Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Law No. 2225/94 requires police wishing to conduct telephone taps to obtain court permission.1 In accordance with Law No. 3666/2008 (Article 2 paragraph 7(a)), the list of crimes for which lawful interception of electronic communications is permitted is amended to include child pornography and its preliminary acts, bribery for the election of members of the parliament and other superior civil officers, civil servants, and judges, and coercion of minors to lechery and its preliminary acts.2

The Hellenic Authority for the Information and Communication Security and Privacy (ADAE) was established pursuant to the constitutional revision of 2001 under the second paragraph of Article 19.3 The ADAE replaced the erstwhile National Commission for the Protection of Communication Security and Privacy. The ADAE is charged with safeguarding the privacy and security of communications according to its founding Law No. 3115/2003.4 The ADAE also issued regulations that protect communication privacy relating to electronic communications and postal services. In addition to these duties, the ADAE's responsibility includes supervising the Hellenic National Intelligence Service and carrying out audits of intelligence installations and archives as well as areas of the civil sector.5 ADAE is subject to parliamentary examination in ways and procedures that follow current parliamentary rules.6

ADAE came under the spotlight in early 2006, when it became public that the mobile phones of a number of ministers and politicians (including the Prime Minister) were tapped for a period from the 2004 Olympic Games through March 2005.7 All together, more than 100 mobile phones were tapped, all of them numbers operated by Vodafone Greece using Ericsson's software. These same companies first revealed the case, when "they were made aware of it". The antennas through which the above mobile phones were tapped were all located in the area around the American Embassy in Athens, but no Embassy connection was established. The case received a  tremendous amount of publicity. A Parliamentary Special Committee was also established, but none of the investigations or state initiatives produced any tangible results. ADAE fined Vodafone €76 million for failing to protect the network from the unknown hackers8 and fined Ericsson Hellas €7.36 million. This decision was, however, overturned in 2010 by the Constitutional Court's (Conseil d'Etat) decisions No. 3319 and No. 3320/2010.

Following this case, Law No. 3674/2008 was introduced in 2008 to reinforce the privacy of telephone calls.9 According to the main provisions of this law each telecommunications service provider must adopt a security policy whose content must be approved by the ADAE and also communicated to the HDPA and the Regulatory Authority for Telecommunications and Post (EETT). The telecommunications service provider has a duty to take all necessary measures to ensure the privacy of all communications, and to carry out regular audits of their systems and infrastructure. All voice communications taking place by means located outside the provider's direct supervision must be protected by encryption. ADAE should perform regular inspections/audits of the provider's hardware and software infrastructure of the provider regulatory compliance. In the case of a security breach or risk of a security breach, the employee charged with ensuring secrecy must notify the provider or its legal representative, the public prosecutor, the ADAE and any subscribers who may be affected. The notification should be made in writing, and where direct communication is not possible, any other convenient method may be used.

The new law required amendments to the Greek Penal Code. Violations of the secrecy of telephone calls, including content, traffic, and location data, are considered summary offences, while the evidence obtained through these violations is not admissible in court in criminal matters.10 Also, a new article was added to the Penal Code, which refers to crimes relating to the security of telecommunications. Under the new article 292A users illegally accessing a network or software system used for telecommunications purposes will be sentenced to at least one year and subject to a €20.000 to €50.000 fine. Telecommunications service providers may be held liable if they do not undertake all necessary measures to protect the telecommunication services they provide.11

Finally, a National Security Plan will be developed to protect electronic communications (not only telephone calls) of the public sector and the providers of networks and services for electronic communications. Those affected are required to implement these measures within six months. The Security Plan also provides for a legislative committee for this purpose, on which the HDPA is also represented. However, so far no action has been taken by the Greek Government.

National security legislation

Nonetheless, the Greek government has adopted certain measures to enhance its own surveillance capabilities.12 On 22 December 2008, the Greek government contracted Science Applications International Corporation ("SAIC") to design a security command system to enhance the security capabilities of the Greek police, Fire Brigade, Coast Guard, and Ambulance Service.13 The system was originally delivered in July 2004 in time for the 2004 Summer Olympics in Athens. SAIC has since improved the system, "addressing Greek post-Olympic security needs." The contract has a value of $322 million.14 In addition to providing the system, under its contract SAIC will provide integrated logistics support for the security command system along with cellular network services until 2014.15

Data retention

Pursuant to Article 15(3) of the EU Data Retention Directive, Greece postponed the application of the Directive in respect of the retention of communications data relating to Internet access, Internet telephony, and Internet email until 18 months after the expiration of the period provided for in Article 15(1).16 This Directive obligates member states to enact legislation requiring electronic communications services or public communications networks to retain traffic and location data for a minimum of six months up to a maximum of two years to assist law enforcement in serious crimes cases.17 As of mid-2010, Greece has not yet harmonised its national law with the Data Retention Directive. Presently, the retention periods for mobile, fixed telephony, and Internet data vary drastically from two to five years.18

National databases for law enforcement and security purposes

In 2001, the HDPA issued an opinion expressing concern about the methods and effects of the collection of citizens' sensitive data, especially with respect to DNA analysis for the purpose of criminal investigation and prosecution. . According to this opinion, genetic analysis must be limited to the "non-codified section of DNA" and identity verification.19 The HDPA also advised that any methods allowing conclusions to be drawn about the personality traits of individuals from their DNA should be forbidden, including personality profiling.20 DNA should only be used to verify offenders' and victims' identities and for criminal investigations, and should be destroyed as soon as the intended aim has been achieved. Finally, the HDPA does not support any effort to collect and analyse genetic material for preventive purposes.21

In 2009 the HDPA issued Opinion No. 2/2009 on DNA analysis and the creation of a database of DNA profiles.22 In effect, the HDPA commented on a draft Bill amending the Greek Code of Criminal Procedure. The proposed amendment provided for the creation of a DNA database for crime investigation purposes, describing the conditions under which collection of a DNA sample would be mandatory. The same amendment also regulated the operation of the DNA database, in effect placing it outside the controlling power of the HDPA. In this opinion, the HDPA outlined its objections which, most notably, pertained to its authority in supervising the proposed DNA database as well as to the operation details of such database.

National and international data disclosure agreements

No specific information has been provided under this section.

Cybercrime

While the current Greek Penal Law does address some cybercrimes, the penalties for violators are generally not severe, and when Greece tries to reduce cybercrime, the laws it passes generally do not correct the problem.23 One example of this can be seen in the government's attempt in the summer of 2002 to restrict electronic games. The primary goal was to stem the flow of illegal online gambling, but the law as drafted led to economic hardship for many arcade owners, Internet cafés, and computer games stores. Many closed or were forced to pay big fines for violations of the law. A side effect was to increase support for the illegal distribution of pirated copies of games. This ultimately led to its repeal.24

On 25 January 2008, the Greek authorities arrested a hacker in Greece who broke into the computer systems of France's Dassault Group and stole sensitive weapons technology data and sold it to a variety of countries.25

In 2007 the Child's Rights Protection Protocol became law. According to its provisions, the names of individuals who have allegedly committed crimes relating to child pornography may be published upon General Attorney’s approval.26

In late 2009 General Attorney of Supreme Court published an expressed opinion; although it does not apply as law, it is followed in rem by the police authorities and the courts. According to this expressed opinion, in cases of  defamation or verbal assault, personal communications data must be declassified in order to uncover the offender, even though the law does not order declassification in such cases.27

Critical infrastructure

No specific information has been provided under this section.

Territorial privacy

Video surveillance

In September 2000, the HDPA set out guidelines prohibiting the recording, use, monitoring, and retention of personal information from CCTV on a regular, continuous, or permanent basis.28 Recording is only lawful when it is done to protect individuals or goods, or for traffic violations, and in any case only under the principles of necessity and proportionality. In these exceptional cases, the HDPA must grant permission, and the rules on accuracy and notification must be followed. With respect to crime prevention or repression, the HDPA must grant special permission to judicial and legal authorities to use cameras, with strict guidelines for the use and retention of the images.

In May 2004, the HDPA approved a police request to operate CCTV cameras on the streets during the "operational phase" of the Olympics, as long as the cameras are not used after the Games.29 According to the HDPA's decision, the cameras could legally operate only from 1 July until 4 October 2004. Other conditions were that the cameras not be set up in such a way that they film the entrances or interiors of homes or that they record the conversations of passers-by, that the HDPA also requires adequate signposting informing citizens they are entering surveillance areas. The legal preconditions to using the video cameras include: (a) there is no receipt or record of images of the entrance or the interior of private homes; (b) the receiving and hearing of conversations of inhabitants or passing people is not possible; (c) the person is informed in a convenient and adequate way before he enters the range of the video camera (there must be an adequate number of distinguishable signboards in visible places) both that he is entering a place that is video recorded and the purpose of the video recording; (d) the rules of both security system and data storage are strictly followed; and (e) the  data is only retained for seven days.30

Tough security measures, including military patrols, special commando units, and more than 1.000 surveillance cameras, were put in place for the 2004 Athens Olympic Games.31 Greek law enforcement authorities were provided with training and intelligence assistance from seven countries: Australia, Britain, France, Germany, Israel, Spain, and the United States.32 There was little concern about the violation of citizens' privacy through the use of these cameras.

In November 2004, the HDPA extended permission for the use of CCTV on the streets for another six months, as long as it was used only for traffic monitoring. All non-traffic uses were barred,  including crime control. The use of cameras was allowed only in high-traffic locations and not in areas of low traffic or at places, squares, parks, pedestrian-precincts, and public assembly areas (e.g. theatre entrances). The cameras were to be set up in such a way that they did not film the entrances or interiors of homes, and sound pick-up should not be possible.33

In 2006, the police asked the HDPA for yet another extension to the use of this same surveillance system that had been operating in Athens since the 2004 Olympic Games. The HDPA extended its use until 24 May 2007 (Decision 39/2006), but also imposed a penalty (of €3,000) when it established that the police had breached the terms set by the HDPA (Decision 57/2006).

As noted above, in 2007 an amendment excluding CCTV cameras from the scope of the Data Protection Act was passed as Law No. 3625/2007.

The HDPA was informed that CCTV systems had been installed in two secondary schools in the prefecture of Karditsa. The HDPA considered the processing of pupils' and teachers' personal data, which was taking place in the school courtyard and the corridors, as unlawful. It deemed that such processing did not conform to the principle of proportionality, as its purpose (securing the premises and controlling vehicle/third party access) could be achieved using less intrusive means.34

In 2009 after a surge of robberies, practically all Greek banks installed surveillance entrance control systems, some of which retained the photographs of all customers who entered a specific bank branch on a given date. When a relevant case was brought to the HDPA's attention, it granted the bank an evaluation period of 12 months in order for the bank to justify its actions with concrete data.

Location privacy (GPS, mobile phones, location based services, etc.)

In May 2009, the HDPA decided to prohibit Google from photographing areas of Greece for use in Street View.35 In doing so, the HDPA prohibited vehicles manned by Google Street View drivers from entering the country.36 The agency did, however, offer to allow Google to take photographs if it was supplied with information concerning the length of time Google planned to store the photographs taken for use in Street View and explain how it intended to notify individuals who were liable to be photographed of their privacy rights.37 The agency indicated that Google's previous attempts to inform residents that they might be photographed were inadequate.38 The HDPA cited the protection of privacy rights as the basis for its action against Google.39 For similar reasons, the HDPA also prohibited the Greek surveillance company ISP Kapou from surveilling areas within Greece.40

For the purposes of national security and serious crime prevention/investigation,  all anonymous mobile users were obliged to register with their mobile service providers by July 2010. Under the new law, anonymous users who refuse to register will have all mobile services terminated.41

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

No specific information has been provided under this section.

National ID and smart cards

On 4 May 2000, in a controversial but important ruling, the HDPA ruled that religious affiliations must be removed from State-issued identity cards. The decision was opposed by the Greek Orthodox Church and led to massive protests and challenges to the ruling.42 The strong connection between the Greek Orthodox Church and the State is notable as there is no separation between Church and State.43 In March 2001, Greece's highest administrative court upheld the ruling, finding that stating citizens' religious affiliation on the compulsory identity cards was unconstitutional.44 Prior to that, Greece was the only member of the European Union to require citizens to list their religious beliefs on citizen identity cards. The new Greek identity cards do not include religion, even on a voluntary basis. In addition to the removal of religious affiliation, new identity cards also no longer include fingerprints, names, or surnames of the cardholder's spouse, maiden names, professions, home addresses, or citizenship.

RFID tags

No specific information has been provided under this section.

Bodily privacy

In 2003, the HDPA struck down the use of biometric identity verification at Athens International Airport.45 The biometric system was intended to ensure that the passenger who checked in was the same  person who actually boarded the airplane. While observing that such cases should be decided on a case-by-case basis, the HDPA ruled that collecting and processing iris and fingerprint data to verify passengers' identity was not permissible. Under the Greek Data Protection Act, gathering biometric data  was unlawful because it exceeded its purpose. The HDPA noted that passenger identity could be ascertained in a "milder way" by requiring passengers to show an identity card along with their airplane tickets.46

Footnotes