ENDitorial: Privacy in the Czech Republic – nothing to celebrate

This article is also available in:
Deutsch: [ENDitorial: Privatsphäre in der Tschechischen Republik – kein Grund zum Feiern … | http://www.unwatched.org/node/1312]

For the third time the Council of Europe has proclaimed 28 January the
European Data Protection Day. EDRi-member Iuridicum Remedium (IuRe) reminds
that the safety of Czech citizens´ personal data is still seriously
endangered. Some of the most pressing issues are listed below.

RFID based Opencard (or Praguer´s Universal Card) is now being promoted as
an electronic travel card for public transportation. However, the
contactless chip card formerly used for parking payment and as a library ID
is not secure. The contactless chip can be read remotely and the data stored
on it can be linked with the central database containing personal data. The
system thus allows for movement tracking, especially at the electronic gates
which are going to be introduced in Prague metro.

In relation with the Opencard´s drawbacks, IuRe initiated a petition at the
beginning of September 2008, which demands the deletion of both Opencard
holder data and usage data from the central database after the card´s
expiration and an observance of database administrator´s duty to allow
user´s data deletion upon request. “We also demand an implementation of an
anonymous Opencard at the same price as an ordinary Opencard,” reports Filip
Pospísil from IuRe. The petition has already been signed by almost 700
people.

The Municipal authorities of Prague began to sell anonymous cards on
the 17 December 2008. However, there is an extra 8 EUR charge and since
only transferable season transport tickets can be purchased with such a
card, the price for the annual travel becomes significantly higher. The
Praguers effectively have to pay extra for their privacy protection and IuRe
will stand out for an implementation of non-discriminatory anonymous card,
i.e. the card allowing to use the service at the same price without
unnecessary disclosure of personal data. The Municipal Council of the city
of Prague received a Big Brother Award 2008 for the Opencard project in
“Worst Public Agency Privacy Intruder” category.

Visa Waiver

The term Visa Waiver refers to a set of agreements related to the abolition
of the visa requirement for Czech citizens traveling to the USA. These
agreements allow the American authorities access to personal data of the
Czech citizens in Czech state authorities´ databases, including biometric
data. The access is given as a compensation for the abolition of visa
requirements, but in fact the paper visa have been merely replaced by the
virtual visa – a system of detailed electronic questionnaires based on which
the applicant can still be refused entry to the USA.

“In the case of the Czech Republic the agreements where not negotiated
properly with Czech Data Protection Agency and their comments were not
respected,” points out Filip Pospísil from IuRe.

The complementary Agreement on strengthening the cooperation for the
prevention and fight against serious crime was approved by the government on
the 4 December 2008. However, the Government disregarded the comments of the
Czech Data Protection Agency and other state authorities. At the beginning
of 2009, IuRe urged the MEPs and senators to not approve the proposed
agreement.

IuRe has made an attempt to find out the scale of personal data which had
been promised by the Czech authorities to be handed over to the American
authorities as well as the conditions of the data protection. The official
request for information has been submitted to the Ministry of Internal
Affairs by the end of 2008. “The request was concerning another visa waiver
related memorandum on establishing of the Combating Terorism Center and the
Electronic System of Travelling Registration (ESTA),” specifies Filip
Pospísil from IuRe. However, the memorandum is classified as secret and thus
neither IuRe nor any other ordinary citizens know which of their personal
data is being handed over.

Privacy and bank sector

The new Police Law was negotiated and approved in 2008. IuRe together with
the bank sector and the Czech Bank Association have been criticizing the new
power of the Czech Police to request data about the location and time of
electronic card payments from banks, and particularly, the ability to access
bank information systems. “We have been submitting comments during the
negotiation of this law, but while some others have been accepted, our
objection against this competence was not” reports Helena Svatosová, a
lawyer from IuRe.

According to IuRe, the government document named “The enhancement of the
communication system between financial institutions and state authorities”
introduces since the fall of 2008 the intention to create a central evidence
of financial institutions´ clients and their operations. The evidence would
then be available to an unspecified range of public administration
authorities. “In our opinion, it’s very disturbing that despite the list of
related agencies being rather long, there is no mention of the involvement
of the Data Protection Office,” interprets Helena Svatosová from IuRe who
plans to keep an eye on this issue in the future. IuRe has notified both the
Czech Data Protection Office and the Bank Association about the issue and
asked them for their opinion.

Data retention

EU directive 2006/24/EC on the retention of data generated or processed in
connection with the provision of publicly available electronic communication
services has been implemented into the national legislation since the
beginning of 2006. In November 2007, Minister of Industry and Trade Martin
Ríman proposed an amendment which would allow the secret service and the
military intelligence a direct access to those data. Although he has
abandoned the idea under the pressure from the media and politicians,
intelligence services gained access through the “backdoor” in the new Police
Law.

There is a legal proceeding submitted by Ireland (suported by Slovakia)
going on against the directive at the European Court of Justice, as well as
at both Hungarian and German constitutional courts. IuRe has also been
preparing the trial of the “data retention” provision of a law in respect of
its constitutionality and compliance with human-right obligations of the
Czech Republic; the plan is to approach lawmakers with the proposal for an
annulment of a part of the law, and gather enough support to submit the
proposal to the Czech Constitutional Court.

Video surveillance

The volume of CCTVs has been on a sharp increase in recent years. However,
the Czech legislation has not reflected this development in any way. In
December last year the Government Council for Human Rights accepted a
proposal of a Committee for Civil and Political Rights. The proposal has
been initiated by IuRe and aims at introducing a conceptual regulation of
CCTV´s usage in public. IuRe has emphasised the necessity of such an
adjustment for several years. “Thus, the resolution of Council of Government
is a significant achievement of our campaign, which leads to a more
transparent usage of CCTV systems regulated by strict rules,” declared Filip
Pospísil from IuRe.

The proposal should allow private persons to use CCTV only in order to
protect their own property and family; public authorities should be allowed
to make a record only in the public interest and only for purposes defined
by the law. The proposal should also prevent the excessive personal data
processing and stipulate a duty of the CCTV owner to inform about the CCTV
surveillance within its range. The aim of the proposal is also to strictly
regulate the retention of records, as well as the duty to clearly state and
document the exact purpose of each CCTV installation by the police or
another security agency.

IuRe has already tried to pursue the legal regulation of CCTV through the
Police law approved in June 2008 with the help of MP Katerina Jacques.
Minister of Interior Ivan Langer has rejected the proposal, but has promised
that his ministry will, in cooperation with the MP and Czech Data Protection
Office, prepare amendments of the Act on Personal Data Protection containing
proposed amendments. Negotiations are still ongoing with IuRe participating.

Passengers Name Records (PNR)

Passengers Name Records (PNR), the database of information about airline
passengers has originally been used only by the aviation companies. But
after the 9/11, the American Security Authorities have started making
pressure on aviation companies to provide the detailed data of their
passengers.

This practice did not have a legal ground in most countries and the
agreement between EU and the USA was found illegal by the European Court of
Justice. The provisional agreement, built on the same illegal base in summer
2007, was called back from negotiations in the Czech Parliament by Foreign
Affairs Minister after IuRe had sent a letter to MPs raising concerns
against the approval of the agreement.

After difficult negotiations, the EU came up with a new agreement on PNR
data exchange with the USA in June 2007. In the Czech Republic the proposal
of the agreement has not gone through an ordinary legislative process and
only the Data Protection Office expressed its opinion: the proposal brings
a deterioration of personal data protection level against previous
agreements, as US authorities will acquire access to personal data of people
without guaranteeing basic rights.( for example the right of correcting of
false statements, etc.)

IuRe has also approached a number of parliamentarians expressing concerns
about the agreement and this resulted in the fact that the agreement did not
obtain the support of the Foreign Affairs committee of the Czech Parliament.
Also the Senate Standing Commission for Privacy Protection expressed its
negative position.

IuRe believes that the Parliament will demonstrate its sovereign role and
will not approve this agreement at the forthcoming session.

This article has been written as a part of the “Reclaim Your Rights in the
Digital Age” project supported by the Trust for Civil Society in Central and
Eastern Europe Foundation.

(contribution by EDRi-member Iuridicum Remedium- Czech Republic)