Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The Constitution and the law limit government observation of and intrusion into individuals' privacy. Under a Criminal Procedure Law, as well as a Law on Operational Activities,1 wiretapping requires a warrant issued by a judge upon the request of a prosecutor. In urgent cases it may be issued by the prosecutor, but it has to be affirmed by the judge within the next three days.2 Police and security services may, with this warrant, engage in surveillance and monitoring activities on the grounds of national security, law enforcement, and important financial or economic interests of the state. In practice, the boundaries of lawful surveillance are still being determined, with the emergence of new national and international case law. The list of potential surveillance targets, covered by the Law on Operational Activities, is not exhaustive, and includes "other persons and events related to the state security."3 In addition, the law does not include a principle of proportionality – it does not contain a requirement to assess the reasonable relationship between the means employed and the aim sought to be achieved.

Courts tend to issue warrants for surveillance without strict scrutiny. In 2006 the Commission for Parliamentary Scrutiny of Intelligence Operations stated that courts had sanctioned surveillance too informally and without careful consideration.4 This statement was based on the data received from different state institutions; for example, the Lithuanian Customs office stated that in 2004-2006, courts issued two warrants for secret checks of mail and posted documents, 604 for use of special technical equipment, and 217 for taped telephone conversations. Only once during the period of 2004-2006 did a court refuse an application for surveillance activities.

The Chairman of the Human Rights Monitoring Institute (HRMI) Steering Committee has stated that there is no clear procedure for when calls may be intercepted and when not.5 There is no need to have very serious proof that a crime was committed.6 The mere assumption that such a crime could be committed is sufficient for starting the wiretapping. After this happens, it is not necessary to submit the case to the court. In addition, no one explains what happens with the records. The records may be stored in the archives, copied, and later on distributed for various purposes. Moreover, there is a huge potential to intercept all phone calls of important people.7

In 2004, the press announced that the State Security Department has the ability to tap mobile phones without any restrictions.8 Representatives of the major telecommunication companies admitted that, taking into account current technical possibilities for the operational activity services to intercept mobile phone calls, the companies couldn't control whether the officers are tapping only those subscribers indicated in the court order. There is a lack of the detailed procedure guaranteeing that the officers would control only those subscribers indicated in the court order and only during the foreseen period of time. The institution nominated for the control of electronic communications, i.e., the State Security Department, is the same institution that conducts operational activities and pre-trial investigations.9 The Report of the HRMI states that this is a malpractice and suggests the control of electronic communications should be allocated to another institution than the State Security Department.

The excessive use of wiretapping is particularly troubling given published leaks of collected information. In 2004, phone conversations between Parliament members who were suspected of being corrupted and private persons were publicised. These conversations were broadcast on TV and radio and publicly discussed. The heads of the law enforcement institutions, the Deputy General Prosecutor and the Head of Vilnius Board of the Special Investigation Service, called for publicising the private conversations between the Parliament members and private persons.10

A 2005 survey on "How the Society Evaluates the Human Rights Situation in Lithuania" assessed the level of tolerance for interference with the private life of the respondent and of the public person.11 Respondents totalling 1,005,12 from 19 cities and 59 villages, participated in the survey. Almost 80 percent of the respondents negatively evaluated the possibility to publicise their telephone conversations, but only about one-fifth of the respondents thought that publicising the conversations of a well-known politician would violate his or her right to private life.13 For most of the people, the decisive criterion on admissibility to limit private life is the person's status in the society.14 The threshold for the privacy protection of well-known politicians, i.e., public persons, is rather low.15

One particular case may be noted where the Special Investigation Service tapped the phone of the mayor of Vilnius city; later, a special agent of this service handed the telephone records over to journalists.16 The agent received only a strict warning from the Head of the Special Investigation Service, who admitted that the agent caused a lot of trouble for the Special Investigation Service. However, the agent's actions were evaluated in a liberal manner. The Head of the Special Investigation Service also denied that the agent acted with the knowledge of the superior officers.17

On 26 June 2003, the Parliament (Seimas) of the Republic of Lithuania passed a resolution to ensure the protection of personal information managed by government agencies.18 There are specific privacy protections in laws relating to telecommunications,19 statistics,20 the population register,21 and health information.22 The Criminal Code provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves, and impact on computer information.23 The new Criminal Process Code requires a judge's authorisation for the search of premises of an individual. The seizure, monitoring, and recording of information transmitted through telecommunications networks or surveillance must also be court-ordered.24 Civil laws provide for compensation for moral damage because of dissemination of unlawful or false information demeaning the honour and dignity of a person in the mass media.25

The safety of classified information remains problematic. There were instances in 2006 when classified information was leaked and publicised. For example, the State Security Department (SSD) detained an editor of a newspaper for attempting to publish an article based on classified information. Although there had been an intelligence information leak, the negative consequences were borne only by the editor – he was arrested and the newspaper edition was confiscated. The SSD director publicly stated that an intensive investigation would be carried out for identification of responsible persons;26 however, in May 2006, they were not identified. To secure better protection of classified information, HRMI supports a more effective application of the existing legal norms, which enable initiation of pre-trial investigations and punishment of guilty persons. In addition, the law should define clear and precise safety rules and foresee deterrent sanctions.

The Inspector of Journalistic Ethics noted that the data protected by the LLPPD, such as personal identification number, family status, incapacities for work, health, are too often publicised without the public interest. In particular, he drew attention to publicised information about debtors (those indebted to the mobile communication companies, municipality companies).27 The Inspector of Journalistic Ethics said in his report that a public announcement of debtors in the newspapers and other mass media initiated by the creditors is not lawful and violates the rights of these persons. Creditors do not have a right to disseminate information about debtors' solvency.28 Some of the companies consider this an effective measure in the fight against the debtors' insolvency.29 However, publicising such information should not become a precedent in the democratic society.30 Currently, the amendments to the LLPPD concerning rules for personal data processing for the purposes of solvency evaluation and debt management are pending in the Parliament.31

In 2009 the press again announced that the tendencies of wiretapping in 2008 and 2009 remained the same: the number of requests for wiretapping provided by the SSD to the judges was so high that the judges issued warrants without sufficient time to dwell on them more carefully.32

In October 2009 information spread around in public discourse about the wiretapping of journalists performed by the SSD.33 As it turned out later, the Å iauliai District Court issued a warrant to wiretap Vilnius journalists upon the request of the SSD.

The Commission for Parliamentary Scrutiny of Intelligence Operations, which investigated the wiretapping of the journalists, stated that subjects of operational activities could in fact wiretap any person and sometimes this is being carried out in violation of the law.34 It also found that the requests for wiretapping were not always submitted by the prosecutors, as sometimes entities of operational activities applied straight to the judges themselves, thus acting in violation of the law. The Commission also criticised the lack of an integrated information system in Lithuania where information regarding the warrant issue would be available for all the courts in Lithuania. The present situation allows someone to reapply to a different court in a different city requesting a warrant for wiretapping if the first request is not granted.

National security legislation

No specific information has been provided under this heading.

Data retention

The government adopted a resolution that affects Internet privacy.35 The Resolution introduces data retention requirements for hosting service providers. They are required to log operations with data and content hosted on their servers and to provide them free of charge, along with the personal data of the individual and entities using the hosting services, to criminal investigators and other law enforcement authorities. However, the obligation to provide such data is limited to data necessary for normal business operations, following the September 2002 Constitutional Court decision.36

On 15 April 2004, the Parliament adopted Law No. IX-2135 on Electronic Communications,37 which replaced the former Law on Telecommunications. The law implements all of the EU directives of 2002 on electronic communications, including the EU Directive on Privacy and Electronic Communications (2002/58/EC), and is aimed at regulating the operation of electronic communications in Lithuania.38

In March 2006, the European Union amended the EU Directive on Privacy and Electronic Communications by enacting the Directive 2006/24/EC (Data Retention Directive), which requires Member States to require communications providers to retain communications data for a period of between six months and two years.39 Though Lithuania was among the 16 Member States that have declared that they would delay the implementation of data retention of Internet traffic data for the additional period, the relevant amendments were made to the Law on Electronic Communication and came into force on 15 March 2009.40

Annex No. 1 to the Law on Electronic Communication lists the categories of data to be retained, which is identical to Article 5(1) of Directive 2006/24/EC. According to the Law on Electronic Communication Data, retention period for traffic data in Lithuania is six months and an additional six months if this data is necessary for operational investigation services, pre-trial investigation institutions, prosecutors, courts, or judges to prevent, investigate and detect criminal acts.41

National databases for law enforcement and security purposes

Lithuania joined Schengen Information System in September 2007. The System contains data on certain wanted/controlled persons and objects that can be accessed by relevant Lithuanian law enforcement agencies.42

National and international data disclosure agreements

In 5 June 2008, Lithuania ratified an Agreement between the European Union and the Unites States of America on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the US Department of Homeland Security (DHS).43 On 21 May 2009, Lithuania ratified a similar agreement concerning the processing and transfer of European Union-sourced PNR data by air carriers to the Australian Customs Service.44

The EU Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters has not been transferred into Lithuanian national laws yet.45 The draft version of the Law on legal protection of personal data processed in the framework of police and judicial cooperation in criminal matters, however, has already been prepared by the State Data Protection Inspectorate and presented for coordination in February 2010.46

Cybercrime

The Criminal Code of Lithuania provides for criminal liability for crimes against security of electronic data and information systems.47 Article 196 states, "A person who unlawfully destroys, damages, removes, or modifies electronic data or technical equipment or software or otherwise restricts the use of such data thereby incurring major damage shall be punished by community service,  by a fine, or by imprisonment for a term of up to four years." A person who unlawfully disturbs or terminates the operation of an information system thereby incurring major damage, or a person who unlawfully observes, records, intercepts, acquires, stores, appropriates, distributes, or otherwise uses the electronic data which may not be made public is subject to a fine or imprisonment. A legal entity shall also be held liable for these acts. A person who unlawfully connects to an information system by damaging the protection means of the information system shall be punished by community service, by a fine, or by imprisonment for a term of up to one year. A person who unlawfully produces, transports, sells or otherwise distributes the installations of software, also passwords, login codes, or other similar data directly intended for the commission of criminal acts or acquires or stores them for the same purpose shall be punished by community service, by a fine, or by imprisonment for a term of up to three years. A legal entity shall also be held liable for these acts.

Critical infrastructure

No specific information has been provided under this heading.

Territorial privacy

Video surveillance

As previously reported, the latest amendments of the LLPPD of 1 January 2009 introduced a new chapter on video surveillance, which includes a definition of the concept of video surveillance, rules for installation of video surveillance devices, and notification to data subjects and processing of collected video data. These amendments to the LLPPD addressed the issue of video surveillance and created procedures that must be followed.48 Among other things, the amendments require notification of public surveillance and prohibit surveillance in the workplace, except in cases to ensure safety.49

More and more companies and organisations have established video surveillance systems in public places. As of 2004, the Inspectorate had not yet made a systemic legal analysis on the use of video surveillance measures and had limited itself to the review of single complaints.50 In the absence of proper legal safeguards, in 2006 the HRMI observed a noticeable increase in establishment of video surveillance systems. In Vilnius, streets are monitored now by over 200 cameras.51 A growing number of video cameras had been installed in Kaunas, Klaipėda, Panevėžys, Šiauliai. and Kėdainiai.52 Vilnius municipality planned to allocate LTL2 million (approx. €580,000) each year for the maintenance of the system.53 Kaunas spends nearly LTL50,000 (approx. €14,500) each month for maintenance of its systems.54 The claims about the usefulness and effectiveness of video surveillance systems without a cost-benefit analysis remain questionable. In addition, public notice regarding video surveillance systems is lacking, and no signage regarding cameras in public places has been installed. On 20 March 2006, groups in Vilnius celebrated the "International Day Against Video Surveillance".

In March 2010, press announced that a secret video and audio surveillance system was installed in a night club "Paradoksas" in KlaipÄ—da. Supposedly, the surveillance system was installed in 2008 and was used to collect private information about the visitors to the club.55 KlaipÄ—da County Police Headquarters and KlaipÄ—da Regional Prosecutor's Office have started a pre-trial investigation on the issue.56 Another article reported a detention of suspects in Vilnius as a result of a video surveillance: a girl was noticed on surveillance cameras consuming alcoholic drinks in a public place and consequently was detained; and two men were noticed stealing a mobile phone and also were detained.57

Location privacy (GPS, mobile phones, location based services, etc.)

No specific information has been provided under this heading.

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

Pursuant to EU Council Regulation No. 2252/2004 on standards for security features and biometrics in passports and travel documents issued by the member states,58 on 8 August 2008, Lithuania started issuing passports containing biometric data (facial image) and secured by basic access control. Moreover, the roll-out of new Lithuanian Passports following the "EU model" was to commence on 2 January 2008.59

National ID and smart cards

Recently, Lithuania started to issue passports with biometric data to Lithuanian diplomats. In 2006, the Parliament amended Laws on Regular Passport,60 Official Passport,61 and State Registry62 to introduce the use of biometric data (digital images of the face and fingerprints) in all passports and information storage in the state register. The European Union Regulation regulating personal biometric data and its storage provided Member States with discretion in deciding whether to store data only in the personal document or in the state registry as well. The HRMI urged members of Parliament while voting for amendments of law to take into consideration that biometric data storage in one centralised state database may put at risk the safety of stored information and leave possibilities for its leak.63 The HRMI publicly opposed information storage in a centralised state registry; however, the law amendments were adopted and parliamentarians’ discussion was limited only to the costs incurred in application of the new technology. Information provided to the public took the form of a public relations campaign and advertising portraying the adoption of biometric passports as an attractive innovation which increases the security of society,64 without discussing the privacy implications. Passports that follow the EU Model for access to biometric data started to be issued in January 2008.65

Another important issue concerning passports relates to writing of non-Lithuanian characters in the passports of Lithuanian citizens. On 6 November 2009, the Constitutional Court of Lithuania submitted clarification regarding the writing of name and surname in the passport of a citizen of Lithuania. Though in general it is prohibited to write a person's name and surname in any other characters but Lithuanian in the passport, the Constitutional Court submitted that a legislature had a discretionary power to allow inclusion in some section of the same passport of a name and surname in non-Lithuanian characters and in non-grammatical form, if the person so wishes.66

RFID tags

No specific information has been provided under this heading.

Bodily privacy

A big issue of concern is a report, published in media several times, of surveillance cameras hidden in solariums, beauty salons, or cosmetology rooms. Last year the State Data Protection Inspectorate, upon an anonymous complaint, investigated the "Bovary" beauty saloon in Vilnius, and found eight cameras installed in almost every room, including the dressing-rooms of the employees and the cosmetology rooms. Upon the administrative law offence protocol submitted by the Inspectorate, Vilnius First Circuit Court fined the company LTL600 (approx €175)in April 2010.67

Footnotes