Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


II. Research and analysis

We conducted research on each country, relying for the most part on the country reports from our partners.  We reviewed each country report and created a summary of the key developments as they were relevant to the ratings scheme.  When information was missing we tried to supplement it with information from other sources.

AUSTRIA

Assessment: Impressive that the Government has not implemented data retention, though there are some concerns about the extent of data-sharing particularly for border surveillance.
 
  • no explicit constitutional protection, though there is a federal law with a number of constitutional provisions including data protection as a fundamental right; constitutional amendment failed but protections are in existence nonetheless; adherence to ECHR in Constitutional Court decisions though Court dismissed a case on police access to data, but also ruled that access to data held by ISPs for copyright is not necessary
  • substantial amendments were made to improve the previous data protection law, which has remedies for interferences; there are also sectoral laws and laws applying to specific domains (communications, genetics, medical, financial)
  • regulator can order controllers to respond appropriately to requests for information; includes judicial staff members; increase in number of cases; and can bring criminal charges; high rate of success in cases despite staffing shortages
  • regulator still lacks independence despite being notified in 2005 of this problem by the European Commission
  • centralisation of data on students has been regulated down from 60 years to 20 years retention with more limitations on access and use
  • judicial warrants for interception of communications where a crime is punishable by one year or more of imprisonment - this is quite a low threshold; 'dragnet investigations' are possible for complex investigations into crimes punishable by more than 10 years imprisonment, and a sunset on this provision was repealed
  • access to data laws were changed to increase availability, particularly in emergencies, and without court orders; Constitutional Court dismissed a case calling this practice into question
  • government has been proposing the use of trojans to gain access to computer systems, but plans are currently in stasis
  • has not implemented the Data Retention Directive, as the issue is controversial in Austria
  • extensive power for audio-surveillance collection though not used too often
  • regulator has ruled in favour of medical privacy, e.g. preventing researchers from gaining access to medical data of drug-addicted convicts who underwent rehabilitation
  • extended use of Schengen Information System, e.g. for issuance of driver's licences
  • reports of plans for granting access to data by foreign government, i.e. granting US authorities access to DNA databases, fingerprint data, etc.
  • growing use of CCTV, though some safeguards have been introduced including proportionality, emphasis on real-time rather than recording, deletion after 72 hours
  • collects two fingerprints for biometric passports, but the data is stored only on the chip and minors under the age of 12 are not fingerprinted; has an e-card social security smart card; mandatory citizen card has been abandoned
  • Supreme Court ruled in favour of workplace privacy re: restricting biometric time reading scanner on grounds of human dignity
  • employers may not monitor private communications of employees, provided they are labelled as such; employers may not use CCTV except to monitor objects
  • lower threshold of protections for medical information in information systems, with wide access provisions for authorised staff
  • recent reduced protections on data-sharing with other countries regarding financial accounts; though banks are regulated in how they can use personal information, including creditworthiness
  • currently dealing with a proposed 'Transparency Database', run by a private company, that will contain net income and social benefits per individual, though there are safeguards on who has access.
  • DNA taken only from those charged with serious crimes and from the convicted, but retention is indefinite for convicts, suspects' information only removed upon acquittal and upon request; profile is retained even upon acquittal
  • government boasts that it is amongst the leading countries in the world regarding DNA, also led the Prum treaty for data-sharing within Europe

BELGIUM

Assessment: Although legal situation is strong with an active civil society, technological surveillance measures are problematic, e.g. data retention regime, unique ID for travel.
 
  • Belgian constitution recognises the right to privacy and private communications; courts have ruled on privacy cases, including on access to subscriber data, preventing disclosure
  • specific laws apply to electronic communications, regulation of camera surveillance, medical privacy, consumer credit, social security, amongst others
  • data protection legal regime has been criticised for not adhering to EU requirements; but Belgium has now fully implemented EU directives into law.
  • DPA reports to Parliament; has greater capacities with 55 members of staff, though the numbers of complaints are relatively low; publishes a number of guidances and recommendations on data processing
  • also have committees that oversee specific areas of activities, e.g. social security and health, national registry, etc.
  • extensive regime of law for communications surveillance: access to communications is authorised by judiciary, though appears to be an investigatory judicial authority; can demand the decryption of data and compelling network managers to comply with orders; significant numbers of interception orders and they are increasing
  • law in 2001 banned anonymity for telecommunications subscribers, and can prohibit any service that hinders the application of wiretapping law
  • 1 year data retention up to 3 years, with police favouring three-year policy, though not fully in place; industry has opposed extensive surveillance
  • in 2005 established a new agency for 'threat analysis', by evaluating secret surveillance information held by other intelligence agencies, which the DPA argues is lacking in appropriate safeguards
  • extensive plan for surveillance of all vehicles and movement in Belgium
  • one of the first countries to implement RFIDs in passports
  • one of the first countries to implement 'smart IDs' for digital signatures, and a unique identifying number across government services; and the eID can now be used for purchasing train tickets despite privacy issues
  • includes children's ID for use on the internet
  • considerable debate followed introduction of RFID in Brussels public transportation system
  • there are common rules for workplace surveillance, and guidance from the Commission
  • eHealth platform, which is not mandatory, for sharing information within health care system, based on consent and in-built protections
  • banking secrecy still applies, though there is a draft bill to give greater powers to financial investigators
  • leadership: government has sponsored the creation of an Internet Rights Observatory
  • an active NGO network raising issues
  • has not ratified CoE convention on cybercrime
  • DNA of those convicted of 'serious offence', retention of 10 years for those convicted; sample is destroyed upon creation of profile

BULGARIA

Assessment: Very worrying developments particularly in secret surveillance and oversight.
 
  • Constitution consists of detailed provisions for privacy, communications, and access to information.
  • many changes to data protection law, sometimes contradictory directions; law includes fining powers
  • extensive list of other laws that covers privacy
  • Regulator is independent and elected by Parliament, and has order making powers
  • awareness of the office is high, having received 45000 requests for information in 2009, though only 158 complaints
  • national security argument is prevailing and lowering the obstacles to gaining access to information held by private sector organisations
  • little oversight of national security services use of communications interception, and there is a history of abuses
  • policy change is in progress to remedy this; with a Parliamentary sub-committee entrusted with oversight
  • no official statistics available on the use of intercepts
  • no consultation on the data retention policy, with government seeking direct access to databases of traffic data, resulting in significant criticism; later taken to court and Court ruled that data can only be accessed after a warrant has been issued
  • two different governments have continued to try to gain direct access to data-stores
  • significant clamp-down on anonymous use of the internet, e.g. website hosting companies
  • ID contains biometric data
  • collects DNA, and violations on the use of DNA have been identified by the regulator; collected from those indicted for a premeditated crime, deleted when no further reason based on the merits of the case (case-by-case basis)
  • no clear framework of safeguards against workplace surveillance
  • some safeguards are in place for medical privacy, including specific laws
  • has not ratified CoE convention on cybercrime

CROATIA

Assessment: A debate about privacy is emerging in the country, which is promising. Communications surveillance and oversight are worrying.
 
  • Constitution protects both privacy and data protection
  • data protection law includes the power to fine, though for small amounts, but imprisonment is an option; though power has never been used
  • European Commission has stated that Data Protection Act still requires additional work to achieve full alignment for EU membership
  • two additional regulations for data protection for record systems and special categories of personal data; but no sectoral protections
  • regulator is an independent body and reports to Parliament; has order-making powers, and in 2008 dealt with 626 cases
  • communications surveillance authorised by Supreme Court or investigatory judges but for a maximum of 7 months, and supervisory powers are weak as there is little oversight of intelligence agencies
  • central authority claims the right to conduct interception on behalf of agencies, rather than having to contact service providers; and is an unsupervised body
  • Communications data retention for twelve months for all data collected by service providers
  • developing plans for mandatory sim-registration policy for mobile phones
  • growing use of CCTV, even in some schools but public opposition has arisen
  • biometric passports have been proposed but not implemented
  • trying to reduce the use of a single unique identifier
  • workplace surveillance practices are growing, and there have been calls for a review and some regulatory guidance
  • wide-scale data sharing of financial data is possible, and changes to the Bank Act have allowed for greater use of information
  • centralised medical information system has a lack of safeguards and did not involve notice or consent of citizens
  • Convention on cybercrime has been incorporated into national law
  • DNA collected if identity is questionable in an investigation, retention of DNA from convicted individuals for twenty years

CYPRUS

Assessment: Limited information so unable to make a full assessment, though some promising developments, e.g. workplace surveillance.
  • Constitution protects privacy and communications
  • data protection law was found to be not consistent with the EC Directive on the right of information, transfer to third countries, and some procedural mechanisms; we are unaware of whether this situation has been improved
  • regulator is appointed by Council of Ministers, in consultation with Parliament, so is not entirely independent; head of the regulatory authority must have been a judge on the Supreme Court
  • regulator may investigate complaints but may also conduct inquiries on his own initiative
  • low level of complaints in the country, but runs public awareness initiatives
  • regulates the collection of fingerprints in the workplace and reserves it only for exceptional cases
  • communications surveillance requires a court order, though Attorney General may now authorise in order to save time; 2006 law also allowed police to monitor web logs, downloads and emails
  • no strong legal protections regarding CCTV, regulator has intervened and requires a justification prior to installation
  • workplace surveillance cases have included secret microphones being used
  • workplace surveillance is regulated by the authority's Employment Order
  • has ratified the CoE Convention on Cybercrime
  • DNA: all convicted persons and suspects; removed when record is cleared; suspects' profiles are removed when they are acquitted or otherwise cleared

CZECH REPUBLIC

Assessment: Good developments due to the hard work of civil society and the national regulator; though problematic legal regimes still exist despite some work, e.g. communications surveillance, CCTV, ID.
 
  • Charter of rights and basic freedoms provides for the right to privacy and human dignity, protection of communications, and a data protection clause as well
  • data protection law fully harmonised, and contains additional protections due to amendments, including recordings of communications
  • regulator can impose fines of up to 820,000 euros, and conduct audits
  • number of complaints is rising, number of cases dismissed also quite high
  • regulator has supervisory authority over the use of birth numbers, though over-use still continues
  • regulator has conducted vast awareness-raising exercises
  • Communications interception is authorised by a high court judge, even if done by intelligence agencies (though there are still concerns of abuses), and there is a notification requirement once the case is closed
  • due to complaints about little oversight of communications surveillance, new protections were introduced in 2009
  • still attempts to expand intelligence agencies' powers
  • 12 month data retention policy was changed to introduce graduated retention for various forms of data; and scope of use is expansive, and no oversight
  • led initiative to sign agreements with US for the transfer of passenger data
  • increasing use of CCTV, and regulator has insufficient power to regulate this activity, with some strong opposition from the public against these systems
  • biometric passports include face and fingerprint data
  • ID cards are increasingly being used in everyday life
  • 'anonymous' RFID cards are now available for travel in Prague
  • a number of medical registries exist, with uncertain legal status; President had to veto a law that was to expand use of birth identification numbers, but this veto was overridden
  • financial surveillance law introduced to limit lawyer-client privilege and solicitors must now report suspicious transactions
  • strong civil society groups
  • has not ratified CoE convention on cybercrime
  • DNA: from all convicted persons, and profiles are kept for eighty years, and samples are retained for this period too

DENMARK

Assessment: Communications surveillance regime in need of oversight. Use of unique identifier across society is worrying, as is the growth in CCTV use, DNA regime is likely to contravene ECHR.
  • constitutional protection to privacy and, indirectly, data protection
  • changes to data protection law allow for increased data sharing
  • intelligence agencies are exempted from privacy laws
  • sectoral laws provide protections for medical information, financial information, and marketing
  • regulator is claimed to be an independent public body, but key staff are appointed by the Minister of Justice
  • high level of complaints received; regulator gets involved in high profile cases (e.g. immigration system, Facebook)
  • communications surveillance law allows for police to gain access to a list of all active mobile phones near a scene of a crime; government also considered idea of allowing wide-scale interception of communications in an area
  • high levels of wiretapping requests and approvals to the courts
  • 12 months data retention implemented by administrative order despite vocal opposition, though since then some changes to exclude smaller ISPs
  • biometric passport includes facial recognition but no fingerprints as yet
  • no ID card but a unique number is still used to identify on public registers
  • cases emerging on workplace surveillance, and have led to small fine
  • CCTV rules relaxed, and thus becoming more widespread
  • ehealth portal with central register, but provides citizens' access to their own medical records, and uses authenticated access; world leader in centralised record-keeping
  • DNA: collected from convicted persons and suspects charged for offence that could lead to more than 1.5 years in prison; retained for both suspects and convicts until two years after death; and samples retained

ESTONIA

Assessment: Legal framework is there, but policies and technologies are amongst the worst in Europe.
  • Constitution applies to privacy, communications, and data protection; high courts have dealt with privacy cases though the results are mixed, but more recent jurisprudence shows some interest in expanding privacy
  • data protection framework treats biometric and genetic data as 'sensitive'
  • regulator has fining powers, but fines are quite small; regulator was made independent in 2007, though operates under the Ministry of Justice; relatively small office, though activity is increasing
  • surveillance is authorised by head of agencies
  • communications surveillance, however, requires authority of investigation judge
  • 12 month data retention law
  • use of databases and data analysis powers by law enforcement and national security are problematic
  • increasing use of CCTV, though there is a lack of official data on the matter; draft legislation on CCTV is in Parliament
  • mandatory ID cards include a register of biometrics including iris, fingerprint, and face; card is multipurpose and holds additional information and identifiers
  • few sectoral laws, though one on credit information
  • workplace surveillance law exists but there is no regulation or case law as yet
  • mandatory ehealth record system without opportunity to oppose the processing of information
  • established an agreement with the U.S. for transfer of passenger data
  • ratified CoE convention on cybercrime
  • DNA: arrested or convicted for any 'recordable offence'; kept for ten years after death for both suspects and convicts, and samples retained indefinitely

FINLAND

Assessment: Regulator is working hard on increasing awareness. Surveillance plans seem to be unabated by policy deliberations that have occurred elsewhere.
  • constitutional right to privacy and communications; a number of cases have been decided
  • comprehensive data protection law includes civil and criminal sanctions (imprisonment for up to 1 year)
  • complaints to regulator increasing dramatically, indicating a stronger awareness of rights
  • judicial orders for interception of communications
  • retention of traffic data for 12 months
  • access to income data is widespread, e.g. even in the calculation of traffic fines
  • generalised surveillance is permitted in the workplace; though permitted to investigate loss of intellectual property
  • multipurpose ID with information from various sources including medical insurance data is on the card
  • DNA: taken from convicts serving 3 years or more, suspects charged of a crime punishable by 6 months or more; profiles kept for ten years after death, suspects profiles deleted within one year of dismissal; samples retained for same periods
  • ratified CoE convention on Cybercrime

FRANCE

Assessment: Worryingly coming close to being crowned as Europe's leading Surveillance State. New databases and surveillance practices emerging continually; despite the hard work of regulator and civil society, some of the weakest safeguards in Europe.
  • privacy is not explicitly named in the constitution but has been ruled to be implicit; though there have been recommendations to include it within constitutional reform, this has been ignored by the President
  • comprehensive law, and sectoral laws for archives, video surveillance, employment, and consumer protection
  • CNIL does much work around the world; has fining powers that are not used extensively, and has limited powers over some areas of government activity
  • level of legal activity is quite high
  • new policing powers have been deployed with worrying implications, e.g. LOPPSI2 to remotely access, record, collect and transfer information held on IT systems
  • police may gain access to logs without judicial orders in terrorism cases
  • has law on the use of PNR
  • 12 month retention law, and may be used for intellectual property rights cases; requires retention of identifying information of subscribers
  • police and intelligence agencies have established a platform to grant themselves easy access to traffic data
  • strong level of civil society and regulatory action, but unfortunately only small changes in government policy are attained
  • many new databases and systems have been established to monitor various groups; some with very high error rates
  • expansive use of CCTV
  • biometrics collected for border management and for passports, though no sign of fingerprints in passports
  • proposed expanded ID card project is still in suspension following protests and criticism
  • workplace privacy rulings have allowed for reading of emails by employers, but abuse of internet activities is insufficient for termination of contract
  • national ehealth records system, but with serious lack of data protection and many security breaches; the system is under revision but other problems prevail
  • financial surveillance has twice breached ECHR according to the ECtHR
  • DNA: taken from convicts or those charged with 'serious offence'; convicts retained for 25 years, suspects' removed by motion of prosecutor; samples retained similarly

GERMANY

Assessment: Strong legal and regulatory framework, amongst the best in the world with highly competent regulators and civil society; but the actions of the Government and security services seriously degrade protections.
  • constitutional protections for privacy of communications; though the Federal Constitutional Court in 1983 also created the right of informational self-determination; court rulings have been mostly privacy protective
  • data protection law is amongst the strictest in Germany; amendments have added areas of regulation including video surveillance, smart cards, anonymisation, etc.
  • additional legal protections were created in 2008 for employee privacy
  • federal and state regulators are amongst the most meticulous and world-leading
  • communications surveillance regime allows for warrantless automated wiretaps; vast use of communications surveillance powers, amongst highest in the world; studies have indicated that unlawful interception occurs
  • government sought power to conduct secret searches of computers, was ruled unconstitutional by the Federal Constitutional Court, though they could be conducted with a judicial warrant
  • subscriber information must be recorded even for pre-paid communications services
  • 6 months data retention policy, but access is regulated by a judicial warrant for investigations on an enumerated list
  • active civil society is an example to the world: 34,000 people filed a case at the Constitutional Court appealing against data retention
  • expanding use of CCTV and visual surveillance techniques, though the courts and regulators have been active in opposing plans (including in one case a museum camera could see into the Chancellor's private flat)
  • police may use GPS technologies to track suspects in cases of serious crimes, even without a judicial warrant
  • increased plans for travel surveillance and road surveillance, and the removal of safeguards that were originally implemented when the systems went live
  • biometric passports include fingerprints, but they are not stored on central or local databases
  • ID cards are mandatory; though ID cards may incorporate fingerprints, on a voluntary basis, as the original mandatory plan faced considerable public opposition
  • use of body scanners in Hamburg Airport, though it is optional
  • genetic diagnostic law bans the use of genetic examinations for employment; biometrics may only be used in the workplace with approval of workers' council/arbitration board
  • rollout of ehealth ID suspended due to security concerns; now there are plans for a 'secure patient data management system'
  • no specific financial privacy law, but is customary law; though now have an automated means for authority to gain access to financial information
  • has not ratified CoE convention on cybercrime, but was part of the Prum convention process
  • DNA: taken from convicts of a serious offence or repeatedly committing same minor offence, and from suspects charged of serious offence; removed when no longer necessary; samples retained similarly

GREECE

Assessment: A rich and controversial history of privacy, with whole-scale abuse, and political upheaval. While many promising developments occurred in the mid 2000s, since then the Government has repeatedly failed to implement necessary safeguards, and so surveillance continues.
  • constitutional protections for privacy and communications, and through an amendment, a constitutional right to data protection through an independent authority
  • comprehensive data protection law has been amended to update definitions of personal data and deal with trans-border data flows, but also to exclude CCTV from the Act
  • regulator is independent, run by a judge, and may issue administrative and penal sanctions, including mid-level financial fines; historically has played a significant role in policy debates, and has made a number of judgments
  • in 2007 there was a collective resignation from the regulator in protest to the CCTV developments
  • oversight bodies exist for communications surveillance; had fined Vodafone and Ericsson for abuses in interception of communications but this was overturned by the Constitutional Court
  • following abuses, new law was introduced in 2008 to protect telecommunications privacy, requiring a security policy for each service provider, requiring audits, and introducing new penalties for abuses
  • Government promised a new Security Plan to protect communications but no action has been taken by the Government
  • while there is no retention law, there is extensive retention of communications data varying from 2-5 years
  • repurposing of CCTV installed for the Olympics has been controversial; but now it is expanding even more so, including into schools and was exempted from law
  • introduced law to require sim-registration
  • ID system administered by police includes collection of detailed information, though no longer collects religious information
  • use of biometrics in workplace has been regulated to highly sensitive transactions
  • regulator prevented the use of biometrics of Athens airport
  • financial privacy is being eroded, for both taxation and credit reporting

HUNGARY

Assessment: Worrying developments in political process in Hungary have had serious implications for the privacy landscape. Weak oversight requires attention.
  • constitutional protection for privacy and protection of personal data
  • comprehensive data protection law was previously deemed 'adequate' for trans-border data flows prior to joining the EU
  • there are many sector-specific laws regarding addresses, identification codes, medical information, police information, etc. and even bio-banks, though the regulation is weak
  • regulator can investigate complaints, and has order-making powers; though independent, the regulator often receives political pressure, and there are possibilities of weakening powers
  • number of complaints and cases continue to rise; and a number of high profile cases
  • established an agreement with the U.S. for transfer of passenger data
  • growing use of CCTV, extended retention periods
  • communications surveillance requires a court order and is limited to crimes punishable by 5 years or more
  • reports have emerged of the use of 'black boxes' on service providers' networks to intercept communications without a warrant
  • Constitutional Court has noted that there are serious oversight problems
  • communications data retention in law in 2008, with a pending case calling for its annulment
  • joined Prum convention to enable data-sharing with other EU countries
  • workplace surveillance cases include Vodafone monitoring the movements of their employees without notice; lack of regulation in this domain
  • passports include fingerprints
  • lack of regulations and promotion of data-sharing in health and financial information
  • active civil society
  • ratified CoE convention
  • DNA: taken from those convicted of specific crimes or suspects in investigations punishable by 5 years or more; convicts' data kept for 20 years, suspects are retained until proceeding is abandoned/acquittal; samples destroyed similarly

IRELAND

Overall: Weaker regulatory enforcement and oversight process is problematic particularly for communications surveillance.
  • no express right to privacy in the constitution, jurisprudence has indicated it is implied under the 'personal rights' provisions
  • comprehensive data protection regime has been amended to update its protections
  • regulator is independent; and can serve enforcement notices; has been criticised for weak decisions on Google
  • communications interception is authorised by Ministerial warrants, and overseen by a Judge of the High Court; law is drafted with a limited jurisdiction, possibly permitting warrantless interception of VOIP
  • retention policy is amongst one of the worst, previously with extensive retention in an unregulated manner, then a 3-year retention scheme, now a 2 year scheme for telephone and 1 year for internet data
  • no external approval is needed for access to traffic data

ITALY

Assessment: Chaotic legislative environment leads to erratic protections. Lack of oversight in national security and law enforcement; but the privacy regulator and active civil society have played key roles in protecting privacy.
  • no explicit protection of privacy in the constitution, though there are protections for communications and the home
  • after two decades of debate, comprehensive data protection law enacted in 1996; updated in 2003 to incorporate new EU directives
  • additional laws relating to video, workplace surveillance, statistical information, electronic files
  • regulator has conducted investigations in variety of sectors and has been involved in high profile and highly influential cases
  • halted biometric registration systems
  • extensive legal framework for communications surveillance, and there are legislative plans to further regulate illegal wiretaps; yet pre-emptive interception occurs at the discretion of the Attorney General
  • there have been cases of 'backdoors' being built into services resulting in over-surveillance, including one case where the communications of 30,000 subscribers were violated
  • interception rates are very high and it is unknown how many illegal interceptions take place
  • signed on to Prum and established a DNA database as a result; retention is for 40 years for the profiles, and 20 years for biological samples
  • video surveillance is growing, though the regulator is quite active in this space
  • biometric passports were to include fingerprints, but they were not to be stored in a central database; but no action has been taken
  • attempted to implement ID system with centralised record store; but it was dismantled in 2009; a new system with a centrally recorded fingerprint has been delayed
  • workplace surveillance rules bar spying on employees' web surfing habits
  • ehealth initiatives involve centralised registers, though again the regulator is involved
  • financial privacy was hampered by the dissemination on the internet of all tax returns
  • active civil society
  • ratified CoE convention on cybercrime

LATVIA

Assessment: Some problematic limitation and oversight problems, particularly in communications surveillance and DNA. Modifications to data protection law to increase exemptions is problematic as well.
  • constitutional protection covers privacy and communications
  • comprehensive law, though amendments recently have included limitations on individuals' rights in state financial and insurance affairs, and again to permit processing of medical information
  • laws exist for electronic communications and the DNA database
  • regulator is under the jurisdiction of the Ministry of Justice; despite attempts to improve independence, plans have been postponed repeatedly
  • regulator's office suffered staffing cutbacks in 2009
  • communications surveillance is regulated to specific investigations
  • supervising authority authorises surveillance, though this could be a prosecutor (in emergencies) or a judge
  • tracking is only permissible with judicial authorisation
  • cases of illegal interception have arisen
  • law enforcement agencies can now gain access to information held by credit agencies in order to combat terrorism
  • 18 month retention period
  • CCTV is overseen by regulator
  • biometric passports include fingerprints
  • compulsory identity cards for all residents
  • employers may monitor the communications of employees
  • specific legal regime for medical privacy, even after death; though allows for medical research if de-identified
  • ratified CoE Convention on cybercrime
  • established an agreement with the U.S. for transfer of passenger data
  • DNA: taken from those convicted or suspected of any 'recordable offence'; retained for 75 years; and samples also retained

LITHUANIA

Assessment: This country is still learning the elements of privacy, but there are some promising developments particularly as the Supreme Court develops case law. The surveillance laws are open to abuse by government authorities, and stricter procedures are required.
  • constitution protects privacy and communications, and the Supreme Court has reaffirmed that the right to a private life is one of the most fundamental human rights
  • significant upgrades to the data protection law in order to join the EU, completed in 2003/2004
  • more recent changes include adding video surveillance to the law, restricting use of personal identification numbers, and more stringent protections on medical information, and independence of the regulator was strengthened
  • low number of complaints reflects a lack of awareness levels in the country; though the numbers are rising
  • judicial authorisation required for interception, though there isn't strict scrutiny, and the law has been criticised for being unclear, and for the lack of clear procedures to prevent abuse by the State Security Department
  • there are recent claims about the wiretapping of journalists
  • retention law was implemented in 2009, for 6 months period unless the data is necessary for ongoing operations at which point it is retained for a further 6 months; though constitutional court decision of 2002 requires that this is restricted to data collected for normal business operations
  • established an agreement with the U.S. for transfer of passenger data
  • growing use of CCTV though regulator is working on the issue; though there are some cases of secret surveillance; and there has been much debate on the issue
  • biometric passports include fingerprints, including the storage of biometrics on central register
  • increasing use of surveillance techniques in workplaces and there is limited debate, and the courts tend to side with the employers
  • ratified CoE Convention on Cybercrime
  • DNA: taken from all convicts and suspects; all profiles retained for 100 years; samples must be destroyed upon creation of profile

LUXEMBOURG

Assessment: limited resources for regulator but legal frameworks are in place. Financial privacy is strong. Some safeguards across society but we lack sufficient information on actions of security agencies.
  • constitution guarantees the right to privacy and secrecy of correspondence
  • comprehensive data protection law
  • regulator has a small office; but can investigate on its own initiative, and issue financial penalties, and has order making powers and has dealt with some cases
  • judicial warrants required for interception of communications, with some notification requirements
  • 12 months retention of communications traffic, but requires a clear definition of the types of investigations where police can access the information
  • regulations are in place for CCTV
  • workplace monitoring is governed by law
  • unique identity number of every resident, and widely used; fingerprint in passports, though removed from central register after 1 month
  • strong laws on financial privacy
  • party to the Prum treaty
  • DNA: taken from convicts from specific offences, and suspects of any recordable offence; convicts data retained for life+ten years, suspects deleted upon acquittal; samples retained similarly

FORMER YUGOSLAV REPUBLIC OF MACEDONIA

Assessment: Despite strong frameworks of protections in place, abuses continue and poor surveillance practices persist without adequate remedies.
  • constitutional protection for privacy, secrecy of communications, and data protection
  • comprehensive data protection law in place, including recent amendments to strengthen the legal framework, including greater investigatory powers for the regulator
  • regulator is independent and reports to Parliament (but has already faced political challenges), and will be relatively large in size; and has worked on public awareness programmes
  • unique identifier in place
  • despite legal regime, there are problems with communications surveillance regime, e.g. journalists are subjected to spying
  • legal obligation on telcos to provide direct and uninhibited access to traffic and other data to the Ministry of Interior without notice or court order
  • 24 month data retention regime
  • growing number of CCTV, though it is supposed to be regulated
  • passports use fingerprints; and national ID also uses biometrics
  • no special protections for workplace privacy
  • ratified cybercrime convention

MALTA

Assessment: Privacy expertise and cases are emerging. Communications surveillance regime is problematic, as is surveillance oversight.
  • constitution guarantees privacy protection, with some cases emerging
  • comprehensive law in accordance with EC Directive
  • regulator is independent, and works closely with other regulators in Malta and internationally
  • small number of complaints received, but awareness building campaigns are being run
  • worries about CCTV are high on the list of complaints
  • warrants for interception of communications are issued by the Minister responsible for security services
  • retention for 12 months for telephony data, six months retention for internet data, and some limitations on access
  • passport biometrics are stored on the passport, but no plans to include on identity documents
  • Government is considering full-body scanners, but no decision as yet
  • no guidelines on workplace surveillance; although there are complaints to the regulator, none are actually formal complaints because employees are concerned about their position in the workplace
  • guidelines are in place for financial privacy

NETHERLANDS

Assessment: Strong tradition of civil liberties and privacy is being replaced with ambitious technological programmes and weak oversight. Strong regulator and civil society, and sometimes industry, work hard to draw attention to myriad of proposals and policies.
  • constitutional guarantees to privacy and data protection; there were proposals to expand the data protection rights, and a new Commission has been appointed to review this
  • comprehensive data protection, but there are plans to amend it particularly for third-country transfers, direct marketing
  • additional laws regulate use of personal information by the police, in medical examinations and treatment, social security
  • regulator is independent, though with limited fining powers; and has been given new powers in recent years, the latest promises from the Government have not yet been followed up on
  • regulator is vocal in policy developments in the country, and is an international leader
  • spread of road surveillance is increasing
  • serious problems with jurisprudence on copyright infringement cases have reduced privacy of subscribers to internet service providers
  • intelligence agencies do not require court order for communications surveillance
  • several proposals to grant increased surveillance powers to law enforcement agencies
  • police also monitoring social networking activities through a pilot
  • Parliament rejected additional safeguards for data retention; retention period was set at 18 months, but reduced to 12 months
  • Camera Surveillance Act allows images to be retained for four weeks
  • notable victory for privacy protection by civil society pushing back against smart meters policy
  • biometric passports to include fingerprints, and government wanted to store data on central database
  • travel surveillance is expanding significantly, with data being retained for seven years
  • plans for electronic patient file are being put in place with significant concerns raised
  • use of identifier for financial transactions has drawn attention of regulator
  • ratified cybercrime convention
  • DNA: taken from anyone convicted or suspected of recordable offence; profiles kept until convict is 100 years old, suspects removed upon acquittal; samples retained similarly

NORWAY

Assessment: Increasing oversight over security agencies appears promising. Financial privacy problems continue despite widespread abuse. Regulator plays a strong role, and there have been good signs of resistance to surveillance measures, e.g. bodyscanning, retention.
  • constitution does not have a specific privacy clause, though has a search clause; Supreme Court ruled in 1952 to incorporate a legal protection of 'personality' which incorporates privacy
  • comprehensive law is generally considered strong, punishable by fines or imprisonment; and permitted to perform inspections in all databases including police systems
  • regulator operates under the Ministry of Government Administration but is generally regarded as independent
  • regulator has played world-leading roles in awareness-raising campaigns
  • communications interception authorised by court order in cases involving narcotics and national security, and some less serious offences
  • new oversight body has been introduced for interception monitoring
  • history of illegal wiretapping and political surveillance, so committee was established to monitor security services with an annual report to Parliament
  • laws are now in place to make it easier for police to bug conversations of criminals; upon review a government commission found that the powers were being used in appropriate circumstances but was concerned about over-collection and lack of statistics
  • no data retention law
  • signed Prum treaty
  • issues fingerprint biometric passports since 2010; but no central database, and there is extensive debate regarding the security of the chip
  • non-compulsory ID
  • negative reaction to body scanner proposals led to the cancellation of the plan
  • fingerprinting in private sector is dissuaded particularly if other means of identification would be sufficient
  • specific law applies to workplace surveillance, and requires negotiation with union representatives and requires regular evaluations
  • medical privacy has been challenged through consolidation within the Government, leading to a high number of users who can access personal records; objections from regulator were ignored until appeal
  • financial privacy degraded in 2009 by granting more agencies access to list of financial transfers in and out of Norway;
  • publicly available tax returns is a long tradition, though in recent years it has become more controversial, leading to opposition parties proposing the banning of the process, particularly as there are now Facebook and iPhone applications to search the lists
  • ratified CoE convention on cybercrime
  • DNA: taken from all convicted with a prison sentence

POLAND

Assessment: Courts and regulator are strong protectors of privacy but the Government pushes hard for vast surveillance schemes and limited oversight.
  • constitutional protection for privacy, communications privacy, and data protection, and emerging jurisprudence
  • comprehensive law's penalties seen as largely ineffective
  • individuals are now given right to withdraw consent at any time
  • sectoral laws apply to medical information, telecommunications, labour code and insurance
  • regulator appointed by Parliament
  • searches generally require warrants by court or public prosecutor; though most searches are carried out under claims of 'urgency' without warrant
  • interception of communications is conducted with limited oversight, and in large numbers (though official numbers are not published)
  • a number of initiatives have been proposed to expand surveillance capabilities; police and anti-corruption authorities are gaining ever more powerful access to data
  • 24 month communications data retention; originally called for 15-year retention period, and such proposals were rejected by a parliamentary commission
  • access to data is restricted to police, national security agencies, and judicial authorities; though no legal threshold for gaining access
  • recent scandal where 10 journalists were under surveillance by secret services to identify informants
  • not ratified CoE convention
  • increasing debate about CCTV, but there is no regulation of its use
  • ID system is still largest collection of personal data; biometrics will be included this year
  • previously no regulation of monitoring in the workplace, though courts have intervened
  • medical records are protected under law, and particularly mental health records
  • tax authorities have broad access to financial information

PORTUGAL

Assessment: Insufficient information on policing and intelligence practices considering the history of abuse, but strong constitutional and legal measures are promising, and safeguards are emerging in surveillance schemes.
  • constitutional protection to privacy, secrecy, and data protection
  • comprehensive law applies broadly
  • regulator is an independent agency that reports to Parliament; small number of complaints, though they are rising, as are fines
  • regulator runs awareness raising programmes
  • history of illegal political spying; too little information to assess communications surveillance
  • 12 month data retention policy
  • CCTV use must be registered with regulator, and now a law has been established, though use is expanding
  • national ID has specific design and use policies to protect privacy; card can contain fingerprint biometric but can only be accessed with consent or as required by police and justice officials
  • workplace surveillance is permitted; national monitoring of worker absenteeism during national strikes has caused some controversy; use of biometrics in the workplace is regulated by law
  • safeguards have been implemented into national health reporting schemes
  • has not ratified convention on Cybercrime

ROMANIA

Assessment: Under-resourced regulator is supported by remarkable decisions from Constitutional Court. Some worrying developments in DNA surveillance, and the recent history of abuses shows that security services require greater oversight.
  • constitution recognises privacy and confidentiality of communications; recent constitutional court cases have been remarkable in the defence of privacy
  • comprehensive data protection law, with another law on communications privacy
  • new changes in the civil code also protect privacy
  • separate regime for audiovisual privacy
  • regulator has suffered budget cuts and is thus unable to hire full team of staff and cannot conduct investigations outside of Bucharest
  • regulator has taken firm position in a number of cases
  • communications surveillance regime requires authorisation of the President of the Court, and only authorises interception for 30 days, renewable only to 120 days
  • intrusive surveillance permissible only if crime is punishable by 7 years in prison or more
  • a number of cases have emerged with secret service spying on journalists and other public figures
  • high level of wiretaps in previous years
  • six month retention period for communications traffic was appealed to constitutional court which ruled it breached the Romanian Constitution
  • CCTV use is growing as it is unregulated
  • biometric passports involved collection of 10 fingerprints
  • ratified convention on Cybercrime
  • DNA: collected in enumerated cases, and only deleted by court decision or prosecutor's decision; samples are retained

SLOVAKIA

Assessment: Some basic protections but worrying implementation of ID policy and unclear protections in some areas.
  • constitutional protection for privacy, secrecy of communications and data protection
  • comprehensive data protection law as well as some specific laws, though sometimes ambiguous, e.g. workplace surveillance
  • regulator is independent, and is undertaking awareness raising activities with some success; has made some decisions that have been controversial with the government, particularly with respect to identity policy
  • court order for communications interception for serious crimes; constitutional court case has required the Government to substantiate wiretapping warrants
  • history of abuses against political and specific groups; and Roma homes are being entered without warrants
  • six months data retention for internet communications data; and 12 months for other forms of communication data
  • use of CCTV has been found to be in contravention with regulatory requirements
  • biometric passport includes fingerprint
  • mandatory ID card with additional information beyond basic profile characteristics; and is planning an e-ID card
  • detailed procedures for workplace surveillance
  • established an agreement with the U.S. for transfer of passenger data
  • DNA: taken from anyone who receives more than a fine, and from all suspects; convicts profiles retained for ten years, suspects' removed upon acquittal; samples destroyed as soon as possible

SLOVENIA

Assessment: Problematic surveillance practices, though the Commissioner's office plays a strong role in privacy protection.
  • constitutional protection for privacy, communications, and data protection
  • changes to data protection law incorporate coverage of video surveillance and biometrics
  • also has laws on medical privacy, national statistics
  • regulator continues to receive more and more complaints; and is highly credited with strengthening data protection in Slovenia
  • interception requires judicial order; security services have more flexibility, and this is a position that was supported by the Constitutional Court
  • communications traffic was originally retained for 24 months, but was recently amended and shortened to 14 months for telephone traffic and 8 months for internet traffic
  • though Commissioner has drafted guidance for workplace surveillance, it has not been reviewed by Parliament as yet
  • medical privacy in the Patients Rights Act; and abuses have led to fines from the Commissioner
  • noted abuses in financial privacy where Tax Administration has been accessing the records of taxpayers unnecessarily
  • ratified CoE Convention on Cybercrime

SPAIN

Assessment: Commendable regulator, but courts have not been overly helpful on privacy matters. Lack of adequate debate of technological surveillance.
  • constitutional protection for privacy and data protection
  • comprehensive protections are continually updated to increase protections
  • regulator is world-renowned; strong decisions and guidance, as well as the ability to fine
  • communications surveillance laws have been criticised for being vague, including key recovery, and warrantless interception
  • 12 month retention of communications data, and ban on anonymity of prepaid mobile phones
  • CCTV is regulated and sometimes reporting methods are required
  • ID card debate has suffered from a one-sided promotion of the card rather than a critical analysis of its capabilities
  • DNA is deleted upon acquittal
  • ehealth record systems are emerging
  • ratified CoE Convention on Cybercrime

SWEDEN

Assessment: Because of the rise of controversy over interception law, some protections improved, but generally worrying developments across the board, and a significant need for oversight of security services.
  • constitution serves as a foundation for privacy protection through enabling legislation; have been calls for a constitutional protection, and Swedish parliament voted in favour of proposition (though less far-reaching), banning 'significant' intrusions
  • data protection law has been amended because of concerns of it being 'too restrictive', removing texts, sounds, images, and other 'unstructured materials' from the DPA
  • some sectoral protections have advanced privacy, e.g. privacy of credit information has been increased by a law in 2010
  • regulator is a government agency but 'carries out its functions independently'; has taken strong positions on a number of issues, e.g. objected to use of biometrics in schools even with consent; direct marketing and loyalty cards; though it is believed that its mandate is too limited
  • in discussions re: the need for a 'privacy' regulator, government instead created a commission to monitor and control use of covert surveillance by police and security services; first commissioner resigned following FRA case
  • in principle a court order is required for communications interception, but the security services are given greater latitude; wiretapping has increased 500% since 1999
  • FRA is permitted to use data mining software to search for keywords in all phone and email communications passing through the country's borders; was later amended because of privacy concerns, subjecting FRA to political scrutiny and permissions must be sought for every search
  • despite pushing retention at the EU, Sweden has had a hard time implementing a law because of the FRA controversy
  • statutory regulations on CCTV, though its liberalisation has led to a significant increase in CCTV use; and now even being used in schools
  • biometric passport does not include fingerprints
  • eID is a voluntary scheme that includes biometric data (facial)
  • despite recommendations from a government-commissioned Committee, no rules on workplace privacy have emerged; though apparently surveillance is not prevalent
  • proposal to centralise medical records ignored privacy concerns; regulator introduced rules on how information should be processed; legislative change put these on legal footing, but also enabled internet journals
  • DNA: taken from convicts and suspects in offences that can be punished by 4 years or more; convicts' profiles kept for graduated periods depending on crime, and suspects' removed upon acquittal; samples retained similarly;
  • has not ratified CoE convention on cybercrime

SWITZERLAND

Assessment: Strong traditional protections but seriously being degraded in recent years, with ambitious spying, weak regulation of security services, including upcoming deliberations on communications surveillance expansion. Regulators are doing good work but are limited by resources.
  • constitutional protection for privacy, communications and data protection, with some strong case law
  • federal comprehensive law only requires registration of companies that use sensitive data or who transfer information abroad
  • significant amendments were introduced to require adequate security, and to limit loopholes
  • additional protections for health statistics, medical and legal data medical research
  • regulator has sometimes limited possibilities for interventions; deals with significant volume of complaints despite limited resources; regulators in the cantons also have limited resources; but remarkable decisions are often made
  • clamped down on legal interception of communications and restricted categories; now requires notification of interception; though expanded in 2007 communications surveillance by the secret services
  • six month retention period; but government consulting on expanding to 12 months, and the installation of trojan horses, worms, etc. for monitoring encrypted communications; and identification is necessary for access to communications services, even in cafes or hotels;
  • financial privacy is protected under 1934 law, but recently have been reducing these protections
  • expanding use of CCTV, and even the use of drones
  • changes to passport issuance means that all new passports will contain two fingerprints, and there is a fingerprint database
  • have instituted 'mobile' immigration controls
  • new ID will include fingerprints
  • plans to implement a mandatory health ID that will voluntarily include the storage of medical information
  • growing DNA database for an expanded number of purposes (the enumerated list of crimes for which it could be taken has been deleted);
  • DNA can be used for insurance purposes

TURKEY

Assessment: Limited information on this country should be seen as a lack of progress in developing adequate structures and reporting mechanisms.
  • constitutional protections for privacy and communications surveillance; proposals exist to add data protection
  • data protection law has been pending since 2003, and nonetheless has some loopholes
  • for now, privacy is regulated in the Civil Code, regulating the misuse of information; other sectoral applications consider privacy issues; but there is a lack of a comprehensive regulation, set of definitions
  • reports state that human rights defenders are routinely placed under surveillance
  • judicial warrants are required for interception of communications; and this has caused some concern for the national intelligence community
  • plans for ID to include fingerprints but only on the card and not on a central database; though contains religious affiliation

UNITED KINGDOM

Assessment: Over the past decade this country has become one of the worst examples for surveillance amongst democratic states, but there have been some noticeable and significant changes in the past year that may prove that it is possible to rise up from a surveillance state.
  • no constitutional protection despite rich history of privacy
  • Data Protection Act has been criticised for its weakness, though improvements have been made
  • regulator receives many complaints, showing that public awareness is high; but decisions have indicated a timidity and often perceived as a 'soft touch'
  • regulator has been granted greater powers, and significant fining capacities
  • extensive database and network surveillance programmes have been introduced over the past decade, though some are being dismantled
  • most extensive use of visual surveillance, contemplated voice surveillance, and focused visual surveillance on specific populations
  • weak regulatory regime over access to data, and there is extensive use of these powers
  • interception of communications law only requires ministerial approval, with an under-resourced oversight mechanism through a 'commissioner'
  • proponents of health IT systems have avoided implementing adequate safeguards
  • largest DNA database in the world, though lost a case at the ECtHR that may now lead to policy change (though the decision was in 2008 and the policy remains); taken from convicts of recordable offences, or anyone arrested for any recordable offence; indefinite retention of profiles; sample retained 

European Union

Assessment: Despite world-leading legal frameworks and great potential for innovation, the security agenda is over-riding some of the basic principles of the Union.
  • Treaty obligations now include protection of human rights, and privacy as well as data protection rights; ECJ judgments in the area of privacy are weak and tend to ignore substantive issues
  • extension of Directive into other areas of processing, i.e. traditional 'third pillar' of justice and home affairs is a promising development
  • EU's leadership role is impressive, but it is also setting a bad example
  • concerted efforts to elevate the security agenda, i.e. Stockholm Programme
  • data retention Directive was world-leading surveillance legislation
  • passport standards created a mandate for fingerprinting nearly the entire population
  • border information management and surveillance practices are increasing, as well as funding to research in this domain
  • exemplary work from regulator and regulatory authorities