II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
The Penal Code has provisions against unlawful surveillance and interference with privacy.1 Evidence obtained by any violation of privacy, including that of the home, correspondence, or telecommunications, without the consent of the affected party is null and void.2 An inquiry was opened in October 1994 on illegal surveillance of politicians after microphones were discovered in the offices of a state prosecutor and several ministers.3 The Portuguese government ordered cellular telephone companies to assist with surveillance in October 1996.4 There are also specific laws on the SIS,5 cybercrime,6 and counselling centres.7
National security legislation
Law 67/98 on the Protection of Personal Data expressly applies to any processing of personal data for the purposes of public and state security.8
In July 2008, a law requiring communication providers to store customer data for a period of one year was enacted.9 It is aimed at preventing serious crime through mandating the retention of data relating to communications made by telephone, text message, media message or email, where such data is likely to identify those communications' source, destination, time, and type.10 The data includes customer information, which includes personally identifying information as well as a userâ€™s location.11 The law requires those handling communications data to be authorised and registered by the CNPD.12
National databases for law enforcement and security purposes
Decree Law 309/2007 was promulgated in an effort to fight fraud. It aims at regulating the linking of governmental databases and the government's methods for sharing data. The new law allows government bodies to access third party databases to aid their activities.13
National and international data disclosure agreements
There are no national nor international data disclosure agreements to report.
Portuguese Law 109/2009 on Cybercrime was implemented in order to regulate and punish cybercrime, including perpetrators who unlawfully access others' IT system or deletes, modifies, or suppresses data stored electronically in an IT system.14 The penalties imposed by this legislation are not, however, contingent on the violation of any rights to the protection of personal data. Notwithstanding, the statute does impose procedural safeguards aimed at protecting personal data, namely by requiring judges to deliberate on whether data or documentation likely to reveal personal data apprehended in the course of an investigation ought to be allowed as evidence,15 and by requiring national authorities to act in conformance with the 1998 Law on the Protection of Personal Data when they cooperate with competent foreign law enforcement bodies.16
There is nothing to report with respect to critical infrastructure.
Law 207/200517 sets the means of any electronic (including video) surveillance for road safety used by law enforcement agencies.18 The system is limited to specific and determined purposes: catching traffic infractions, traffic control, locating stolen or illegal vehicles, and use as evidence of a crime.19 The installation of the surveillance methods should be directed, as much as possible, to capture images of vehicles.20 Information from the system may be released for didactic and statistical purposes, as long as no individuals or vehicles are identifiable.21 The CNPD published a clarification in response to many inquiries concerning the surveillance.22 The clarification states that according to the law these systems do not need CNPD approval. The equipment should be registered with the CNPD, and the make, model, and serial number of the surveillance equipment used is published on the CNPD website.
In 2006, Law 51/2006 on the use of video surveillance to monitor traffic as well as other incidents entered into force.23 That law grants permission to "Estradas de Portugal" (Roads of Portugal) to install roadway video surveillance equipment in the interests of road safety. All such installation is subjected, however, to the terms of Act No. 67/98, particularly the requirement of prior notification to the CNPD.
In August 2007, Portugal published a new law punishing improper handling of visual data with fines up to EUR 10,000 and directed captured images to be deleted if the threat did not actually materialise.24
In October 2008, three Portuguese cities were authorised to be equipped with CCTV cameras.25
On 14 July 2008, the CNPD issued an opinion on the use of video surveillance and set down conditions, including: using the system at night if possible, not recording sound, and preventing private houses from being recorded.26
Location Privacy (GPS, Mobile Phones, Location Based Services, etc.)
Article 7 of Law 41/2004 requires any company in the course of providing electronic communication services that process information about a data subject's location, to process that data anonymously.27 The data processor must also inform the data subject of the types of location data that will be processed, how long the data will be kept, and for what purposes the data is being processed.28
Travel Privacy (Travel Identification Documents, Biometrics, etc.) and Border Surveillance
A new vehicle identification system was introduced that requires all information about a vehicle to be stored on a chip-equipped driver's license.29 The government has addressed how such a system may impact privacy rights.30
National ID and smart cards
Law No. 7/2007 established a national identification card,31 or Cartão de cidadão ("Citizen Card"), which contains personal information about each citizen and is mandatory for all citizens. The use of the card has become widespread with thus far over 3.5 million card bearers.32 Details on the face of the card include parentage, date of birth, nationality, photograph, and the individual's civil, tax, health insurance, and social security numbers.33 The various numbers cannot be cross-referenced or interconnected other than in ways permitted by the data protection authority.34 The law also expressly prohibits retention of the card, including by photocopy, unless authorised by law.35 The card contains an integrated circuit which stores one's residential address, a fingerprint, digital authentication and digital signature certificates, space for further data elements as well as space for personal data of the choice of the individual.36 The law prohibits the physical detention, as well as photocopying, of the card without the consent of the card owner, except as otherwise prescribed by law.37 The biometric fingerprint may only be accessed upon the citizen's consent, and only the police and justice officials may otherwise compel a citizen to identify him or herself via the biometric fingerprint.38 The card has a document number, comprising the civil identity number plus extra digits, but the number is unique to the document â€“ if the document is re-issued, the new document must have a different number.39 The digital certificates on the card are accessible only by the use of a PIN and are revocable, but must be replaced when revoked.40 A citizen is entitled to know what is contained in the card â€“ including in electronic storage and in the files created during the issuance of the card â€“ and has the right to correct information, suppress improperly collected information, and insert omitted information.41
In 2004, the CNPD published guidelines on the usage of Radio Frequency Identification (RFID) technology,42 biometrics,43 and surveillance systems.44 These guidelines establish the need for the registration of the databases connected to these systems, and determine the criteria for the use of such systems to comply with data protection principles. The data controller must not only comply with the terms of Law 67/98 on Personal Data Protection, but must also clearly label the RFID-capable product and issue a warning to its user whenever the RFID system is remotely activated.
The CNPD has issued guidelines on the use of biometrics in the workplace.45 These guidelines state that collecting biometric data for the purpose of monitoring a worker's productivity does not constitute per se a violation of the worker's bodily privacy,46 but the data subject may object to such processing of his or her data where there are "compelling legitimate grounds relating to his particular situation," as per the terms of Article 12, Act No. 67/98 of 26 October 1998. Collection of biometric data may not be carried out in a manner so intrusive that it violates the data subject's constitutional rights to personal identity, private life, and bodily integrity.47 Whether these rights have been violated depends on the purpose for which the data is to be used, which must be proportionate and non-discriminatory.48
- 1. Penal Code, Chapter VII, Â§Â§ 190-98, available at http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=109&tabe....
- 2. Code of Penal Procedure, Article 126, paragraph 3, available at http://www.pgdlisboa.pt/pgdl/leis/lei_mostra_articulado.php?nid=199&tabe....
- 3. "Bug Found in Portuguese State Prosecutor's Office," Reuters European Business Report, 27 April 1994.
- 4. "Portugal to Tap Mobile Phones in Drugs War," Reuters World Service, 9 October 1996.
- 5. Law No. 2/94 of 19 February 1994 (Estabelece os mecanismos de controlo e fiscalização do Sistema de Informação Schengen), available at http://www.cnpd.pt/bin/text/legis/nacional/lei_294.htm.
- 6. Law No. 109/2009 of 15 September 2009 (Sobre a Lei do Cibercrime) (Law on Cybercrime), available at http://dre.pt/pdf1sdip/2009/09/17900/0631906325.pdf.
- 7. This law creates a duty of confidentiality for counseling centers, Article 15, Law No. 3/84 (Educação sexual e planeamento familiar).
- 8. Law 67/98, op. cit., at Art. 4 (7).
- 9. Law No. 32/2008 (TranspÃµe a Directiva da Retenção de Dados, relativa Ã conservação de dados das comunicaçÃµes electrónicas), July 2008, available at http://www.cnpd.pt/bin/legis/nacional/Lei32-2008_retencao_dados.pdf.
- 10. Id. at Article 4.
- 11. Brett Allan King, "Portugal Cabinet Urges One Year Retention of Communication Provider Customer Data," BNA Privacy and Security Law Report, 24 September 2008, available at http://www.bna.com.
- 12. Id.
- 13. Decree Law No. 309/2007, available at http://www.dre.pt/pdf1sdip/2007/09/17300/0633606340.PDF.
- 14. See http://www.dre.pt/pdf1s/2009/09/17900/0631906325.pdf.
- 15. Id., at Art. 16(3).
- 16. Id., at Art. 20.
- 17. MinistÃ©rio da Adminstração Interna, Decreto-Lei No. 207/2005, 29 November 2005, available at http://www.dre.pt/pdfgratis/2005/11/229A00.pdf.
- 18. Law No. 207/2005 of 29 November 2005, available at http://www.cnpd.pt/bin/legis/nacional/DL207-2005-RADARES.pdf.
- 19. Id. at Article 10.
- 20. Id. at Article 3.
- 21. Id. at Article 18.
- 22. CNPD, "Sistemas de VigilÃ¢ncia Electrónica Rodoviária Utilizados Pelas Forças de Segurança: Esclarecimento da CNPD," 16 May 2006, available at http://www.cnpd.pt/bin/relacoes/comunicados/16-05-06.HTM.
- 23. Article 29 Working Party on Data Protection, Tenth Annual Report, June 2007, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/10th_annua....
- 24. Law 33/2007, available at http://www.cnpd.pt/bin/legis/nacional/Lei33-2007-vvg-táxis.pdf.
- 25. Oporto, Portimão and Fátima. "Big Brother Will Be Watching You," The Portugal News Online, 25 October 2008 http://theportugalnews.com/.
- 26. Available at http://www.cnpd.pt/bin/decisoes/2008/htm/par/par27-08.pdf.
- 27. Article 7 (1) of Decree-Law No. 41/2004, 18 August 2004, available at http://www.cnpd.pt/bin/legis/juris/decisoes/Lei41-2004.pdf.
- 28. Id., at Article 7(4).
- 29. Decree-Law No. 112/2009, 18 May 2009, available at http://dre.pt/pdf1sdip/2009/05/09500/0310703118.pdf /.
- 30. Decree-Law No. 112/2009, 18 May 2009, available at http://dre.pt/pdf1sdip/2009/05/09500/0310703118.pdf /.
- 31. Law No. 7/2007, of 5 February 2007, creating a citizen's card and regulating its use and emission, available at http://www.cnpd.pt/bin/legis/nacional/Lei7-2007-cartao-cidadao.pdf; see also http://www.cnpd.pt/bin/legis/leis_nacional.htm.
- 32. At http://www.cartaodecidadao.pt/index.php?option=com_content&task=view&id=....
- 33. Article 7, Law No. 7/2007 of 5 February 2007, available at http://www.cnpd.pt/bin/legis/nacional/Lei7-2007-cartao-cidadao.pdf.
- 34. Article 16, Law No. 7/2007 of 5 February 2007, supra.
- 35. Article 5(1) Law No. 7/2007 of 5 February 2007, supra.
- 36. Article 8, Law No. 7/2007 of 5 February 2007, available at http://www.cnpd.pt/bin/legis/nacional/Lei7-2007-cartao-cidadao.pdf.
- 37. Article 5(3), Law No. 7/2007 of 5 February 2007, supra.
- 38. Article 14, Law No. 7/2007 of 5 February 2007, supra.
- 39. Article 17, Law No. 7/2007 of 5 February 2007, supra.
- 40. Article 18, Law No. 7/2007 of 5 February 2007, supra.
- 41. Article 39, Law No. 7/2007 of 5 February 2007, supra.
- 42. Comissão Nacional para a Protecção de Dados, "Identificação por radiofrequÃªncia," 13 January 2004, available at http://www.cnpd.pt/bin/decisoes/2004/htm/del/del009-04.htm.
- 43. Comissão Nacional para a Protecção de Dados,"Principles for the use of biometric data in controlling access and monitoring hours worked," 26 February 2004, available at http://www.cnpd.pt/bin/orientacoes/principiosbiometricos.htm.
- 44. Comissão Nacional para a Protecção de Dados, "PrincÃpios sobre o tratamento de videovigilÃ¢ncia," 19 April 2004, available at http://www.cnpd.pt/bin/orientacoes/principiosvideo.htm.
- 45. Comissão Nacional para a Proteção de Dados,"Principles for the use of biometric data in controlling access and monitoring hours worked," 26 February 2004, supra.
- 46. Id., at paragraph 28.
- 47. Id., at paragraph 44.
- 48. Id., at paragraphs 49-52.