Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

I. Legal framework

Constitutional privacy and data protection framework

Article 96 of the Latvian Constitution established a fundamental human right to privacy: "Everyone has the right to inviolability of their private life, home and correspondence."1 All laws protecting privacy apply to citizens and non-citizens equally.2

Privacy and data protection laws and regulations

Comprehensive law

The Personal Data Protection Law was adopted by the Parliament on 23 March 2000 and came into force in January 2001.3 The law is based on standard fair information practices and is fully compliant with the EU Data Protection Directive 1995/46/EC. The Personal Data Protection Law has been amended several times. In 2007 the Personal Data Protection Law was amended to determine exemptions from the notification obligations and to simplify notification procedures.4 In 2008 the law was amended to limit data subjects' right to be fully informed about what has been collected about them, if such rights have been limited by specialised laws intended to preserve the financial interests of the State in the tax field. Additionally, these amendments allowed the processing of sensitive personal data in cases of claimed insurance compensation.

In 2009 the Personal Data Protection Law was amended. It was strengthened by giving data subjects the right to submit requests and receive answers from the data controller, as well as to appeal against the data controller's actions (or inaction) to the Data State Inspectorate.5 Additionally, the requirement to register data processing with the Data State Inspectorate was abolished in the following cases: the data subject has given consent; the data processing derives from contractual obligations or, subject to a request by the data subject, is necessary in order to conclude a contract; the data subject's personal (identification) code is processed in accordance with the requirements set by the law; processing of personal data is carried out for scientific or statistical purposes or for the purposes of genealogical studies. On the other hand, these amendments established a duty to register the processing of personal data with the Data State Inspectorate when personal data are transferred to a non-European Union or non-European Economic Association state; when processing of personal data is carried out for the purposes of providing financial services, carrying out market or sociological research, personnel selection or personnel evaluation (if this is done as a commercial activity or for the purposes of lotteries); when processing of personal data is related to health or crimes, criminal records, and administrative punishments. These amendments also abolished the requirement to register the data processor's internal and external auditors with the Data State Inspectorate, and delegated to the Cabinet of Ministers the responsibility to establish requirements for the auditor's report.

In 2010 the Personal Data Protection Law was further amended in order to widen the circumstances under which personal data may be processed to include purposes that were not initially envisaged (including in the sphere of criminal law), especially allowing processing of sensitive personal data in cases when patients data fixed in medical records are used for research purposes. The 2010 revision also eliminated the requirement to register  with the Data State Inspectorate if the data processor has instead registered a personal data protection specialist.6

Personal data protection law does apply to the police sector.7 It also regulates the protection of personal data that is recognised as an official secret, with the exceptions set out in the Law on Official Secrets.8 This law applies specifically to personal data related to criminal offences, criminal records, court decisions, and other court files, which can only be processed by persons prescribed by law on the occasions provided for by law.

Sector-based laws

Some specific provisions regarding the processing of personal data are contained in sector-based legislation such as, for example, the Law on Electronic Communication or the Law on Establishment and Use of National Database of DNA.9

Data protection authority

Supervision of personal data protection shall be carried out by the Data State Inspectorate(Datu valsts inspekcija), an institution established in 2001 and currently under the jurisdiction of the Ministry of Justice.10 In 2005 "The Concept" for independent institutions was developed under the Prime Minister's Order No. 484.11 The working group that developed the Concept recommended many amendments to the relevant legislation in order to ensure independent institutions could fulfil their functions efficiently. A second working group was created in January 2005 in order to implement requirements under Article 28 of Directive 1995/46/EC. This working group developed amendments to the Personal Data Protection Law, and agreed that eventually it will be necessary to develop a separate Law on Data State Inspectorate.12 The draft law was ready in 200613 but was substantially redrafted in 2008.14 For a number of years the work on this law and discussions were ongoing. Currently, adoption of a separate "Data State Inspectorate Law" has been postponed. The official reasons are that on 1 December 2009 the Lisbon Treaty came into force, and as a consequence changes in the context of the personal data protection laws are anticipated. Because the pillar system has been abolished and the European Union intends to develop a new framework for personal data protection in the police and judicial institutions. In addition, the Consultative Committee of the European Council is planning to develop recommendations on requirements for an independent personal data protection institution in the light of the judgment of the European Court of Justice in case No C-518/07 on the interpretation of the "independence" of the personal data protection supervisory authority as stated in the Directive 1995/46/EC.15

As of August 2007, the Data State Inspectorate had a staff of about 23 employees (rising to 25 employees in 2008), but the number of employees was reduced to approximately 19 in 2009. It is charged with the responsibility of: controlling compliance with the security requirements for information systems; reviewing complaints and issuing decisions and formal recommendations; maintaining the national registers of data processing systems (data processing systems were registered until 1 September 2007; since that date only data processing systems falling under one of a few exceptions provided by the law have to be registered), of data processing cases, and of personal data protections specialists; accrediting and controlling providers of certification services for digital signatures; controlling  compliance with the prohibition against sending unsolicited commercial announcements; issuing permission for the transfer of personal data to third countries; carrying out inspections and controlling personal data protection during the provision of information society's services in the field of electronic communications. The Data State Inspectorate is also authorised to impose administrative penalties for violations of personal data processing.16

In 2006, a draft amendment was submitted to the Cabinet of Ministers that stipulates criminal liability for illegal data processing if it is performed repeatedly within one year, or if it was performed by prior agreement by a group of persons .17 Draft amendments were again submitted to Parliament in 2007. These stipulated criminal liability for illegal data processing if significant harm resulted and specific intent could be shown.18 After completing the constitutional procedures the Criminal Law was amended in 2009 to create criminal penalties for publishing illegal personal data processing, if significant harm was done, or if performed by the data processor or operator for the purposes of revenge, obtaining material benefits, or blackmail, or with the hope of influencing the personal data processor or operator.19

In 2008 Latvia enacted substantial amendments to the Administrative Offences Code to impose more serious sanctions on certain offences, including violations of the Personal Data Protection Law.20 The amendments stipulate administrative liability for the unlawful processing of an individual's personal data and increase sanctions for other data offences.21

By the end of 2005, the Inspectorate had registered 625 systems, bringing the total number of registered personal data processing systems to more than 12,000.22 In 2006 the Inspectorate registered another 731 systems and between then and 1 September 2007 it registered an additional 769 systems. After that date, amendments to the Personal Data Protection Law entered into force, and the registration requirements were changed. Currently the Inspectorate registers personal data processing cases (controllers). For example, in 2009 the Inspectorate registered 384 cases of personal data processing and 93 changes in the information concerning the personal data processing. Out of these cases, the Inspectorate carried out pre-registration verification in 157 cases. These pre-registration verifications revealed two main problems, namely, the holding of an excessive amount of personal data in relation to the purpose of the processing, and the transfer of personal data to third parties without an appropriate legal basis.23

An alternative to registering as a personal data processor with the Data State Inspectorate is to employ  a personal data protection specialist who is certified by the Data State Inspectorate. In 2009 the Inspectorate certified 17 such specialists.24

In 2005, the Inspectorate considered 168 applications and provided 1,500 consultations to data controllers and citizens (via written answers as well as direct communication). The majority of the complaints received by the Inspectorate in 2005 involved illegal data processing in the process of collecting overdue loans and payments; lack of notification, particularly in medical services; and disproportionate data processing beyond the original purpose of the collection.25 In 2006 the Data State Inspectorate received 133 complaints.26 In 2007 it received 120 complaints, of which 30 were determined to be violations.27 In both 2006 and 2007 the primary source of complaints was processing without a legal basis.28 Since then, the Data State Inspectorate has been the supervisor of spam-related violations.29

In 2009 the Inspectorate received 158 written complaints concerning personal data processing.  By comparison, in 2008 the Inspectorate received approximately 140 written complaints, and provided more that 600 consultations.30 Primary concerns with respect to personal data processing in 2009 were related to publishing personal data on the Internet, video surveillance, and the loss of documents containing personal data. Particular problems were discovered in relation to creditors' use of  their debtors' personal data.

The Data State Inspectorate is also supervising personal data processing by Europol. Anyone has a right to access personal data stored by Europol, as well as to request corrections or deletions. Anyone also has the right to ask the Data State Inspectorate to verify the legitimacy of transferring the personal data to Europol.31

In the framework of the Article 29 Working Party (established by Article 29 of Directive 1995/46/EC), the Inspectorate and other EU Data Protection authorities are working to implement common data protection policies and practices.

Major privacy and data protection case law

The Mentzen case concerned the law requiring personal names of foreign origin to be "Latvianised" in official documents. The Latvian Constitutional Court ruled that the law does impinge upon the constitutional right to privacy, but the restriction was declared constitutional because it protected "the right of other inhabitants of Latvia to use the Latvian language on all of Latvia's territory and to protect the democratic order."32 The European Court on Human Rights dismissed the application, stating that the alleged violation is one that could be necessary in a democratic society.33

Footnotes