwarranted collection, publication, or other illicit use of his personal data.” Article 22 states “(1) The privacy of correspondence and secrecy of mailed messages and other written documents and the protection of personal data are guaranteed. (2) No one must violate the privacy of correspondence and the secrecy of other written documents and records, whether they are kept in private or sent by mail or in another way, with the exception of cases to be set out in a law. Equally guaranteed is the secrecy of messages conveyed by telephone, telegraph, or other similar means.”[44]

The Act on Protection of Personal Data in Information Systems was approved in February 1998 and went into effect in March 1998.[45] The Act replaces the previous 1992 Czechoslovakian legislation.[46] The new act closely tracks the EU Data Protection Directive and limits the collection, disclosure and use of personal information by government agencies and private enterprises either in electronic or manual form. It creates duties of access, accuracy and correction, security, and confidentiality on the data processor. Processing of information on racial, ethnic, political opinions, religion, philosophical beliefs, trade union membership, health, and sexuality is forbidden. Transfers to other countries are limited unless the country has “adequate” protection. All systems are required to be registered with the Statistical Office of the Slovak Republic.[47]

The Act creates a new office for a Commissioner for the Protection of Personal Data in Information Systems who will supervise and enforce the Act. The Commission monitors the protection of personal data in information systems and their registration, inspects the processing of personal data in information systems, receives and handles complaints concerning the violation of personal data protection in information systems, and initiates corrective actions whenever a breach of legal obligations is ascertained. The Commission has an Inspection Unit for Personal Data Protection which carries out supervision of tasks. The unit has 12 staff. The Office has conducted 20 investigations in the past year.[48]

Under the Code of Criminal Procedure, the police are required to obtain permission from a court or prosecutor before undertaking any telephone tapping.[49] However, the communist-era secret police still remain in positions of power and there have been many public revelations of illegal wiretapping of opposition politicians, reporters and dissidents.[50] In 1997, the UN Human Rights Committee recommended that the government: “ensure control, by an independent judicial authority, of the interception of confidential communications – related to, for example, wire-tapping and protection of the right to privacy.”[51]

There are also other legal protections. Article 11 of the Civil Code states “everyone shall have the right to be free from unjustified interference in his or her privacy and family life.” There are also computer-related offenses linked with the protection of a person (unjustified treatment of a personal data).[52] The Slovak Constitutional Court ruled in March 1998 that the law allowing public prosecutors to demand to see the files or private correspondence of political parties, private citizens, trade union organizations and churches, even when not necessary for prosecution, was unconstitutional. Court chairman Milan Cic said this was “not only not usual, but opens the door to widespread violation of peoples’ basic rights and their right to privacy.”[53]

The Act on Free Access to Information was approved by the Parliament in May 2000. It sets broad rules on disclosure of information held by the government. There are limitation on information that is classified, a trade secret, would violate privacy, was obtained “from a person not required by law to provide information, who upon notification of the Obligee instructed the Obligee in writing not to disclose information,” or “concerns the decision-making power of the courts and law enforcement bodies.” Appeals are made to higher agencies and can be reviewed by a court. There are separate requirements for disclosure of environmental information that covers private organizations. It will become effective January 1, 2001.[54] Act 171/1998 of the National Council on Free Access to Environmental Information is revoked.

Slovakia is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in April 2000.[55] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[56]

The 1991 Constitution recognizes many privacy rights. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, “The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights.” Article 37 on the Protection of Privacy of Post and Other Means of Communication states, “The privacy of the post and of other means of communication shall be guaranteed. In accordance with statute, a court may authorize action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security.” Article 38 on the Protection of Personal Data states, “The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of same.”[57]

A new Law on Personal Data Protection went into effect in August 1999.[58] The new law is based on the EU Data Protection Directive and the COE Convention No 108. It replaces the 1990 act.[59] The new act will create an ‘Inspectorate’ to supervise and enforce. The previous law had a limited oversight of personal data protection practices. However, the Human Rights Ombudsman had issued numerous decisions on data protection.[60]

A judge’s warrant must be issued prior to a house search or telephone tapping. A new Law on the Police was adopted in 1998 allows for surveillance to be authorized under special circumstances by a General Police Director.[61] In 1994, Parliament fired the country’s defense minister, Janez Jansa, following claims that he tapped journalists’ phones.[62] Defense Minister Tit Turnsek resigned in February 1998 after two military intelligence officers were arrested by Croatian authorities while driving a vehicle filled with electronic surveillance equipment.[63]

The Law on National Statistics regulates the privacy of information collected for statistical purposes.[64] The Law on Telecommunications requires telecommunications service providers to “guarantee the confidentiality of transmitted messages and of personal and non-personal data known only to them.”[65] The Electronic Commerce and Electronic Signature Act was approved in June 2000.[66]

Slovenia is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[67] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[68]

Section 14 of the South African Constitution of 1996 states, “Everyone has the right to privacy, which includes the right not to have – (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed.” Section 32 states, “(1) Everyone has the right of access to – (a) any information held by the state, and; (b) any information that is held by another person and that is required for the exercise or protection of any rights; (2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state.”[69] The interim Constitution contained an essentially similar provision to Section 14, in Section 13.[70] It is clear that both sections are written in a way that directly responds to the experiences during the apartheid era of gross interferences with peoples’ right to privacy.

The South African Constitutional Court has delivered a number of judgments on the right to privacy relating to the possession of indecent or obscene photographs,[71] the scope of privacy in society,[72] and searches.[73] All the judgments were delivered under the provisions of the Interim Constitution as the causes of action arose prior to the enactment of the Final Constitution. However, as there is no substantive difference between the privacy provisions in the Interim and Final Constitutions, the principles remain authoritative for future application.

The Access to Information Act was approved in February 2000.[74] The bill covers both public and private sector entities and allows for access, rights of correction and limitations on disclosure of information. Originally introduced as the Open Democracy Bill, the proposed legislation also included comprehensive data protection provisions.[75] However, those provisions were removed by the Parliamentary committee in November 1999. The Committee wrote that, “it would be dealing with the right to privacy in section 14 of the Constitution in an ad hoc and undesirable manner...it is intended that South-Africa, in following the international trend, should enact separate privacy legislation. The Committee, therefore, requests the Minister for Justice and Constitutional Development to introduce Privacy and Data Protection legislation, after thorough research on the matter, as soon as reasonably possible.”[76] The Privacy and Data Protection Bill is still in its early stages of development.

The Department of Communications is planning to release its long awaited green paper on a draft e-commerce bill in August 2000. After public discussion, a white paper is expected to be released by the end of the year and legislation will be introduced next year. A July 1999 discussion paper raised a number of questions about new legislation:

Should South Africa adopt specific requirements for database owners and others collecting personal information, with regard to the treatment of such data?

South Africa does not have a privacy commission but has a Human Rights Commission which was established under Chapter 9 of the Constitution and whose mandate is to investigate infringements on and to protect the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated. The Commission has limited powers to enforce the Access to Information Act.

The Interception and Monitoring Act of 1992 regulates the interception of communications.[78] This Act prohibits the interception of certain and monitoring of communications and also provides for the interception of postal articles and communications and for the monitoring of conversations in the case of a serious offense, or if the security of the country is threatened. In November 1998, the South African Law Commission recommended changes to the Interception and Monitoring Act to facilitate monitoring of cellular phones and Internet Service Providers.[79] The Ministry of Justice is now working on a draft bill to implement the recommendations of the SALC. The bill would require that all telecommunications services including ISPs make their services capable or being intercepted before they could offer the service to the public. Providers would be required to pay for the costs of making their systems wiretap-enabled. The National Intelligence Agency announced in February 2000 that it was creating a signals intelligence service based on the model of the UK’s GCHQ.[80]

In 1996, it was revealed that the South African Police Service was monitoring thousands of international and domestic phone calls without a warrant.[81] In February 2000, the government apologized to the German Government after it was found that an intelligence operative had placed spy cameras outside the Germany Embassy.[82] The opposition Democratic Party announced in November 1999 that it found surveillance devices at its parliamentary offices and national headquarters.[83]

There are no other specific pieces of legislation on general data protection law. Other than the Constitutional right to privacy, the South African common law protects rights of personality under the broad umbrella of the actio injuriarum. The elements of liability for an action based on invasion of privacy are the same as any other injury to the personality, namely an unlawful and intentional interference with another’s right to seclusion and to private life. The Law Commission is currently drafting a new computer crimes law.

Financial privacy is covered by a weak code of conduct for banks issued by the Banking Council in March 2000. Credit bureau Experian accidentally made available on its web site the records on 1.5 million clients in July 1999.[84] The information was from cell phone company Vodac and banks Nedcor, Standard Bank, Mercantile, Teljoy and Homechoice and included names, addresses and identity, telephone and cellphone numbers, and bank account details. In February 2000, it was discovered that First National Bank’s (FNB) telephone banking service allowed callers to obtain a balance statement and available credit level for the accounts of any client. The service was reported to get 170,000 calls a month.[85]

The Cabinet approved a plan in March 1998 to issue a multi-purpose smart card that combines access to all government departments and services with banking facilities. This is part of the information technology strategy formulated by the Department of Communications to provide kiosks for access to government services.[86] In the long term, the smart card is intended to function as passport, driver’s license, identity document and bank card. The driver’s license will include fingerprints. The new ID cards are to be issued in the second half of 2001.[87]

The Access to Information Act is a comprehensive Freedom of Information Act.[88] It was reported that the apartheid-era security police maintained 314,000 files on individuals and 9,400 on organizations.[89] Many documents were reported destroyed in 1993 by military intelligence.

The Constitution recognizes the right to privacy, secrecy of communications and data protection. Article 18 states, “(1). The right of honor, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except for infractions by judicial order. (4) The law shall limit the use of information, to guarantee personal and family honor, the privacy of citizens, and the full exercise of their rights.”[90]

The Spanish Data Protection Act (LORTAD) was enacted in 1992 and amended in December 1999 to implement the EU Data Protection Directive.[91] It covers files held by the public and private sector. The law establishes the right of citizens to know what personal data is contained in computer files and the right to correct or delete incorrect or false data. Personal information may only be used or disclosed to a third party with the consent of the individual and only for the purpose for which it was collected. Questions still remain about citizens who do not wish to be included in the “promotional census.” Consumer groups are also concerned about the law provisions allowing use of information without consent unless the consumer has opted out of the use.

The Agencia de Protección de Datos is charged with enforcing the LORTAD.[92] The Agency maintains the registry and can investigate violations of the law. The agency has issued a number of decrees setting out in more detail the legal requirements for different types of information.[93] It can also impose penalties. In June 1997, it fined Telefonica, the Spanish telephone company, 110 million pesetas for providing information from their subscriber database to banks, direct marketing companies and Reader’s Digest.[94] The agency issued a total ES1.5 billion in fines in 1999.[95] The Agency fined Microsoft ES10 million (US $60,000) in May 1999 for misusing personal information. It fined the General Council of Official Medical Colleges US$333,000 and Banco Espanol de Credito Banesto $67,000 for using confidential information about doctors to offer mortgage and pension services.[96] The agency in 1997 registered 3,312 new databases, received 682 complaints, conducted over 10,000 telephone consultations, and issued 20 reports.[97] As of December 1997, 229,000 databases were listed in the Register.

Interception of communications requires a court order.[98] The 1997 Telecommunications Act amended the law and restricts the use of cryptography but that provision has not been enforced.[99] There have been a number of scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defense Minister Julian Garcia Vargas and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos.[100] In May 1999, Gen. Manglano, the former director of the CESID, and Col. Juan Alberto Perote, a former operations chief were convicted and sentenced to six months jail time for their role in the wiretappings. Five other ex-agents who did the actual surveillance were given four-month terms.[101] Defence Minister Eduardo Serra was called before Parliament in April 2000 after an illegal CESID bugging operation was revealed above the offices of Herri Batasuna (HB) coalition.[102]

There are also additional laws in the penal code,[103] and relating to credit information[104] video surveillance,[105] and automatic tellers.[106] The government issued a decree on digital signatures in September 1999.[107] The Spanish Supreme Court ruled in March 1999 that a Spanish reporter who disclosed the initials of two AIDS-infected inmates working in a prison kitchen would be given a one-year suspended sentence, fined $26,000 and be barred from journalism for a year.[108] The Minister of Justice is expected to submit a bill on DNA databases and testing to the Parliament.

The law of 30/26/11/1992 provides for access to government information.[109] The law was amended in 1998 by Ley 29/1998, de 13 de julio. Under Article 37.2, the right of access and correction can be denied if reasons of public interest prevail.

Spain is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[110] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[111] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Sweden’s Constitution, which consists of several different legal documents, contains several provisions which are relevant to data protection. Section 2 of the Instrument of Government Act of 1974[112] provides, inter alia, for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument states also that freedom of expression and information – which are constitutionally protected pursuant to the Freedom of the Press Act of 1949[113] – can be limited with respect to the “sanctity of private life.” Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. It is also important to note that the European Convention on Human Rights has been incorporated into Swedish law as of 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.

Sweden enacted the Personal Data Act of 1998 to bring Swedish law into conformity with the requirements of the EC Directive on data protection.[114] The new Act essentially adopts the EU Data Protection Directive into Swedish law. It regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. The Act replaced the Data Act of 1973, which was the first comprehensive national act on privacy in the world.[115] The 1973 Act shall continue to apply until October 2001 with respect to processing of personal data which is initiated prior to October 24, 1998. Section 33 of the Act was amended in 1999 to adopt the EU Directive standards on the transfer of personal data to a third country. According to the Data Inspection Board, the amendment will facilitate transfer of data through international communication networks, such as the Internet. There may be situations where a third country - despite not having any data protection rules at all - still can be considered having an adequate level of protection. This would be depending on the other circumstances. It is also possible that the level of protection in a third country may be assessed as adequate in some areas but not in others. The amendment entered into force in January 2000

The Data Inspection Board (Datainspektionen) is an independent board that oversees the enforcement of the Data Act.[116] In 1999, under the new act, the board received 409 complaints and conducted 298 investigations. In 1998, the board received 269 complaints according and conducted 199 investigations. In 1997, it received 250 complaints and made 302 investigations. There are 29,464 registered databases and 855 processings under section 36 of the Act.[117] The Board has been active in trying to limit the use of the personal identity number.[118] One of their most publicized cases was against SABRE, the airline reservation system, for transferring medical information of passengers without adequate controls. The Supreme Administrative Court recently declined to hear the case following decisions by lower courts upholding the Board’s ruling.

Numerous other statutes also contain provisions relating to data protection. These include the Secrecy Act of 1980,[119] Credit Information Act of 1973,[120] Debt Recovery Act of 1974,[121] and Administrative Procedure Act of 1986.[122]

A court order is required to obtain a wiretap.[123] The law was amended in 1996 to facilitate surveillance of new technologies.[124] According to the Office of the Prosecutor-General, wiretapping has declined in the last several years from 397 court orders in 1996, to 339 in 1997 and 312 in 1998. At the same time, court orders for “monitoring of electronic traffic” has increased substantially from 99 in 1996 to 165 in 1997 to 333 in 1998. Court orders for video surveillance has remained constant, from 40 in 1996, 43 in 1997 to 45 in 1998.[125] Swedish press reported in September 1999 that the Swedish Minister of Justice Laila Freivalds was planning to ask for the power to use hidden microphones and expand surveillance.[126] The International Helsinki Federation for Human Rights noted, “State interference in the private lives of its citizens lacked in legal rights and transparency.”[127]

The DIB released a report in December 1998 revealing that Sweden’s police/security services carried out, over a long period, covert surveillance of thousands of Swedish citizens, mostly politically leftists, often on highly tenuous or trivial grounds from 1969 until 1998. The surveillance had been repeatedly denied to exist by high government officials such as the Justice Chancellor, who at the same time wrote secret reports about the investigations.[128] The Lund/McDonald commission was set up in early 1999 in order to investigate these surveillance practices, which were demanded by the United States as a condition to receiving military technology. The intelligence agency also used their files to attempt to prevent journalists critical of them from being hired by the national television and radio networks. Observers are skeptical that the commission will be effective because of a lack of expertise in intelligence matters.

Previously, it was also discovered that the Swedish statistical agency, Statistika, was monitoring 15,000 Stockholm residents born in 1953 in intimate detail. The information included statistics on drinking habits, religious beliefs, and sexual orientation. The DIB subsequently ordered the destruction of the master tape containing the data.[129]

Sweden is a country that has traditionally adhered to the Nordic tradition of open access to government files. The world’s first freedom of information act was the Riksdag’s (Swedish Parliament) “Freedom of the Press Act of 1766.” The Act required that official documents should “upon request immediately be made available to anyone making a request” at no charge. The Freedom of the Press Act is now part of the Constitution and decrees that “every Swedish citizen shall have free access to official documents.” Decisions by public authorities to deny access to official documents may be appealed to general administrative courts and ultimately, to the Supreme Administrative Court. The Parliamentary Ombudsman has some oversight functions for freedom of information.

Sweden is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[130] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[131] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Article 36(4) of the 1874 Constitution guaranteed, “[t]he inviolability of the secrecy of letters and telegrams.”[132] This Constitution was repealed and replaced by public referendum in April 1999. The new constitution, which entered into force on January 1, 2000, greatly expanded the older privacy protection provision. Article 13 of the Constitution now states: “All persons have the right to receive respect for their private and family life, home, mail and telecommunications. All persons have the right to be protected against abuse of their personal data.” [133]

The Federal Act of Data Protection of 1992 regulates personal information held by government and private bodies.[134] The Act requires that information must be legally and fairly collected and places limits on its use and disclosure to third parties. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have equivalent laws. Individuals have a right of access to correct inaccurate information. Federal agencies must register their databases. There are criminal penalties for violations. There are also separate data protection acts for the Cantons (states).

In June 1999, the E.U. Data Protection Working Party determined that Swiss law was adequate under the E.U. Directive.[135] In July 2000, the European Commission formally adopted this position, thereby approving all future transfers of all personal data transfers to Switzerland. [136]

The 1992 Act created a Federal Data Protection Commission.[137] The commission maintains and publishes the Register for Data Files, supervises federal government and private bodies, provides advice, issues recommendations and reports, and conducts investigations. The commissioner also consults with the private sector. Its most recent report recommended improvements in telecommunications privacy, controls on workplace monitoring, legal limitations on DNA databases, the development of strong privacy enhancing technologies and greater consumer protections in the areas of unwanted telemarketing, Caller-ID, spam, on-line profiling and data mining. It also recommended increased co-operation at international level to protect privacy and the introduction of legislation, similar to that in Germany, providing an explicit right to anonymity.[138] There are currently 20 people employed by the Commission.

Telephone tapping is governed by the Penal Code and Penal Procedure Code amended by the 1997 Telecommunication Act that came into effect on January 1, 1998.[139] This Act established a specialized agency, Le Service des Taches Speciales (STS), within the Department of the Environment, Transport, Energy and Communications to administer wiretaps. A court order is required for every wiretap. There were 2,138 wiretaps requested by the federal and cantonal authorities in 1996.[140] A Department of Justice working group has been developing revisions for the wiretap legislation for several years. A proposal to modify wiretapping and mail interception was introduced in July 1998.[141] In 1999, the Privacy Commission withdrew its support after the working group expanded the number of offenses to include many minor offenses.[142] In December 1999, the Conseil National approved the draft law by a majority vote of 128 to 3, but laid down certain restrictions on the categories of crimes for which surveillance may be authorized and the use of surveillance as a preventative measure.[143] In the Spring of 2000, the Conseil des Etats amended the proposal to directly include surveillance of cellular telephone and prepaid calling card users.[144] The law will now return to the Conseil National for reconsideration. In February 2000, the Department of the Environment Transport, Energy and Communications introduced a project to create a national security agency.[145] The agency is intended to update surveillance concerning technical security issues arising solely within the activities of the Department itself.

There have been numerous public revelations of illegal wiretapping. A 1993 inquiry found that phones used by journalists and ministers in the Swiss Parliament were tapped.[146] The Data Protection Commissioner also accused the Telecom PTT, the state telephone company, of illegally wiretapping telephones. There were considerable protests in 1996 when it was revealed that the federal government was wiretapping journalists to discover their sources after which Swiss President Arnold Koller described the taps as “excessive.”[147] In December 1997, the newspaper Sonntags Zeitung reported that Swisscom, (formerly PTT), was tracking the location of cellular phone users and maintaining those records for an extended period.[148] The Data Protection Commissioner issued a report on this subject in July 1998.[149] In February 1998, an agent for Israel’s Mossad Secret Service was arrested by the Swiss authorities for attempting to tap the phone of a Lebanese immigrant whom he believed had links to the Hizbollah. On July 7, the Swiss court handed down a one year sentence to be suspended for two-years.[150]

Besides the Data Protection Act, there are also legal protections for privacy in the Civil Code[151] and Penal Code,[152] and special rules relating to workers’ privacy from surveillance,[153] telecommunications information,[154] health care statistics,[155] professional confidentiality including medical and legal information,[156] medical research,[157] police files,[158] and identity cards.[159] In 1989, a Parliamentary inquiry revealed that the Federal Police had collected files on about 900,000 people, most of whom were not suspected of having committed any offence. Banking records are protected by the Swiss Federal Banking Act 1934. This Act was passed to guarantee strong protections for the privacy and confidentiality of bank customers, especially those subject to persecution for racial, political or religious reasons.[160] Switzerland has come under increasing pressure from the EU and OECD to weaken these laws and provide greater access to bank records for the purposes of tax collection. Swiss Finance Minister, Kaspar Villiger, has so far rejected these calls, maintaining that the banking secrecy laws are essential for Switzerland’s role as an important financial center.[161]

Switzerland is a member of the Council of Europe and signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1997.[162] Switzerland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[163] Switzerland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Switzerland is not an EU member state but has been granted associate status.

Article 12 of the 1994 Taiwanese Constitution states, “The people shall have freedom of privacy of correspondence.”[164]

The Computer-Processed Personal Data Protection Law was enacted in August 1995.[165] The Act governs the collection and use of personally identifiable information by government agencies and many areas of the private sector. The Act requires that “The collection or utilization of personal data shall respect the rights and interests of the principal and such personal data shall be handled in accordance with the principles of honesty and credibility so as not to exceed the scope of the specific purpose.” Individuals have a right of access and correction, the ability to request cessation of computerized processing and use, and the ability to request deletion of data. Data flows to countries without privacy laws can be prohibited.[166] Damages can be assessed for violations. The Act also establishes separate principles for eight categories of private institutions: credit information organizations, hospitals, schools, telecommunication businesses, financial businesses, securities businesses, insurance businesses, mass media, and “other enterprises, organizations, or individuals designated by the Ministry of Justice and the central government authorities in charge of concerned end enterprises.”

There is no single privacy oversight body to enforce the Act. The Ministry of Justice enforces the Act for government agencies. For the private sector, the relevant government agency for that sector enforces compliance. The Criminal Investigation Bureau (CIB) arrested several people in November 1998 for selling lists of more than 15 million voters and personal data of up to 40 million individuals in violation of the Act.[167]

The Parliament approved the Communication Protection and Surveillance Act in June 1999 to impose stricter guideline on when and how wiretaps can be used. However taps can still be approved for broad reasons such as “national security” and “social order.” It also requires telecommunications providers to assist law enforcement and sets technical requirements for interception, which is being opposed by mobile phone providers.[168] The Act replaces the martial law-era Telecommunications Surveillance Act. Article 315 of Taiwan’s Criminal Code states that a person who, without reason, opens or conceals a sealed letter or other sealed document belonging to another will be punishable under the law. The 1996 Telecommunications Law states “Unauthorized third parties shall not receive, record or use other illegal means to infringe upon the secrets of telecommunications enterprises and telecommunications messages. A telecommunications enterprise should take proper and necessary measures to protect its telecommunications security.”[169] The Act was amended in October 1999 to increase penalties for illegal telephone taps to NT1.5 million and up to five years in prison. In 1998, the Supreme Court ruled that evidence obtained through illegal wiretaps was not admissible in a criminal trial.

The Prosecutor General’s Office revealed in 1999 that over 15,000 people were subject to wiretapping in the just the first half of 1999 including for “political intelligence.”[170] In January 2000, a wiretap was found at the campaign office of presidential candidate Chen Shui-bian.[171] Independent presidential candidate James Soong alleged in November 1999 that the government was tapping his campaign and home phones.[172] The U.S. State Department was also critical of the government stating “Wiretapping of telephones also is a serious problem. The Telecommunication Law and the Code of Criminal Procedure provide that judicial and security authorities may file a written request to a prosecutor’s office to monitor telephone calls to collect evidence against a suspect involved in a major crime. According to media reports this practice is commonplace, with more than 106,000 successful applications for wiretapping in 1997. Moreover, the intelligence services have their own wiretapping capabilities, which are not subject to supervision by the judicial branch. Ministry of Justice authorities have stated that such steps are required in view of the threat Taiwan faces from Mainland China.”[173]

Under the HIV Prevention Law, the government can demand that foreigners who have been in Taiwan for over three months provide an HIV test.[174] If they are found to have HIV, they are immediately deported. The legislature amended the law in July 2000 to allow for a change for debate their cases.[175]

In May 2000, the Ministry of Justice proposed that all banks link their customer databases to a central database at the Ministry of Finance. The proposal is being opposed by the Ministry of Finance. Deputy Finance Minster Chen Chung said at a hearing in May, “This proposal takes aim at the vast majority of people, who are not criminals, before a crime has even taken place. Is this really necessary? Shouldn’t there be more serious consideration.”[176]

In 1997, the Taiwanese government proposed a new national ID card called the “National Integrated Circuit (IC) Card.” The plan called for a smartcard based system with over 100 uses for the card including ID, health insurance, driver’s license, taxation and possibly small-value payments. The card would be issued and operated by Rebar Corporation, a private company which would have set up and paid for the system on its own but would have kept any profits from its creation. The entire system was estimated to cost NTD 10 billion (USD 357 million). There were hearings to evaluate privacy concerns after protests about the plan arose.[177] The government dropped the plan and is now creating a paper-based card, which may include a fingerprint. A smartcard-based system just for health information is also being developed which will use the national ID number.

Section 34 of the 1997 Constitution states, “A persons family rights, dignity, reputation or the right of privacy shall be protected. The assertion or circulation of a statement or picture in any manner whatsoever to the public, which violates or affects a person’s family rights, dignity, reputation or the right of privacy, shall not be made except for the case which is beneficial to the public.” Section 37 states, “Persons have the freedom to communication with one another by lawful means. Search, detention or exposure of lawful communication materials between and among persons, as well as actions by other means so as to snoop into the contents of the communications materials between and among persons, is prohibited unless it is done by virtue of the power vested in a provision of the law specifically for the purpose of maintaining national security or for the purpose of maintaining peace and order or good public morality.” Section 58 states, “A person shall have the right to get access to public information in possession of a State agency, State enterprise or local government organization, unless the disclosure of such information shall affect the security of the State, public safety or interests of other persons which shall be protected as provided by law.” [178]

The National Information Technology Committee (NITC) approved plans in February 1998 for a series of information technology (IT) laws. Six sub-committees under the National Electronics and Computer Technology Centre (Nectec) were set up to draft the following bills: E-Commerce Law, EDI Law, Privacy Data Protection Law, Computer Crime Law, Electronics Digital Signature Law, Electronics Fund Transfer Law and Universal Access Law. All six bills were reportedly submitted to the Cabinet in January 2000.[179] A combined electronic commerce and digital signature law was approved by the Cabinet in July 2000 and is expected to be approved by the Parliament this year. The rest of the bills, including the data protection act, are still awaiting Cabinet approval. The Association of Thai Computer Industry (ATCI) called on the government in May 2000 to adopt the data protection law to promote trust in e-commerce.[180]

The Official Information Act was approved in 1997.[181] The Act sets a code of information practices on personal information system run by state agencies. The agency: must ensure that the system is relevant to and necessary for the achievement of the objectives of the operation of the State agency; make efforts to collect information directly from the subject; publish material about its use in the Government Gazette; provide for an appropriate security system; notify such person if information is collected about them from a third party; not disclose personal information in its control to other State agencies or other persons without prior or immediate consent given in writing by the person except in limited circumstances; and provide rights of access, correction and deletion.

The Official Information Commission oversees the Act.[182] The Commission is under the Office of the Prime Minister. In August 1999, Director Surasi Kosolnawin was removed from the post after fighting with Minister Supatra Masdit over his aggressive efforts to force government agencies to implement the Act.

Phone tapping is a criminal offense under the 1934 Telegraph and Telephone Act.[183] Wiretaps can be conducted for security reasons. Violators can face up to five years in jail. The Narcotics Control Board recently proposed legislation that would authorize tapping in drug cases with a court order. Illegal wiretapping is common in Thailand. Communications Minister Suthep Thuagsuban told reporters in June 2000, “Tapping telephones is not new in Thailand, everybody knows there is telephone tapping...When you return home you should check your line.”[184] In April 1997, tapes and transcripts from wiretaps of Sanan Kachornprasart, the opposition party Democrat secretary-general, were found in the compound of Government House.[185] The Armed Forces Security Centre was accused of being behind the tapping.[186] Wiretaps were found on the telephone of the chairperson of the Civil Rights and Freedom Protection Group, an anti corruption group in June 2000. After a technician from the Telephone Organisation of Thailand (TOT) was charged with the tap, the president of the TOT resigned. The National Counter Corruption Commission has taken over the investigation.[187]

In 1997, Thailand began issuing a new national ID card with a magnetic strip. The computer system will be linked with other government departments including the Revenue Department, the Ministry of Foreign Affairs, the Ministry of Defense and the Office of the Narcotics Control Board. The government also plans to link the system with other governments to allow holders to travel in Asian countries without the need for a passport, using only the new card. Bank customers who carry the new ID card can use it as an ATM card as well.[188] In 1995, Control Data Systems was awarded a $11.5 million contract by the Bangkok Metropolitan Administration (BMA) project to install the Computerized National Census and Services Project. The system includes names, addresses, national ID card numbers, and census information such as birth and death records and address changes. It will be used for checking individual tax returns and compiling census statistics.[189] It is expected to be completed by next year for elections.

The Official Information Act allows for citizens to obtain government information such as the result of a consideration or a decision which has a direct effect on a private individual, work-plan, project and annual expenditure estimates, and manuals or order relating to work procedure of State officials which affects the rights and duties of private individuals. Individuals can appeal denials to the Official Information Commission. According to the OIC, in 1999, there were 191 complaints, 80 of which were solved during the year. There were 32 cases in 1998. [190] The OIC is currently reviewing the government’s withholding of most of the official report on the 1992 bloody Black May military crackdown on political protests.

Section Five of the 1982 Turkish Constitution is entitled, “Privacy and Protection of Private Life.”[191] Article 20 of the Turkish constitution deals with “Privacy of the Individual’s Life,” and it states, “Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated. Exceptions necessitated by judiciary investigation and prosecution are reserved. Unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial, neither the person nor the private papers, nor belongings of an individual shall be searched nor shall they be seized.” Article 22 states, “Secrecy of communication is fundamental. Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial. Public establishments or institutions where exceptions to the above may be applied will be defined by law.”

The Turkish Ministry of Justice as of summer of 2000 has been working on draft legislation on the protection of personal data. For this purpose, yet another working party has been established but there are currently no further details available in relation to the schedule of the working party or whether this time the efforts of such a working party will result with a Turkish Data Protection law. The Ministry has been working on this for several years without success. The proposals discussed within the May 1998 E-Commerce Laws Working Party Report[192] emphasize both the importance of facilitating the collection and processing of personal data and the protection of personal data of individuals in the information age.

Within the Turkish national legislation, the protection of personal rights is regulated in the Civil Code. Pursuant to Article 24 of the Civil Code, an individual whose personal rights are violated unjustly may request protection against the violation from the judge. Individuals can bring action for violation of their private rights. However, there is no criminal liability for such violations of personal rights and currently there is no protection for personal data (through data protection laws or any other laws) under the current Turkish Criminal Code.

Articles 195-200 of the Turkish Criminal Code on the freedom of communications govern communication through letters, parcels, telegram and telephone. Despite the existing laws and regulations, the right to privacy and to private communications seem to be rather problematic in Turkey. There is widespread illegal wiretapping by the government. According to acting Security Director Kemal Celik, all telephones in Turkey are bugged. The Turkish parliament’s telephone bugging committee, set up to investigate allegations of government phone taps, confirmed allegations that the Security Directorate listens in on all telephone communications, including cellular calls, according to a secret 50-page report documenting and confirming the bugging of telephones.[193] In December 1999, a Turkish court convicted the deputy head of Ankara’s police intelligence division Zafer Aktas of abuse of office for his part in a telephone tapping scandal, in which Ankara police were accused of bugging the prime minister’s telephones.[194] In March, Chairman of the Supreme Court’s 8th Department, Naci Unver, sued the Interior Ministry after finding out that his official phone is being bugged. The Interior Ministry defended the tapping saying that the claims of the suitor that the incident was a violation of personal freedom and of the independence of the juridical system were “obscure and pointless.” The Ministry demanded the withdrawal of the lawsuit for compensation, saying, “Or else there would be no end to lawsuits filed.” The Ministry also claimed that the police department had “just listened but not carried out a criminal recording and thus the events did not damage suitors in any concrete way. In the second report, it is also stated that if compensation were to be paid, it would result in an unnecessary wealth gain for the victim.[195] The Interior Minister said in March 2000 that new guidelines would be issued soon and punishment for illegal wiretaps would be forthcoming.[196]

A new bill to set up a “Council for the Security of National Information and its duties” is pending in the Parliament. The bill would set up the Council to address issues including data protection, encryption, and security of information systems. The Council will be part of the Prime Minister’s office and the Ministry of Justice, Ministry of Defense, MIT (Turkish CIA), the Army and other ministries will be involved. The draft Bill was heavily criticized and received only support from the General Staff (representing the Army). According to Vice-Admiral Taner Uzunay, the Head of the Electronic Communication department within the General Staff, the US government is listening to Turkish communications which it is why it is urgent to develop policies on protection of the information and communication infrastructure in Turkey.[197] TUBITAK-BILTEN, the Scientific and Technical Research Council Of Turkey - The Institute of Information Technologies recommended that the duties of the National Council for the Security of National Information need to be clarified.[198] According to their report, the Council cannot be an intelligence agency, research and development unit, a standards institute, a certification authority, and a public policy making body at the same time.[199] Industry groups and NGOs also expressed concern about the Council have control over information security.

In 1990, a parliamentary commission on human rights was established with the power to monitor the human rights situation in Turkey and abroad. Currently, the commission consists of 25 parliamentarians, three consultants and four secretaries. Since its inception, the commission has taken up some 20 cases on its own initiative. Most of these cases relate to alleged violations of physical integrity[200] and it is unknown whether the Commission has dealt with any cases of individual privacy.

Turkey is a member of the Council of Europe and has accepted the Council’s monitoring mechanism.[201] It signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1981 but has not ratified the act.[202] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[203] Turkey has also been a member of the Organization for Economic Co-operation and Development since 1961.

The Constitution of Ukraine guarantees the right of privacy and data protection.[204] Article 31 states, “Everyone is guaranteed privacy of mail, telephone conversations, telegraph and other correspondence. Exceptions shall be established only by a court in cases envisaged by law, with the purpose of preventing crime or ascertaining the truth in the course of the investigation of a criminal case, if it is not possible to obtain information by other means.” Article 32 states “No one shall be subject to interference in his or her personal and family life, except in cases envisaged by the Constitution of Ukraine. The collection, storage, use and dissemination of confidential information about a person without his or her consent shall not be permitted, except in cases determined by law, and only in the interests of national security, economic welfare and human rights. Every citizen has the right to examine information about himself or herself, that is not a state secret or other secret protected by law, at the bodies of state power, bodies of local self-government, institutions and organizations. Everyone is guaranteed judicial protection of the right to rectify incorrect information about himself or herself and members of his or her family, and of the right to demand that any type of information be expunged, and also the right to compensation for material and moral damages inflicted by the collection, storage, use and dissemination of such incorrect information.” There is also a limited right of freedom of information. Article 50 states, “Everyone is guaranteed the right of free access to information about the environmental situation, the quality of food and consumer goods, and also the right to disseminate such information. No one shall make such information secret.”

There is currently an effort to enact a data protection act. The draft bill on Data Protection prepared by State Committee of Communications and Computerization was introduced to the Cabinet of Ministers for consideration in December 1999. The draft is loosely based on the Council of Europe Convention No. 108 and the State of Hesse’s (Germany) 1970 data protection act and focuses on property rights for privacy control. The original drafts proposed the establishment of a Data Protection Ombudsman but the most recent draft leaves out the office because of opposition by the State Security Service and Ministry of Justice. Observers note that it is not likely to be compliant with the COE convention or the EU Directive.

The Act “On Information” defines only general principles of citizens’ access to information personally related to them. Article 9 provides individuals with access to information concerning them. Exceptions are to be defined by Law. Article 23 of the Statute prohibits collection of personal data without consent of the data subject, and provides the right to know about data collection.[205] The Constitutional Court of Ukraine ruled in October 1997 that Article 23 prohibited not only the collection of information, but also the storage, use and dissemination of confidential personal information without the consent of the individual.[206] There are exceptions for national security, economic well-being, and information that would affect another’s rights and freedoms. Confidential information includes, in particular, information about a person such as education, marital status, state of health, date and place of birth, property status and other personal details.

The Act on the Operational Investigative Activity of February 18, 1992, and the Act on organizational and legal foundations of struggle with organized crime empowers law enforcement agencies to conduct surveillance. The agencies are obliged to obtain a warrant under the court procedure as implemented by the Act of the Supreme Court Plenary Session of November 1, 1996.[207] The Statute does not provide wiretapping procedure rules. Those are regulated by secret rules, adopted by the joint Ministry of Internal Affairs and State Committee as Communications Order No 745/90 of September 30, 1999. The applications are registered and include the names of officials, and the date and type of communications. Statistical data on wiretapping activity is not publicly available. Under article 11, priests, doctors, and lawyers can not be asked about information concerning their clients, and any such information cannot be used as evidence in court. However, in practice, the courts regularly use such information. The special services investigated the Kazakhstan Energy Grid Operating Company in June 2000 for the illegal tapping of employee conversations and charged one employee with a violation of the criminal code.[208]

The Department of Special Telecommunication Systems and Information Safeguarding of the Security Service of Ukraine is authorized under an April 2000 Presidential Order to adopt regulations on the protection of information in data transmitting networks, as well as to establish the “application of the tools for the protection of state information resources.”[209] In July 2000, President Kuchma signed a decree on “development of national content of the global informational network (Internet) and wide access to this network in Ukraine.” It sets rules on digital signatures, information security and protection of information “which can not be published according to the law.”[210]

In September 1999, President Leonid Kuchma proposed regulations requiring that Internet Service Providers install surveillance devices on their systems based on the Russian SORM system. The regulations had to be withdrawn because of a Constitutional issue and he proposed a bill to implement them. The bill was attacked by the Parliament and withdrawn. However, in August 1999, the security service visited a number of the large ISPs who were reported to have installed the boxes. In June 2000, several high government officials (including the deputy chair of the security service, the chair of the headquarters of the Ministry of Defense, and the chair of the Presidential Committee on informational security) held closed meetings with representatives of the major Ukrainian ISPs to discuss new SORM regulations. A working group released a document announcing that the group had agreed to implement surveillance capabilities based on ENFOPOL 98 and create a working group on filtering and monitoring of unlawful information.[211] The large ISPs are expected to support the regulations to eliminate competition from smaller ISPs who will not be able to afford the new systems.

There are a number of other laws that control personal information.[212] The cabinet approved the creation of a Single State Automated Passport System in January 1997 as a component of the State Register of Population.[213] The system will be used as an internal ID system and hold both textual and graphical data about every Ukrainian. The text data will include: first, patronymic and last name, date of birth, sex, identification number, date of registration and residence, data of another state citizenship, data of passport and its duplicates, data of job/study, matrimonial status, data of husband/wife and children, education, military draft status, date of documents for travelling abroad, and memorandums (disability care, restriction for travelling abroad). The graphical information will include: identifier, biometrics data and signature. There are also laws relating to tax information,[214] social insurance,[215] domicile registration,[216] retirement insurance,[217] unemployment insurance,[218] criminal investigations,[219] juvenile records,[220] former prisoners,[221] military service records,[222] medical records,[223] and HIV and AIDS records.[224]

Religious conservatives demonstrated in opposition to the application of personal identification numbers approved by the Act On State Register of Natural Persons – Taxpayers.[225] The Parliament approved an amendment to the statute in July 1999 allowing for an alternative system of registration to be used for persons with religious grounds for opposing identity numbers.[226]

In October 1998, a CD “All Kyiv-2” was offered for sale at markets in the city of Kiev. The CD contained all addresses and telephone directories of the City, including the phone numbers and addresses not only of residents but also of top state management, including the former and current President of Ukraine. It is clear that the release took place as a result of a violation of the access regime of the State Information Service.

The 1992 Act on Information provides a right of access to government records.[227] Article 21 sets out methods for making official information public, including disclosing it to interested persons orally, in writing or in other ways. Article 29 of the Statute prohibits the limitation of the right to obtain non-covert information. Article 37 sets out a long list of exceptions. The author of a rejected or postponed request has a right to appeal the decision to a higher echelon or court (Article 34). There is limited access to the files of the former secret police under the Act “on rehabilitation of victims of political repressions,” which gives the rehabilitated citizen or his heirs the right to read his personal file kept in the KGB archives.

Ukraine is a member of the Council of Europe but has not signed or ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[228] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[229]

The UK does not have a written constitution. In 1998, the Parliament approved the Human Rights Act that will incorporate the European Convention on Human Rights into domestic law, a process which will establish an enforceable right of privacy.[230] The Act will come into force on October 2, 2000.

The Parliament approved the Data Protection Act (1998) in July 1998.[231] The legislation, which came into force on March 1, 2000, updates the 1984 Data Protection Act in accordance with the requirements of the European Union’s Data Protection Directive.[232] The Act covers records held by government agencies and private entities. It provides for limitations on the use of personal information, access to records and requires that entities that maintain records register with the Data Protection Commissioner.

The Office of the Data Protection Commissioner is an independent agency that maintains the register and enforces the Act.[233] There are currently 237,146 data users registered with the Commission. In the 11 months prior to the end of February 2000, the agency received 4,570 complaints,[234] an increase of 36 percent over the previous year. Of these complaints, 145 resulted in prosecutions by the Data Commission and 130 guilty verdicts were issued by the courts. The Commissioner is also responsible for enforcing the Telecommunications (Data Protection and Privacy) Regulations. These regulations came into force on March 1, 2000, and fully implement the EU Telecommunications Directive.[235] They repeal and replace the Telecommunications (Data Protection and Privacy) (Direct Marketing) Regulations 1998 which came into effect on May 1, 1999. The Commissioner has already issued two enforcement notices against companies acting in breach of these regulations. The Commissioner issues a number of comprehensive reports for the public. She has published a Code of Practice for the use of Closed Circuit Television (CCTV),[236] a study of the availability and use of personal information in public registers,[237] and guidelines concerning employer/employee relationships.[238] A specially created internal working group of the Commission is currently preparing a comprehensive introductory paper to the new law in order to help individuals and organizations understand their new rights and obligations. An updated guidance on the Telecommunications (Data Protection and Privacy) Regulations will also be published soon.[239]

The Regulation of Investigatory Powers Act 2000 became law in July 2000.[240] It provides powers for the Home Secretary to warrant interception of communications and to require Communications Service Providers to provide a “reasonable interception capability” in their networks. It further allows any public authority designated by the Home Secretary to access “communications data.” This data includes the source, destination and type of any communication, such as mobile phone location information. Finally, powers are provided for senior members of the civilian and military police, Customs, and members of the judiciary to require the plaintext of encrypted material, or in certain circumstances decryption keys themselves. It replaces the Interception of Communications Act of 1985.[241] It also sets rules on other types of investigatory powers that had not been previously regulated under UK law. Many legal experts, including the Data Protection Commissioner, believe that many of the provisions violate the European Convention on Human Rights and a legal challenge is likely.

In 1998, 1,913 orders for intercepting telephone communications were approved, an increase of 25 percent from the previous year and nearly 400 percent over ten years. Telephone taps for national security purposes are authorized by the Foreign Minister. There were also 118 orders for interception of mail communications. The National Criminal Intelligence Service published a series of codes of practice on interception, surveillance, use of informants, undercover operations and use of intelligence materials in May 1999 to ensure adherence with the European Convention on Human Rights incorporation into UK law.[242]

There is a long history of illegal wiretapping of political opponents, labor unions and others in the UK.[243] In 1985, the European Court of Human Rights ruled that police interception of individuals’ communications was a violation of Article 8 of the European Convention on Human Rights.[244] The decision resulted in the adoption of the Interception of Communications Act 1985. Most recently, the European Court of Human Rights ruled in 1997 that police eavesdropping of a policewoman violated Article 8.[245] In the late 1970’s, MI5, Britain’s security service, tapped the phones of many left-leaning activists including the future Secretary of State for Trade and Industry Peter Mandelson, and kept files on Jack Straw, now Home Secretary, and Harriet Harman, former Social Security Secretary, as well as Guardian journalist Victoria Brittain. The High Court issued an injunction against the Mail on Sunday preventing the publication of further revelations. In September 1998, it was revealed that there were secret talks between the Association of Chief Police Officers (ACPO) and representatives for Internet Service Providers (ISPs) with the aim of reaching a “memorandum of understanding” to give the police access to private data held by ISPs.[246]

In late 1997, a report commissioned by the European Parliament and prepared by the UK-based research group Omega Foundation, confirmed that Britain was a key player in a vast global signals intelligence operation controlled by the U.S. National Security Agency (NSA).[247] According to the report, the U.S. and its UK partner, GCHQ, “routinely and indiscriminately” intercepted large amounts of sensitive data which had been identified through keyword searching. The eavesdropping was carried out from a number of spy bases in the UK, most notably the Menwith Hill base in the north of England. The European Parliament recently created a one-year temporary committee to investigate allegations that the Echelon surveillance system violates individual privacy rights and is used to conduct industrial espionage.[248]

There are also a number of other laws containing privacy components, most notably those governing medical records[249] and consumer credit information.[250] Other laws with privacy components include, the Rehabilitation of Offenders Act of 1974, the Telecommunications Act of 1984 (as amended by the Telecommunications Regulations of 1999), the Police Act of 1997, the Broadcasting Act of 1996, Part VI and the Protection from Harassment Act of 1997. Some of these acts are amended and may be repealed in part by the 1998 Data Protection Act. The Police and Criminal Evidence Act (1984) allows police to enter and search homes without a warrant following an arrest for any offense. And while police may not demand identification before arrest, they have the right to stop and search any person on the street on grounds of suspicion. Following arrest, a body sample will be taken for inclusion in the national DNA database.[251] The Crime and Disorder Act of 1998 provides for information sharing and data matching among public bodies in order to reduce crime and disorder. The Data Protection Commissioner has issued a report on the privacy implications of this Act.[252]

The privacy picture in the UK is mixed.[253] There is, at some levels, a strong public recognition and defense of privacy. Proposals to establish a national identity card, for example, have routinely failed. On the other hand, crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence and freedom of speech.[254] There has been a proliferation of CCTV cameras in hundreds of towns and cities in Britain. The camera networks can be operated by police, local authorities or private companies, and are partly funded by a Home Office grant. Their original purpose was crime prevention and detection, though in recent years the cameras have become important tools for city center management and the control of “anti-social behavior.” Between 150 million and 300 million pounds a year is spent expanding the web of 200,000 cameras covering public spaces in Britain,[255] but despite the ubiquity of the technology, successive governments have been reluctant to pass specific laws to govern their use. Their use has come under greater criticism recently and recent research by the Scottish Centre for Criminology found that the cameras did not reduce crime, nor improved public perception of crime problems.[256] As mentioned above, the Data Protection Commission has also issued a code of practice for the use of these cameras.

There have been efforts for over 20 years to enact a Freedom of Information Act in the UK. A 1994 “Code of Practice on Access to Government Information” provides some access to government records but has 15 broad exemptions. Dissatisfied applicants can complain, via a Member of Parliament, to the Parliamentary Ombudsman if their request is denied.[257]

A Freedom of Information Bill was introduced into the House of Commons in November 1999. A draft of the legislation was released for public consultation in May 1999.[258] The Act was amended and approved by the House of Commons in April 2000. The Bill is currently pending before the House of Lords. It has received considerable criticism from by many politicians across the political spectrum and NGOs as being insufficient and weaker than the existing code of practice. Some 195 Members of Parliament signed a Parliamentary motion calling for major improvements. The law will create a new officer, the Information Commissioner, to oversee both the Freedom of Information regime and the Data Protection Act 1998. The Scottish Parliament is drafting a stronger Freedom of Information Law as one of their first actions.

The UK is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[259] along with the European Convention for the Protection of Human Rights and Fundamental Freedoms.[260] In addition to these commitments, the UK is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The Isle of Man Data Protection Act of 1986 is based on the 1984 UK Data Protection Act. A Data Protection (Amendment) Bill is expected to be introduced in the 1999/2000 legislative programme. The Act is enforced by the Office of the Data Protection Registrar.[261]

The Guernsey Data Protection Law of 1986 is also based on the UK Act.[262] A committee recommended changes to the Act in June 2000 based on the revised UK Act. The Act is enforced by the Isle of Guernsey Data Protection Commissioner.[263]

The Data Protection (Jersey) Law came into force in 1987. The law is equivalent to the 1984 UK Data Protection Act. The Act is overseen by the Data Protection Registry who registers databases and conducts investigations. It registered 1,605 databases by the end of 1998. The Registrar currently works on a part time basis.

There is no explicit right to privacy in the U.S. Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on a number of provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a “reasonable expectation of privacy”[264] and also in matters relating to marriage, procreation, contraception, family relationships, child rearing and education.[265] However, records held by third parties, such as financial records or telephone calling records, are generally not protected unless a legislature has enacted a specific law. The Court has also recognized a right of anonymity[266] and the right of political groups to prevent disclosure of their members’ names to government agencies.[267] In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the Drivers Privacy Protection Act (DPPA), a 1994 law that protects drivers’ records held by state motor vehicle agencies. In a unanimous decision, the Court found that the information was “an article of commerce” and can be regulated by the federal government.[268]

The Privacy Act of 1974 protects records held by U.S. Government agencies and requires agencies to apply basic fair information practices.[269] Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a “routine use” compatible with the purpose for which the information was originally collected. Limits on the use of the Social Security Number have also been undercut in recent years for a number of purposes.

There is no independent privacy oversight agency in the U.S. The Office of Management and Budget plays a limited role in setting policy for federal agencies under the Privacy Act, but it has not been particularly active or effective. An office within the Office of Management and Budget to coordinate federal stances towards privacy was created in early 1999, and a Chief Counselor for Privacy was appointed. The Counselor has only a limited advisory capacity and most privacy advocates believe the position is ineffective in promoting privacy within the government. The Federal Trade Commission has oversight and enforcement powers for the laws protecting children’s online privacy, consumer credit information and fair trading practices but has no general authority to enforce privacy rights.[270] The FTC has received thousands of complaints but has issued opinions in only a few cases. It has also organized a series of workshops and surveys, which have found that industry protection of privacy on the Internet is poor, but the FTC had long said that the industry should have more time to make self-regulation work. In a shift from this historical position, the FTC recommended in this year’s report to the U.S. Congress that legislation is necessary to protect consumer privacy on the Internet due to the dismal findings in a survey of online privacy policies.[271]

The U.S. has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information.[272] These include financial records,[273] credit reports,[274] video rentals,[275] cable television,[276] children’s (under age 13) online activities,[277] educational records,[278] motor vehicle registrations,[279] and telephone records.[280] However such activities as the selling of medical records and bank records, monitoring of workers, and video surveillance of individuals are currently not prohibited under federal law. There is also a variety of sectoral legislation on the state level that may give additional protections to citizens of individual states.[281] The tort of privacy was first adopted in 1905 and all but two of the 50 states recognize a civil right of action for invasion of privacy in their laws.

Surveillance of wire, oral and electronic communications for criminal investigations is governed by the Omnibus Safe Streets and Crime Control Act of 1968 and the Electronic Communications Privacy Act of 1986.[282] Police are required to obtain a court order based on a number of legal requirements. Surveillance for national security purposes is governed by the Foreign Intelligence Surveillance Act that has less rigorous requirements.[283] There were 1,350 orders for interceptions for criminal purposes[284] and 886 for national security purposes in 1999.[285] The use of electronic surveillance has more than tripled in the last ten years.

The federal wiretap laws were amended by a controversial bill entitled the Communications Assistance to Law Enforcement Act in 1994 that required telephone companies to redesign their equipment to facilitate electronic surveillance.[286] The Federal Communications Commission issued regulations in November 1998 implementing the law.[287] The regulations include several additional provisions including requiring that all mobile phone companies facilitate location tracking of users. The implementation of the law is currently being challenged in federal court by privacy groups and telecommunications companies, who argue that the regulations give the government more power than authorized under the law and the Constitution.[288]

The intelligence agencies have also pushed for more authority and funding to conduct surveillance of Internet communications, arguing that this is necessary to protect the nation’s infrastructure from “information warfare.” In July 2000, it was revealed that the FBI has developed a system called “Carnivore” that is placed at an Internet Service Provider’s offices and can monitor all traffic about a user including email and browsing.[289] Earthlink, a major ISP, announced that it refuses to install the system in its network.[290] After the system was discovered, Attorney General Reno promised to conduct a review of its privacy protections.[291] EPIC has filed suit demanding access to all information about the system.

There has been significant debate in the United States in recent years about the development of privacy laws covering the private sector. The White House and the private sector maintain that self-regulation is sufficient and that no new laws should be enacted except for a limited measure on medical information. There are currently efforts in Congress to improve financial privacy by prohibiting banks from selling personal information of customers without permission, but the proposal is strongly opposed by the banking industry. There is substantial activity in the states, particularly in California, New York and Minnesota. In Massachusetts and Hawaii comprehensive privacy bills for the private sector are now under consideration.

Internet privacy has remained the hottest issue of the past year. A series of companies, including Intel and Microsoft, were discovered to have released products that secretly track the activities of Internet users. A number of lawsuits have been filed by users under the wiretap and computer crime laws. In several cases, TRUSTe, an industry-sponsored self-regulation watchdog group ruled that the practices did not violate its privacy seal program.[292] Significant controversy arose around online profiling, the practice of advertising companies to track Internet users and compile dossiers on them in order to target banner advertisements. The largest of these advertisers, DoubleClick, set off widespread public outrage when it began attaching personal information from a marketing firm it purchased to the estimated 100 million previously anonymous profiles it had collected.[293] The company backed down due to public opposition, a dramatic fall in its stock price and investigations from the FTC and several state attorneys general. In July 2000 the Federal Trade Commission reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only the opt-out consent.[294] This agreement did not satisfy the state attorney generals and they have vowed to continue their investigation. Intel announced in May 2000 that it was dropping the incorporation of unique identifiers in its next