Hellenic Republic (Greece)

The Constitution of Greece recognizes the rights of privacy and secrecy of communications. Article 9 states: "(1) Every person's home is a sanctuary. The private and family life of the individual is inviolable. No home search shall be made, except when and as specified by law and always in the presence of representatives of the judicial power. (2) Violators of the preceding provision shall be punished for violating the home's asylum and for abuse of power, and shall be liable for full damages to the sufferer, as specified by law."[1253] A Constitutional amendment in 2001 added a new provision to this article granting individuals a direct right to protection of their personal information. The new provision, Article 9A, states: "All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law. The protection of personal data is ensured by an independent authority, which is established and operates as specified by law."[1254] Article 19 of the Constitution protects the privacy of communications. It states: "Secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable. The guaranties under which the judicial authority shall not be bound by this secrecy for reasons of national security or for the purpose of investigating especially serious crimes, shall be specified under law." The 2001 amendment, in addition to adding two new provisions to this article, establishes an independent authority to supervise matters relating to telecommunications.[1255] Article 19(2) now states: "The matters relating to the establishment, operation and powers of the independent authority ensuring the secrecy of paragraph 1 shall be specified by law." Article 19(3) states: "The use of evidence acquired in violation of the present article and of articles 9 and 9A is prohibited."[1256]

The Law on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act) was approved in 1997.[1257] Greece was the last member of the EU to adopt a data protection law and its law was written to directly adopt the EU Directive. The Act was also necessary for Greece to join the Schengen Agreement. There were major protests during the ratification of the Schengen Agreement for border controls and information sharing. According to news reports, police used tear gas to disperse a group of about 1,000 protesters, including Orthodox priests, when they tried to push their way into Parliament as the pact was being debated.[1258]

The Hellenic Data Protection Authority (DPA) was established in November 1997 as an independent authority set to monitor privacy violations in Greece. It was created to supervise the implementation of the Data Protection Act and all regulations referring to the protection of personal data.[1259] It also exercises other powers delegated to it from time to time.

The DPA is responsible for archival audits, issuing regulatory acts arising from legislation on data protection, and providing information and recommendations to interested parties to ensure compliance with data protection regulations. Its mandate includes issuing directives to enhance uniformity in implementation and to protect personal data vis-à-vis technological developments; assisting controllers in drafting codes of conduct; examining complaints; reporting violations; and issuing decisions related to the right to access information. The DPA grants permits for the collection and processing of sensitive personal data and is accountable for the interconnection of files, including sensitive data and the trans-boundary flow of personal data. The DPA's communications office is in charge of all public relations and communication with private and public services and institutions, the media, foreign data protection authorities, European Union authorities, and international organizations and institutions.[1260]

On December 16, 2002 the head of the DPA, and its first President, Mr. Dafermos, resigned from his post when it had been made clear that the Parliament would not support him for a new term. Mr. Dafermos had just completed his first term and was replaced by Mr. Gourgourakis, a former high court judge. Although Mr. Dafermos had generally kept a low profile, he had aroused criticism from the Greek church and the right-wing party (New Democracy) after repeatedly getting involved with religious issues that remained undiscussed until now. Mr. Dafermos has now been appointed General Controller for the Public Administration.[1261]

The DPA has issued some twenty-two decisions during the discussed period, ranging from issues of the Olympic Games to the ISDN Caller-ID issue. Some of the more important issues currently being worked on by the Greek DPA include: (1) the credit-reporting system's (TEIRESIAS) white-list. The official bank-run credit-reporting system purports to make a list not only for bad-debtors, but also for good-payers; (2) the processing of personal information during the Olympics; (3) data-matching among the Ministries of Public Transport, of Finance and of Public Security (the actual collection of fines is a Greek first); (4) ISDN Caller-ID; (5) the decision on the inclusion of religion in the elementary and high school curricula (the "final straw" that outraged the Church and ended Mr. Dafermos' chances for a new term).[1262]

In Decision 55/2002, the DPA ruled on videophone practices which were used between a bank and another company, and involved clients talking to the bank's employees from the other company's premises. After filling in the relevant documents and before signing them, the client was asked to contact the competent bank employee by videophone in order to receive some clarifications about the documents and, then, to sign them. The complainant refused and the transaction was cancelled. The bank argued that the videophone was necessary to verify the customer's signature on the documents. The system involved a bi-directional communication with picture transmission, using a dial-up ISDN line. The DPA held that the transmission of the picture did not entail the storage of sound and image data. Furthermore, the system did not constitute a CCTV system since the nature of the communication line did not allow for continuous surveillance of the place. The DPA concluded that the data protection law was not violated because (1) the personal data would not be processed to assemble a file and (2) the data subject had given his prior consent.[1263]

Over the previous year, the DPA ran nine "controls" altogether: five at banks, one at the Ministry of Defense, one at a nursery clinic, one at an NGO, and one at an internet provider (private enterprise). It found that banks are doing well in protecting privacy, but they need to inform their customers better in the future. A lot of discussion is taking place regarding some "instant loans" for a relatively small amount (maximum EUR 3,000) that are practically given automatically by machines, although the machines have to record the customer's picture and electronically save his or her signature. Other areas also did well. The Internet company case related to an installed web-camera. The camera was intended to show the weather and not persons, therefore the company was allowed to keep it, but it was forced to register as a "data controller."[1264]

Some examples of judicial actions include: (1) a case where a spam mailer (by post, not e-mails) was forced to pay a substantial amount as damage to a person who had inserted his data in the "Robinson" list[1265]; and (2) another case where it was determined that data pertaining to the detection of a crime can be examined in court, despite privacy implications.[1266]

In 2001, the DPA received 944 complaints and inquiries.[1267] From September 2001 to June 2002, there were approximately 500 requests referring mainly to unlawful collection and processing of personal data by companies involved in direct marketing, banks and financial institutions, debt recording and telecommunications companies, maternity hospitals, closed-circuit television systems/communication of data to third parties and entries in the Schengen information system.[1268] Since the entry into force of Greek law on the protection of personal data, the DPA has performed 51 audits on privacy policies and standards. During 2001, the DPA conducted 15 audits of files held by general hospitals and clinics, data banks, and debt-recording companies.[1269]

In the past few years, the DPA has issued directives relating to state identity cards, direct marketing, CCTV, DNA testing, and workplace surveillance. The DPA has also issued guidelines covering data protection in the workplace, in particular surveillance of phone calls and e-mails.[1270] On May 4, 2000, in a controversial ruling, the Agency ruled that religious affiliations must be removed from state identity cards. The decision was opposed by the Greek Orthodox Church and led to massive protests and challenges to the ruling.[1271] In March 2001, Greece's highest administrative court upheld the ruling, finding that stating citizens' religious affiliation on the compulsory identity cards was unconstitutional.[1272] Prior to the ruling, Greece was the only member of the European Union that required citizens to list their religious beliefs on citizen identity cards. The new Greek identity cards do not include religion, even on a voluntary basis. In addition to the removal of religious affiliation, new identity cards also no longer include fingerprints, names and surnames of the cardholder's spouse, maiden names, profession, home addresses, or citizenship.

The DPA considers the trading of personal data for direct marketing or sales to be lawful under specific conditions and only with the consent of the individual or when the data is collected from public sources. It has specific guidelines for the ascertainment of credibility of information and only for specific purposes.[1273] In May 2000, the DPA issued a directive regarding direct marketing companies that were collecting personal data directly from mothers in maternity hospitals. The directive required that hospitals act as controllers by drafting a consent form for mothers who wanted to receive advertising literature to fill out. The hospital would then forward the consent form to marketing firms.[1274]

In September 2000, the Authority set out guidelines prohibiting the recording, use, monitoring, and retention of personal information through the use of CCTV on a regular, continuous, or permanent basis.[1275] Recording is only lawful when it is done for the protection of individuals or goods or for traffic violations and only under the principles of necessity and proportionality. In these exceptional cases, the DPA must grant permission, and the rules on accuracy and notification must be followed. With respect to crime prevention or repression, the DPA must grant special permission to judicial and legal authorities to use cameras, with strict guidelines for use and retention. In the course of the past year, the authority received five complaints concerning CCTV systems in the private sector, two of which were infractions. The authority upon examining these infractions ordered the relocation of the cameras and the prior notification of individuals entering the area monitored by CCTV.[1276]

With respect to DNA analysis for the purpose of criminal investigation and prosecution, the DPA issued an opinion in 2001 expressing concern with the method and effects of collection of citizens' sensitive data. According to the opinion, the genetic analysis of DNA must be limited to the "non-codified section of DNA" and identity verification.[1277] The DPA advised that any methods that allow any conclusions about the personality traits of individuals from their DNA should be forbidden, including personality profiling.[1278] This method of investigation should only be used for verification of offenders' and victims' identity and for criminal investigations and should be destroyed once the fulfillment of the intended aim is achieved. Finally, the Authority does not support any effort to collect and analyze genetic material for preventative purposes.[1279]

According to the Human Rights Watch 2002 World Report, in August 2001, the DPA asked the government to discard a provision of the law compelling hospital staff and hotel employees to notify the police if undocumented migrants sought their services because it violated Greece's privacy protection laws.[1280]

In May 2001, there was a public outcry when it was revealed that Megalos Adelfos, the local version of the television show, Big Brother, was soon to be aired in Greece. The National Council for Radio and Television requested details of the show to determine whether it would breach the country's privacy regulations.[1281] In July, the DPA issued an order for the termination of the processing of personal data for the show.[1282] The show aired nonetheless. Citing privacy concerns, journalists and media students staged a protest outside the private Antenna network headquarters.

According to the Hellenic Bank Association, a nonprofit legal entity that represents banks and other financial institutions operating in Greece and sets codes of banking ethics for its members, there are voluntary standards of confidentiality and banking secrecy that protect customers' financial records. These records can only be disclosed with the consent of the customers. However, the code also states that the exchange of consolidated information between banks relating to "groups of customers, as part of the electronic transfer of quantitative data on transactions and/or for statistical purposes, does not constitute a breach of confidentiality."[1283]

While Law no. 2225/94 requires police who wish to conduct telephone taps to obtain court permission,[1284] in the past there were continuing reports of government surveillance, including illegal wiretapping and interception of mail of human rights groups, Orthodox religious groups, and activist members of minority groups.[1285] Although monitored in the past, this year the Greek Helsinki Monitor reported that it was not monitored by security services.[1286]

In April 2001 the European Court of Human Rights, in the case of Donald Peers v. Greece, found that Mr. Peers was entitled to compensation for breach of privacy, under Article 8 of the European Convention, when prison administrators opened his mail while he was incarcerated for drug offences in Greece in 1994.[1287]

While the current Greek Penal Law does address some cyber-crimes, the penalties for violators are generally not severe, and when Greece tries to reduce cyber-crime, the laws it passes generally do not correct the problem.[1288] One example of this can be seen in the attempt of the Greek government, during the summer of 2002, to restrict electronic games. This was primarily done to stem the flow of illegal online gambling, but led to economic hardship for many arcade owners, Internet cafes and computer game stores. Many of them closed or were forced to pay big fines for violations of the law. A side effect of these closures was the even bigger support for illegal distribution of pirated copies of games. This ultimately led to its repeal.[1289]

In an interview in June 2002, the Minister of Public Order, Mr. Michales Chrysocoidis, stated that although cybercrime has not reached a top level in Greece, the Ministry of Public Order has received warning signs that have forced it to consider the creation of a National Center with the aim of protecting public and private electronic infrastructures from cyber-crimes performed through the use of the Internet.[1290]

Public organizations such as the Greek Telecommunications Organization and the Greek Electricity Organization, carrier organizations like Service of State Airways, and government organizations such as the National Intelligence Agency and the Greek police will all be involved in the National Center project. The Minister also added that private organizations should participate in the project as well and admitted that other European countries are ahead of Greece in similar activities.[1291]

Tough security measures, including military patrols, special commando units and more than 1,000 surveillance cameras, are being put in place for the 2004 Olympic Games in Athens.[1292] Greek law enforcement authorities are being provided training and intelligence assistance from seven countries: Australia, Britain, France, Germany, Israel, Spain, and the United States.[1293] There appears to be little concern over the violation of citizen privacy through the use of these cameras.

In 1999, Greece created Article 5 of the Greek Code of Administrative Procedure (Law No. 2690/1999)[1294] which is a new Freedom of Information Act that provides citizens the right to access administrative documents created by government agencies. It replaces Law 1599/1986, which regulated the use of the Single Register Code Number (EKAM).[1295]

Greece is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[1296] and the EU Convention for the Protection of Human Rights and Fundamental Freedoms.[1297] In November 2001, Greece signed the CoE Convention on Cybercrime.[1298] Greece is also a member of the Organization for Economic Cooperation and Development and has adopted the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.