II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
The right to privacy of communication is guaranteed by the Constitution1 and is also covered by Article 150 of the Penal Code that prescribes sanctions for the violation of the secrecy of means of communication. This article prohibits unauthorised opening of letters and other postal messages and interception of messages transmitted via telecommunications networks, or reading of their contents without opening a letter or other postal messages. Similarly, it prohibits unauthorised acquaintance with the content of a message transmitted by telephone or other telecommunications equipment, as well as the unauthorised forwarding of someone's letter to a third party. Article 151 further prohibits the publication of private communications without consent by the authorised person.
Privacy of communication may only be invaded by a court order, and if such an invasion is deemed necessary for the purpose of criminal proceedings, or in order to protect the security of the state. In Slovenia, this area is regulated by the Criminal Proceedings Act and the Slovenian Intelligence and Security Agency Act (SISAA) and carried out by the police and Slovenian Intelligence and Security Agency (SOVA).2
The Criminal Proceedings Act includes a detailed list of criminal offences and cases in which the privacy of communications may be invaded (with a court order), but the SISAA is not as specific. For example, it stipulates that state security is threatened by "activities aimed against…the strategic interests of the Republic of Slovenia", but experts draw attention to the problems potentially arising from such wording, which enables broad interpretations of "strategic interests" in contrast to other more well-defined criminal offences. However, the SOVA does not prosecute criminal offenders. If it deals with a suspected criminal offence, it must provide information about it to the director general of the police force and the public prosecutor. SOVA is compelled to inform the Prime Minister about its activities and findings, as well as the President of the Republic, the President of the National Assembly and other ministers if these activities are related to their fields of competence.
In general, a judge's warrant must be issued prior to a house search or telephone tapping. A new Law on the Police, adopted in 1998, allows secret observation and following, and secret police collaboration, to be authorised under very special circumstances by a General Police Director.3 However, the wording of the SISAA allows for potential abuse on the part of the SOVA, because it could result in SOVA acquiring too easily a court warrant for communications interception.
Article 50 of the Postal Services Act states that providers of postal services should enable an authorised body to access, on the basis of a court order, the content of post. Both telephone operators and providers of postal services must ensure an indelible record of such moves.4
In 2008, the Commissioner lodged a request for a constitutional review of the Slovenian Intelligence and Security Agency Act, a review of the provisions regarding strategic telecommunications supervision, which implies the emergence of personal data filing systems.5 The Commissioner requested that the Constitutional Court determine the discrepancies between certain provisions of the Act and Article 38 of the Constitution (basic human right to data protection or information privacy).6 The Commissioner also requested that the Court determine whether the provisions of the Act were in accordance with Article 37 of the Constitution, which provides for communication privacy and defines the conditions and limitations regarding breaches of this fundamental right.7 Communication privacy may only be suspended under very strict conditions, for the institution or course of criminal proceedings or for reasons of national security when prescribed by law and on the basis of a court order. The Constitutional Court rejected the Information Commissioner's request for formal reasons, as the applicant did not show that the question of constitutional review arose in connection with a procedure he was conducting, and therefore the procedural conditions had supposedly not been fulfilled. The Constitutional Court was of the opinion that the Security Agency Act is precise enough in defining that wiretapping of international communications (so-called strategic surveillance of international communications) is only allowed when the telephone number and person are not defined. It has to be stressed that during the inspection process the Commissioner found that the surveillance was conducted according to a specific telephone number and hence an identifiable person.
The law, however, does not allow for strategic surveillance of international communications, but the constitutional legal question in this case was whether strategic surveillance of international communications can be allowed by the director of the Surveillance Agency, as the law stipulates, or whether only the court has that power, as the Constitution demands. The question remains unanswered. The Commissioner was of the opinion that the article giving the director the power to order surveillance was unconstitutional.
On 1 May 2004, the Electronic Communications Act came into effect. This Act regulates Internet communications, is compatible with the EU Privacy and Electronic Communications Directive, and replaces the former Telecommunications Act. Article 104 is about traffic data. It requires that subscribers' and users' traffic data processed and stored by an operator be erased or made anonymous as soon as it is no longer needed for the transmission of a message. Operators may store and process traffic data required for billing and interconnection payments only until payment for services or if they have the user's prior consent. Location data other than traffic data relating to users may be processed only in anonymous form or on the basis of the user's prior consent, according to Article 106. Article 107 states that operators shall be obliged at their own expense to ensure adequate equipment and appropriate interfaces enabling lawful interception of communications in their networks, and that the minister for information society shall prescribe the equipment and determine appropriate interfaces by ordinance, in agreement with the minister for internal affairs, the minister for defence, and the director of SOVA.
On 1 June 2004, an important discussion took place at a meeting among representatives of the Ministry of Information Society, the Ministry of the Interior, police authorities and some Internet service providers (ISPs) (including a representative of SISPA, the Slovenian ISP association) to discuss the implementation of the requirement of the Electronic Communications Act that compels operators to pay the expenses for equipment enabling lawful interception of communications in their networks.8 Since these expenses were estimated to be between €100,000 and €700,000 per operator, small ISPs had a good reason to fear for their survival. In response to those concerns, representatives of the Ministry of the Interior and the police proposed to create one central interception centre to decrease the costs per operator.9 Concerns were also shared that small ISPs may not have enough people and expertise to operate interception devices. The police offered to help manage them.
The Act on Electronic Communications was amended in December 2006 in order to transpose the EU Data Retention Directive into the Slovenian legal system.10 The amendments foresaw a 24-month retention of traffic data; both the Information Commissioner and members of civil society criticised the amendment. The amendment concerning data retention of telephony services entered into force on 15 September 2007, whereas data retention in the field of Internet, email and Internet telephony entered into force on 15 March 2009. Inspections concerning retention of traffic data are assigned to the Information Commissioner.
As reported above, the Electronic Communications Act (ZEKom-B)11 was recently amended in 2009. The amendment to the Act shortened the data retention period (from 24 months to 14 months for telephone communications and eight months for Internet communications) and defined new rules (with appropriate safeguards) for fast disclosure of traffic and location data in cases involving the protection of human life.
National databases for law enforcement and security purposes
No specific information has been provided under this section.
Intrusion into a computer system is the subject of Article 242 of the Penal Code, but such an intrusion is punishable only if it is connected with business dealings, and made with the aim of acquiring illegal property-related benefits, or causing material harm to others.12 Article 154 provides for sanctions and prohibits any use of personal data that is in breach of the law, or any intrusion into an electronic database for the purpose of obtaining some item of information for personal use or for a third party's use. Article 225 also prohibits unauthorised access to an unprotected database, the modification and copying of its content, or the insertion of viruses. The conditions under which personal data may be gathered, processed and used are regulated by the PDPA.
Video surveillance is covered in the PDPA and the Private Protection Act that was enacted in November 2003. The PDPA requires that administrators of video surveillance systems publish a notice about video surveillance. The notice must contain information about who is performing video surveillance, where, and where an individual can get information about data retention periods. The video surveillance system must be protected from unauthorised access. Article 43 of the Private Protection Act allows video surveillance systems to be operated only by private guards with a license. The law contains provisions about maximum retention periods of video and audio data. It also mandates video surveillance users to notify people about the monitoring. Failure to notify can carry penalties of up to €12,500.
In 2006, the Information Commissioner inspected the unlawful video surveillance that was going on for some years in a well-known shopping mall. Paragraph 3 Article 77 of the PDPA clearly states that video surveillance shall be prohibited in work areas outside of the workplace, particularly in changing rooms, lifts and sanitary areas. The inspection procedure performed by the Information Commissioner revealed that the shopping centre had indeed been conducting video surveillance in changing rooms, thus breaching the individual's right to privacy in national data protection legislation. This case was given great publicity which resulted in an overflow of complaints against several applications of video surveillance that eventually led to both greater awareness as well as increased respect of legal provisions governing video surveillance.13
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
Slovenia is included in the US visa waiver program and is required to produce biometric passports. Slovenia began issuing the passports in August 2006.14
National ID and smart cards
Slovenia has ID cards. The ID Card Act requires all adults to have and carry a valid ID card with a photograph (Article 2) and to show it to authorities when required. Non-compliance with this requirement carries fines of up to €420.15
Article 79 of the PDPA states that biometric measures in the public sector may only be provided for by statute if it is required for the security of people or property or to protect secret data and business secrets and if this purpose cannot be achieved by milder means. Irrespective of this provision, biometric measures may be provided by statute where they involve compliance with obligations arising from binding international treaties or for identification of individuals crossing state borders. This provision provides legal ground for the introduction of biometric passports that were introduced in 2006 to comply with US VISA Waiver Program (VWP) requirements.16
Article 80 of the PDPA regulates that the private sector may implement biometric measures only if they are necessarily required for the performance of activities, for the security of people or property, or to protect secret data or business secrets. Biometric measures may only be used on employees if they were informed in writing thereof in advance. If the implementation of specific biometric measures in the private sector is not regulated by statute, a data controller intending to implement biometric measures shall, prior to introducing the measures, be obliged to supply the Information Commissioner with a description of the intended measures and the reasons for the introduction thereof. The Information Commissioner is obliged to decide within two months whether the intended introduction of biometric measures complies with the PDPA.
The Information Commissioner received 40 applications concerning the implementation of biometric measures during 2007, 16 applications in 2008, whereas in 2009 it received just 10 such requests, which means that the number of such applications is decreasing. Six decisions as to the admissibility of biometric measures were issued in 2009, of which two had been lodged in 2008; one application was withdrawn by the applicant. Four decisions vindicated the implementation of biometric measures; limited implementation was approved in three instances, while two decisions explicitly proscribed the introduction of biometric measures.17
Police have a right to take a picture, fingerprints, and saliva samples from suspects, as provided by Article 149 of the Criminal Proceedings Act. Police can also use DNA samples for criminal investigations.
- 1. Cfr. Section "Constitutional Privacy and Data Protection Framework," supra.
- 2. Criminal Proceedings Act (ZKP-UPB4), consolidated version, in Slovenian at http://www.uradni-list.si/1/objava.jsp?urlid=200946&stevilka=2283; the Slovene Intelligence and Security Agency Act (ZSOVA-UPB2), consolidated version, in English at http://sova.gov.si/en/media/zsova.angl.upb2.pdf.
- 3. Article 49, Law on the Police, 18 July 1998.
- 4. Postal Services Act (ZPSto-2), in Slovenian at http://www.apek.si/sl/zakon_o_postnih_storitvah_zpsto_2.
- 5. 12th Annual Report of Article 29 Data Protection Working Party (2008), supra, at 94-95.
- 6. Cfr. Section "Constitutional Privacy and Data Protection Framework", supra.
- 7. Id.
- 8. Not all Slovenian ISPs are members of SISPA.
- 9. Proceedings from the meeting: Ministry of Information Society, Realisation of lawful interception of telecommunications traffic which flows over the Internet, 1 June 2004 (on file with EPIC).
- 10. Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 15 March 2006, OJ L 105, 13 April 2006, at 54-63, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054....
- 11. ZeKOM-B, 2009, supra.
- 12. Unfortunately, this wording could lead to a situation in which an intrusion into a computer system not resulting in material harm, or not yielding other kinds of benefit for the intruder, would not be sanctioned. In such a case Article 309, which sanctions the production or acquisition of tools for intrusion into a computer system, has to be applied.
- 13. Email from Sonia Bien and Andrej Tomsic, supra.
- 14. See http://travel.state.gov/visa/temp/without/without_1990.html.
- 15. The ID Card Act -- Consolidated version, (ZOIzk-UPB2) in Slovenian at http://www.uradni-list.si/1/objava.jsp?urlid=200871&stevilka=3100.
- 16. Id.
- 17. Information Commissioner's Annual Report for 2009, in English at http://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/Annual-report-200....