II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
Electronic surveillance, wiretapping, and the interception of mail by the police are regulated under the criminal process law and require a court order.1 A judge can approve an initial wiretap order for up to four months – the previously applied period of six months was shortened in 2008 when criticisms of the extensive use of interception led to the adoption of stricter rules. For example, the authorities are now required to inform any person who was subject to wiretapping about the interception once the case is closed, and such persons have the right, within the six-month period, to ask the Supreme Court to review the legality of the interception.
Although there are special rules for intelligence services (for substantiation of the court order), the wiretapping must always be allowed by a judge of the High Court in Prague.2
Another state authority that may use electronic surveillance, the tapping of telephones, and the interception of mail if approved by a court is the Customs Administration,3 due to the fact that Customs may use criminal techniques for the purpose of investigating financial crimes.
There is no comprehensive law on wiretapping; the Criminal Procedure Act is the most detailed and also contains remedies. The absence of proper public control of wiretapping, especially as conducted by intelligence services, is still often discussed as a concerning issue by politicians and media. In practice, the special commission of the Chamber of Deputies4 has almost no oversight power to deal with this issue. On the contrary, even such limited oversight is criticised due to the higher risk of leakage of confidential information.5 Unlike the recently strengthened individuals' rights concerning electronic communication interception – as provided in the Criminal Procedure Act (requiring that the subject of telephone interception or remedial procedures with the Supreme Court be subsequently informed) – other types of eavesdropping (such as recording audio and video in public spaces outside an individual's home) need only be approved by the state attorney, and no specific remedy is provided for in this stage of criminal proceeding.6
In 2006 the President of the Office for Personal Data Protection, Igor Němec, cited the expansion in wiretapping surveillance as a factor in the average privacy protection ranking Privacy International conferred on the Czech Republic. Němec stated that he hoped to devote increased resources to the issue of securing access to police documents and ensuring that police recordings were in full accord with the law. He noted that "an alarmingly high number of persons can access police recordings," making it impossible to prevent leaks to the media.7
That criticism found support from politicians, and in 2009 a new set of rules8 was enacted to strengthen the protection of individuals who were subject to interception. Any unauthorised publishing of wiretapping records (i.e., those that were not publicly heard before a court) was specifically banned. In addition to the criminal sanctions imposed by a court (up to five years, should the leak be considered as a crime of unauthorised personal data handling), the OPDP acquired new power to apply penalties – anyone who breaks the ban may be fined up to CZK1 million (€50,000) or CZK5 million (€205,000) if committed via press, film, broadcasting, Internet, or any other similarly effective means. Given the fact that the OPDP has power to fine the breach only if it is not considered a crime, the maximum penalties are perceived as excessive due to non-discrimination rules between natural persons and companies. Initially the protective measure was nicknamed a “protectionist” measure known as a "muzzle law".9 This came about because the measure precludes any journalist from publishing information on serious criminal cases (such as corruption) if such information comes from intercepted communication and no court hearing has yet taken place, thus, according to some legal opinions, restricting freedom of speech. The newest proposals are intended to enable journalists to publish information about participants in criminal proceedings relating to corruption among politicians or other state officials.10
There have been continuous attempts to legalise and expand secret service wiretaps. In 2001, there were attempts to add provisions granting the police and BIS powers to require telecommunications traffic and other information from public bodies to a bill dealing with asylum law.11 This was prepared by members of the Lower Chamber's Security and Defence Committee and apparently coordinated by the secret services. The Senate did not approve this part of the proposed law.
In April 2003, the government proposed an amendment to the Act on Security Information Service (SIS), which would entitle SIS to require information on telecommunications traffic, and impose a duty on telecommunications service providers to have wiretapping equipment. The Chamber of Deputies rejected this bill.12
Under the 2005 Electronic Communications Act,13 telecommunication carriers are required to provide secure access to electronic communication information to the Czech Police (or Security Information Service and Military Intelligence Agency) in accordance with Article 88 of the Criminal Procedure Act. Under Section 97 of the Electronic Communications Act, such access includes the means by which the police may decrypt or decode messages (as encryption is used, for example, in GSM technology) in order to tap and record them. Section 97 of the Electronic Communications Act also requires carriers to retain operating and location data for a specified period of time,14 as well as a database holding information on all customers, and to permit the Czech police (or Security Information Service and Military Intelligence Agency) access upon legal request (granted by a court). Section 88 of the Electronic Communications Act requires telecommunications carriers to develop multiple means to protect the personal data of their users, and also requires that carriers inform their customers of specific disturbances in network security and, if necessary, ways to remedy data breaches. Without prejudice to Section 97 of the Electronic Communications Act, carriers must render anonymous any user operating and location data pursuant to Sections 90 and 91 once they are no longer necessary for the provision of communication services (unless further processing is necessary for the provision of supplemental services ordered by the user).
A new Police Act prepared during 2007 and adopted in 2008 contains several privacy-intrusive provisions, although fewer than originally proposed.15 The Police Act enables police to exchange personal data with intelligence services. In addition, the new Act fails to provide any improvement on the rules for handling DNA samples. The new act allows police to use video surveillance in public places, again without any rules. The law also broadens the way in which police obtain retained communication data (including 24/7 online access).16 A new competence to deactivate electronic communication channels (e.g., a mobile network) was given to the police. Only a last minute amendment made this power (as well as wiretapping and surveillance) subject to parliamentary control.
National security legislation
A document titled Analysis of Security System of the Czech Republic (Analýza bezpečnostního systému ČR, here the Analysis) prepared by the Ministry of the Interior and based on the National Anti-terrorist Plan17 drafted by the Lower Chamber's Defence and Security Committee, recommends extending the powers of the police and security services. In particular, it calls for an obligation on individuals and companies to provide their personal data to security services. This programme document is to be implemented by legislative proposals. The document also plans for public-private partnership in investments into security projects. The threat of terrorism is stated as the main reason for creating the Analysis. The United Kingdom's "Anti-terrorism, Crime and Security Bill" and the U.S. "Patriot Act" are quoted in the Analysis, as examples of desirable strengthening of investigation powers.
The currently applicable Strategy against Terrorism (covering the years 2010 to 2012)18 reiterates the lack of necessary competence of law enforcement agencies in the Czech Republic compared to its foreign partner agencies. However, the only explicit proposal is to specify more clearly the obligation of email service providers to retain necessary operational data (but not the content of messages) and to implement the already enacted power granting police online access to data on the use of electronic payment devices (such as credit cards).19
The Czech Republic adopted data retention legislation in the middle of 2005, in anticipation of new EU legislation. It stipulates a maximum period of data retention for operating and location data of 12 months.20 The recent amendment to the Act in the first half of 2008 improved the initial implementation and provided also for a minimum period of data retention of six months. Nevertheless, the implementing regulation providing for the exact retention period kept the original six months’ period,21 although data on Uniform Resource Identifiers used during the communication are to be stored for only three months. After these obligatory retention periods carriers must destroy the data. However, the wording of the amendment allows use of the databases for purposes other than those specified in the directive. Also, the present form leaves to the Minister of the Interior the decision on the scope of the retained data, which are far above the conditions set by the Data Retention Directive.22
In 2007 the Police routinely used the data for investigations (including less serious offences); however, there are no publicly available statistics on the number of investigations, the number of accesses, or the efficiency of the measure,23 even though the Czech Telecommunication OPDP has received such information from all carriers annually since 2009.
National databases for law enforcement and security purposes
The Bill of law on Protection of Classified Information24 granted powers to secret services to require personal data from various public and even private databases (social security system, health insurance institutions, private insurance companies, banks, etc.) for purposes of "security proceedings."25 During 2004, a coalition of NGOs (Iuridicum remedium, Transparency International ČR, and Open Society) raised objections to this provision in the phase of pre-parliamentary proceedings. In February 2005, the unchanged bill was submitted to Parliament. However, the coalition of above-named NGOs prepared proposals to omit these provisions and asked several MPs to raise these proposals in legislative procedure. They were partially successful in the Defence and Security Committee, but Section 58 of the final version of the Bill still permitted all members of the government access to otherwise classified information without a security clearance, although they must still keep the information confidential. The bill also allowed for some technical activities (certification of cryptographic or technical facility or electromagnetic rays measuring in order to qualify equipment to classified information disposal) to be done by private companies and sole entrepreneurs. The Act came into force on 1 January 2006.26
The OPDP also expects a continued emphasis on data mining by police and customs groups. The data processing of greatest interest is related to Europol, Eurodac, Schengen Information System (SIS), and technology development work for customs systems.27
The OPDP paid particular attention to the processing of DNA-related personal data. A control was carried out in 2008 targeting the Institute of Criminalistics of the Police of the Czech Republic, the operator of the National DNA Database.28 Violations of the Act on Personal Data Protection were found, as sensitive data were collected, processed and stored to an extent that went beyond the statutory authorisation. In such cases the law requires that the consent of the person concerned is obtained, but this had not occurred. One aspect of the control conclusions was the imposition of a fine and a remedy measure, namely the destruction of personal data processed in a manner contrary to the law.29
On 1 July 2010, the Act on Basic Registers took effect. The Act on Basic Registers provides for the interconnection of four core registers administered by public authorities (Elementary Register of Inhabitants of the Czech Republic; Elementary Register of Corporate Entities, Natural Persons and Authorities; Elementary Register of Territorial Identification, Addresses and Real Estates; Elementary Register of authorities' agendas and some of their powers and duties) that will be implemented through the special information system. Legislative process leading to adoption of the respective legal measures was unusually swift. Despite the short legislative process, the OPDP was consulted. Some of the comments of the OPDP were incorporated into the Act and the OPDP generally welcomed the final version of the bill.30
According to proponents, the new system will prevent some of the dysfunction of the present system of different registers that are used individually by state authorities (fragmentation, ambiguity, and multiplicity in the maintenance of key public administration databases). Thanks to the new system: citizens should no longer be forced to repeatedly provide their personal data for each different database; the introduction of a system of agenda identifiers of natural persons derived from agenda code and the source identifiers should allow each officer to access only the personal data necessary for administration of his/her agenda; agenda of creation and distribution of the electronic identifiers (ensuring the inability of one authority to access other data relating to a particular individual or company processed by another authority) for basic registers will be administered by the OPDP. The system of basic registers is expected to enter full operational level in July 2012. Practical issues, including privacy concerns, are yet to be tested.
National and international data disclosure agreements
Security interests clashed strongly with privacy interests as the United States began to demand that the Czech air carrier CSA provide data on all its passengers. Terrorism was cited as the rationale for this demand, and there were threats of fines and denial of U.S. landing rights in case of non-compliance. CSA agreed to provide the requested data, but the release was likely to infringe existing privacy laws. CSA had been granted permission from the Data Protection Office to transfer the data, but its validity was limited by the Czech Republic's accession to the European Union in May 2004. CSA has also increased checks of airport property, passengers, luggage and transported goods.31
On 26 February 2008, the Czech Minister of Interior and U.S. Homeland Security Secretary signed the Memorandum of Understanding on Passenger Name Records.32 In exchange for continued access to the visa waiver programme, Czech authorities agreed to collect, use, analyse, and share Passenger Name Records (PNRs) as well as Advance Passenger Information (API). Neither the procedure nor the amount of data to be provided has been specified. The European Commission drafted the Memorandum independently of the recent EU-USA negotiations on this topic that resulted in sharp criticism. However, similar documents between the USA and five other EU member states, Lithuania, Latvia, Estonia, Slovakia, and Hungary, followed.33
Recently, the Government established the Joint Coordination Committee for Security in the Cyberworld, which should deal with various tasks related to cybercrime, mostly on the analysis level.34 Due to the very recent formation of the Committee, no output is yet known.
No specific information has been provided under this section.
Increasingly, video surveillance - closed circuit television (CCTV) systems - is being used by both private institutions and local governments. Although using CCTV and other camera systems for recording is considered to be processing personal data, few organisations using such systems have registered with the OPDP, although this is a legal duty imposed by the Personal Data Protection Act. The OPDP has very limited capacity for oversight and therefore, does not penalise those routine breaches of law. Although no particular legal duties concerning video surveillance conditions are embodied in any law (e.g., duty of notice, maximum period of storage of records, ban on data attachments, no discrimination on the basis of record), such obligations could be clearly deduced from the general principles stated in the Personal Data Protection Act; of course, it is not as illustrative as a special law or legal provision on CCTV could be.
The OPDP fielded inquiries from a wide variety of sources on the subject, including police bodies, courts, public administration, municipal government, economic entities, trade unions, apartment cooperatives, and many individuals. In 2005, the OPDP levied a fine on a housing co-operative that installed a camera monitoring system in the building without tenants' consent.35 The OPDP action was confirmed by a court's decision in 200736 stating that the video surveillance connected with electronic entrance system (logging and archiving each entry to a house) was not an appropriate and proportional method for achieving the purpose of the protection of property, although the initial installation of CCTV was driven by a series of vandalism including personal attacks. In January 2006, the OPDP issued Position No. 1/2006, reiterating that the operation of a video recording system is considered personal data processing if it can identify individuals, and thus must serve a legally protected interest and not excessively interfere with an individual's privacy.37
There have been two significant cases where the use of video surveillance has caused a public outrage. In 2006-2007 students of the private Skvoreckeho College in Prague launched a public protest against the constant video surveillance at all school premises including classes. Fully supported by their parents and media reports, the students managed to force the school management to remove the CCTV systems.
In 2007, the operator of the municipality CCTV system in Plzen used the cameras for monitoring car traffic that looked into the windows of a private flat opposite. The images were kept online through a public streaming site. The owner of the flat has complained. The case was well covered by the media and condemned as a misuse of the CCTV system. The OPDP launched an investigation.
In 2008, the OPDP released a position on the installation of camera systems in apartment buildings, stating that "[e]ach controller must demonstrate in his or her plan for the use of a camera system that the camera system is: demonstrably suitable for resolving the problem in question, demonstrably necessary for resolving the specific problem, appropriate given, for example, its contribution to security, regularly reviewed to ensure the above points are satisfied, and that it intrudes on privacy demonstrably less than the alternatives."38
In 2009, a representation from the Government's Council on Human Rights led to the adoption of an instruction to the Ministry of the Interior to prepare detailed rules on video surveillance during 2010.39
Location privacy (GPS, mobile phones, location based services, etc.)
No specific information has been provided under this section.
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
The Czech authorities launched a first version of the Czech electronic passport at full scale in September 2006. Issued in compliance with the requirements laid down in the European Union regulation regarding passport security and biometrics,40 the passports include new security features such as intricate designs and complex watermarks, as well as a chip and antenna. The chip stored the electronic facial scan of the owner along with his/her personal details. Facial recognition maps various features on the face, for example, the distances between eyes, nose, mouth and ears. It was planned to add fingerprint details on the chip at a later stage.41
As planned, on 1 April 2009, the Czech authorities started rolling out new electronic passports whose chips include, in addition to the existing information, two fingerprint images of the owner.
Since 2007, the project "Opencard" (electronic card used mostly as a ticket for the mass transit in Prague) has been regularly discussed in relation to the protection of personal data that should be used for the operation of the project, the most recent investigation being held in 2009.42 Due to the potential for collection of various personal data (including on movement) and the vulnerability of the card itself (RFID technology) the Prague Magistrate finally announced that anonymous cards will be used in the future (at the end of 2009, more than 350 thousand cards had been issued).43
In August 2006 the OPDP issued Position No. 08/2006 with regard to the issuance of electronic cards. According to the position, such cards are being increasingly used in many areas of everyday life, including to gain entry to buildings and to obtain discounts and various services. The Position noted that personal data is collected in practically all instances in which such cards are produced, thus certainly bringing such activity within the competence of the OPDP's authority under the Personal Data Protection Act. The Position advised cardholders to exercise caution and card issuers to observe the law regarding privacy protection.44
No specific information has been provided under this section.
In 2005 the OPDP imposed a fine on a state body for scanning biometric data and pictures of fingerprints. The data was acquired in violation of law as a matter of routine.45
In 2007, there was a substantial expansion of the number of DNA samples and profiles up to 40,000 records. The amendment to the Police Act and Penal Code adopted in the first half of 2006 introduces new measures that boost the growth of the national DNA database and worsen privacy protection.46 Although the police had specific powers for DNA sampling since 2001, the amendment of 2006 enabled the use of force to obtain DNA samples (and such provision was kept also in the new Act on Police from 200847). Persons charged with criminal activity and prisoners serving sentences for committing deliberate crimes may be subject to DNA sampling for possible future identification. The latter caused new public debate on the extent of involuntary DNA sampling as during 2007, approximately 16,000 prisoners were (in some cases forcibly) coerced into providing their DNA samples. The media have questioned this practice, and the public ombudsman condemned it in his statement.48 The ombudsman questioned the constitutionality of this practice applied on a large scale without proper substantiation (DNA sampling also covered criminals who committed deliberate crimes, including, for example, economic frauds) and also of the very existence of the National DNA Database, which lacks appropriate legal backing. The ombudsman also initiated review of the case by the OPDP and Public Prosecution Office. The OPDP's investigation on the National DNA database led to more systematic activity on the part of the OPDP, including a special seminar on the topic in the Senate (the upper chamber of the Czech Parliament).49 The OPDP currently leads an expert working group with the aim of preparing a comprehensive law on handling DNA.50 The scientific community is also pursuing demands for a special law on the National DNA database and genetic testing.51
- 1. Act No. 141/1961 Coll on Criminal Procedure, Section 88.
- 2. Act No. 154/1994 Coll. on the Security Information Service; Act No. 289/2005 Coll. on Military Intelligence Agency.
- 3. Act No. 13/1993 Coll. on Customs.
- 4. Komise pro kontrolu zpravodajské techniky (Commission for Intelligence Technics Control).
- 5. Karel Zetocha, "Parliamentary supervision of Intelligence Agencies" (Institute for European Policy, 2008), available in Czech at http://www.europeum.org/doc/pdf/Karel_Zetocha_skupinaII.pdf.
- 6. Act No. 141/1961 Coll. on Criminal Procedure, supra at Section 158d.
- 7. Office of Personal Data Protection Annual Report 2006, supra at 3.
- 8. Act No. 52/2009 Coll.
- 9. More details on journalists' protests are available at http://prisonforjournalists.com/EN/.
- 10. "Coalition Vows to Soften 'Muzzle Law'," Prague Daily Monitor, 24 July 2010, available at http://www.praguemonitor.com/2010/07/26/coalition-vows-soften-muzzle-law.
- 11. Document of 30 April 2001, No. 921 of Chamber of Deputies, III election period.
- 12. Document of 29 April 2003, No. 308 of Chamber of Deputies, IV election period.
- 13. Act No. 127/2005 on Electronic Communications.
- 14. For more details, see Section "Data Retention", infra.
- 15. Act No. 273/2008 Coll. on Police, available in Czech at http://www.sagit.cz/pages/sbirkatxt.asp?zdroj=sb08273&cd=76&typ=r.
- 16. Description of the main features of the Act concerning privacy are available in Czech at http://www.slidilove.cz/en/node/482.
- 17. Governmental resolution No. 385 of 10 April 2002, available in Czech at http://kormoran.vlada.cz/usneseni/usneseni_webtest.nsf/0/3AE4ABCAC2919A8... .
- 18. Strategie boje proti terorismu, available at http://www.mvcr.cz/soubor/nap-2010-pdf.aspx.
- 19. Cfr. Section "Data Retention," infra in this report.
- 20. Act No. 127/2005 Coll. on Electronic Communications, supra.
- 21. Regulation No. 485/2005 Coll.
- 22. Helena Svatosova, "Czech Parliament - Close in Implementing Data retention Directive", EDRI-gram, 4 June 2008, available at http://www.edri.org/edrigram/number6.11/czech-data-retention.
- 23. Filip Pospísil, Marek Tichý, "Key Privacy Concerns in Czech Republic 2007," EDRI-gram, 30 January 2008, available at http://www.edri.org/edrigram/number6.2/privacy-czech-2007.
- 24. Documents No. 880 and 881 of 27 January 2005 of Chamber of Deputies, IV. election period.
- 25. Proceedings according to Law on Protection of Classified Information, which include screening of person who applied for certificate allowing access classified information.
- 26. Act No. 412/2005 Coll. on the Protection of Classified Information, 2005.
- 27. See E-mail from Ivan Procházka, Head of Department of Foreign Relations for the Office for Personal Data Protection, Czech Republic, to Clifford Chen, Law Clerk, Electronic Privacy Information Center, 11 June 2004 (on file with EPIC). As far as SIS is particularly concerned see also http://www.uoou.cz/uoou.aspx?menu=133&lang=en.
- 28. 12th Annual Report of the Art. 29 Data Protection Working Party (2008), 16 June 2009, at 26, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 29. Id.
- 30. Office for Personal Data Protection, Press release, 29 April 2009, available in Czech at http://www.uoou.cz/uoou.aspx?menu=15&loc=768.
- 31. United Nations Security Council, Report by the Czech Republic to the Counter-Terrorism Committee, S/2001/1302, 9-10.
- 32. Memorandum on Understanding between the Ministry of Interior of the Czech Republic and the Department of Homeland Security of the United States of America, 26 February 2008, available at http://www.poptel.org.uk/statewatch/news/2008/mar/us-czech-mou-visas-etc....
- 33. Id.
- 34. Governmental Resolution No. 380 of 24 May 2010, available in Czech at http://racek.vlada.cz/usneseni/usneseni_webtest.nsf/0/17A2B3E12781C958C1...$FILE/380%20uv100524.0380.pdf
- 35. Office for Personal Data Protection, Decision No. 01428/05-UOOU, 6 May 2005.
- 36. Municipal Court in Prague, Case No. 7 Ca 204/2005, 28 February 2007.
- 37. Office for Personal Data Protection, Position No. 1/2006 (January 2006), available at http://www.uoou.cz/uoou.aspx?menu=22&loc=570.
- 38. Office for Personal Data Protection, Position No. 1/2008 (May 2008), available at http://www.uoou.cz/uoou.aspx?menu=22&loc=575.
- 39. Governmental Resolution No. 1454 of 30 November 2009, available in Czech at http://racek.vlada.cz/usneseni/usneseni_webtest.nsf/0/CFEEC5B0F51F2B43C1...$FILE/uv091130.1454.doc.
- 40. Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States, 13 December 2004, OJ L 385, 29 December 2004, at 1–6, available at http://eur-lex.europa.eu/Result.do?idRoot=4&RechType=RECH_typact&typact=....
- 41. ePractice, eGovernment Factsheet – Czech Republic – National Infrastructure (April 2010), available at http://www.epractice.eu/en/document/288201.
- 42. Office for Personal Data Protection Annual Report 2009, supra.
- 43. "Fotka a jméno: konečně opencard bez zbytečných osobních údajů?" ("Photo and First Name: Last Opencard without Unnecessary Personal Data?"), Econnect, 20 July 2010, available at http://zpravodajstvi.ecn.cz/index.stm?x=2237715.
- 44. Office for Personal Data Protection, Position No. 8/2006 (2006), available at http://www.uoou.cz/uoou.aspx?menu=22&loc=573.
- 45. See 9th Annual Report of Article 29 Working Party on Data Protection (2005), 14 June 2006, at 29, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 46. Act No. 321/2006 Coll.
- 47. Act No. 273/2008 Coll. on Police, supra Section 65.
- 48. Statement available in Czech at http://www.ochrance.cz/stanoviska-ochrance/zasadni-stanoviska/stanoviska....
- 49. Materials from the seminar available at http://www.uoou.cz/uoou.aspx?menu=15&loc=653.
- 50. Office for Personal Data Protection, Press release, 21 January, 2010 available in Czech at http://www.uoou.cz/uoou.aspx?menu=15.
- 51. E.g., Daniel Vaněk (genetic researcher and former forensic specialist) "Právo a DNA" ("Law and DNA"), Reflex Weekly, 28 May 2008.