17 July, 2008

Country by Country Ranking -- Privacy International

Leading surveillance societies in the EU and the World 2007

The 2007 International Privacy Ranking

Overview

Each year since 1997, the US-based Electronic Privacy Information Center and the UK-based Privacy International have undertaken what has now become the most comprehensive survey of global privacy ever published. The Privacy & Human Rights Report surveys developments in 70 countries, assessing the state of surveillance and privacy protection.

The most recent report, published in 2007, is available at http://www.privacyinternational.org/phr and may be purchased in book form through EPIC's website. It is probably the most comprehensive single volume report published in the human rights field. The report runs over 1,100 pages and includes 6,000 footnotes. More than 200 experts from around the world have provided materials and commentary. The participants range from eminent privacy scholars to high-level officials charged with safeguarding constitutional freedoms in their countries. Academics, human rights advocates, journalists and researchers provided reports, insight, documents and advice. In 2006 Privacy International took the decision to use this annual report as the basis for a ranking assessment of the state of privacy in all EU countries together with eleven non-EU benchmark countries. Funding for the project was provided by the Open Society Institute (OSI) and the Joseph Rowntree Reform Trust.

The new 2007 global rankings extend the survey to 47 countries (from the original 37) and, for the first time, provide an opportunity to assess trends.

The intention behind this project is two-fold. First, we hope to recognize countries in which privacy protection and respect for privacy are nurtured. This is done in the hope that others can learn from their example. Second, we intend to identify countries in which governments and privacy regulators have failed to create a healthy privacy environment. The aim is not to humiliate the worst ranking nations, but to demonstrate that it is possible to maintain a healthy respect for privacy within a secure and fully functional democracy.

Important note

This study and the accompanying ranking chart measure the extent of surveillance and privacy. They do not intend to comprehensively reflect the state of democracy or the full extent of legal or parliamentary health or dysfunction in these countries (though the two conditions are frequently linked). The aim of this study is to present an assessment of the extent of information disclosure, surveillance, data exploitation and the general state of information privacy.

Summary of key findings

(Please note that "worst ranking" and "lowest ranking" denote countries that exhibit poor privacy performance and high levels of surveillance.)

Background

In recent years, Parliaments throughout the world have enacted legislation intended to comprehensively increase government's reach into the private life of nearly all citizens and residents. Competing "public interest" claims on the grounds of security, law enforcement, the fight against terrorism and illegal immigration, administrative efficiency and welfare fraud have rendered the fundamental right of privacy fragile and exposed. The extent of surveillance over the lives of many people has now reached an unprecedented level. Conversely, laws that ostensibly protect privacy and freedoms are frequently flawed – riddled with exceptions that can allow government a free hand to intrude on private life.

At the same time, technological advances, technology standards, interoperability between information systems and the globalisation of information have placed extraordinary pressure on the few remaining privacy safeguards. The effect of these developments has been to create surveillance societies that nurture hostile environments for privacy.

Governments have created hundreds of key policy initiatives that, combined, may fundamentally destabilize core elements of personal privacy. Among these are proposals for the creation across society of "perfect" identity using fingerprint and iris scanning biometrics, the linkage of public sector computer systems, the development of real-time tracking and monitoring throughout the communications spectrum, the development of real-time geographic vehicle and mobile phone tracing, national DNA databases, the creation of global information sharing agreements and the elimination of anonymity in cyberspace.

The potential for engagement of these developments is currently limited to a marginal response. The problem for civil society – or indeed anyone wishing to challenge surveillance – is not simply the sheer magnitude of the threat, but also its complexity and diversity.

It is important for each country to decide rationally and openly which element of personal privacy should be lost, but it is also important for each country to understand how far down the path of mass surveillance it has travelled. It is for this reason that we have undertaken the rankings project.

The rankings assess the key areas of surveillance and control, and will identify mechanisms of protection that have failed to operate according to the letter and spirit of the national and international privacy protections. They will concentrate on policy development issues, inadequacies in the consultation process, legal protections (or lack of them), the impact of surveillance on democratic institutions, changes to the nature of society and the implications for individual freedoms and autonomy.

Methodology

Changes from 2006

Weightings

Grading

Countries have been graded according to a mean score across fourteen criteria. These are divided into

| Score range | Description |
|---|---|
| 4.1-5.0 | Consistently upholds human rights standards |
| 3.6-4.0 | Significant protections and safeguards |
| 3.1-3.5 | Adequate safeguards against abuse |
| 2.6-3.0 | Some safeguards but weakened protections |
| 2.1-2.5 | Systemic failure to uphold safeguards |
| 1.6-2.0 | Extensive surveillance societies |
| 1.1-1.5 | Endemic surveillance societies |

Criteria

  • Constitutional protection
  • Statutory protection
  • Privacy enforcement
  • Identity cards and biometrics
  • Data-sharing
  • Visual surveillance
  • Communication interception
  • Workplace monitoring
  • Government access to data
  • Communications data retention
  • Surveillance of medical, financial and movement
  • Border and trans-border issues
  • Leadership
  • Democratic safeguards

Rationale for 2007 rankings: key aspects per country

(links take you to the country reports from Privacy and Human Rights 2006 for additional information)

AUSTRIA

  • No explicit right to privacy in constitution but there are special laws for civil rights, including one for data protection; recent Supreme Court decisions are highly problematic
  • Data Privacy law does not apply equally to paper files; law is considered cumbersome by experts; also sectoral laws
  • Data Privacy Commission can bring civil and criminal provisions against institutions; but criticised for lack of independence
  • Prohibits use of genetic data by insurance companies
  • Medical data is treated as sensitive data by law
  • Legal requirement permitting Austrian military to request subscriber data from telecommunications providers
  • Centralisation of data on students that is stored for 60 years
  • Social security card with unique numbers but little other information is stored; a number of initiatives, including health data cards and a 'citizen card', have been abandoned; e-identity management system is heavily criticised
  • Judicial warrants for interception for serious crimes (10 years punishment or more)
  • CCTV and audio surveillance is now permitted where data is stored for 48 hours; but this has not been enforced adequately
  • Communications data is made available to copyright industry under Supreme Court decision
  • Postponed data retention
  • Matched DNA database with Germany in December 2006

BELGIUM

  • Belgian constitution was amended in 1994 to recognise the right to privacy; Supreme Court has ruled in accordance with Article 8 of the ECHR
  • Comprehensive privacy law
  • Commission has investigatory powers, issues a number of recommendations; took a strong stance against the transfer of data from SWIFT to the U.S. government
  • Through negotiations a common agreement has been established to regulate workplace surveillance
  • Law in place to protect health privacy rights
  • Judicial warrants for interception of communications with limited duration; though Parliament has given authority to the 'juge d'instruction' to demand decryption
  • Retention period of 12 months, though there is a push for three years
  • Anonymous communications were banned in 2001
  • Leading country for smart ID cards, issued from age 6, that may contain such data as medical files, for use in public and private sectors, despite much criticism
  • First European country to use RFID passports
  • Content industry has agreements with ISPs to monitor for copyright infringement; court case in 2007 upholds use of filtering technology on networks to prevent file-sharing

BULGARIA

  • Constitutional protections in articles 32, 33, 34
  • Comprehensive privacy law, though many changes have occurred without adequate debate; law is poorly implemented
  • Sectoral laws protect medical privacy
  • Data privacy authority is relatively large
  • Identity cards are required to access cybercafés, and internet service providers have to register the ID numbers of users
  • Court order generally required for interception, though ministry of interior has discretionary power, resulting in regular complaints of abuse and illegal bugging

CYPRUS

  • Constitution in articles 15 and 17 protects privacy
  • Comprehensive privacy law, though it is not fully compliant with EU standards
  • Plans for e-ID smart cards
  • Commissioner has broader jurisdiction to cover telecommunications since 2004; issues guidelines and information campaigns
  • Increasing use of CCTV along border
  • Attorney general authorises interception
  • CCTV being installed for traffic management, speed cameras, and detecting failure to wear seatbelts or talking on mobile phones

CZECH REPUBLIC

  • Charter provides for privacy in articles 7, 10, and 13
  • Comprehensive privacy law
  • Data Privacy Authority has issued a number of fees for breaches of the law, and rejects requests for transfer of data abroad, and has been participating in an intense set of activities for public education
  • Judicial warrants for interception, for up to six months; though exemptions apply for secret services and significant concern about who has access to recordings
  • Money laundering law limits lawyer-client privilege
  • Illegal for employers to read employees' email, though subject lines are permissible
  • Legal basis of medical registries is very contentious issue, led to Presidential veto on privacy grounds, but was over-ridden by Chamber of Deputies vote
  • Increasing use of CCTV, and few are registered with the Data Privacy Authority
  • Data Privacy Authority fined state body for scanning biometric data and fingerprints
  • Plans for data sharing across different government agencies

DENMARK

  • Constitutional right to privacy depends on section 71 on personal liberty and section 72 on search and seizure
  • Comprehensive privacy law, and exempts security and defence services
  • Data privacy authority is appointed by the minister of justice, and the ministry is also responsible for the budget
  • Data privacy authority may enter any premise without a court order to investigate under the privacy law
  • Extensive interception of communications; and use of bugs on computers to monitor activity and keystrokes; and plans are in place to minimise notification
  • Police require list of all active mobile phones near the scene of a crime
  • DNA samples may be required from applicants for residency based on family ties
  • Implemented retention of communications data well before EU mandate, for one year
  • Police took the DNA of 300 youth protestors in 2007
  • Implementing air travel surveillance program
  • Parliament is over-keen to implement surveillance programs
  • Ratified Cybercrime convention

ESTONIA

  • 1992 Constitution recognises right to privacy in Articles 42, 43, and 44
  • Comprehensive privacy law
  • Inspectorate was made an independent organisation in 2007
  • Extensive research into genetics and disease
  • Mandatory identity card for all over 15
  • Interception is authorised by the head of a surveillance agency, while exceptional surveillance requires judicial authorisation and only in cases of serious crime
  • Citizens may obtain access to information about them held by police and security agencies
  • Ratified Cybercrime convention

EUROPEAN UNION

  • Treaty of the European Union requires compliance with the ECHR, and so protection falls under Article 8
  • Data protection in the first pillar is under the EU Directive 1995
  • Data protection under the third pillar, i.e. Justice and home affairs, is inadequate
  • European Data Protection Supervisor oversees the first pillar activities, and has pursued legal action when appropriate
  • Data sharing is set to expand significantly under the Treaty of Prüm
  • Border plans include copying U.S.-style biometric and passenger data checks
  • Communications data retention directive and biometric passport directives are world-leading in their expansive surveillance goals

FINLAND

  • Constitutional protection under section 10
  • Much information in the public domain, including name, birth year, taxable income, property taxes, and total taxes paid
  • Comprehensive privacy law
  • Criminal and civil sanctions (including imprisonment) for unlawful processing
  • Data privacy authority must go through public prosecutor before taking action on a violation
  • Postponed retention of internet data until 2009
  • Judicial warrant for interception for specific crimes as listed in law, while transactional data can be obtained if suspect faces at least four months of jail; electronic surveillance only in cases where punishment is greater than four years imprisonment
  • Police use mobile phones to access official tax records in order to enforce traffic fines (fines are based on income)
  • Location data tracking of youth is a widely provided service
  • Corporate abuse of telephone records led to high profile scandal
  • Helsinki transport network monitors movements of travellers, though data privacy authority has compelled a change of policy
  • Specific act on workplace privacy now permits email surveillance, video surveillance, and drug testing; though ombudsman recently ruled that employers cannot use search engines to assess prospective employees without consent
  • Identity number used extensively in public and private sectors
  • New identity card also includes, voluntarily, medical insurance data
  • Finland worked to be a pioneer in biometric passports
  • Sectoral laws protect medical privacy
  • Ratified Cybercrime convention

FRANCE

  • No explicit right to privacy in constitution, though constitutional court has ruled that it is implicit
  • Comprehensive privacy law; though the law permits intellectual property rights holders to create records of rights infringers
  • Data privacy authority well known for its strong stance on many issues, investigates, warns and imposes financial sanctions (the first of the latter was in 2006)
  • DPA has limited powers over large government systems
  • Tort of privacy in civil code, and sectoral laws also exist, as well as protections in the penal code
  • DNA database is expanding to include nearly all crime investigations, and is known to be a register of 'civil disobedience' since the protests in 2005 and 2006; compels DNA collection from immigrants if parentage is questioned
  • Interception authorised by investigative judge and lasts four months (renewable)
  • In 2007, the highest administrative court ruled that database of illegal migrants was excessive, though not on privacy grounds
  • Retention policy applies for up to one year; subscriber data and identifying data may only be disclosed upon judicial request
  • This was expanded under terrorism law allowing access without any judicial order by the police
  • Latest draft rules on retention require all service providers to retain all information on users and deliver to police upon mere request, and may even require retention of passwords, and payment details; and police may then retain the data for three years
  • Intellectual property rights holders may monitor online activity
  • Individuals must be identifiable whilst online if they wish to publish content
  • Still maintains encryption restrictions
  • CCTV is spreading, and may be installed prior to any authorisation
  • Collects passenger data
  • Biometric ID scheme is still postponed
  • Border and visa data is now accessible to all police since 2006
  • No fingerprints in passports as yet
  • Serious lack of data protection and many security breaches identified in computerized patient records, according to data privacy authority in 2007

GERMANY

  • Basic Law protects communications privacy under article 10; but Constitutional Court ruled in 1983 that individuals have a right of informational self-determination based on Articles 1 and 2 on rights to freedom
  • One of the strictest privacy laws in the world
  • Despite calls for workplace privacy law, none exists
  • Federal Data Privacy Authority and Länder authorities are world leading
  • Interception is permitted under the G-10 law which includes warrantless automated wiretaps
  • One of the highest rates of interception across Europe
  • Despite objections, data retention law approved
  • Fingerprints have been included in ID cards, although not for storage on a central database
  • CCTV is expanding despite protests
  • Approved Treaty of Prüm provision

GREECE

  • Article 9 of the constitution recognises the right to privacy in the home, and data protection (since amendment), Article 19 for communications privacy
  • Comprehensive privacy law
  • Data Privacy Authority is independent, led by high ranking official, and may impose administrative or penal sanctions that include imprisonment; a history of controversial but important rulings, covering ID, CCTV, DNA, and workplace surveillance
  • CCTV was permitted for the Olympics on the condition that they be de-activated after the games; but this was continued for a further six months to monitor car traffic circulation, and was then extended to 2007, but also fined the police for a breach
  • Infamous wiretapping case involving Vodafone and ministers' communications, led to a 76m EUR fine for Vodafone

HUNGARY

  • Constitutional right in Article 59, and strong Supreme Court decisions upholding this right; in 2007 the court called for enhanced protection of the right of privacy because of poor oversight
  • Statutory protections are comprehensive and prohibit all-purpose identification numbers or codes; sector-specific protections also exist, as well as Criminal Code protections
  • Order-making powers for Commissioner were granted in 2004
  • 82% of CCTV deployments do not comply with the law, and may contain facial recognition capabilities
  • Judicial authorisation of warrants but Constitutional Court decided that there was insufficient oversight
  • Communications surveillance permitted in investigations where the crime may be punishable by more than five years imprisonment
  • Security services require approval by specially appointed judge or Minister of Justice; though there are claims of abuse by the National Security Service
  • Public protests led to a rejection of new data retention proposals
  • Famous Vodafone case where company tracked employees 24-hours per day at 15-minute increments; courts sided with employees
  • President of Hungary refused to sign law enabling transfer of passenger data to the U.S. unless individual consent was given
  • Intends to join Prüm Convention; ratified Cybercrime convention

IRELAND

  • No explicit right to privacy in constitution, Supreme Court has seen an implicit right in Article 40.3.1
  • Comprehensive privacy law, with broad exemptions for security, tax, and combating crime; misuse of data is also criminalised
  • Improvements in the law went into effect in 2007
  • High Court imposed safeguards on the disclosure of identity of suspected file-sharers
  • One of the longest data retention regimes in Europe; currently pursuing legal action on this issue to ensure the government has the ability to uphold its retention regime
  • Planning Automatic Number Plate Recognition
  • Extensive data matching and use of unique identifiers
  • While the Garda are prohibited from collecting personal identification numbers from nationals, they may do so in relation to non-EU nationals
  • A public services card is being developed
  • No plans for fingerprints in biometric passports

ITALY

  • Constitution protects right to privacy in the home (article 14) and communications (article 15)
  • Comprehensive privacy law
  • Data privacy authority has extensive powers, including auditing databanks of intelligence activities
  • Data privacy authority has stopped two initiatives for expanding use of fingerprinting; and has regulated use of CCTV; and has run public education campaigns on television
  • Judicial authorisation for interception, and granted for 15 days at a time; if transcripts are not used they must be destroyed; and exceptions apply for religious ministers, lawyers, and doctors, though there are more lenient procedures for anti-mafia cases
  • In 2007 a judge ruled that planting bugging devices in a car was not an offence because the law only applies to the home
  • A number of abuses in communications surveillance: in 2005 Italian police placed a backdoor into an ISP's server, and monitored all transactions of 30,000 subscribers; Telecom Italia collected thousands of files on stars and influential people
  • Data retention periods were four years, though internet traffic data is now set for 12 months, through a graduated scheme where investigations involving serious crimes are allowed to get telephone data after 2 years, or internet data after 6 months
  • Biometric plans for travel authorisation have been reviewed and changed by authority
  • Council of ministers approved law requiring every blogger to register with the state; though law is in early stages

LATVIA

  • Constitutional right in article 96
  • Wide exemption in statutory protections but does apply to police sector
  • Inspectorate has 23 employees, and has powers of inspection and administrative penalties; considering stronger penalties; but independence is questioned
  • Access to data is only with judicial warrant
  • Abuse in interception case where TV news presenter's phone was tapped and transcripts were sold to a newspaper
  • Money laundering laws now require increased data sharing and disclosure
  • Fingerprints in passports
  • Workplace privacy handbook for employers and employees; inspectorate allows for interception but notification
  • Now has a DNA database
  • Mandatory ID cards since 2002 for those over the age of 15, but was postponed to 2007 for implementation
  • Ratified Cybercrime convention

LITHUANIA

  • Constitutional right under Article 22, with mixed Supreme Court jurisprudence
  • Comprehensive privacy law
  • Recent amendment requires public statements by companies on their websites regarding accountability
  • Data Privacy Authority is financed by government budget, and is accountable to the government; has not conducted review of visual surveillance
  • Delaying application of retention law to internet, though was an early adopter of retention for telephony
  • Interception warrants issued by prosecutor general or judge; and law does not include principle of proportionality; oversight is seen as weak and abuses are rife
  • Increasing workplace surveillance and no legal framework applies
  • Growing number of camera installations and great cost
  • Passports will include a centralised biometric database despite concerns raised at the time
  • Ratified Cybercrime convention

LUXEMBOURG

  • Constitutional protections in article 28 only apply to communications
  • Comprehensive data protection law that also covers moral persons, and contains specific provisions on medical data and the workplace; though draft law from 2006 would have curtailed many protections
  • Commission is an independent agency that has worked to reduce surveillance plans, e.g. retention periods; and authorisation is required before installing video cameras or electronic tracking
  • Postponing implementation of retention directive, though currently has a six month retention period
  • Interception by judicial authorisation for serious crime (2 or more years of imprisonment), for one month periods, extendable up to a year; and individuals may be sometimes informed of the surveillance
  • Administrative interceptions may be authorised for national security by a special tribunal
  • Workplace monitoring only permitted if staff representative, joint committee, and the person being monitored have been informed, with a specific piece of legislation aimed at this activity
  • Banking privacy laws forbid unwarranted surveillance
  • No fingerprints in passport as yet, but plans are being made
  • Approved Treaty of Prüm

MALTA

  • Constitutional right under article 38 against arbitrary searches
  • Comprehensive privacy law
  • Law is enforced by ministry, not an independent agency, though the commissioner and ombudsman investigate complaints
  • Sectoral laws

NETHERLANDS

  • Constitutional protection in Article 10, Article 12, and 13; moves to change the constitution to be more technology neutral were postponed
  • Comprehensive privacy law and sectoral protections
  • Data Privacy Authority can apply administrative measures and impose fines; and posts advisories to government on new legislation; extensive work in the area of medical records in 2007
  • Growth of corporate privacy officers across the country
  • Court order required for interception, except for the intelligence services who are authorised by the Minister of Interior; controversies and court cases over the burden to industry
  • Access to traffic data by order of the public prosecutor, but for serious offences (where punishment is imprisonment for four years or more); though subscriber data can be accessed by police in case of mere suspicion. Parliament rejected proposal to notify suspects after subscriber data has been accessed.
  • In 2007 government moved to implement data retention directive with 18 months period, despite concerns from Authority
  • Continued proposals to increase power of law enforcement agencies
  • Plans to implement in 2008 a database of all children to record development from birth
  • New plans for expanded use of biometrics
  • DNA collected on all convicted of serious crimes
  • Compulsory identification for all persons from age of 14, where 5300 individuals are fined every month for not carrying ID
  • Passport includes facial images, with plans for fingerprints, and government proposed in 2005 that a centralised register be created
  • Law from 2003 makes it unlawful to use hidden cameras in public places without notification; cameras can otherwise keep images for 4 weeks for the purpose of keeping public order
  • Courts have ruled that subscriber data can be disclosed to copyright industry, and anonymous website owners
  • Ratified Cybercrime convention

POLAND

  • Constitutional rights in Articles 47, 49, and 51, though constitutional court has mixed record limiting government surveillance
  • Comprehensive privacy law, and sectoral laws apply
  • Data Privacy Authority can impose fines and declare that a criminal activity has occurred
  • Large amount of interception of communications with limited oversight
  • Increasing use of visual surveillance; in 2007 Auschwitz installed CCTV scheme, including monitoring of schools
  • Draft retention law called for fifteen year retention period
  • ID card is controversial over its use of biometrics and the use of a unique identifier
  • New law requires national identifier to be used for filling prescriptions, despite protests from physicians

PORTUGAL

  • Articles 26 and 34 of constitution protect privacy; and in 1997 it was amended to give a right to data protection
  • Comprehensive privacy law
  • Commission regularly publishes guidelines; most recently in 2007 on workplace surveillance and recording of political convictions
  • History of abuse of interception of communications
  • Roadway video surveillance is regulated closely
  • Approved identity card in 2007, and data will include parentage, tax, health and social security numbers; though the numbers cannot be matched or linked; stores fingerprint on the card and biometric authentication can only be compelled by police and justice officials
  • Mandatory reporting of HIV and AIDS
  • Genetic privacy is protected under strict rules, employers may not request genetic tests, even with consent

ROMANIA

  • Constitutional right under Articles 26, 27 and 28
  • Comprehensive privacy law
  • Data Privacy Authority has run public education campaigns in 2006 and 2007, and issues guidelines; and issued security breach rules for telecommunications providers
  • Interception is authorised by General Prosecutor of the Office related to the Supreme Court, and individuals can appeal to the Commissions of Human Rights of the two Chambers of Parliament, with careful reporting schemes; though abuses still occur
  • Draft retention law has not yet been approved, but proposes 12 month period of retention without any explanatory reports; though access is only permitted in combating organized crime and terrorism investigations, with judicial authorisation
  • Ratified Cybercrime convention

SLOVENIA

  • Extensive constitutional protections
  • Comprehensive privacy law, and has been updated in recent years to reflect new technologies
  • It is against the law to use the same identifier in databases in the areas of public safety, state security, defense, judiciary and health; where connections are permitted only upon consent or if there is a legal basis
  • Labor law prohibits employers from asking candidates questions about family matters, marital status, pregnancy, etc.
  • Serious breach of law regarding cancer screening centre in 2006
  • Extensive rules on video surveillance, though abuse still occurs, including in changing rooms in shopping malls, though the situation is improving
  • Biometrics are regulated
  • Court order required for interception of communications, for a prescribed list of criminal offences, except for intelligence purposes where the language is broad
  • Law requires location data be processed only in anonymous form unless prior consent granted
  • 24 month retention period
  • Failure to produce ID card when required involves fine of up to 420 euro
  • New electronic population register merges three separate registries
  • Ratified Cybercrime convention

SLOVAKIA

  • Good statement in constitution from 1992; with some jurisprudence from Constitutional Court, but European court has ruled against government recently
  • Commissioner files biannual reports, has investigative powers
  • ODPD conducted preventive audits of video surveillance
  • Few complaints received however
  • There are no biometric-specific rules on collecting, using or disclosing this data
  • Law on interception applies to extraordinarily serious premeditated crimes, but over the years there have been many public revelations of illegal wiretapping of opposition politicians, reporters and dissidents
  • Continuing reports of Roma homes being entered without warrants
  • Plan to start fingerprinting citizens for passport in 2008
  • Government supports Irish Government on data retention case
  • Government abuses data protection law to protect police and Cabinet from oversight

SPAIN

  • Constitutional protection under Article 18
  • Comprehensive right to privacy with extensive court decisions
  • Extensive investigations and cases reviewed by Data Privacy Authority; Authority has made a number of rulings, including that IP addresses can be personal data; and on video surveillance data
  • Authorities exist at local levels as well
  • Several interception scandals over the years; including extensive access to communications without court order
  • Laws for preventing funding of terrorism have been applied to other crimes
  • Lack of debate around introduction of planned electronic ID card
  • Retention period for 12 months, and plan to ban anonymous pre-paid mobile phones

SWEDEN

  • Constitutional protection under Section 2 and Section 3 of the Instrument of Government Act 1974
  • Comprehensive privacy law, and sectoral privacy laws; though in 2006 the Parliament amended the Personal Data Act to increase exemptions, and the requirement of gross negligence before data breaches are prosecuted
  • Inspection Board has powers of investigation; ruled on proposed use of biometrics in schools saying that it was neither necessary nor proportionate, but even still it is being used by schools
  • Medical records are regulated by sector specific law, but there is a lack of adequate organisational policies to protect access to data
  • 2002 proposals to enhance workplace privacy have not been followed through with legislation; and few firms delete data on their employees
  • There are policy recommendations for DNA collection from all investigations
  • No fingerprints on passport, and no central register of biometrics
  • Non-mandatory ID card
  • Video surveillance is tightly regulated
  • Annual reporting of electronic surveillance
  • Proposed law to scan all communications without a court order, although it was abandoned in 2007, temporarily at least

UNITED KINGDOM

  • World leading surveillance schemes
  • Lack of accountability and data breach disclosure law
  • Commissioner has few powers
  • Interception of communications is authorised by politician, evidence not used in court, and oversight is by commissioner who reports only once a year upon reviewing a subset of applications
  • Hundreds of thousands of requests from government agencies to telecommunications providers for traffic data
  • Data retention scheme took a significant step forward with the quiet changes based on EU law
  • Plans are emerging regarding surveillance of communications networks for the protection of copyrighted content
  • Despite data breaches, 'joined-up government' initiatives continue
  • Identity scheme still planned to be the most invasive in the world, highly centralised and biometrics-driven; plans to issue all foreigners with cards in 2008 are continuing
  • E-borders plans include increased data collection on travellers

England & Wales

  • Inherited constitutional and statutory protections from UK Government and many of the policies
  • National policies are not judged, e.g. communications surveillance, border and trans-border issues
  • Councils continue to spread surveillance policies, including RFID, CCTV, ID and data sharing, road user tracking
  • Few democratic safeguards at local government level; even though local government may be more accountable to electorate because of smaller numbers, decisions do not appear to be informed by research, prototyping

Scotland

  • Inherited constitutional and statutory protections from UK Government and only some of the policies
  • National policies are not judged, e.g. communications surveillance, border and trans-border issues
  • Stronger protections on civil liberties
  • DNA database is not as open to abuse as policy in England and Wales
  • Identity policy is showing possibility of avoiding mistakes of UK Government
  • Scottish government appears more responsive and open to informed debate than local governments in England

NON-EU COUNTRIES

ARGENTINA

  • Constitutional right in Article 18 and 19, and habeas data right in Article 43; with important jurisprudence from Supreme Court
  • Comprehensive privacy law, and several provincial laws; jurisprudence is emerging
  • Data Privacy Authority has powers to investigate and intervene through both administrative and criminal sanctions; though is based in the Ministry of Justice
  • Only one penalty has been imposed
  • Data retention law previously called for 10 year retention period, but the President suspended the decree to allow for 'evaluation'
  • Judicial warrant required for interception, and domestic surveillance cannot be conducted by military personnel; many changes in the law since the 1990s

AUSTRALIA

  • No right to privacy in federal constitution, though one territory now includes the right to privacy within its bill of rights
  • Comprehensive privacy laws at federal level and others within some states and territories, but there are broad exemptions that have precluded action by the privacy commissioner against small businesses and political parties; and does not meet international standards
  • Power of commissioner diminished because determinations are not legally binding
  • Numerous reports of data breaches, including at the taxation office, child support agency, and even amongst the police
  • High level of interception activity; no notification requirement to innocent participants to communications
  • Expanded surveillance powers in 2004
  • Movement towards electronic medical records but no opt-in protections as yet
  • De-identified medical data has been approved by the privacy commissioner for sale to pharmaceutical companies, despite protests
  • Expanded financial surveillance and secret reporting
  • DNA collection only for serious crimes at the moment
  • Made preliminary steps to secure passports in 2006
  • New government promised to abandon ID card plans; the office of access card has been closed but senior staff have moved to other department hinting at possible proposals to emerge
  • Document verification service for use by public and private sector is being implemented despite lack of privacy considerations
  • Abusive case of visa revocation of individual related to suspects in UK anti-terrorism case

BRAZIL

  • Constitutional protection ensured in 1988 constitution; recent court cases have resulted in a fragmented protection so that bank records are protected but databases aren't necessarily; and stored emails as well
  • No data privacy law but there is one under consideration
  • Cannot force a correction of data
  • Civil code protects privacy, but with exemptions for law enforcement; and no regulatory commission
  • Protects right to privacy of children under 1990 law
  • Test for interception is relatively simplistic
  • ID law requires ID for public and private sector use, but it has not been implemented; private sector use of biometrics is growing
  • Recent controversy over censoring YouTube
  • Bank records are protected under the constitution, and warrants are required
  • Growing concerns about workplace surveillance, led to a labour court decision saying monitoring is illegal, unless a court order is issued, but protections do not apply to corporate email accounts; video monitoring is illegal in recent court decision
  • Interception for serious crime; but illegal wiretapping continues, and concerns that the content-industry is spying on Brazilian networks without warrants
  • Access to traffic data is not protected under privacy regulations according to the superior court of justice; and proposed law for identification for access did fail, but requires ISPs to identify illegal conduct to the police
  • Extensive travel surveillance on roads with RFID with poor privacy protections

CANADA

  • Privacy not mentioned in Charter of Rights and Freedoms, but courts have recognised the right to a reasonable expectation of privacy
  • Statutory rules at the federal level (public and private sectors) and provincial laws apply to sectors and governments
  • Federal commission is widely recognised as lacking in powers such as order-making powers, and ability to regulate trans-border data flows
  • Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
  • Court orders required for interception, and only where there is no reasonable alternative method of investigation
  • Video surveillance is spreading despite guidelines from privacy commissioners
  • Highly controversial no-fly list, lacking legal mandate
  • Continues to threaten new policy on online surveillance
  • Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

CHINA

  • Limited rights under constitution under articles 37, 38, 39
  • Chinese government acknowledges that it has room for improvement in applying laws fairly and systematically
  • Stricter controls are being exerted on press, internet, academics, lawyers and NGOs
  • Extensive surveillance schemes implemented in anticipation of the 2008 Olympics
  • Increased expectation of privacy amongst citizens has led to academics calling openly for stronger privacy laws
  • Some privacy laws
  • Search and interception does require warrants but they are authorised by officials and prosecutors
  • Increased legal activity and suits in the area of medical privacy
  • In 2006 China's central bank developed a database that links up information on consumer credit; and private sector initiatives are emerging that advertise access to 90 million incomes, marital status and sensitive information for 12 cents per request

ICELAND

  • Constitutional protection exists, and interferences only when urgent; Supreme Court has decided in favour of privacy such as in health privacy cases
  • An opt-out registry for marketing exists under law
  • Data Privacy Authority can investigate and issue rulings, issue fines and seek criminal sanctions; received 820 cases, solved 685; 8 members of staff
  • In late 2006 DPA's rule on surveillance went into force prohibiting workplace, schools and public areas from surveillance unless under a legal act or court order; and surveillance must comply with Data Privacy principles
  • ID numbers issued and widely used by public and private sector (including video rentals)
  • Medical and genetic databases are world-leading; health database was postponed in 2002
  • Supreme court ruled in favour of the protection of health information of deceased because it could disclose information about descendants; this hints that the health database act may be unconstitutional
  • Since 2001 instituted facial recognition at international airport; lodging information must be retained for two years and may be accessed by the police at any time, and could apply to private homes
  • Six months of communications data retention, though with now limited data sets, and no requirement to show ID to buy phone cards but surveillance still exists
  • Ratified the Cybercrime convention

INDIA

  • No explicit right to privacy, though Supreme Court sees it as implicit under article 21 on the right to liberty
  • General right to privacy in law, requiring warrants for searches
  • No comprehensive privacy law, though sectoral laws do provide some protections; though there is great pressure to implement a privacy law, little is being done
  • Fraud and identity theft in the outsourcing industry continues
  • History of abuse of wiretapping, and NGOs complain of their communications being intercepted
  • Law requires disclosure of encryption keys, and there are stiff penalties on anyone who fails to provide requested information to authorities

ISRAEL

  • Section 7 of the Basic Laws provides right to privacy, and is thus considered a 'basic right'
  • Comprehensive privacy law, though broad exemptions for security and police services
  • Amendment to privacy law in 2007 included requirement for 'conscious' consent to an invasion of privacy
  • Credit databases automatically share credit information
  • Data-sharing of criminal records amongst more than 30 government agencies
  • Data Privacy Authority established in 2006, with a small budget and few employees, but has been quite active
  • History of abuse in communications surveillance; now the President of the District Court must authorise interception for a period of three months (renewable); Prime Minister or Defense Minister may also authorise interception in cases of national security; though all in all this amounts to approximately 1000 per year
  • Chief Military Censor may intercept international conversations to or from Israel for purposes of censorship
  • DNA is taken from suspects, and is retained for 7 years if acquitted or 20 years if convicted; police have a target of 20,000 samples annually
  • Voluntary biometric system at border
  • In 2007 Ben Gurion airport installed devices that permit seeing through travelers' clothes, with unclear privacy protections
  • Border surveillance technology is advancing to include biometrics
  • A commission has proposed a number of legislative changes, in particular on trans-border data flows and data-breach legislation
  • Government proposed biometric authentication of adults wishing to view pornographic, violent or gambling content online, and is under consideration

JAPAN

  • No explicit right to privacy in constitution, though Supreme Court has interpreted a substantial right as falling under Article 13 on right to life and liberty
  • No comprehensive privacy law, instead only guidelines for specific industries; and some legislation in some sectors
  • Government created a privacy seal, but serious shortcomings have been identified
  • Judicial warrants for interception, and warrants only last ten days initially, though application appears to be overly broad and abuses have emerged
  • Surveillance cameras continue to spread despite constitutional issue, though at least one ward has enacted an ordinance to limit rapid increase of cameras
  • Tagging and tracking of children continues
  • Genetic test abuses across country, and only guidelines have been released to deal with the problem
  • Developing DNA database though court order is required to take DNA samples
  • Resident registration law; extensive legal activity at the moment with court cases outstanding
  • Extensive data breach problems
  • Only second country to implement vast biometric collection at borders
  • Ratified convention on Cybercrime

MALAYSIA

  • No right to privacy in constitution
  • No comprehensive privacy law
  • Controversial internal security act allows for extensive police powers
  • Interception authorised by attorney general
  • Extensive use of identification scheme, MyKad
  • Plan to implement citizen data hub across government departments, developed by Oracle Corporation, including individuals' background, education, and health records
  • Biometric system monitors foreigners in the country
  • Extensive use of CCTV with no privacy safeguards

NEW ZEALAND

  • Article 21 of the Bill of Rights refers to searches and seizures; court of appeal has interpreted this as a right to privacy
  • Privacy Act and sector-specific legislation; also a law against intimate covert filming
  • OPC oversees compliance but is not a central data registration or notification authority; deals with complaints and reviews public sector information matching programs; power to investigate
  • Datasharing between law enforcement agencies is enabled by statute
  • Employment court allowed random drug tests on workers in safety sensitive areas, pre-employment, and on suspicion, or near accidents
  • Court of appeal has had some problematic decisions regarding privacy complaints
  • DNA database based on order from high court judge, violent crimes, and convicted burglars; though voluntary samples can be included and increasingly this is being pushed by the police, resulting in more than 80% of samples on database being given 'voluntarily'
  • Newborn blood spot samples and related information are collected, and this data may be used by the police but only as a last resort or with parental consent
  • Interception requires judicial warrants but only upon 'reasonable grounds' test; though this does not apply to security services

NORWAY

  • No specific constitutional protection, though Supreme Court early on decided that there is a general legal protection of 'personality'
  • Comprehensive privacy law, though some police databases are excluded
  • Mobile phones must all be registered, and retention is in place
  • Data Privacy Authority is within administration wing of government but is expected to be independent
  • Data protection tribunal has made a number of questionable decisions, e.g. audiotape of telephone conversation does not fall under the law
  • Whistleblowing law in 2007 lets workers remain anonymous
  • Mandatory disclosure of information to Child Welfare authorities
  • Police certificate is required to apply for citizenship; though other safeguards were implemented
  • Court order for interception, for period of 4 weeks, with a supervisory board that oversees process, after years of abuses
  • Created a database of asylum seekers with fingerprint data, which is open to the police for criminal investigations
  • Government merged a number of welfare databases without implementing adequate access restrictions
  • Government intends to require DNA for all convicted
  • Ratified Cybercrime convention

PHILIPPINES

  • Supreme Court is optimistic that a privacy law (based on habeas data) will be crafted by the SC before end of 2007, but initially only in extraordinary circumstances; though some rights are covered in sections 1, 2, and 3(1)
  • Protections against disclosure of journalistic sources
  • Two pending laws for comprehensive privacy protection, and there is a civil law right to privacy
  • A number of statutory rules relating to privacy including rape victims, juveniles, financial data, and at local government
  • Financial data protections have been undermined in recent years
  • Pending Cybercrime legislation and new terrorism legislation raises serious concerns
  • Despite constitutional protections, ID plans are being revived leading to the Supreme Court reversal of prior jurisprudence
  • Spread of biometric technologies continues, including in healthcare, social services, travel
  • Judicial authorisation for interception, and limited to serious crimes; though illegal wiretapping continues

RUSSIA

  • Constitutional right exists under Article 23, 24, and 25
  • Criminal Code imposes a penalty for violation of privacy, enforced by a court if physical or moral damages result from a violation
  • 2006 law on personal data protection adopts Council of Europe convention, but government is given wide exemptions
  • Despite law coming into force in 2007 most provisions are still inactive, e.g. no data protection authority yet exists
  • Data Privacy Authority, when it will exist, will not be independent and will be within the Ministry of Communications
  • Illegal collection of data is commonplace
  • Court order is generally required for communications surveillance except in some circumstances including secret services; further exemptions apply to tax police, border guards, presidential security service, and ministry of internal affairs
  • Extensive powers and technological capabilities to access communications and communications records
  • ID required for all over 14, and is necessary for purchase of train and plane tickets, amongst other activities, and contains a residency stamp, and plans for an electronic ID system are emerging
  • Used visa-regime to prevent election monitors from entering country in time for overseeing election

SINGAPORE

  • No right to privacy under constitution, though the High Court has ruled that personal information may be protected under duty of confidence
  • No statutory protections, and has been under review for thirteen years
  • Judicial warrants are not necessary for surveillance
  • ID required for using ISPs
  • Data-sharing with government is not necessarily on legal basis
  • No workplace surveillance regulation as this is regulated under property law
  • Some protections for genetic testing
  • 'Biopass' is a passport with fingerprint and facial biometrics

SWITZERLAND

  • Both old and new constitutions grant right to privacy
  • Comprehensive privacy law, with criminal penalties for violations, with recent changes enhancing privacy protections; while most cantons have their own privacy laws; and there are protections in the civil and penal codes, and special sectoral rules
  • Federal commissioner, though playing an important consultative and educational role, has limited powers of intervention
  • Passports only have digital facial images, though there are plans to store biometric data on central database, though this proposal was criticised by the federal commissioner
  • Swiss banking law protects privacy of banking records, though international pressure is reducing this protection
  • Joined Schengen agreement in 2005, and now all Swiss citizens have to carry ID
  • New policy plans for police and security services' databases; and plans for increased powers of interception of communications
  • Increased border surveillance for European football championships
  • Six month retention law for telecommunications
  • Federal court has ruled that individuals must be notified after surveillance of communications
  • 2007 expanded surveillance powers of secret services, but only as a last resort, but without suspicion of criminal activity
  • Expanded collection of DNA since 2005
  • Biometrics in place for access to sports facilities, but commissioner has ensured that there are no central databases and alternative solutions are available for those who oppose biometrics
  • Plans to store medical information on new health insurance cards, but currently delayed
  • Foreigners' data stored on central register, and plans in place to include biometric data
  • Expanded use of CCTV, and now automatic car plate recognition, and plans for these systems to be adapted to control speeding
  • Air force using unmanned aerial vehicles, strengthening co-operation with the police, and is now used to monitor celebrations and protests
  • First country to use facial recognition at border controls

SOUTH AFRICA

  • Constitutional right under sections 14, 32; constitutional court has delivered several judgements; and applies in private litigation
  • No comprehensive privacy law or data privacy authority
  • Interception law followed minimal consultation, requires intercept capability by design
  • All service providers must gather detailed personal data on individuals before signing contracts or selling sim cards, with no specified length of retention period, but communication-related information is stored for 12 months
  • New banking law came into effect in 2007, requiring court orders for access to financial information, and regulating credit bureau information
  • New smart ID cards began deployment in 2007, and in particular for refugees and asylum seekers

TAIWAN

  • Not explicitly mentioned in the constitution, but relevant rights are enshrined
  • 1995 data protection law
  • Calls to strengthen law since data breaches and leaks to crime syndicates
  • Widespread illegal wiretapping by government; legal wiretapping is conducted for broad purposes with over 25,000 over the past year
  • Fingerprints are submitted for paper-based national ID card, though placed in a national fingerprint bank; and there is an electronic ID infrastructure being developed, with over a million active cards
  • Patient ID card includes a smartcard solution with illnesses encoded on the card
  • Mandatory HIV tests for foreigners who have been in Taiwan for more than three months, which could lead to deportation
  • Government wants to become global leader in RFID technology

THAILAND

  • Constitutional exception for law enforcement
  • Lack of law regulating industry
  • New law protecting the privacy of people under 18 passed in November 2007, though of course there are concerns about how this protects children's rights to express themselves
  • Wiretapping is prevalent, with 'reasonable grounds' test only
  • Cyber crime act 2007 defines 12 internet crimes with punishments ranging from six months in jail to 20 years in jail, and requires certain internet service providers to keep logs of traffic data up to 90 days.
  • New passports are embedded with a microchip that contains biometric information including fingerprints and facial data. ID cards are now smartcards, and will be mandatory from birth.
  • ID is required to buy SIM cards
  • Political bugging is no less common. Politicians and human rights activists accused a political party of wiretapping political opponents and journalists.

UNITED STATES OF AMERICA

  • No right to privacy in constitution, though search and seizure protections exist in 4th Amendment; case law on government searches has considered new technology
  • No comprehensive privacy law, many sectoral laws; though tort of privacy
  • FTC continues to give inadequate attention to privacy issues, though issued self-regulating privacy guidelines on advertising in 2007
  • State-level data breach legislation has proven to be useful in identifying faults in security
  • REAL-ID and biometric identification programs continue to spread without adequate oversight, research, and funding structures
  • Extensive data-sharing programs across federal government and with private sector
  • Spreading use of CCTV
  • Congress approved presidential program of spying on foreign communications over U.S. networks, e.g. Gmail, Hotmail, etc.; and now considering immunity for telephone companies, while government claims secrecy, thus barring any legal action
  • No data retention law as yet, but equally no data protection law
  • World leading in border surveillance, mandating trans-border data flows
  • Weak protections of financial and medical privacy; plans spread for 'rings of steel' around cities to monitor movements of individuals
  • Democratic safeguards tend to be strong but new Congress and political dynamics show that immigration and terrorism continue to leave politicians scared and without principle
  • Lack of action on data breach legislation on the federal level while REAL-ID is still compelled upon states has shown that states can make informed decisions
  • Recent news regarding FBI biometric database raises particular concerns as this could lead to the largest database of biometrics around the world that is not protected by strong privacy law


Privacy International, 6-8 Amwell Street, Clerkenwell, London EC1R 1UQ UK. Email us at privacyint@privacy.org.
Call on +44 (0)208.123.7933 or +1.202.470.0099.

posted by u2r2h at Thursday, July 17, 2008
