Czech Republic

The 1993 Charter of Fundamental Rights and Freedoms provides for extensive privacy rights. Article 7(1) states, "Inviolability of the person and of privacy is guaranteed. It may be limited only in cases specified by law." Article 10 states, "(1) Everybody is entitled to protection of his or her human dignity, personal integrity, good reputation, and his or her name. (2) Everybody is entitled to protection against unauthorized interference in his or her personal and family life. (3) Everybody is entitled to protection against unauthorized gathering, publication or other misuse of his or her personal data." Article 13 states, "Nobody may violate secrecy of letters and other papers and records whether privately kept or sent by post or in another manner, except in cases and in a manner specified by law. Similar protection is extended to messages communicated by telephone, telegraph or other such facilities."[983]

On April 4, 2000, the new Act "On Personal Data Protection" was enacted and went into effect on June 1, 2000.[984] The act replaces the 1992 Act on Protection of Personal Data in Information Systems.[985] The act implements the basic requirements of the EU Data Protection Directive; however, it grants exceptions to the police and intelligence services from many of the key provisions. The EU had been pressuring the Republic to move more quickly in adopting this legislation for several years.[986] Negotiations between the European Commission's Article 29 Committee and the Czech Office for Personal Data Protection have already taken place on the question of adequacy and they have apparently made significant progress. The European Commission in its 2002 Regular Report on the Czech Republic's Progress towards Accession stated:

Legislation in the field of the protection of personal data is largely in line with the acquis. However, amendments to the 2000 Data Protection Act are still needed to make it fully compliant with the acquis. Furthermore, other relevant legislation must also respect the acquis. The Office for Personal Data Protection (OPDP) is an independent supervisory authority responsible for this area; it performs the standard activities of an independent supervisor and is empowered to impose financial sanctions. The Office is operational and it has achieved important progress in ensuring compliance with the Law and raising awareness. However, lack of office space and low salaries make it difficult to hire all the personnel allocated in the budget and thus the Office remains understaffed.[987]

Under the Act, data controllers were required to register their systems by December 1, 2000 and to fully comply with the other provisions of the law by June 1, 2001. In May 2001, the President signed an amendment to the Act exempting political parties, churches, sports clubs and other civic organizations from certain requirements of the Act. These organizations will no longer need to register their data protection activities or obtain the consent of individuals before collecting personal information.[988]

The act established an Office for Personal Data Protection as an independent oversight body.[989] The office is responsible for supervising the implementation of the act; maintaining a register of databases; investigating complaints; imposing fines for violations; conducting audits and providing consultations on data protection; and commenting on legislative proposals. Until January 1, 2003, the Office also had authority over the certificate authorities for digital signatures under Act No. 227 of June 29, 2000 on Electronic Signatures, but on January 1, 2003, this responsibility was transferred to the new Ministry of Informatics.[990]

In August 2000, Karel Neuwirt was appointed to a five-year term as President of the Office. Three independent inspectors were also appointed to the Office, effective October 1, 2000. Subsequently, the total number of independent inspectors has risen to seven, each with ten-year terms.[991]

In the President's first annual report, Neuwirt noted that during the period between June 1 and December 31, 2000, the office had received forty written complaints, had registered 108 data controllers, and had issued decisions on twenty-nine cases.[992]

As of December 2001, a total of 17,082 notifications of personal data processing had been registered with the Office by 13,736 controllers. During the year 2001, the Office handled approximately 200 written complaints, ordered remedies for breaches of the Act in 25 cases, and issued decisions on 322 applications for the transfer of personal data abroad. The Office also received an average of 500 telephone inquiries a month and 195 requests for comment on legislative proposals.[993]

As of December 2002, the Office processed a total of 20,143 registrations submitted by 17,703 registered controllers. In 2002, the Control Department of the Office dealt with 755 complaints and petitions. The most frequent justified complaints were: (1) unclear sources of data used for addressing potential clients in direct marketing, (2) extensive use of birth certificate numbers, (3) systematic acquisition of video recordings of individuals, (4) publishing lists of debtors, (5) insufficiencies in the formulation of a data subject's consent and in the conditions under which consent is granted, etc. Justified complaints together with the plan of controls led to 354 investigations (inspections and other control actions). Investigations were related to: public administration (80 actions), banking (49 actions), marketing (32 actions), trade (31 actions), health and social services (26 actions), and others.[994]

In mid-March of 2001, the Data Protection Office asked the Czech Statistical Office (CSO) to stop processing the results of the national census (carried out earlier that month) because of doubts as to the ability of the CSO to safeguard the data and because of the involvement of a private company, DELTAX Systems, in the processing.[995]

Electronic surveillance, wiretapping, and the interception of mail are regulated under the criminal process law and require a court order.[996] A judge can approve an initial wiretap order for up to six months. There are special rules for intelligence services. Electronic surveillance, the tapping of telephones, and the interception of mail require a court order, and violations are subject to effective legal sanction. During the year, security forces monitored the activities of the Patriotic Republican Party (see Section 3). In December 2000, the Interior Ministry publicly announced that it was conducting an investigation into the constitution of the far right Patriotic Republican Party to determine if the party should be deregistered, and the police and security services monitored the party's activities.

Over the years, there have been many reports of illegal searches using wiretaps. In May 2001, the Foreign Ministry confirmed that bugging devices had been found in the Stirin conference center, which was used by the Ministry to host major negotiations during January 2000.[997] In December 1999, former Health Minister Ivan David alleged that a bugging device was installed in his office a few months prior to his resignation.[998] Also in 1999, following a letter Romani activists sent to the mayor protesting racial discrimination, there were complaints that the police conducted several searches without warrants of Romani homes.[999] In 1996, the Czech secret service (BIS) was accused of monitoring politicians and civic and environmental groups such as Greenpeace.[1000] In 1993, Justice Minister Jiri Novak's telephone was reportedly tapped. A secret service employee found a bugging device in the ministry's central telephone switchboard in the middle of September 1993.

The Penal Code covers the infringement of the right to privacy in the definitions of criminal acts of infringement of the home,[1001] slander,[1002] and infringement of the confidentiality of mail.[1003] There are also sectoral acts concerning statistics, medical personal data, banking law, taxation, social security and police data. Unauthorized use of personal data systems is considered a crime.[1004] The law on the Police of the Czech Republic was recently amended in order to bring it into conformity with the Council of Europe Recommendation R (87) 15. Compliance with this recommendation is one of the requirements for accession to Europol and to the Schengen Agreements. During the drafting period, the President of the Data Protection Office submitted comments on the proposed amendments. The Constitutional Court received several complaints about police misconduct, including violations of privacy, following the September 2000 meetings of the International Monetary Fund (IMF) in Prague.[1005]

The Parliament approved the Freedom of Information Law in May 1999.[1006] The law is based on the US Freedom of Information Act and provides for citizens' access to all government records held by State bodies, local self-governing authorities, and certain other official institutions, such as the Chamber of Lawyers or the Chamber of Doctors, except for classified information, trade secrets, or personal data.[1007] However, on August 5, 2002, the government rejected a Senate-sponsored amendment to the law that would have required applicants to pay only for material costs rather than having to pay for the costs associated with searching.[1008] A 1998 act governs access to environmental information.[1009]

In April 1996, the Parliament approved a law that allows any Czech citizen to obtain his or her file created by the Communist-era secret police (StB). Non-Czech citizens are not allowed to access their records. The Interior Ministry holds 60,000 records, but it is estimated that many more were destroyed in 1989. In October 1998, there was a controversy over rumors that the records showed that former Vienna Mayor Helmut Zilk, who was about to receive an award from Czech President Vaclav Havel, was a collaborator with the StB. It was suspected that the Office for the Documentation and Investigation of the Crimes of Communism was the source of the documents.

Also of note, the Interior Ministry decided to publish a list of Communist StB secret service collaborators. The Office for the Protection of Personal Data, which offered comments on the original legislation that allowed for the release of the information, stated that such a release would not be in conflict with the law on the protection of personal data. The list was published in March of 2003 on the Internet.[1010]

In May of 2003, the Office for Personal Data Protection opposed the Health Ministry's plan to require all people entering the Czech Republic to fill out a form stating their name, passport number, country of departure, the length of their stay in the Czech Republic, as well as the address where they will be staying in the country. The Ministry of Health presented the form requirement as a way to deal with a potential SARS outbreak and said that all forms would be destroyed after the SARS incubation period of ten to twenty days. The Office for Personal Data Protection maintained that the requirement was in opposition to the law.[1011]

The Czech Republic is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1012] In September 2000, the Czech Republic signed the Council of Europe Convention 108 on the Protection of Individuals with Regard to Automatic Processing of Personal Data.[1013] This Convention was finally ratified on July 9, 2001. The Czech Republic is also a member of the Organization for Economic Cooperation and Development. It has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.