The right to privacy appears in two forms in the 1991 Slovenian Constitution,[2337] as an individual right of a private character, and as a human right, meaning that it also has a public nature.[2338] Privacy rights are covered in the second section of the Constitution, which protects various aspects of privacy. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, "The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights." Article 37 on the Protection of Privacy of Post and other Means of Communication states, "The privacy of the post and of other means of communication shall be guaranteed. In accordance with statute, a court may authorize action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security."[2339]
In 1999 Slovenia enacted a Personal Data Protection Act (PDPA) based on the EU Data Protection Directive and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). Under this law, private entities may process personal data only if they have obtained individuals' written consent, or if the data processing is regulated by law. Article 38 of the Constitution, on the Protection of Personal Data, states, "The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of that data."[2340]
In July 2001 a new Act[2341] amending the PDPA came into force. The primary purpose of the amendment was to establish an independent oversight mechanism in accordance with the requirements of the 1995 EU Data Protection Directive. Previously, supervision of the Act was conducted by a single Inspector within the Ministry of Justice. The new Act created an independent agency, the Inspectorate for Personal Data Protection, within the Ministry of Justice. Supervision of the Act is divided between the Inspectorate and the Human Rights Ombudsman. The Inspectorate began work in September 2001 and, as of July 2002, employed three persons. The Human Rights Ombudsman employs two persons responsible for data protection. The Ministry of Justice remains responsible for maintaining the database registry. The Home Policy Committee within the National Assembly also performs oversight of the Act.[2342]
The PDPA applies the principles contained in Convention No. 108. The Convention and the PDPA provide that everything that is not explicitly allowed in connection with personal data collection and processing is prohibited. The first version of the PDPA was enacted in 1990, with amendments dating from 1999 and 2001. Public entities may only process personal data for which they have been granted legal authorization. Persons whose personal data are gathered must be informed in advance of the purpose of the collection of data (by giving their written consent, or where the purpose of collection is authorized by law). In principle, personal data can be gathered and stored for only as long as needed to meet that objective, and deleted or blocked once the objective is met. All exemptions must be defined in the law.
The PDPA also defines in detail the duties of the data controller. It is prohibited to use the same identifier in databases maintained in the areas of public safety, state security, defense, judiciary and health. The connection between these databases is allowed only if there is a legal basis or the individual has given his or her written consent. The data controller of such databases must enable access to the individual free of charge within fifteen days of receiving his or her request, as well as provide a copy of an individual's personal data within thirty days of receiving the request. If a data controller fails to fulfill this obligation, he or she must state the reasons for doing so in writing. Where an individual's personal data are transferred to recipients, the data controller must supply, at that individual's request, the list of recipients within thirty days.
If an individual provides evidence that his or her personal data were gathered in breach of the law, the data controller must delete these data, or update and correct them if the data were inaccurate or incomplete. The data controller must bear those costs, and must also keep a separate catalogue for each database, which contains, among other things, a detailed description of the kind of data gathered and the manner in which they are gathered, the purpose of their use and the duration of storage, the list of their users and a description of how they are secured. Furthermore, the Ministry of Justice, which is responsible for the protection of personal data, must keep a register of all databases containing personal data. Information in this register is provided by data controllers and is publicly available on the Internet.
Special protections are set out for "sensitive data" which is defined as data on racial or other origins, political, religious or other beliefs, trade union membership, sexual behavior, criminal convictions and medical data. This data must be specially labeled and may only be transferred across telecommunications networks if it is protected by "encryption methods" and an "electronic signature" that can guarantee illegibility. The law also imposes cross-border restrictions providing that data may only be transferred to countries that have a data protection legal framework adequate with the Slovenian one.
Some experts argue that the current data protection legislation is probably too strong for use on the Internet, because the PDPA allows the private sector to process personal data not covered by law only with an individual's written consent, an obligation that is not easy to fulfill in practice, particularly in the case of the Internet.[2343]
The Penal Code specifies sanctions for an invasion of territorial privacy in Articles 149 and 152. Article 149 prohibits unauthorized recording or image taking of individuals or their premises if such an act entails a serious invasion of privacy. Article 152 specifies sanctions for the violation of dwellings through an unauthorized entry into, or search of private facilities, or an attempt to do so. Intrusion into a computer system is the subject of Article 242 of the Penal Code, but according to this article, such an intrusion is punishable only if it is connected with business dealings, and made with the aim of acquiring illegal property-related benefits or causing material harm to others.[2344] Furthermore, Article 154 of the Penal Code provides for sanctions and prohibits any use of personal data that is in breach of the law, or any intrusion into an electronic database for the purpose of obtaining some item of information for personal use or for a third party's use. Article 225 also prohibits unauthorized access to an unprotected database, the modification and copying of its content or the insertion of viruses. The conditions under which personal data may be gathered, processed and used are regulated by a separate law, the PDPA.
The right to privacy of communication is also covered by Article 150 of the Penal Code that prescribes sanctions for the violation of the secrecy of means of communication. This article prohibits unauthorized opening of letters and other post and interception of messages transmitted via telecommunications networks, or reading of their contents without opening a letter or other post. Similarly, it prohibits unauthorized acquaintance with the content of a message transmitted by telephone or other telecommunications equipment, as well as the unauthorized forwarding of someone's letter to a third party. Article 151 further prohibits the publication of private communications without consent by the authorized person.
Privacy of communication may only be invaded by a court order, and if such an invasion is deemed necessary for the purpose of criminal proceedings, or in order to protect the security of the state. In Slovenia, this area is regulated by the Criminal Proceedings Act and the Slovenian Intelligence and Security Agency Act (SISAA) and carried out by the police and Slovenian Intelligence and Security Agency (SOVA).
The Criminal Proceedings Act includes a detailed list of criminal offences and cases in which the privacy of communications may be invaded (with a court order), but the SISAA is not as specific. For example, it stipulates that state security is threatened by "activities aimed against...the strategic interests of the Republic of Slovenia," but experts draw attention to the problems potentially arising from such a wording which enables broad interpretations of "strategic interests" in contrast to other more well-defined criminal offences. However the SOVA does not prosecute criminal offenders. If it deals with a suspected criminal offence, it must provide information about it to the director general of the police force and the public prosecutor. SOVA is compelled to inform the Prime Minister about its activities and findings, as well as the President of the Republic, the President of the National Assembly and other ministers if these activities are related to their fields of competence.
In general, a judge's warrant must be issued prior to a house search or telephone tapping. A new Law on the Police, adopted in 1998, allows secret observation and following and secret police collaboration, to be authorized under special circumstances by a General Police Director.[2345] However, the wording of the SISAA allows for potential abuse on the part of the SOVA, because it could result in SOVA acquiring too easily a court warrant for communications interception.
Other regulations partially or indirectly relate to privacy. Unlawful invasions of the privacy of communications are prohibited and sanctioned. Article 130 of the Telecommunications Act deals with surveillance of telecommunications. A court order is always required, but the legislation follows EU trends by requiring that telecommunications service providers gather extensive information. A proposed ordinance on interfaces and software for lawful interception of telecommunications, with rules on software applications and interfaces for lawful interception of communications, which requires mobile operators to supply on request information about the location of a mobile telephone user, was prepared by the Ministry of Information Society and submitted to public consultation on December 20, 2002.[2346] The Law on Telecommunications requires telecommunications service providers to "guarantee the confidentiality of transmitted messages and of personal and non-personal data known only to them." The Law on National Statistics regulates the privacy of information collected for statistical purposes.[2347] In July 2000, the Health Insurance Data Collections Act came into force. The Act sets out restrictions on the collection, use and exchange of health data.[2348]
Article 50 of the Postal Services Act prescribes that providers of postal services should enable an authorized body to access, on the basis of a court order, the content of post. Both telephone operators and providers of postal services must ensure an indelible record of such moves.
The revised Consumer Protection Act that was enacted in January 2003 incorporates the EU E-Commerce Directive. Article 45a states that companies (e.g., direct marketing companies) may use an automatic telephone dialing system only with the consumer's prior consent. The same holds for fax messages and e-mail messages (i.e., spam). The company must also remove the consumer from the contact list if he or she so requests. The fines average EUR 4,200 for physical persons and EUR 12,600 for companies.
Slovenia is a member of the Council of Europe and has signed and ratified Convention No. 108.[2349] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2350]
Informational privacy is relatively well regulated by existing legislation, but this is not reflected in practice, as most companies are not yet aware of the PDPA, even though the field is subject to supervision by inspection agencies. Inspectors have noted several types of violations: the failure on the part of database owners to supply required information to the Ministry of Justice (e.g., a review of the registry of databases containing personal data on the web site of the Ministry of Justice at the end of 2002 showed that only one Internet access provider supplied information about personal databases, and was only later joined by another one); the protection of personal data is inadequate; the forwarding of personal data to other users is improperly recorded; there is an occasional supply of personal data to unauthorized users (e.g., in hospitals or medical centers). The Inspectorate has further identified several cases of unauthorized gathering of data that breach current laws, or that are carried out without first obtaining the individual's written consent. Inspectors have also noted several specific types of violations: e.g., the storage and use of images to build a database of personal data when using video surveillance in public facilities; the excessively long storage of personal data; the collection of personal data using extortion;[2351] and the fact that data controllers frequently infringe data subjects' rights by preventing them from accessing, copying, printing out, or correcting or deleting, their personal data upon request.
In late 1998, a Slovenian journalist, Tomaz Ranc, wrote some articles based on confidential information. To identify his sources of confidential information, police obtained a list of phone numbers he had dialed and a list of the telephone numbers of the people who called him. The police obtained that list without a court order. Ranc then complained and the court ruled that authorities had violated his human rights when they had attempted to establish his sources by acquiring the list of the telephone numbers he had called.[2352]
It was reported in October 2001 that, in response to the September 11, 2001 attacks on the United States, the SOVA began monitoring the e-mails and telephone communications of prominent academics and NGO activists.[2353] In June 2002, the Parliamentary Commission for the Supervision of Work of Security and Intelligence Services started inquiring into allegations that the Slovene police and SOVA were secretly wiretapping Peter Ceferin, the lawyer of a man accused of human trafficking.[2354] It also seems that SOVA is secretly wiretapping some political activists for political purposes.[2355]
Probably one of the biggest recent privacy abuses took place in April 2003. Someone set up a website (www.udba.net) and published the personal data of about 1.5 million individuals from Slovenia. The information published was part of the archives of the previous communist regime's secret service (the UDBA), later renamed National Security Service (SDV). That archive (called "Central Active File") contained persons' names, surnames, dates of birth, nationalities, secret service dossier numbers, and all criminal offenses that a person had only been suspected of. The persons listed were not only SDV agents, but also individuals who came in contact with the repressive organs of the previous communist regime: political opponents, traffic offenders, criminals, and even people who were put under surveillance merely at their employer's request. Among them were prominent politicians and public persons. On April 17, 2003, the Inspector for Personal Data Protection ordered Slovenian Internet Service Providers to block access to the udba.net web site. Within a few days almost all the media had published how to avoid the blocking and started a wide public debate about Internet censorship. Some legal experts also claimed that the Inspector's action was unlawful,[2356] because it ordered ISPs to block access to, rather than close, the controversial web site. The Inspectorate's decision results from the fact that the website is not located on a server based in Slovenia but in a country (Thailand) over which the Inspectorate does not have any jurisdiction. After a few days the Inspectorate repealed its order, explaining that it could not be enforced, and is void as a result. Regardless of the fact that the Inspectorate's action has probably been problematic in a legal sense, because inspectors ordered ISPs to block access and not shut down the web site itself,[2357] and despite the censorship debate, it is obvious that there has been a great abuse of individuals' personal data.