The Bulgarian Constitution of 1991 recognizes rights of privacy secrecy of communications and access to information. Article 32 states, "(1) The private life of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law." Article 33 states, "(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant's consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities' permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity." Article 34 states, "(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime." Article 41 states, "(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others."[758]
The Personal Data Protection Act (PDPA) was adopted by the National Assembly in December 2001 and came into effect in January 2002. Adoption of the law was a key part of the administrative reforms being undertaken in preparation for accession to the European Union. The law closely follows the European Union Data Protection Directive. It sets out rules for the fair and responsible handling of personal information by the public and private sector. Personal information is defined as "any information relating to a natural person, legal entity or group of individuals revealing physical, psychological, mental, economic, cultural or public identity, regardless of the form or method used for its recording."[759] Entities collecting personal information must inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is securely held and cannot be tampered with, stolen or improperly used; and limit the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances. Sensitive information, including information concerning racial or ethic origin, political or religious affiliation, health, sexual life, and beliefs, is given special protection and can only be processed with the express written consent of an individual.[760] Some concerns have been raised that the law has too broad a scope. The Bulgarian Access to Information Programme notes that the definition of "personal data" includes information relating to the performance of government officials and management or supervisory bodies of legal entities and as such may have a negative impact on access to information rights and government accountability.[761]
The law creates a Commission on Protection of Personal Data, to supervise compliance and implementation; maintain a national register of data controllers; examine complaints and take legal action for violations. The members of the Commission and the Chairperson serve a five-year term and may be re-elected once. They are nominated by the President and approved by the National Assembly. The first Commission was established by a parliamentary decision in May 2002 and started work in June 2002.
The PDPA provides that special rules could be introduced to regulate the processing of personal data for the purposes of defense, national security, law enforcement and criminal justice. Electronic surveillance used in criminal investigations is regulated by the Code of Criminal Procedure and requires a court order.[762]Failure to follow this procedure resulting in unlawful wiretapping is a crime.[763] The Telecommunications Law also requires that agencies must ensure the secrecy of communications.[764] Unlawful opening of e-mail correspondence is a criminal offense.[765] The 1997 Special Surveillance Means Act regulates the use of surveillance techniques by the Interior Ministry for investigating crime but also for loosely defined national security reasons. A court order is generally required but the Ministry of the Interior has a discretionary power to authorize wiretaps without judicial review.
The full extent of this power is not well known but there are regular complaints of abusive and illegal bugging of individuals.
In January 2001, it was announced that approximately 10,000 wiretaps were authorized during the year 2000. According to the Bulgarian Helsinki Federation, only two to three percent of the intercepts were ever used in criminal proceedings.[766] No reasons for this surveillance were given.[767] These statistics have not been updated since then, as the Prosecutor General denied public access to his 2001 report on the surveillance used. The case is still pending. In another case, the Supreme administrative court decided that the denial by the president of a district court to disclose the annual statistic of orders for intercepts was lawful. A Parliamentary Commission held hearings in 2001 on the activities of "public order "agencies which includes the National Intelligence Service, the National Bodyguard Service and the National Security Service.[768] In October 2001, the Interior Ministry reported that they had found illegal wiretapping devices, in recording mode, in the Central Telephone Exchange in Sofia and preparations for such devices in several the city's other exchanges. The bugging of telephone subscribers had been taking place since 1994 and was said to be economically motivated.[769] In November 2001, the director of the National Security Service (NSS) resigned his position. Several allegations of wiretapping politicians had been made against him but these were never substantiated.[770] In August 2000, listening devices were found in the apartment of the Prosecutor General Nikola Filchev and several politicians. Filchev blamed the bugs on the Interior Ministry's Criminal Intelligence Service (CIS). A parliamentary session was held after 53 Democratic Left Parliamentarians demanded a hearing.[771] Following the debate members of the opposition Bulgarian Socialist Party (BSP) submitted draft amendments to put in place a system of judicial oversight for the use of surveillance.[772] In November 2000, the Movement for Rights and Freedoms (DPS), a party of Ethnic Turks, reported that its leaders were being monitored by the security services.[773] In December 2002, the media reported information about possibly unlawful telephone-tapings of public figures including the former NSS director and the Minister of Justice, and about the investigation of a person dubbed "Gnom".[774] Interior Minister partly confirmed the information.
In December 1998, the Bulgarian Committee for Post and Telecommunications issued an executive decree to license Internet Service Providers. The decree gave governmental employees the authorization to enter ISPs' offices at any time and obtain any documentation, including user names and passwords, as well as other private information.[775] The decision was extensively criticized by Internet users, service providers and others, including German Chancellor Shröder who said that licensing was not appropriate. The Bulgarian Internet Society (ISOC) chapter filed a case at the Supreme Administrative Court to stop the decree in January 1999. The Court ordered a temporary restraint of the decree on June 17, 1999. In November 1999, the Bulgarian Prime Minister ordered the Minister of Telecommunications to negotiate an out of court agreement with ISOC. A few weeks later, the decree was changed, and the ISPs were removed from the licensing requirements and placed in the "free regime" category.
There are additional provisions relating to privacy in laws such as the Statistics Law, Tax Administration Law, Insurance Law,[776] and Social Assistance Law.[777] The Radio and Television Act sets limits[778] on broadcasting of personal information.
The Law for Access to Information to provide access to government records was enacted in June 2000 and went into force in July2000.[779]The law allows for access to records except in cases of state security or personal privacy. Amendment of the Act is currently underway in order to implement Council of Europe Recommendation R (2000)2 on Access to Official Documents, adopted in February 2001.[780] A new Archives Act is also pending. The Classified Information Protection Act was passed in April 2002 and went into force in May 2002. It regulates state and official secrets and establishes a Commission on the Security of Information. The law abolished the 1997 Access to Documents of the Former State Security Service Act regulating the access, proceedings of disclosure and use of information kept in the documents of the former State Security Service. The Constitutional court rejected the claim of a group of Members of Parliament that the abolition and some other provisions of the new law are unconstitutional.[781]
Bulgaria is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[782] It has signed but not ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[783] In November 2001, Bulgaria signed but has not ratified the Council of Europe Cybercrime Convention (ETS No. 185).[784]