Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

III. Privacy topics

Internet and consumer privacy

E-commerce

The Certain Information Society Services Act was approved at the end of 2004.1 It addresses spam and limits the liability of providers as far the content of communicated information is concerned.

The application of the new supervisory competence of the OPDP in the field of unsolicited commercial communications under the Certain Information Society Services Act, which implements provisions of the EU Directive on Privacy and Electronic Communications,2 brought considerable enlargement of the agenda of handled complaints. The Certain Information Society Services Act introduced new duties in the sphere of dissemination of commercial communications. The Act established the Office's Control Department as a supervisory body for commercial electronic communications, including email, faxes, texting, and telemarketing. Such communications must abide by an opt-in principle whereby the messages may only be sent to those who have given prior consent, unless the addressee is already a customer of the sender. An entity sending a commercial communication must be able to demonstrate the consent at any time, such provision not excluding also that the entity has to keep electronic records on obtained consent.

In 2007, the OPDP received 1,569 complaints regarding unsolicited commercial communications. The OPDP dealt with 1,012 complaints concerning 515 subjects. Of these, 466 subjects were asked to implement corrective measures, while 71 subjects were fined a total amount of CZK437,000 (€19,500).3 The OPDP found that most commercial entities did not consistently comply with the opt-in principle, nor were their communications clearly and plainly designated as commercial, as required by the Act. In 2008, the OPDP had to deal with 1,458 complaints on unsolicited commercial communications and investigated 155 cases. In 2009 the OPDP dealt with 2,261 complaints and investigated 145 cases. The overall amount of imposed fines rose to CZK797,000 (€32,500).

At the end of 2004 authorities endowed with anti-spam enforcement powers from 13 European countries including the Czech Republic (represented by the OPDP) established the CNSA – Contact Network of Spam Enforcement Authorities – as a common platform for cooperation in investigating complaints about cross-border spam within the EU, and enforcing Article 13 of the Privacy and Electronic Communication Directive 2002/58/EC.4 The CNSA meets three to four times per year, and it has set up a cooperation procedure that aims to facilitate the transmission of complaint information or other relevant intelligence between National Authorities. The CNSA is an active member of the StopSpamAlliance.5

Cybersecurity

No specific information has been provided under this section.

Online behavioural marketing and search engine privacy

No specific information has been provided under this section.

Online social networks and virtual communities

No specific information has been provided under this section.

Online youth safety

As previously mentioned, a programme prepared for teachers by the OPDP, which has received three-year accreditation from the Ministry of Education, Youth and Sports, has also been initiated.6 In addition, the second annual art and literature competition for children and young people "My privacy! Don't look, don't poke about!" was held. This time, children from SOS villages in the Czech Republic, Ukraine, Kazakhstan, Russia, and Bosnia-Herzegovina also successfully took part in the competition. The OPDP welcomed this cooperation because it considers it necessary that children preparing for their future life while growing up outside a family are also sufficiently informed about their rights.7

Workplace privacy

Employer monitoring of employees' email is an important issue. The Data Protection OPDP issued a legal opinion finding employers' reading of the content of employee's email to be illegal. However, the OPDP allowed monitoring the subject lines of employees' email correspondence. Scholars and practitioners broadly discussed this issue. The Electronic Communications Act of 2005 stipulates that the location and ownership of electronic equipment cannot compromise an individual's right to confidentiality in communications. However, little debate has occurred to date as to the precise line between an employee's right to privacy and an employer's authority and economic interests.8

Health and genetic privacy

Medical records

 The status of medical registries in the Czech Republic is a privacy issue of continued importance. The Czech Republic maintains a number of medical registries that consolidate information from groups such as oncology patients, expectant mothers, women who undergo abortions, people with professional diseases, and drug addicts.9 The legal status of these registries was uncertain, as they had existed on the basis of lower-level legal regulations that could not be maintained after January 2004. The Czech Medical Association advised doctors in February 2004 to refrain from providing data to the national registers to reduce the risk of liability for infringement of privacy laws.10 A bill allowing for the continued operation of the registries and use of birth identification numbers passed the Chamber of Deputies but was vetoed by President Vaclav Klaus, who preferred that registry data be entirely anonymous, citing privacy concerns echoed by the Data Protection Office. The Chamber of Deputies overrode President Klaus's veto in March 2004, however, creating the necessary legal basis for the medical registries.11

In 2009, the OPDP investigated and confirmed the illegal processing of patients' personal data by the State Institute for Drug Control when operating the central archive of prescriptions without proper legal background. Furthermore, the OPDP expressed its concerns regarding a new, related legislative proposal.12 The major objection to the bill was that it would exceed the purpose of the archive (initially intended to reduce the overall consumption or even misuse of drugs) by a wide margin, creating room for the advanced features of the archive to contravene patients' rights.

Genetic identification

Based on complaints and investigations, the OPDP inspected targeted private companies performing genetic paternity and kinship testing for identification for commercial purposes, as well as DNA analysis for research and for the testing of genetically conditioned types of illness and predicting the efficacy of their treatment.13 Violations of several provisions of the Act (the duty of notification, consent that did not cover all use of data, certain aspects of proportionality, etc.) were found and a fine and remedy measures were imposed.14

Financial privacy

The law-amending Act on Measures against Money Laundering (implementation of EU acquis),15 proposed by the government in March 2003, aimed to limit lawyer-client privilege and obliged solicitors to report their client's "suspicious" financial transactions to the Ministry of Finance. Resistance and lobbying by Czech Bar Association led to a less intrusive text of the Act. Suspicious activities are reported via the Czech Bar Association, which serves as the control body. This wording appears in the final text of the Act, which was approved in April 2004.16

Footnotes

  • 1. Act No. 480/2004 Coll.
  • 2. Email from Ivan Procházka, supra. See also Office for Personal Data Protection, Annual Report 2004, supra at 41.
  • 3. Jiří Malich, "Spam v ÄŒesku: ÚOOÚ si nemyslí, že je to tak hrozné," ("Spam in the Czech Republic: The Office for Personal Data Protection Does Not Find It that Grave,"), Lupa.cz, 6 July 2008, at http://www.lupa.cz/clanky/spam-v-cesku-uoou-si-nemysli-ze-je-to-tak-hrozne/.
  • 4. See email from Ivan Procházka, supra.
  • 5. StopSpamAlliance information page, at http://stopspamalliance.org/?page_id=11. The StopSpamAlliance is a joint international effort initiated by APEC, the CNSA, ITU, the London Action Plan, OECD and the Seoul-Melbourne Anti-Spam group.
  • 6. Cfr. Section "Data Protection Authority," supra.
  • 7. 12th Annual Report of the Art. 29 Data Protection Working Party (2008), supra.
  • 8. European Industrial Relations Observatory Online, "New Technology and Respect for Privacy at the Workplace,” 10 April 2007, available at http://www.eurofound.europa.eu/eiro/2007/02/articles/cz0702029i.html .
  • 9. "Chamber Approves Medical Registers, Overriding Klaus's Veto," CTK National News Wire, 24 March 2004.
  • 10. "CLK Appeals to Doctors not to Send Data Statements to Register," CTK National News Wire, 20 February 2004.
  • 11. Act No. 156/2004 Coll., amending Act on Public Health Care (2004).
  • 12. Document No. 1056 of 24 February 2010, Chamber of Deputies, V. election period. The bill was not adopted.
  • 13. 12th Annual Report of the Art. 29 Data Protection Working Party (2008), supra.
  • 14. Cfr. Section "National databases for law enforcement and security purposes," supra.
  • 15. See Directive 2001/97/EC of the European Parliament and of the Council amending Council Directive 91/308/EEC on prevention of the use of the financial system for the purpose of money laundering, 4 December 2001, Official Journal L 344, 28 December 2001, at 76–82.
  • 16. Act No. 284/2004 Coll., amending Act on Measures against Money Laundering and other laws (2004).