Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

The Penal Code has provisions against unlawful surveillance and interference with privacy.1 Evidence obtained by any violation of privacy, including that of the home, correspondence, or telecommunications, without the consent of the affected party is null and void.2 An inquiry was opened in October 1994 on illegal surveillance of politicians after microphones were discovered in the offices of a state prosecutor and several ministers.3 The Portuguese government ordered cellular telephone companies to assist with surveillance in October 1996.4 There are also specific laws on the SIS,5 cybercrime,6 and counselling centres.7

National security legislation

Law 67/98 on the Protection of Personal Data expressly applies to any processing of personal data for the purposes of public and state security.8

Data retention

In July 2008, a law requiring communication providers to store customer data for a period of one year was enacted.9 It is aimed at preventing serious crime through mandating the retention of data relating to communications made by telephone, text message, media message or email, where such data is likely to identify those communications' source, destination, time, and type.10 The data includes customer information, which includes personally identifying information as well as a user’s location.11 The law requires those handling communications data to be authorised and registered by the CNPD.12

National databases for law enforcement and security purposes

Decree Law 309/2007 was promulgated in an effort to fight fraud. It aims at regulating the linking of governmental databases and the government's methods for sharing data. The new law allows government bodies to access third party databases to aid their activities.13

National and international data disclosure agreements

There are no national nor international data disclosure agreements to report.

Cybercrime

Portuguese Law 109/2009 on Cybercrime was implemented in order to regulate and punish cybercrime, including perpetrators who unlawfully access others' IT system or deletes, modifies, or suppresses data stored electronically in an IT system.14 The penalties imposed by this legislation are not, however, contingent on the violation of any rights to the protection of personal data. Notwithstanding, the statute does impose procedural safeguards aimed at protecting personal data, namely by requiring judges to deliberate on whether data or documentation likely to reveal personal data apprehended in the course of an investigation ought to be allowed as evidence,15 and by requiring national authorities to act in conformance with the 1998 Law on the Protection of Personal Data when they cooperate with competent foreign law enforcement bodies.16

Critical infrastructure

There is nothing to report with respect to critical infrastructure.

Territorial privacy

Video surveillance

Law 207/200517 sets the means of any electronic (including video) surveillance for road safety used by law enforcement agencies.18 The system is limited to specific and determined purposes: catching traffic infractions, traffic control, locating stolen or illegal vehicles, and use as evidence of a crime.19 The installation of the surveillance methods should be directed, as much as possible, to capture images of vehicles.20 Information from the system may be released for didactic and statistical purposes, as long as no individuals or vehicles are identifiable.21 The CNPD published a clarification in response to many inquiries concerning the surveillance.22 The clarification states that according to the law these systems do not need CNPD approval. The equipment should be registered with the CNPD, and the make, model, and serial number of the surveillance equipment used is published on the CNPD website.

In 2006, Law 51/2006 on the use of video surveillance to monitor traffic as well as other incidents entered into force.23 That law grants permission to "Estradas de Portugal" (Roads of Portugal) to install roadway video surveillance equipment in the interests of road safety. All such installation is subjected, however, to the terms of Act No. 67/98, particularly the requirement of prior notification to the CNPD.

In August 2007, Portugal published a new law punishing improper handling of visual data with fines up to EUR 10,000 and directed captured images to be deleted if the threat did not actually materialise.24

In October 2008, three Portuguese cities were authorised to be equipped with CCTV cameras.25

On 14 July 2008, the CNPD issued an opinion on the use of video surveillance and set down conditions, including: using the system at night if possible, not recording sound, and preventing private houses from being recorded.26

Location Privacy (GPS, Mobile Phones, Location Based Services, etc.)

Article 7 of Law 41/2004 requires any company in the course of providing electronic communication services that process information about a data subject's location, to process that data anonymously.27 The data processor must also inform the data subject of the types of location data that will be processed, how long the data will be kept, and for what purposes the data is being processed.28

Travel Privacy (Travel Identification Documents, Biometrics, etc.) and Border Surveillance

A new vehicle identification system was introduced that requires all information about a vehicle to be stored on a chip-equipped driver's license.29 The government has addressed how such a system may impact privacy rights.30

National ID and smart cards

Law No. 7/2007 established a national identification card,31 or Cartão de cidadão ("Citizen Card"), which contains personal information about each citizen and is mandatory for all citizens. The use of the card has become widespread with thus far over 3.5 million card bearers.32 Details on the face of the card include parentage, date of birth, nationality, photograph, and the individual's civil, tax, health insurance, and social security numbers.33 The various numbers cannot be cross-referenced or interconnected other than in ways permitted by the data protection authority.34 The law also expressly prohibits retention of the card, including by photocopy, unless authorised by law.35 The card contains an integrated circuit which stores one's residential address, a fingerprint, digital authentication and digital signature certificates, space for further data elements as well as space for personal data of the choice of the individual.36 The law prohibits the physical detention, as well as photocopying, of the card without the consent of the card owner, except as otherwise prescribed by law.37 The biometric fingerprint may only be accessed upon the citizen's consent, and only the police and justice officials may otherwise compel a citizen to identify him or herself via the biometric fingerprint.38 The card has a document number, comprising the civil identity number plus extra digits, but the number is unique to the document – if the document is re-issued, the new document must have a different number.39 The digital certificates on the card are accessible only by the use of a PIN and are revocable, but must be replaced when revoked.40 A citizen is entitled to know what is contained in the card – including in electronic storage and in the files created during the issuance of the card – and has the right to correct information, suppress improperly collected information, and insert omitted information.41

RFID tags

In 2004, the CNPD published guidelines on the usage of Radio Frequency Identification (RFID) technology,42 biometrics,43 and surveillance systems.44 These guidelines establish the need for the registration of the databases connected to these systems, and determine the criteria for the use of such systems to comply with data protection principles. The data controller must not only comply with the terms of Law 67/98 on Personal Data Protection, but must also clearly label the RFID-capable product and issue a warning to its user whenever the RFID system is remotely activated.

Bodily privacy

The CNPD has issued guidelines on the use of biometrics in the workplace.45 These guidelines state that collecting biometric data for the purpose of monitoring a worker's productivity does not constitute per se a violation of the worker's bodily privacy,46 but the data subject may object to such processing of his or her data where there are "compelling legitimate grounds relating to his particular situation," as per the terms of Article 12, Act No. 67/98 of 26 October 1998. Collection of biometric data may not be carried out in a manner so intrusive that it violates the data subject's constitutional rights to personal identity, private life, and bodily integrity.47 Whether these rights have been violated depends on the purpose for which the data is to be used, which must be proportionate and non-discriminatory.48

Footnotes