II. Surveillance policies
National security, government surveillance and law enforcement
Under the Criminal Procedure Code (CPC) of 20061, search and seizure within private premises with the purpose of collecting evidence for criminal investigation is permissible only on request by a public prosecutor and subsequent to a warrant issued by a judge (Art. 161 therein).2. The grounds for permitting search and seizure are "presence of sufficient bases to suspect" that in certain premises there are "matters, papers or databases of significance to a case". In cases of pressing need, when no other opportunity for saving the evidence is available, search and seizure could be performed immediately, subject to approval by a judge within the following 24 hours.
With regard to access to private sector databases, Art. 159 of the CPC of 2006 states that all private sector bodies are obliged to keep and make available to law enforcement agencies on request documents, information stored in computer files, and data concerning computer service customers including traffic data. The necessary precondition for asking for such data is that a criminal investigation has been opened.
For the purpose of criminal investigations, the relevant bodies within the Ministry of Interior can compel private persons to grant cooperation. The Ministry of the Interior Act3 specifies the obligation of granting access to office premises, technical connections, or other possessions (Art. 148, paragraph 2). In practice, in some cases the authorities refer to this provision even for requesting access to electronic data. The same powers are awarded to the State Agency for National Security (Art. 27 of the State Agency for National Security Act).4
Policies regarding this issue are unclear. One could conclude that although in the 1990s there was a tendency to set higher requirements for access to premises or data, the last several years have seen the reverse. Security concerns are about to jeopardise the enjoyment of civil liberties. Regarding some issues, however, such as the data retention legislation, there has been strong public and political debate.
Wiretapping, access to, and interception of communications
Until the Constitution of 1991 was adopted, there were no legal guarantees for wiretapping, access and interception of communications in Bulgaria. As already noted, Article 34 of the Constitution allowed the interception of correspondence only for the prevention or investigation of serious crimes after a warrant has been issued by a judicial body.5
In 1997 Parliament passed a special law regulating the matter, namely the Special Intelligence Means Act (SIMA).6 It underwent minor amendments in August 1999 and June 2000, more extensive ones in February 2003, and some further minor changes in April 2006. Its essential provisions have, however, remained intact since its adoption, and the account which follows is based on the present version. There are two main groups of bodies authorised to use interception: law enforcement authorities and security services. Respectively, there are two main grounds for interception: to prevent or uncover a "serious criminal offence" or to protect national security. Article 93 paragraph 7 of the Criminal Code of 1968 defines a "serious criminal offence" as one punishable by more than five years' imprisonment. According to SIMA, in the case of the former special means of surveillance may be used when necessary if the requisite intelligence cannot be obtained through other means. "Special means of surveillance" are defined as technical devices that can be used for creating photographs, audio and video recordings, and marked objects, as well as the methods for operating these devices.7 They may be used against persons suspected – on the basis of the information available – of planning, committing, or having c, ommitted serious offences, or against persons whom the suspected perpetrators may unwittingly involve in the above. Such means may also be used against persons and objects relating to national security and in respect of persons who have agreed to it in writing in order to protect their lives or property.
The Act was found to be in violation of Art. 8 of the European Convention of Human Rights by the European Court of Human Rights (ECtHR).8
By 2009, practically speaking there was no effective oversight of security services with respect to wiretapping. In November 2000, the Movement for Rights and Freedoms (Dvizhenie za prava i svobodi or DPS), a party of ethnic Turks reported that its leaders were being monitored by the security services.9 Earlier, in August 2000, listening devices were found in the apartments belonging to the Prosecutor General, Nikola Filchev, and several politicians. Filchev blamed the bugs on the Interior Ministry's Criminal Intelligence Service (CIS). A Parliamentary session was held after 53 Democratic Left Parliamentarians demanded a hearing.10 Following the debate, members of the opposition Bulgarian Socialist Party (BSP) submitted draft amendments to put in place a system of judicial oversight for the use of surveillance.11 A Parliamentary Commission held hearings in 2001 on the activities of "public order" agencies, which include the National Intelligence Service, the National Bodyguard Service, and the National Security Service.12 In October 2001, the Interior Ministry reported that they had found illegal wiretapping devices, in recording mode, in the Central Telephone Exchange in Sofia and preparations for such devices in several of the city's other exchanges. The bugging of telephone subscribers has been taking place since 1994 and was said to be economically motivated.13 In November 2001, the director of the NSS resigned from his position. Several allegations were made that he wiretapped politicians, but they were never substantiated.14 In December 2002, the media reported allegations, partly confirmed by the Minister of the Interior, that the telephones of a number of public figures, including the former National Security Service director and the Minister of Justice, had been unlawfully tapped and that a person dubbed "Gnom" had been investigated.15
After the ECtHR judgement, the SIMA was amended several times in 2008 and 2009. According to the last of these amendments, in 2010 a Parliamentary sub-committee was entrusted with the oversight of wiretapping. So far there have been no practical results of its work, though this is partly due to the fact that the sub-committee was selected only few months ago.
The use of intercepts is subject to authorisation by a judge. However, judges are typically not informed in depth about the subject matter of the investigation and are never told the results of the surveillance. Telecommunication providers are required by law to provide "intercept capability". There are no official statistics available on the use of intercepts. In 2000. a leaked report from the Supreme Prosecution's Office said that over 10,000 warrants were issued over a period of a year and a half, beginning in January 1999. Of these, only 267 to 269 were used as evidence in criminal proceedings. It is highly expected that the new Parliamentary sub-committee will publish statistics.
National security legislation
No specific information has been provided under this section.
Soon after joining the EU, the Bulgarian government started drafting a regulation to implement Directive 2006/24/EC (the "Data Retention Directive").16 There was no substantial consultative process on the matter. On 7 January 2008, Regulation No. 40 on the categories of data and the procedure under which they would be retained and disclosed by companies providing publicly available electronic communication networks and/or services for the needs of national security and crime investigation was issued by the State Agency on Information Technologies and Communication (SAITC) and the Ministry of the Interior (MoI). On 29 January 2008, Regulation No. 40 was promulgated in the Bulgarian State Gazette. It allowed easy access to traffic data by law enforcement authorities, security services. and a directorate in the Ministry of the Interior that is responsible for technical operations. Direct technical public authorities' access to databases of private providers of e-communications was planned under the Regulation.17
The adoption of Regulation No. 40 triggered a massive wave of criticism and anger among the country's civil society and business community, as it implied serious intrusion into private life and correspondence. On 19 March 2008, Access to Information Programme (AIP), a prominent Bulgarian NGO working in the field of access to public information and personal data protection,filed an appeal to the Bulgarian Supreme Administrative Court (SAC) against Regulation No. 40. According to AIP, the adoption of this regulation was in violation of the Constitution of the Republic of Bulgaria, the European Convention on Human Rights, and European Union legislation.18 On 17 July 2008 a three-member panel of the Supreme Administrative Court rejected the complaint.19 AIP appealed the decision before a five-member panel of the SAC which, on11 December 2008, struck down the decision of the lower court and Art. 5 of the challenged Regulation No. 40. Article 5 provided for "passive access through a computer terminal" by the Ministry of the Interior, as well as access without court permission by security services and other law enforcement bodies, to all data retained by Internet and mobile communications providers. The Court held that data can be accessed only after a warrant has been issued by a judge based on a case-by-case assessment.
Currently, data retention is required by the Law on Electronic Communications.20 Traffic data should be kept by the providers of e-services for a period of 12 months. Warrants to access data must be issued by a judge, and providers should speedily grant access. The Parliamentary sub-committee responsible for wiretapping also oversees data retention issues.
Since then, there have been persistent attempts by two governments and some MPs to restore direct access. All these proposals failed. Most recently, a proposal to establish direct technical connection, made by the new government (elected in 2009) but after much public debate and strong resistance by NGOs and bloggers at both government and Parliamentary stages, the judicial warrant was retained in the law.
As a result of judgements of the ECHR and the Bulgarian Supreme Court, the government and Parliament were forced to make changes in the normative framework for wiretapping and data retention. For their part, NGOs had a crucial role in bringing these legal actions. There are still issues to be resolved, especially in the area of wiretapping, but the foundations for oversight by the Parliament have been created. Judges issue warrants for wiretapping or access to traffic data. NGOs are active in the field.
National databases for law enforcement and security purposes
The only national database containing data about all individuals is the citizens' register. It is kept electronically by a Directorate in one of the ministries and data are filled in by the municipalities. There are no law enforcement data in this register.
The police maintain a register of suspects against whom criminal charges have been raisedex officio. It is provided for by the Regulation on the Order for Carrying out Police Registration of 2007.21 Minors are not subject to registration. Suspects' biometric data (fingerprints) are also gathered. The register is kept in compliance with the principles of the LPPD, to which the regulation specifically refers. The purpose of the registration is not specifically stated in the law. It is obvious that it is connected with the role of the police in law enforcement and the protection of public order.
There is also a register of the people with criminal convictions. This register is kept with the courts. Data about convictions are kept as long as the effects of rehabilitation are incomplete. For years there have been policy plans to create a unified register of individuals connected with organised crime that can be used by all the bodies. The positive effect of such a register is not clear.
Bulgaria's Interior Minister, Tsvetan Tsvetanov, has officially opened the National Supplementary Information Request at the National Entry (SIRENE) Bureau. Its main task," established in all Schengen States, is the exchange of additional or supplementary information on alerts between the States. The Bulgarian National SIRENE Bureau is a specialised operational unit in the International Operational Police Cooperation Directorate in the Ministry of the Interior. The final evaluation of Bulgaria's readiness to enter the Schengen zone, at the beginning of December 2010, depends upon the Schengen Information System (SIS) and the SIRENE Bureau.22
National and international data disclosure agreements
No specific information has been provided under this section.
In August 2004, the Appeal Prosecution of the city of Plovdiv issued an order stating that all Internet clubs and cafés in Plovdiv should require and keep records of customers' social security numbers and personal data, as well as thetimes when they accessed the Internet.23 On 24 March 2005, the National Service for combating organised crime for the Ministry of the Interior delivered a "Direction for action" to Bulgarian Web site hosting companies. It was issued and signed by the Chief of the Department of Intellectual Property, Trademark, Computer Crimes, and Gambling. The document imposed an obligation on ISPs' executives, stating: "…in seven days from the date of issuing this order you must terminate free hosting Web space with a quota bigger than 100MB to anonymous users. More than 100MB of Web space should be given only to customers with a signed user contract accompanied by a copy of their ID card or other relevant document for identification"24
Under the Bulgarian Penal Code, sanctions can only be imposed on individuals, not companies. This "Direction for action" is considered by the Internet community as an attempt to make ISPs liable for the content they host. Such actions may result in lawsuits in cases where content that the ISPs have mistakenly considered illegal has been removed. ISPs cannot be held liable unless the individual in question has been properly informed by the police about illegal content and the individual refuses to remove it. This warning should be in writing so the interests of all users are protected. The case was widely reviewed in Bulgarian and foreign media.25
No specific information has been provided under this section.
Specific provisions regulating the use of video surveillance can be found in different, sector-based laws.26
According to a statement issued by the Commission for Personal Data Protection on 21 July 2010, personal data controllers shall inform the physical persons about video surveillance by using visible on-site notices to immediately alert the public to the fact that monitoring is taking place and provide essential information about the processing and the relevant personal data controller, including contact information.27
Location privacy (GPS, mobile phones, location based services, etc.)
No specific information has been provided under this section.
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
On 10 March 2010, the Commission for Personal Data Protection – acting on request of Deputy Minister of the Interior V. Vuchkov – issued a statement about the admissibility of the collection and processing of Passenger Name Records (PNR)/Advanced Passengers Information (API) by the UK Border Agency with regard to the e-Borders electronic system.28
Pursuant to the Law for the Bulgarian Identification Documents29, all Bulgarian identification documents contain biometric data. The law sets forth special measures for protection with regard to the processing of these data, as well as guarantees for the citizens in respect of their rights.
No specific legal framework dealing with processing personal data through this kind of technology exists in Bulgaria. The general standards for personal data protection set forth in the ECA shall be applied. In 2007, the Communications Regulation Commission adopted a list of radio equipment using frequency bands harmonised throughout the EU and electronic communications terminal equipment– adopted with Decision No. 1472 as of 20 December 2007 of the Communications Regulation Commission and promulgated in the State Gazette, issue 8 as of 25 January 2008.
Bulgarian legislation stipulates a limited number of cases where medical examinations may be made obligatory. For example, under the Code of Labour (Art. 140(a) and Art. 302) employees starting their first job should undergo mandatory medical examination. Bulgarian legislation does not stipulate cases in which obligatory genetic examination shall be undertaken. The Law on Health (Art. 57) stipulates a specific number of required immunisations, as well as the mechanism of implementation and control.30
In Bulgaria, DNA profiles made for the purposes of police registration are collected and processed by the National Criminology and Criminalities Research Institute to the Ministry of the Interior. Intwo decisions the CPDP has found violations by the Ministry of the Interior with regard to the holding of data from police registration.31
- 1. Available in English at http://www.mjeli.government.bg/Npk/docs/CRIMINAL_PROCEDURE_CODE.pdf .
- 2. The former Criminal Procedure Code of 1974 allowed search and seizure on permission of the public prosecutor. A substantial amendment in force from 2000 changed this to the current regime. The amendment was reflected in the new CPC of 2006.
- 3. Available in English at http://www.mvr.bg/NR/rdonlyres/5F939B72-40AD-45AB-A78A-D09207DB695C/0/ZMVR_EN.pdf.
- 4. Available in English at http://www.dans.bg/index.php?option=com_content&view=category&layout=blog&id=12&Itemid=10&lang=en.
- 5. See Constitution of the Republic of Bulgaria, supra Art. 34.
- 6. In SG No. 95 of 21 October 1997, supplemented SG No. 70 of 6 August 1999, in force from 1 January 2000, amended SG No. 49 of 16 June 2000, SG. No 17 of 21 February 2003, supplemented SG No. 86 of 28 October 2005, in force from 29 April 2006, amended SG No. 45 of 2 June 2006, SG No. 82of 10 October 2006, amended and supplemented SG No. 109 of 20 December 2007, in force from 1 January 2008, SG No. 43 of 29 April 2008, SG No. 109 of 23. December 2008, SG No. 88 of 6 November 2009, available in English at http://www.dans.bg/index.php?option=com_content&view=category&layout=blog&id=12&Itemid=10&lang=en.
- 7. Special Intelligence Means Act, Section 2(1).
- 8. ECHR, Application No. 62540/00, Association of European Integration and Human Rights and Ekimdzhiev v. Bulgaria, Judgement of 28 June 2007 (final on 30 January 2008), available at http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=html&highlight=62540/00&sessionid=61882562&skin=hudoc-en.
- 9. "Security Services Bugged Ethnic Turk's Leaders," BBC Worldwide Monitoring, 26 November 2000.
- 10. "Buggate Scandalises Bulgaria," Transitions online, 31 July – 6 August 2000.
- 11. "Courts Should Be Involved in Controlling Bugging Devices," BBC, 9 August 2000.
- 12. United States Department of State, Country Reports on Human Rights Practices 2001, 4 March 2002, available at http://www.state.gov/g/drl/rls/hrrpt/2001/eur/8238.htm.
- 13. "Bugging Affair 'Economically Motivated', Interior Ministry Says," BBC Worldwide Monitoring, 4 October 2001.
- 14. "Security Chief Says 'Low Confidence' in Office Led to Resignation," BBC Worldwide Monitoring, 28 November 2001.
- 15. "Bulgarian Government Faces New Bugging Scandal," RFE/RL, 23 December 2002, available at http://www.rferl.org/content/article/1142824.html.
- 16. OJ L 105, 13 April 2006, at 54–63, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:01:EN:HTML.
- 17. See more at http://www.aip-bg.org/documents/data_retention_campaign_11122008eng.htm.
- 18. Id.
- 19. Id.
- 20. Law on Electronic Communications, supra at Artt. 250(a-f) ,251 and 251(a).
- 21. Regulation on the Order for Carrying out Police Registration, SG No. 56 of 10 July 2007, in force from 11 October 2007.
- 22. "Bulgaria Wired into SIRENE-Schengen Information System," Novinite.com, 22 October 2010, available at http://www.novinite.com/view_news.php?id=121405.
- 23. Order No. 30 of 27 July 2004 issued by Plovdiv Appeal Prosecution.
- 24. This order has been issued and sent personally to the ISP executives. Not available online.
- 25. See German Edition of "Heise.de" available at http://www.heise.de/newsticker/meldung/58114.
- 26. See, for example, Private Security Business Act in SG No. 15 of 24 February 2004, amended SG No. 105 of 29 December 2005, amended SG No. 30 of 11 April 2006, amended SG No. 34/25 April 2006, amended SG No. 82 of 10 October 2006, available inEnglish at http://www.naftso.org/?current=documents&lang=en&id_sess=pta9qcip2viflrrbdkn6fi9ld4.
- 27. Available in Bulgarian at http://www.cpdp.bg/index.php?p=home&aid=0.
- 28. More information available in Bulgarian at http://www.cpdp.bg/index.php?p=rubric&aid=15.
- 29. Law for the Bulgarian Identification Documents, SG No. 93 of 11 August 1998, in force as of 01 April 1999, amend. SG No. 53 of 11 June 1999, SG No. 67 of 27 July 1999, SG No. 70 of 06 August 1999, SG No. 113 of 28 December 1999, SG No. 108 of 29 December 2000, SG No. 42 of 27 April 2001, SG No. 45 of 30 April 2002, SG No. 54 of 31 May 2002, SG No. 29 of 31 March 2003, SG No. 63 of 15 July 2003, SG No. 96 of 29 October 2004, SG No. 103 of 23 November 2004, SG No. 111 of 21 December 2004, SG No. 43 of 20 May 2005, SG No. 71 of 30 August 2005, SG No. 86 of 28 October 2005, SG No. 88 of 04 November 2005, SG No. 105 of 29 December 2005, SG No. 30 of 11 April 2006, SG No. 82 of 10 October 2006, SG No. 105 of 22 December 2006, SG No. 29 of 06 April 2007, SG No. 46 of 12 June 2007, SG No. 52 of 29 June 2007, SG No. 66 of 25 July 2008, SG No. 88 of 10 October 2008, SG No. 110 of 30 December 2008, SG No. 35 of 12 May 2009, SG No. 47 of 23 June 2009, SG No. 82 of 16 October 2009, SG No. 102 of 22 December 2009, SG No. 26 of 06 April 2010.
- 30. Law on Health, supra.
- 31. CPDP, Decision No. 8 of 21 March 2007 and Decision No. 16 of 5 July 2006.