II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
Law No. 2225/94 requires police wishing to conduct telephone taps to obtain court permission.1 In accordance with Law No. 3666/2008 (Article 2 paragraph 7(a)), the list of crimes for which lawful interception of electronic communications is permitted is amended to include child pornography and its preliminary acts, bribery for the election of members of the parliament and other superior civil officers, civil servants, and judges, and coercion of minors to lechery and its preliminary acts.2
The Hellenic Authority for the Information and Communication Security and Privacy (ADAE) was established pursuant to the constitutional revision of 2001 under the second paragraph of Article 19.3 The ADAE replaced the erstwhile National Commission for the Protection of Communication Security and Privacy. The ADAE is charged with safeguarding the privacy and security of communications according to its founding Law No. 3115/2003.4 The ADAE also issued regulations that protect communication privacy relating to electronic communications and postal services. In addition to these duties, the ADAE's responsibility includes supervising the Hellenic National Intelligence Service and carrying out audits of intelligence installations and archives as well as areas of the civil sector.5 ADAE is subject to parliamentary examination in ways and procedures that follow current parliamentary rules.6
ADAE came under the spotlight in early 2006, when it became public that the mobile phones of a number of ministers and politicians (including the Prime Minister) were tapped for a period from the 2004 Olympic Games through March 2005.7 Altogether, more than 100 mobile phones were tapped, all of them numbers operated by Vodafone Greece using Ericsson's software. These same companies first revealed the case, when "they were made aware of it". The antennas through which the above mobile phones were tapped were all located in the area around the American Embassy in Athens, but no Embassy connection was established. The case received a tremendous amount of publicity. A Parliamentary Special Committee was also established, but none of the investigations or state initiatives produced any tangible results. ADAE fined Vodafone €76 million for failing to protect the network from the unknown hackers8 and fined Ericsson Hellas €7.36 million. This decision was, however, overturned in 2010 by the Constitutional Court's (Conseil d'Etat) decisions No. 3319 and No. 3320/2010.
Following this case, Law No. 3674/2008 was introduced in 2008 to reinforce the privacy of telephone calls.9 According to the main provisions of this law, each telecommunications service provider must adopt a security policy whose content must be approved by the ADAE and also communicated to the HDPA and the Regulatory Authority for Telecommunications and Post (EETT). The telecommunications service provider has a duty to take all necessary measures to ensure the privacy of all communications, and to carry out regular audits of its systems and infrastructure. All voice communications taking place by means located outside the provider's direct supervision must be protected by encryption. ADAE should perform regular inspections/audits of the provider's hardware and software infrastructure and of the provider's regulatory compliance. In the case of a security breach or risk of a security breach, the employee charged with ensuring secrecy must notify the provider or its legal representative, the public prosecutor, the ADAE and any subscribers who may be affected. The notification should be made in writing, and where direct communication is not possible, any other convenient method may be used.
The new law required amendments to the Greek Penal Code. Violations of the secrecy of telephone calls, including content, traffic, and location data, are considered summary offences, while the evidence obtained through these violations is not admissible in court in criminal matters.10 Also, a new article was added to the Penal Code, which refers to crimes relating to the security of telecommunications. Under the new article 292A users illegally accessing a network or software system used for telecommunications purposes will be sentenced to at least one year and subject to a €20.000 to €50.000 fine. Telecommunications service providers may be held liable if they do not undertake all necessary measures to protect the telecommunication services they provide.11
Finally, a National Security Plan will be developed to protect electronic communications (not only telephone calls) of the public sector and the providers of networks and services for electronic communications. Those affected are required to implement these measures within six months. The Security Plan also provides for a legislative committee for this purpose, on which the HDPA is also represented. However, so far no action has been taken by the Greek Government.
National security legislation
Nonetheless, the Greek government has adopted certain measures to enhance its own surveillance capabilities.12 On 22 December 2008, the Greek government contracted Science Applications International Corporation ("SAIC") to design a security command system to enhance the security capabilities of the Greek police, Fire Brigade, Coast Guard, and Ambulance Service.13 The system was originally delivered in July 2004 in time for the 2004 Summer Olympics in Athens. SAIC has since improved the system, "addressing Greek post-Olympic security needs." The contract has a value of $322 million.14 In addition to providing the system, under its contract SAIC will provide integrated logistics support for the security command system along with cellular network services until 2014.15
Pursuant to Article 15(3) of the EU Data Retention Directive, Greece postponed the application of the Directive in respect of the retention of communications data relating to Internet access, Internet telephony, and Internet email until 18 months after the expiration of the period provided for in Article 15(1).16 This Directive obligates member states to enact legislation requiring electronic communications services or public communications networks to retain traffic and location data for a minimum of six months up to a maximum of two years to assist law enforcement in serious crimes cases.17 As of mid-2010, Greece has not yet harmonised its national law with the Data Retention Directive. Presently, the retention periods for mobile, fixed telephony, and Internet data vary drastically from two to five years.18
National databases for law enforcement and security purposes
In 2001, the HDPA issued an opinion expressing concern about the methods and effects of the collection of citizens' sensitive data, especially with respect to DNA analysis for the purpose of criminal investigation and prosecution. According to this opinion, genetic analysis must be limited to the "non-codified section of DNA" and identity verification.19 The HDPA also advised that any methods allowing conclusions to be drawn about the personality traits of individuals from their DNA should be forbidden, including personality profiling.20 DNA should only be used to verify offenders' and victims' identities and for criminal investigations, and should be destroyed as soon as the intended aim has been achieved. Finally, the HDPA does not support any effort to collect and analyse genetic material for preventive purposes.21
In 2009 the HDPA issued Opinion No. 2/2009 on DNA analysis and the creation of a database of DNA profiles.22 In effect, the HDPA commented on a draft Bill amending the Greek Code of Criminal Procedure. The proposed amendment provided for the creation of a DNA database for crime investigation purposes, describing the conditions under which collection of a DNA sample would be mandatory. The same amendment also regulated the operation of the DNA database, in effect placing it outside the controlling power of the HDPA. In this opinion, the HDPA outlined its objections which, most notably, pertained to its authority in supervising the proposed DNA database as well as to the operation details of such database.
National and international data disclosure agreements
No specific information has been provided under this section.
While the current Greek Penal Law does address some cybercrimes, the penalties for violators are generally not severe, and when Greece tries to reduce cybercrime, the laws it passes generally do not correct the problem.23 One example of this can be seen in the government's attempt in the summer of 2002 to restrict electronic games. The primary goal was to stem the flow of illegal online gambling, but the law as drafted led to economic hardship for many arcade owners, Internet cafés, and computer games stores. Many closed or were forced to pay big fines for violations of the law. A side effect was to increase support for the illegal distribution of pirated copies of games. This ultimately led to its repeal.24
On 25 January 2008, the Greek authorities arrested a hacker in Greece who broke into the computer systems of France's Dassault Group and stole sensitive weapons technology data and sold it to a variety of countries.25
In 2007 the Child's Rights Protection Protocol became law. According to its provisions, the names of individuals who have allegedly committed crimes relating to child pornography may be published upon General Attorney's approval.26
In late 2009 the General Attorney of the Supreme Court published an expressed opinion; although it does not apply as law, it is followed in rem by the police authorities and the courts. According to this expressed opinion, in cases of defamation or verbal assault, personal communications data must be declassified in order to uncover the offender, even though the law does not order declassification in such cases.27
No specific information has been provided under this section.
In September 2000, the HDPA set out guidelines prohibiting the recording, use, monitoring, and retention of personal information from CCTV on a regular, continuous, or permanent basis.28 Recording is only lawful when it is done to protect individuals or goods, or for traffic violations, and in any case only under the principles of necessity and proportionality. In these exceptional cases, the HDPA must grant permission, and the rules on accuracy and notification must be followed. With respect to crime prevention or repression, the HDPA must grant special permission to judicial and legal authorities to use cameras, with strict guidelines for the use and retention of the images.
In May 2004, the HDPA approved a police request to operate CCTV cameras on the streets during the "operational phase" of the Olympics, as long as the cameras were not used after the Games.29 According to the HDPA's decision, the cameras could legally operate only from 1 July until 4 October 2004. Other conditions were that the cameras not be set up in such a way that they film the entrances or interiors of homes or record the conversations of passers-by, and that adequate signposting inform citizens that they are entering surveillance areas. The legal preconditions to using the video cameras include: (a) there is no receipt or record of images of the entrance or the interior of private homes; (b) the receiving and hearing of conversations of inhabitants or passing people is not possible; (c) the person is informed in a convenient and adequate way before he enters the range of the video camera (there must be an adequate number of distinguishable signboards in visible places) both that he is entering a place that is video recorded and the purpose of the video recording; (d) the rules of both security system and data storage are strictly followed; and (e) the data is only retained for seven days.30
Tough security measures, including military patrols, special commando units, and more than 1.000 surveillance cameras, were put in place for the 2004 Athens Olympic Games.31 Greek law enforcement authorities were provided with training and intelligence assistance from seven countries: Australia, Britain, France, Germany, Israel, Spain, and the United States.32 There was little concern about the violation of citizens' privacy through the use of these cameras.
In November 2004, the HDPA extended permission for the use of CCTV on the streets for another six months, as long as it was used only for traffic monitoring. All non-traffic uses were barred, including crime control. The use of cameras was allowed only in high-traffic locations and not in areas of low traffic or at places, squares, parks, pedestrian-precincts, and public assembly areas (e.g. theatre entrances). The cameras were to be set up in such a way that they did not film the entrances or interiors of homes, and sound pick-up should not be possible.33
In 2006, the police asked the HDPA for yet another extension to the use of this same surveillance system that had been operating in Athens since the 2004 Olympic Games. The HDPA extended its use until 24 May 2007 (Decision 39/2006), but also imposed a penalty (of €3,000) when it established that the police had breached the terms set by the HDPA (Decision 57/2006).
As noted above, in 2007 an amendment excluding CCTV cameras from the scope of the Data Protection Act was passed as Law No. 3625/2007.
The HDPA was informed that CCTV systems had been installed in two secondary schools in the prefecture of Karditsa. The HDPA considered the processing of pupils' and teachers' personal data, which was taking place in the school courtyard and the corridors, as unlawful. It deemed that such processing did not conform to the principle of proportionality, as its purpose (securing the premises and controlling vehicle/third party access) could be achieved using less intrusive means.34
In 2009 after a surge of robberies, practically all Greek banks installed surveillance entrance control systems, some of which retained the photographs of all customers who entered a specific bank branch on a given date. When a relevant case was brought to the HDPA's attention, it granted the bank an evaluation period of 12 months in order for the bank to justify its actions with concrete data.
Location privacy (GPS, mobile phones, location based services, etc.)
In May 2009, the HDPA decided to prohibit Google from photographing areas of Greece for use in Street View.35 In doing so, the HDPA prohibited vehicles manned by Google Street View drivers from entering the country.36 The agency did, however, offer to allow Google to take photographs if it was supplied with information concerning the length of time Google planned to store the photographs taken for use in Street View and explain how it intended to notify individuals who were liable to be photographed of their privacy rights.37 The agency indicated that Google's previous attempts to inform residents that they might be photographed were inadequate.38 The HDPA cited the protection of privacy rights as the basis for its action against Google.39 For similar reasons, the HDPA also prohibited the Greek surveillance company ISP Kapou from surveilling areas within Greece.40
For the purposes of national security and serious crime prevention/investigation, all anonymous mobile users were obliged to register with their mobile service providers by July 2010. Under the new law, anonymous users who refuse to register will have all mobile services terminated.41
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
No specific information has been provided under this section.
National ID and smart cards
On 4 May 2000, in a controversial but important ruling, the HDPA ruled that religious affiliations must be removed from State-issued identity cards. The decision was opposed by the Greek Orthodox Church and led to massive protests and challenges to the ruling.42 The strong connection between the Greek Orthodox Church and the State is notable as there is no separation between Church and State.43 In March 2001, Greece's highest administrative court upheld the ruling, finding that stating citizens' religious affiliation on the compulsory identity cards was unconstitutional.44 Prior to that, Greece was the only member of the European Union to require citizens to list their religious beliefs on citizen identity cards. The new Greek identity cards do not include religion, even on a voluntary basis. In addition to the removal of religious affiliation, new identity cards also no longer include fingerprints, names, or surnames of the cardholder's spouse, maiden names, professions, home addresses, or citizenship.
No specific information has been provided under this section.
In 2003, the HDPA struck down the use of biometric identity verification at Athens International Airport.45 The biometric system was intended to ensure that the passenger who checked in was the same person who actually boarded the airplane. While observing that such cases should be decided on a case-by-case basis, the HDPA ruled that collecting and processing iris and fingerprint data to verify passengers' identity was not permissible. Under the Greek Data Protection Act, gathering biometric data was unlawful because it exceeded its purpose. The HDPA noted that passenger identity could be ascertained in a "milder way" by requiring passengers to show an identity card along with their airplane tickets.46
- 1. Law No. 2225/94 (last amended 2003).
- 2. Law No. 3666/2008, Article 2 paragraph 7(a).
- 3. The Hellenic Authority for Communication Security and Privacy (ADAE)'s website, at http://www.adae.gr/portal/index.php?id=1&L=1.
- 4. Id.
- 5. ADAE letter to Privacy International, 11 September 2008, Registration Number 2077, on file with Privacy International and the Electronic Privacy Information Center.
- 6. Id.
- 7. "Greek Privacy Watchdog Fines Vodafone over Wiretapping Scandal", International Herald Tribune Europe, 14 December, 2006.
- 8. Id.
- 9. Article 29 Data Protection Working Party, 12th Annual Report for the year 2008, 16 June 2009, at 45, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 10. Greek Penal Code, Art. 370A.
- 11. Id., Art. 292A.
- 12. "Greece Fully Accepts SAIC Upgrade of Greek C41 Security Command System," SecurityInfoWatch.com, 6 February 2008 available at http://www.securityinfowatch.com/root+level/greece-fully-accepts-saic-up....
- 13. Id.
- 14. Id.
- 15. Id.
- 16. Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 15 March 2006, OJ L 105 13 April 2006, at 54, available at http://www.ispai.ie/DR%20as%20published%20OJ%2013-04-06.pdf.
- 17. Id.
- 18. Art. 29 Data Protection Working Party, Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, 13 July 2010, at 22, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_anne....
- 19. HDPA. Opinion. 15/2001, available in English at http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 20. Id.
- 21. Id.
- 22. See http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 23. Christos Panageas, Computer Crime and Misuse: The Case of Greece and the EU (2003) (unpublished B.S. thesis, City College of the University of Sheffield) (on file with EPIC).
- 24. Id. See also Amanda Castleman, "More Fallout Over Greek Game Ban," Wired.com, 13 February 2003, available at http://www.wired.com/news/games/0,2101,57305,00.html.
- 25. Jim Carr, "Hacker Arrested in Greece for Stealing, Selling Weapons Data," SC Magazine, 30 January 2008, available at http://www.scmagazineus.com/Hacker-arrested-in-Greece-for-stealing-selli....
- 26. Law No. 3625/2007, Art. 8.
- 27. Expressed Opinion No. 12/2009 of General Attorney of Supreme Court I. Tentes.
- 28. HDPA Directive on Closed Circuit Television Systems, 1122-26.09.2000, available in English at http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 29. "Privacy Watchdog Approves Use of Street Cameras, But Only During Games," Kathimerini, 5 May 2004.
- 30. Email from Fereniki Panagopoulou, supra. See also Hellenic Data Protection Authority, Decision 28/03.05.2004, available in Greek at http://www.dpa.gr/decs.htm.
- 31. "Athens to Be on Full Alert for Games," The Ottawa Citizen, 24 November 2000.
- 32. "Olympics: More to It than Games," The New York Times, 24 July 2001.
- 33. HDPA, Decision 63/2004, available in English at http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 34. Article 29 Data Protection Working Party, 12th Annual Report for the year 2008, supra.
- 35. Helena Smith, "Google Street View Banned from Greece: Greek Authorities Ban Google Street View Camera Cars Over Fears of Becoming a 'Big Brother' Society," The Guardian, 12 May 2009 available at http://www.guardian.co.uk/technology/2009/may/12/google-street-view-bann....
- 36. Id.
- 37. Id.
- 38. Id.
- 39. Id.
- 40. Id.
- 41. Law No. 3783/2009.
- 42. "Greek Church at War Over Plans to Change ID Cards," The Guardian, 24 May 2000.
- 43. Email from Fereniki Panagopoulou, to Cédric Laurant, Policy Counsel, Electronic Privacy Information Center, 25 June 2004 (on file with EPIC).
- 44. "Greek Church Causes Fresh Identity Crisis," The Guardian, 29 August 2001. See also HDPA, Decision 134/31.10.2001, available in English at http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 45. HDPA, Decision 52/05.11.2003, available in English at http://www.dpa.gr/portal/page?_pageid=33,43590&_dad=portal&_schema=PORTAL.
- 46. Id.