Key privacy concerns in Czech Republik 2007

By EDRi · January 30, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Last year has seen an increased number attempts from government bodies to
extend their powers and make it easier to access people’s private
information. To name a few, there were legal proposals to increase the
number of agencies authorized to access and process electronic
communication data collected by telecommunication companies under the
Data Retention law, national DNA database enlargement, plans for various
administrative database sharing, introduction of even more CCTV systems
and the pressure on air travel operators to share records about their
passengers. The introduction of biometric into travel documents data as a
mean of identification and the use of contactless chip technologies
still suffers from lack of respect of people’s privacy. Citizens continue
to loose control over their personal data with the same speed or no
visible slowdown.

a. National DNA database

There has been a substantial expansion of the number of DNA samples and
profiles in 2007 – up to 40 000 records. The new legislation which went
into force in 2006 has allowed Police to take samples from not only the
accused, but also uncharged suspects or from any other person related to the
investigation in any unspecified way, which practically means from anybody.
Moreover, the new law made it possible to take DNA samples from all
prisoners found guilty of intentional crimes as well as people under
protected health treatment. There has been a murder related investigation in
the city of Sternberk, where DNA samples were taken from all men of a
certain age, whilst no information was given about the process of
destruction of those samples belonging to innocent people after the

b. Data Retention

EU directive 2006/24/EC on the retention of data generated or
processed in connection with the provision of publicly available
electronic communications services been implemented into the national
legislation since the beginning of 2006. In 2007 the Police routinely used
the data for investigation. However, there are no official statistics of the
number of accesses nor on the efficiency of the measure. In November 2007 a
proposal was made by the Minister of Industry and Trade, Mr. Ríman, to allow
the secret service and the military intelligence a direct access to those
data. He has abandoned the idea only temporarily after a strong negative
reaction from the media and politicians.

c. PNR

The provisional agreement on transfer of Passenger Name Records
expired at the middle of 2007. The new agreement has been accepted
by the Czech government outside the ordinary legislative process due
to the lack of time. Only the Czech Data Protection Agency was
consulted. By its official opinion, the new agreement is worse in
respect to privacy than the previous one, namely because the agreement
doesn’t contain any safeguards against the US interlinking the data with
other databases, using it for other purposes or exporting the data into
third countries with different regimes of privacy protection. The Czech
government has accepted the agreement with reservation.

d. CCTV surveillance

Both the Ministry of Interior and various city magistrates continue to
invest in CCTV systems. The current number of CCTVs in Prague is 400
and keeps increasing. The Prague City Hall has announced its plans to
enclose the whole city in the circular system of interlinked cameras
with a license plate number recognition capabilities combined with speed
cameras in order to register all vehicles entering or leaving the city.
There has been a case well covered by the media of a misuse of the CCTV
system to peek into a private flat on a crossroad in Pilsen in Summer 2007.
The images have appeared on the Internet.

e. Contacless chip cards

In Summer 2007, the Prague City Hall introduced a universal service card
for all citizens of Prague. It’s supposed to be used for parking
payments, access to libraries, as a travel card, electronic wallet and a key
for online communication.
As demonstrated publicly by EDRi-member Iuridicum Remedium, anybody with a
standard RFID reader was able to obtain the personal data (name, date of
birth, sex) from the card, from a distance, without the cardholder’s
consent. Despite the producer’s claims on the enhanced security of the chip,
the actual implementation of the system did not put any focus on the
cardholders’ security and left the card at factory defaults. Neither has it
ever been explained why the personal data should be on the contactless chip
in the first place.
After the campaign, the City Hall has decided to stop putting the data
on the chip and fix the already issued ones. But the fact that many
services which used to be available anonymously are no longer anonymous
(e.g. parking) remains a major unresolved problem.

f. eGovernment

The recent developments on the eGovernment front give other reasons to
worry. There is almost no discussion about the privacy safeguards and
how they are going to be implemented. The available documentation
contains many plans on processing and interlinking people’s personal
data including the broad specification of whom this data will be made
available and how the data is going to be shared. The privacy aspects of
the system, which will potentially concern the majority of the
population, have been left out completely. The proposal made by an
independent working group for a time limited ad-hoc identifiers has not
been taken into consideration.

EDRi-gram: Prague will anonymise RFID city cards (1.08.2007)

EDRi-gram: Government attempts of increased level of surveillance in Czech
Republic (7.11.2007)

More information (in Czech only)

(contribution by Filip Pospísil and Marek Tichý, EDRi-member Iuridicum
Remedium – Czech Republic)