Republic of Latvia

Article 17 of the Constitutional Law on Rights and Obligations of a Citizen and a Person states, "(1) The State guarantees the confidentiality of correspondence, telephone conversations, telegraph and other communications. (2) These rights may be restricted by a judgeís order for the investigation of serious crimes." [fn 1]

Legislation on the protection of personal data is expected to be introduced by mid-1998. The law is being prepared by a working group operating under the Ministry of Transportation. Another working group operating under the Ministry of Culture is preparing legislation on the protection of databases maintained by the government sector. [fn 2] Latvia has broadened access to government-held information. In April 1997, Latvia's parliament amended the law on state secrets to extend access to classified information to non-citizen employees of the Interior Ministry and other state security agencies. The law mainly applies to Russian residents of Latvia who intend to become Latvian citizens. [fn 3]

On November 16, 1995, it was reported that telephones in the Latvian Defense Ministry were tapped. The Latvian Defense Ministry responded by stating Latvia's "military counterintelligence service reserves the right to ensure the security of communications at the Ministry of Defense and structures of the national armed forces." [fn 4] In April 1994, a bugging device was found on the switchboard of the "Dienas Bizness" newspaper. [fn 5]

Latvia is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 6] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 7]

Republic of Lithuania

Article 22 of the Constitution states, "The private life of an individual shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other intercommunications shall be inviolable. Information concerning the private life of an individual may be collected only upon a justified court order and in accordance with the law. The law and the court shall protect individuals from arbitrary or unlawful interference in their private or family life, and from encroachment upon their honor and dignity." [fn 8]

Lithuania enacted its Law on Legal Protection of Personal Data in 1996 [fn 9] and amended it in 1998 to harmonize it with EU Data Protection Directive. The Law regulates the processing of all types of personal data, not just in state information systems. It defines the time and the general means of protecting personal data and sets rights of access and correction. It also sets rules on the collecting, processing, transferring and using of data. The Administrative Code defines various monetary penalties in cases of the infringement of the processing and use of data. [fn 10] There is also a Law on State Registers [fn 11] which governs the use and legitimacy of state data registers that contain personal information. The law also mandates that data registers may only be erased or destroyed in cooperation with the State Data Protection Inspectorate.

The State Data Protection Inspectorate was established in 1996 to enforce the provisions of the Law on Legal Protection of Personal Data and the Law on State Registers. [fn 12] Under the 1998 Law, it is subordinated to the Minister of Public Administration Reforms and Local Authorities from July 1998. There are efforts to make it an independent agency in the next year.

Wiretapping requires a warrant issued by the Prosecutor General. [fn 13] On October 27, 1995, the Lithuanian State Security Department Chief, Jurgis Jurgialis, denied opposition charges that his department bugged telephones for political reasons. He said, "we resort to such actions only on the basis of the law and after receiving the prosecutor's authorization in each particular case." Jurgialis denied that his department was involved in widespread bugging but conceded such activities were conducted throughout Lithuania "by quite different structures, including foreign intelligence services." [fn 14] In May 1998, Lietuvos rytas, the country's largest daily, revealed that a top-secret surveillance unit was monitoring the media, the prosecutor general, cabinet ministers, the Prime Minister, and the President. The unit was shut down after the revelations. [fn 15]

There are specific privacy protections in laws relating to telecommunications, [fn 16] radio communications, [fn 17] statistics, [fn 18] the population register, [fn 19] and health information. [fn 20] The Penal Code of the Republic of Lithuania provides for criminal responsibility for violations of the inviolability of a residence, infringement on secrecy of correspondence and telegram contents, on privacy of telephone conversations, persecution for criticism, secrecy of adoption, slander, desecration of graves and impact on computer information. Civil laws provide for compensation for moral damage because of dissemination of unlawful or false information demeaning the honor and dignity of a person in the mass media. [fn 21]

Lithuania is in the process of preparing for membership in the EU and has a National Program for the Adoption of EU Regulations. It is a member of the Council of Europe but has not yet signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 22] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 23]

Grand Duchy of Luxembourg

Article 28 of the Constitution states, "(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams." [fn 24]

Luxembourg's Act Concerning the Use of Nominal Data in Computer Processing was adopted in 1979. [fn 25] The law pertains to individually-identifiable data in both public and private computer files. It also requires licensing of systems used for the processing of personal data. The law considers all personal data to be sensitive, although special provisions may be applied to medical and criminal information. For personal data processing by the private sector, an application must first be made to the Minister for Justice who thereafter issues an authorization for such processing to take place. An Advisory Board oversees the law. If an application for personal data processing is granted, and there is an objection raised or if the application is refused or the original authorization is withdrawn for some reason, an appeal can be made to the Disputes Committee of the Council of State. A national register of all systems containing personal information is maintained by the Minister for Justice. Public sector personal data systems can only be established upon the issuance of a special law or regulation. Such proposed laws or regulations are submitted to and reviewed by the Advisory Board. In 1992, the law was amended to include special protection requirements for police and medical data. A bill is currently pending in the Parliament that would make the law consistent with the EU Directive. [fn 26]

Telephone tapping is regulated by the Criminal Code. [fn 27] Under the law, a tribunal selected by the president authorizes wiretaps. There are also sectoral laws on privacy relating to telecommunications, [fn 28] identity numbers, [fn 29] and banking secrecy. Luxembourgís status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.

Luxembourg is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 30] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 31] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.


The Constitution of Malaysia does not specifically recognize the right to privacy. [fn 32]

The Ministry of Energy, Telecommunications and Posts is drafting a Personal Data Protection Act which will create legal protections for personal data. Minister Datuk Leo Moggie said the Act would also cover the security of personal data in relation to the implementation of an electronic network. [fn 33] He told the Dewan Rakyat (House of Representatives) in July 1998 that the Act will be tabled in Parliament by the end of the year.

In July, the House approved the Communications and Multimedia Bill, which has several sections on telecommunications privacy. Section 234 prohibits unlawful interception of communications. Section 249 sets rules for searches of computers and includes access to encryption keys. Section 252 authorizes police to intercept communications without a warrant if a public prosecutor considers that a communications is likely to contain information which is relevant to an investigation. [fn 34]

Several other laws relating to technology have recently been approved, including The Digital Signature Act 1997 [fn 35] and the Computer Crime Act, 1997. [fn 36] Section 8 of the Computer Crime Act allows police to inspect and seize computing equipment of suspects without a warrant or any notice. The suspect is also required to turn over all encryption keys for any encrypted data on his equipment. Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, also has provisions on privacy.

Police detained four people under the Internal Security Act on suspicion of spreading rumors of disturbances in Kuala Lumpur in August 1998. Inspector-General of Police Tan Sri Abdul Rahim Noorsaid told the media then that the suspects were detained after police tracked their activities on the Internet with the assistance of Internet service provider Mimos Berhad. [fn 37] The provider said later that it did not screen private email. [fn 38]

United Mexican States

Article 16 of the 1917 Mexican Constitution provides in part: "Oneís person, family, home, papers or possessions may not be molested, except by virtue of a written order by a proper authority, based on and motivated by legal proceedings. The administrative authority may make home visits only to certify compliance with sanitary and police rules; the presentation of books and papers indispensable to verify compliance with the fiscal laws may be required in compliance with the respective laws and the formalities proscribed for their inspection. Correspondence, under the protective circle of the mail, will be free from all inspection, and its violation will be punishable by law." [fn 39]

Article 214 of the Penal Code protects the disclosure of personal information held by government agencies. [fn 40] The General Population Act regulates the National Registry of Population and Personal Identification. The Registry's purpose is to register all persons making up the country's population using data enabling their identity to be certified or attested reliably. The aim of this is ultimately to issue the citizen's identity card, which will be the official document of identification, fully endorsing the data contained in it concerning the holder. [fn 41]

Chapter 6 of Mexicoís Postal Code, in effect since 1888, recognizes the inviolability of correspondence and guarantees the privacy of correspondence. [fn 42] The 1939 General Communication Law provides penalties for interrupting communications and divulging secrets. [fn 43] The Federal Penal Code establishes penalties for the crime of revealing personal secrets by any means, including personal mail. [fn 44] In 1981, the Penal Code was amended to include the interception of telephone calls by a third person. [fn 45] The Law Against Organized Crime, passed in November 1996, allows for electronic surveillance with a judicial order. [fn 46] The law prohibits electronic surveillance in cases of electoral, civil, commercial, labor, or administrative matters and expands protection against unauthorized surveillance to cover all private means of communications, not merely telephone calls. [fn 47] The Law has been widely criticized by Mexican human rights organizations as violating Article 16 of the Constitution. [fn 48] They noted that telephone espionage had historically been used by the ruling PRI party "to keep the opposition in check." [fn 49] In 1997, the telephones of the Jalisco State Supreme Court were found to have been wiretapped. [fn 50] On March 3, 1998, a large cache of government electronic eavesdropping equipment which had been used since 1991 to spy on members of opposition political parties, human rights groups and journalists was discovered in Campeche. [fn 51] Thousands of pages of transcripts of telephone conversations were uncovered along with receipts for $1.2 million in Israeli surveillance equipment. More than a dozen other cases of government espionage in four other states were exposed, ranging from hidden microphones and cameras found in government offices in Mexico City, to tapes of a state governorës telephone calls. Every government agency identified with the electronic surveillance operations -- the federal attorney-general and interior ministry, the military, the national security agency and a plethora of state institutions -- denied knowing anything about them.[fn 52]

The U.S.-Mexican border has been an area of increased surveillance. Mexican authorities now routinely perform "security sweeps" of homes in areas bordering the United States. [fn 53] On the U.S. side, biometric facial feature recognition systems have been implemented by the Immigration and Naturalization Service at the Otay Mesa border crossing (San Diego-Tijuana) for frequent U.S. commuters to Mexican maquiladora factories. The biometric data is stored with driver's license number, vehicle registration number and passport status in an INS database. When a commuter in the program approaches the U.S. border, a transponder under his vehicle sends a signal to the checkpoint booth, activating the database and displaying the driver's image. Other commuters use a voice-activated device in addition to the facial scan. [fn 54]

Mexico is a member of the Organization for Economic Cooperation and Development but does not appear to have adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Mexico has also signed the American Convention on Human Rights.

Kingdom of the Netherlands

The Constitution grants citizens an explicit right to privacy. [fn 55 ] Article 10 states, "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them and of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 13 states, "(1) The privacy of correspondence shall not be violated except, in the cases laid down by Act of Parliament, by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorization of those designated for the purpose by Act of Parliament."

The Dutch Data Registration Act 1988 [fn 56] levenssfeer in verband met persoonsregistraties (Wet persoonsregistraties). Gepubliceerd ] establishes a code of fair information practices which applies to the handling of personal data files. The Act defines "personal data file" as "any organized collection of personal data relating to different persons which is operated by automated means or is systematically disposed in such a way as to facilitate access to the data therein contained." The Act generally stipulates that a personal data file must be set up only for a specific purpose that is relevant to the interests of the party controlling the personal data file. Personal data must be obtained legitimately and in accordance with the purpose for which the file was set up. There is a duty on the party collecting data to ensure that the data is accurate and complete. Use of the personal data must be compatible with the purpose of the data file. The party controlling the data must take appropriate measures to ensure data is secure, and can be held liable for any loss or damage resulting from failure to comply with the Act. Data can only be disclosed if the disclosure is compatible with the purpose of the data file, is required by statute, or if the data subject consents to the disclosure. Controllers of personal data files must notify every person about whom personal data has been recorded. Provisions allow data subjects to have access to their data files and to request correction of their personal data. The data subject can apply to the district court for enforcement of these provisions.

The Data Registration Act establishes the Registration Chamber (Registratiekamer). [fn 57] The Registration Chamber, which serves as the Dutch Data Protection Authority, exercises supervision of the operation of personal data files in accordance with the Data Registration Act. The Chamber advises the government, deals with complaints submitted by data subjects, institutes investigations and makes recommendations to controllers of personal data files. In 1997, the Chamber released a report on anonymous payment systems.

Two decrees have been issued under the Data Registration Act. The Decree on Sensitive Data [fn 58] sets out the limited circumstances when personal data on an individual's religious beliefs, race, political persuasion, sexuality, medical, psychological and criminal history may be included in a personal data file. The Decree on Regulated Exemption [fn 59] exempts certain organizations from the registration requirements of the Data Registration Act.

The Dutch Data Registration Bill 1998 [fn 60] was introduced in the Lower House of the Dutch Parliament in June 1998. This bill is a revised and expanded version of the 1988 Data Registration Act that will bring Dutch law in line with the European Data Protection Directive and will regulate the disclosure of personal data to countries outside of the European Union. Since June 1998, many questions have arisen from members of Parliament concerning the new bill, and those questions are currently being investigated and answered by the Minister of Justice. The bill will be open to debate in the Lower House in October 1998, and is scheduled to move to the Upper House in November 1998. The earlier Data Registration Act will be repealed when the 1998 Bill comes into force, which is expected to be on March 1, 1999. Passage by Parliament is expected in January 1999.

Interception of communications is regulated by the criminal code and requires a court order. [fn 61] In November 1997, XS4ALL, a Dutch ISP, refused to conduct a broad wiretap of electronic communications of one of their subscribers. A bill to expand wiretapping powers to require that all telecommunications services make their systems wiretap capable was approved by the Lower Chamber of the Dutch Parliament in April 1998. [fn 62] A survey by the Dutch Ministry of Justice in 1996 found that police in the Netherlands intercept more telephone calls than their counterparts in the United States, Germany or Britain. [fn 63] The Parliamentary Investigations Commission into police methods released a 4700 page report in 1996. The report was critical of legal controls on police surveillance [fn 64] and found that there was a failure among judges, prosecutors and other officials to limit police abuses .

There are sectoral laws dealing with the Dutch police [fn 65], medical exams [fn 66], medical treatment [fn 67], social security [fn 68], entering private homes [fn 69] and the employment of minorities.[fn 70]

The Netherlands is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 71] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 72] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

New Zealand

Article 21 of the Bill of Rights Act 1990 states, "Everyone has the right to be secure against unreasonable search or seizure, whether of the person, property, or correspondence or otherwise." [fn 73] The Human Rights Act 1994 prohibits discrimination. [fn 74]

New Zealand's Privacy Act was enacted in 1993 and has been amended twice. [fn 75] It regulates the collection, use and dissemination of personal information in both the public and private sectors. The Privacy Act applies to "personal information," which is any information about an identifiable individual, whether automatically or manually processed. Recent case law has held that the definition also applies to mentally processed information. [fn 76] The news media are exempt from the Privacy Act in relation to their news activities.

The Act creates twelve Information Privacy Principles generally based on the 1980 OECD guidelines and the information privacy principles in Australia's Privacy Act 1988. In addition, the legislation includes a new principle that deals with the assignment and use of unique identifiers. The Information Privacy Principles can be individually or collectively replaced by enforceable codes of practice for particular sectors or classes of information. At present, there is only one full code of practice in force, the Health Information Privacy Code 1994. There are several codes of practice that alter the application of single information privacy principles: the Superannuation Schemes Unique Identifier Code 1995, the EDS Information Privacy Code 1997, and the Justice Sector Unique Identifier Code 1998.

In addition to the information privacy principles, the legislation contains principles relating to information held on public registers; it sets out guidelines and procedures in respect to information matching programs run by government agencies; and it makes special provision for the sharing of law enforcement information among specialised agencies.

The Office of the Privacy Commissioner is an independent oversight authority which was originally created prior to the Privacy Act by the 1991 Privacy Commissioner Act. [fn 77] The Privacy Commissioner oversees compliance with the Act, but does not function as a central data registration or notification authority. The Privacy Commissioner's principal powers and functions include promoting the objects of the Act, monitoring proposed legislation and government policies, dealing with complaints at first instance, approving and issuing codes of practice and authorizing special one-off exemptions from the information privacy principles, and reviewing public sector information matching programs.

Complaints by individuals are initially filed with the Privacy Commissioner who attempts to conciliate the matter. The office received 1200 complaints in the year ending June 1997. [fn 78] If conciliation fails, the Proceedings Commissioner [fn 79] or the complainant (if the Proceedings Commissioner is unwilling) can bring the matter before the Complaints Review Tribunal, which can issue decisions and award declaratory relief, issue restraining or remedial orders, and award special and general damages up to NZ $200,000.

The Privacy Act does not apply to self-governing territories associated with New Zealand, the Cook Islands and Niue. Neither does it apply to the soon-to-be self-governing territory of Tokelau.

The New Zealand Crimes Act governs the use of evidence obtained by listening devices. [fn 80] Judicial warrants may be granted for bugging premises or interception of telephonic communications. Emergency permits may be granted for the bugging of premises. Emergency permits to intercept private communications are prohibited under the law. Those who illegally disclose the contents of private communications are merely liable for a NZ$500 fine. The New Zealand Security Intelligence Service (NZSIS) is also permitted to carry out electronic interceptions under the New Zealand Security Intelligence Service Act 1969. Under the provisions of this act, the Minister in Charge of the NZSIS is required to submit an annual report to the House of Representatives. In 1996, the minister reported 4 warrants issued to the NZSIS for intercepts. The report states, "the average length of time for which these warrants were in force was 4 months and 19 days." The report further states that "the methods for interception and seizure used were listening devices and the copying of documents."

One agency not governed by the restrictions imposed on law enforcement and the NZSIS is the Government Communications Security Bureau (GCSB), the signals intelligence (SIGINT) agency for New Zealand. Operating as a virtual branch of the U.S. National Security Agency, this agency maintains two intercept stations at Waihopai and Tangimoana. The Waihopai station routinely intercepts trans-Pacific and intra-Pacific communications and passes the collected intelligence to NSA headquarters. David Lange, a former Prime Minister of New Zealand, said he and other ministers were told very little about the operations of GCSB while they were in power. Of particular interest to GCSB and NSA are the communications of the governments of neighboring Pacific island states. [fn 81]

The Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987 are freedom of information legislation. Their enforcement is supervised by the Office of the Ombudsman. There are significant interconnections between this freedom of information legislation and the Privacy Act in subject matter, administration, and jurisprudence, so much so that the three enactments may be viewed as complementary components of one overall statutory scheme.

New Zealand is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. New Zealand is one of six countries involved in a European Commission study of methods of assessing whether laws of "third countries" meet the provisions of the EU data protection directive. [fn 82]

Kingdom of Norway

There is no provision in the Norwegian Constitution of 1814 dealing specifically with the protection of privacy. The closest to such a provision is section 102, which prohibits searches of private homes except in "criminal cases." More generally, section 110c of the Constitution places state authorities under an express duty to "respect and secure human rights." However, the European Convention on Human Rights and Fundamental Freedoms (ECHR) of 1950 has not been formally incorporated into Norwegian law. The Norwegian Supreme Court has held that there exists in Norwegian law a general legal protection of "personality" which embraces a right to privacy. This protection of personality exists independently of statutory authority but helps form the basis of the latter (including data protection legislation), and can be applied by the courts on a case-by-case basis. This protection was first recognized in 1952. [fn 83]

Norwayís main data protection statute is the Personal Data Registers Act of 1978. [fn 84] The Act regulates the establishment and use, in the public and private sectors, of automated and physical data files on both physical/natural persons and legal persons (corporations and the like). A person wishing to set up a computerized database of personal information must apply for a license. There are stricter controls on sensitive information. In 1994, the act was amended to also cover video surveillance. [fn 85] The Act is in the process of being overhauled. This is partly to update the legislation in the light of new technological developments, and partly to bring Norwegian law into conformity with the requirements of the EC Directive on data protection. A preliminary proposal for new data protection legislation has been issued. [fn 86] However, a Bill based on this proposal has yet to be introduced into the Norwegian Parliament. The proposal follows closely the EC Directive.

The Data Inspectorate (Datatilsynet) is an independent administration body set up under the Ministry of Justice in 1980. [fn 87] The Inspectorate accepts applications for licenses for data registers and evaluates the licenses, enforces the privacy laws and regulations, and provides information. The Inspectorate can conduct inspections and impose sanctions. As of 1996, the Inspectorate had issued 65,000 licenses. Decisions of the Inspectorate can be appealed to the Ministry of Justice.

Wiretapping requires the permission of a tribunal and are initially limited to four weeks. [fn 88] A large number of other pieces of legislation contain provisions relevant to privacy and data protection. These include the Administrative Procedures Act of 1967, [fn 89] the Freedom of Information Act of 1970, [fn 90] and the Criminal Code of 1902. [fn 91]

A Parliamentary Commission of Inquiry was set up in 1994 to investigate the post-war surveillance practices of Norwegian police and security services. The Commission delivered its report in 1996, causing a great deal of public and political debate on account of its finding that much of the undercover surveillance practices had been instituted and/or conducted illegally.

Norway is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 92] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 93] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Although Norway is not a member of the EU, it is a party to the 1992 Agreement on the European Economic Area (EEA). As such, Norway is required to comply with the EU Directive before it is formally incorporated into the EEA.

Republic of the Philippines

Article III of the 1987 Constitution protects the right of privacy. Section 2 states "The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures of whatever nature and for any purpose shall be inviolable, and no search warrant or warrant of arrest shall issue except upon probable cause to be determined personally by the judge after examination under oath or affirmation of the complainant and the witnesses he may produce, and particularly describing the place to be searched and the persons or things to be seized." Section 3 states: "(1)The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law. (2) Any evidence obtained in violation of this or the preceding section shall be inadmissible for any purpose in any proceeding." Section 7 states: "The right of the people to information on matters of public concern shall be recognized. Access to official records, and to documents and papers pertaining to official acts, transactions, or decisions, as well as to government research data used as basis for policy development, shall be afforded the citizen, subject to such limitations as may be provided by law." [fn 94]

There is no general data protection law but there is a recognized right of privacy in civil law. [fn 95] Bank records are protected by the Bank Secrecy Act.

The Anti-Wiretapping Law requires a court order to obtain a telephone tap. [fn 96] In May 1998, Director Gen. Santiago Alino, chief of the Philippine National Police, ordered an investigation of the alleged electioneering and illegal wiretapping activities by members of the National Police's Special Project Alpha (SPA). Matillano said that his office received information that the former SPA men had been using the office as their "monitoring center" against Vice-President Estrada's political opponents. Five recorders used to monitor wiretaps were found at the offices. [fn 97] The House and the Senate held investigations in August 1997 after officials of the telephone company admitted that their employees were being paid to conduct illegal wiretaps. [fn 98]

The Supreme Court ruled in July 1998 that Administrative Order No. 308 introduced by former President Ramos in 1996, the Adoption of a National Computerized Identification Reference System, was unconstitutional. The Court said that the order, "will put our people's right to privacy in clear and present danger . . No one will refuse to get this ID for no one can avoid dealing with government. It is thus clear as daylight that without the ID, a citizen will have difficulty exercising his rights and enjoying his privileges." Government lawyers asked the court to reconsider its decision in August, [fn 99] and President Joseph Estrada reiterated his support for the use of a national identification system in August 1998 stating that only criminals are against a national ID. [fn 100] Justice Secretary Serafin Cuevas authorized the National Statistics Office (NSO) to proceed to use the population reference number (PRN) for the Civil Registry System-Information Technology Project (CRS-ITP) on August 14, claiming that it is not covered by the decision. [fn 101]

Republic of Poland

The Polish Constitution recognizes the rights of privacy and data protection. Article 47 states, "Everyone shall have the right to legal protection of his private and family life, of his honor and good reputation and to make decisions about his personal life." Article 51 states, "(1) No one may be obliged, except on the basis of statute, to disclose information concerning his person. (2) Public authorities shall not acquire, collect nor make accessible information on citizens other than that which is necessary in a democratic state ruled by law. (3) Everyone shall have a right of access to official documents and data collections concerning himself. Limitations upon such rights may be established by statute. (4) Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. (5) Principles and procedures for collection of and access to information shall be specified by statute." [fn 102]

The Act on Personal Data Protection was approved in 1997 and took effect in April 1998. [fn 103] Under the Act, everyone will have the right to verify his or her personal records held by government agencies or private companies. Every citizen has the right to be informed whether such databases exist and who administers them; queries should be answered within 30 days. Upon finding out that data is incorrect, inaccurate, outdated or collected in a way that constitutes a violation of the Act, citizens will have the right to request that the data be corrected, filled in or withheld from processing. [fn 104]

The Act is enforced by the recently created Office of Inspector General for the Protection of Personal Information. The Office can make checks on the basis of a complaint or by random inspections. Another responsibility is to register databases. An inspector has the right to access data, check data transfer and security systems, and determine whether the information gathered is appropriate for the purpose which it is supposed to serve. [fn 105] The office will monitor the activities of all central government, local government and private institutions, individuals and corporations.

Interception of communications is regulated by the new code of penal procedure that took effect September 1, 1998. [fn 106] The main difference between this and the previous code is that under the new regime, it is specified in the law in which cases tapping of communications is admissible. Telephones can be tapped only after the person in charge of the investigation has obtained permission from a court. In special instances, the prosecutor will have the right to authorize a wiretap, but the decision must be confirmed by a court within five days. [fn 107] According to official data released by the Internal Affairs Ministry in 1995, wiretapping and correspondence control were ordered in approximately 3000 instances. [fn 108] In 1996, an opposition party member of Parliament revealed that the State Protection Office's (UOP's) was conducting surveillance against major labor unions. [fn 109]

Controversy still surrounds efforts to create an expanded national id system. The Electronic Census System (PESEL) number, which has been issued since the mid-1970s, is the biggest collection of personal data in Poland. Every identity card contains a PESEL number, which is a confirmation of the owner's date of birth and sex. The system is fully computerized. A Tax Identification Number (NIP) is also being developed. By the end of 1997, a total of 24 million citizens and companies will have received their NIP numbers. This system will be fully computerized in the near future.

Poland is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 110] Poland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 111] Poland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Republic of Portugal

The Portuguese Constitution has extensive provisions on protecting privacy, secrecy of communications and data protection.

Article 26 states, "(1) Everyone's right to his or her personal identity, civil capacity, citizenship, good name and reputation, image, the right to speak out, and the right to the protection of the intimacy of his or her private and family life is recognized. (2) The law establishes effective safeguards against the abusive use, or any use that is contrary to human dignity, of information concerning persons and families. (3) A person may be deprived of citizenship or subjected to restrictions on his or her civil capacity only in cases and under conditions laid down by law, and never on political grounds." Article 34 states, "(1) The individual's home and the privacy of his correspondence and other means of private communication are inviolable. (2) A citizen's home may not be entered against his will, except by order of the competent judicial authority and in the cases and according to the forms laid down by law. (3) No one may enter the home of any person at night without his consent. (4) Any interference by public authority with correspondence or telecommunications, apart from the cases laid down by law in connection with criminal procedure, are prohibited."

Article 35 states, "(1) Without prejudice to the provisions of the law on State secrecy and justice secrecy, all citizens have the right of access to the data contained in automated data records and files concerning them as well as the right to be informed of the use for which they are intended; they are entitled to request that the contents thereof be corrected and brought up to date. (2) Access to personal data records or files are forbidden for purposes of getting information relating to third parties as well as for the interconnection of these files, save in exceptional cases as provided for in the law and in Article 18. (3) Data processing may not be used in regard to information concerning a person's philosophical or political convictions, party or trade union affiliations, religious beliefs, or private life, except in the case of non-identifiable data for statistical purposes. (4) The law defines the concept of personal data for the purposes of data storage as well as the conditions for establishing data banks and data basis by public or private entities and the conditions of utilization and access. (5) Citizens may not be issued all-purpose national identification numbers. (6) The law defines the provisions applicable to transborder data flows establishing adequate norms of protection of personal data and of any other data in which the national interest is justified." Article 35 was amended in October 1997. [fn 112]

The Act on the Protection of Personal Data with Regard to Automatic Processing covers computer based processing of personal information held by government agencies or private parties. [fn 113] Sensitive information relating to political, philosophical, union, or religious beliefs, racial origin, criminal convictions, health status, marriage, and finances cannot be processed without permission. For other information, individuals have a right of access. The holders have a duty to ensure accuracy and only use the information for the purpose for which it is stored. At the moment, there is a bill under consideration at the Parliament which might amend the Portuguese data protection law to make it consistent with the E.U. data protection directive. [fn 114]

The Act is enforced by the National Commission for the Protection of Automated Personal Data (CNPDPI). [fn 115] The Commission is an independent Parliament-based agency that registers databases, authorizes and controls databases, issues directives, and oversees the Schengen information system. [fn 116]

There are also specific laws on the Schengen information system, [fn 117] computer crime, [fn 118] and counseling centers. [fn 119] The penal code has provisions against unlawful surveillance and interference with privacy.[fn 120] Evidence obtained by any violation of privacy, the home, correspondence or telecommunications without the consent of the interested party is null and void. [fn 121] An inquiry was opened in October 1994 on illegal surveillance of politicians after microphones were discovered in the offices of a state prosecutor and several ministers. [fn 122] The Portuguese government ordered cellular telephone companies to assist with surveillance in October 1996. [fn 123]

Portugal is a member of the Council of Europe and recently signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[fn 124] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[fn 125] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Russian Federation

The Constitution of the Russian Federation recognizes rights of privacy, data protection and secrecy of communications. Article 23 states, "1. Everyone shall have the right to privacy, to personal and family secrets, and to protection of one's honor and good name. 2. Everyone shall have the right to privacy of correspondence, telephone communications, mail, cables and other communications. Any restriction of this right shall be allowed only under an order of a court of law." Article 24 states, "1. It shall be forbidden to gather, store, use and disseminate information on the private life of any person without his/her consent. 2. The bodies of state authority and the bodies of local self-government and the officials thereof shall provide to each citizen access to any documents and materials directly affecting his/her rights and liberties unless otherwise stipulated under the law."

Article 25 states, "The home shall be inviolable. No one shall have the right to enter the home against the will of persons residing in it except in cases stipulated by the federal law or under an order of a court of law." [fn 126] The Russian Supreme Court ruled in 1998 that individuals have a right to live anywhere without getting permission from local officials. [fn 127]

The Duma approved the Law of the Russian Federation on Information, Informatization, and Information Protection in January 1995. [fn 128] The law covers both the government and private sectors and licenses the processing of personal information by the private sector. The remainder of the law mostly deals with access to information. The Russian law does not establish a central regulatory body for data protection and it is not clear that it has been effective. The law specifies that responsibility for data protection rests with the data controllers. There was reportedly some effort to update the data protection law, perhaps to make it more compliant with the Council of Europe's Convention 108, before the recent political upheaval.

Secrecy of communications is protected by the 1995 Communications Act. The tapping of telephone conversations, scrutiny of electric-communications messages, delay, inspection and seizure of postal mailings and documentary correspondence, receipt of information thereon, and other restriction of communications secrets are allowed only on the basis of a judicial decision. [fn 129] The Law on Operational Investigation Activity regulates surveillance methods of the secret services and requires a warrant. [fn 130] However, there have been numerous credible reports that the security services have conducted illegal wiretaps of politicians throughout Russia. In June 1998, it was publicly revealed that the Federal Security Service was drafting a ministerial act code-named SORM-2 (Systems for Ensuring Investigative Activity) that would require Internet Service Providers to install surveillance devices and high speed links to the Federal Security Service in their systems agencies which would allow police direct access to the communications of Internet users without a warrant. [fn 131]

There are also privacy protections in the Civil Code [fn 132] and the Criminal Code. [fn 133] The United Nations Human Rights Committee expressed concerns over the state of privacy in Russia in 1995 and recommended the enactment of additional privacy laws. It noted: "The Committee is concerned that actions may continue which violate the right to protection from unlawful or arbitrary interference with privacy, family, home or correspondence. It is concerned that the mechanisms to intrude into private telephone communication continue to exist, without a clear legislation setting out the conditions of legitimate interference with privacy and providing for safeguards against unlawful interference . . The Committee urges that a legislation be passed on the protection of privacy, as well as strict and positive action be taken to prevent violations of the right to protection from unlawful or arbitrary interference with privacy, family, home or correspondence." [fn 134]

Russia is a member of the Council of Europe but has not signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 135] It has not signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 136]


Some of the twenty-two autonomous republics of the Russian Federation have constitutional provisions on privacy. In some cases, these republics claim that their constitutions take precedence within their territories over that of the Russian Federation.

Republic of San Marino

The Act Regulating the Computerized Collection of Personal Data was enacted in 1983 and amended in 1995. [fn 137] The Act applies to any computerized filing system or data bank, both private and public. It prohibits the collection of personal and confidential data through fraudulent, illegal or unfair means. It requires that information is accurate, relevant and complete. Any individual is entitled both to inquire whether his or her personal data have been collected or processed, to obtain a copy, and to require that inaccurate, outdated, incomplete or ambiguous data, or data whose collection, processing, transmission or preservation is forbidden, be rectified, integrated, clarified, updated or canceled. The creation of a data bank requires the prior authorization of both the State Congress (the Government) and the Guarantor for the Safeguard of Confidential and Personal Data. There are additional rules for sensitive information. Infringements can be punished by means of administrative sanctions or penalties. There were a number of Regency's Decrees issued under the 1983 Act that remained in force after the 1995 revisions. [fn 138] The Regulation on Statistical Data Collection and Public Competence in Data Processing [fn 139] regulates data processing within the Public Administration.

The Act is enforced by the Guarantor for the Safeguard of Confidential and Personal Data, a judge of the Administrative Court. The Guarantor can examine any claim or petition relating to the application of the above-mentioned law and pass judgment whenever the confidentiality of personal data is violated. His judgment can be appealed to a higher court. The release of information to other countries is conditioned on the prior authorization of the Guarantor, who must verify that the country to which confidential information is being transmitted ensures the same level of protection of personal data as that established in Sammarinese legislation.

Republic of Singapore

The Singapore Constitution is based on the British system and does not contain any explicit right to privacy. [fn 140]

There is no general data protection or privacy law in Singapore. In September 1998, the National Internet Advisory Board proposed an industry-based self-regulatory "E Commerce Code for the Protection of Personal Information and Communications of Consumers of Internet Commerce." [fn 141] The code would oblige providers to ensure the confidentiality of business records and

personal information of users, including details of usage or transactions, would prohibit the disclosure of personal information, and would require providers not to intercept communications unless required by law. The code would also limit collection and prohibit disclosure of personal information without informing the consumer and giving them an option to stop the transfer, ensure accuracy of records and provide a right to correct or delete data. The Code would be enforced by an industry-run Compliance Authority. Providers that were in compliance could use a "Privacy Code Compliance Symbol." The regulatory authority for the electronic medium in Singapore is the Singapore Broadcasting Authority (SBA). SBA is a statutory board under the Ministry of Information and the Arts (MITA).

In July 1998, the Singapore government passed three major bills concerning computer networks. They are the Computer Misuse (Amendment) Bill, the Electronic Transactions Bill and the National Computer Board (Amendment) Bill. The CMA provides the Police with additional powers of investigations. Under the amended Act, it is now an offense to refuse to assist the Police in an investigation. Amendments also widened the provisions allowing the Police lawful access to data and encrypted material in their investigations of offenses under the CMA as well as other offenses disclosed in the course of their investigations. Such power of access requires the consent of the Public Prosecutor.

Electronic surveillance of communications is governed by the Telecommunications Authority of Singapore (TAS) Act. However, the government has extensive powers under the Internal Security Act and other acts to monitor anything that is considered a threat to "national security." The U.S. State Department in 1998 stated, "Divisions of the Government's law enforcement agencies, including the Internal Security Department and the Corrupt Practices Investigation Board, have wide networks for gathering information. It is believed that the authorities routinely monitor citizens' telephone conversations and use of the Internet. While there were no proven allegations that they did so in 1997, it is widely believed that the authorities routinely conduct surveillance on some opposition politicians and other critics of the Government." [fn 142] All of the Internet Services Providers are controlled by government-owned or government-controlled companies. [fn 143] Each person in Singapore wishing to obtain an Internet account must show their national ID card to the provider to obtain an account. [fn 144] ISPs reportedly provide information on users to government officials without legal requirements on a regular basis. In 1994, Technet -- then the only Internet provider in the country serving the academic and technical community -- scanned through the email of its members looking for pornographic files. According to Technet, they scanned the files without opening the mails, looking for clues like large file sizes. In September 1996, a man was fined US$43,000 for downloading sex films from the Internet. It was the first enforcement of Singapore's Internet regulation. The raid followed a tip-off from Interpol which was investigating people exchanging pornography online. Afterwards, the SBA assured citizens that it does not monitor e-mail messages, chat groups, what sites people access, or what they download.[fn 145]

An extensive Electronic Road Pricing system for monitoring road usage went into effect in 1998. The system collects information on an automobile's travel from smart cards plugged into transmitters in every car and in video surveillance cameras. [fn 146] The service claims that the data will only be kept for 24 hours. Video surveillance cameras are also commonly used for monitoring roads and preventing littering in many areas. [fn 147] It was proposed in Tampines in 1995 that cameras be placed in all public spaces including corridors, lifts, and open areas such as public parks, car parks and neighborhood centers and broadcast on the public cable television channel. [fn 148]

Slovak Republic

The 1992 Constitution provides for protections for privacy, data protection and secrecy of communications. Article 16 states "(1) The inviolability of the person and its privacy is guaranteed. It can be limited only in cases defined by law." Article 19 states "(1) Everyone has the right to the preservation of his human dignity and personal honor, and the protection of his good name. (2) Everyone has the right to protection against unwarranted interference in his private and family life. (3) Everyone has the right to protection against the unwarranted collection, publication, or other illicit use of his personal data." Article 22 states "(1) The privacy of correspondence and secrecy of mailed messages and other written documents and the protection of personal data are guaranteed. (2) No one must violate the privacy of correspondence and the secrecy of other written documents and records, whether they are kept in privacy or sent by mail or in another way, with the exception of cases to be set out in a law. Equally guaranteed is the secrecy of messages conveyed by telephone, telegraph, or other similar means." [fn 149]

The Act on Protection of Personal Data in Information Systems was approved in February 1998. [fn 150] The Act replaces the previous 1992 Czechoslovakian legislation (see Czech Republic report for information). The new act closely tracks the EU Data Protection Directive and limits the collection, disclosure and use of personal information by government agencies and private enterprises either in electronic or manual form. It creates duties of access, accuracy and correction, security, and confidentiality on the data processor. Processing of information on racial, ethnic, political opinions, religion, philosophical beliefs, trade union membership, health, and sexuality is forbidden. Transfers to other countries are limited unless the country has "adequate" protection. All systems are required to be registered with the Statistical Office of the Slovak Republic. The Act creates a new office for a Commissioner for the Protection of Personal Data in Information Systems who will supervise and enforce the Act.

Under the 1993 Police Law, the police are required to obtain permission from a court or prosecutor before undertaking any telephone tapping. [fn 151] However, there have been many public revelations of illegal wiretapping by government agencies of opposition politicians. [fn 152] In 1997, the UN Human Rights Committee recommended that the government: "ensure control, by an independent judicial authority, of the interception of confidential communications -- related to, for example, wire-tapping and protection of the right to privacy." [fn 153]

There are also other legal protections. Article 11 of the Civil Code states "everyone shall have the right to be free from unjustified interference in his or her privacy and family life." There are also computer-related offenses linked with the protection of a person (unjustified treatment of a personal data). [fn 154] The Slovak Constitutional Court ruled in March 1998 that the law allowing public prosecutors to demand to see the files or private correspondence of political parties, private citizens, trade union organizations and churches, even if this is not necessary for prosecution, was unconstitutional. Court chairman Milan Cic said this was "not only not usual, but opens the door to widespread violation of peoplesí basic rights and their right to privacy." [fn 155]

Slovakia is a member of the Council of Europe but has not signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[fn 156] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 157]

Republic of Slovenia

The 1991 Constitution recognizes many privacy rights. Article 35 on the Protection of the Right to Privacy and of Personal Rights states, "The physical and mental integrity of each person shall be guaranteed, as shall be his right to privacy and his other personal rights." Article 37 on the Protection of Privacy of Post and Other Means of Communication states, "The privacy of the post and of other means of communication shall be guaranteed. In accordance with statute, a court may authorize action infringing on the privacy of the post or of other means of communication, or on the inviolability of individual privacy, where such actions are deemed necessary for the institution or continuance of criminal proceedings or for reasons of national security." Article 38 on the Protection of Personal Data states, "The protection of personal data relating to an individual shall be guaranteed. Any use of personal data shall be forbidden where that use conflicts with the original purpose for which it was collected. The collection, processing and the end-use of such data, as well as the supervision and protection of the confidentiality of such data, shall be regulated by statute. Each person has the right to be informed of the personal data relating to him which has been collected and has the right to legal remedy in the event of any misuse of same." [fn 158]

The Law on Personal Data Protection was enacted in 1990. [fn 159] It broadly adopts the basic principles of the OECD Guidelines on the Protection of Privacy and the Council of Europe's Convention. Specifically, the law regulates the security of personal data in data files; restricts third-party access and use only upon the written consent of the data subject; provides for data subject access to his or her files; and permits the transfer of personal data to other countries only if the recipient country has guaranteed "full protection of personal data" to include that held on "foreign citizens." However, the Slovenian law merely provides for a somewhat nebulous "republican organ" oversight of personal data protection practices, and therefore is not compliant with the pan-European instruments on data protection, including the EU's Privacy Directive.

Slovenia is in the process of amending its data protection law to be fully compliant with EU and COE requirements. This includes the establishment of a separate data protection office. Since Slovenia is one of the first of central and eastern European nations to join the EU, it was told by European Internal Market Commissioner Mario Monti during his visit to Slovenia in May 1998, that "legislative adjustments" to its data protection law were required before the country could accede to EU membership. [fn 160] Slovenia hopes to conclude its negotiations and enter the EU as a full member by the year 2002.

A judge's warrant must be issued prior to a house search or telephone tapping. According to the European Commission, "this procedure has not thus far given rise to abuse on the part of the police." [fn 161] In 1994, Parliament fired the country's defense minister, Janez Jansa, following claims that he tapped journalists' phones. [fn 162] Defense Minister Tit Turnsek resigned in February 1998 after two military intelligence officers were arrested by Croatian authorities while driving a vehicle filled with electronic surveillance equipment. [fn 163] The Law on National Statistics regulates the privacy of information collected for statistical purposes. [fn 164]

Slovenia is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 165] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 166]

Republic of South Africa

Section 14 of the South African Constitution of 1996 states, "Everyone has the right to privacy, which includes the right not to have -- (a) their person or home searched; (b) their property searched; (c) their possessions seized; or (d) the privacy of their communications infringed." Section 32 states: "(1) Everyone has the right of access to -- (a) any information held by the state, and; (b) any information that is held by another person and that is required for the exercise or protection of any rights; (2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state." [fn 167] The interim Constitution contained an essentially similar provision to Section 14, in Section 13. [fn 168] It is clear that both sections are written in a way which directly responds to the experiences during the apartheid era of gross interferences with peoples' right to privacy.

The South African Constitutional Court has delivered a number of judgments on the right to privacy relating to the possession of indecent or obscene photographs, [fn 169] the scope of privacy in society, [fn 170] and searches. [fn 171] All the judgments were delivered under the provisions of the Interim Constitution as the causes of action arose prior to the enactment of the Final Constitution. However, as there is no substantive difference between the privacy provisions in the Interim and Final Constitutions, the principles remain authoritative for future application.

South Africa is currently in the process of adopting a comprehensive privacy and freedom of information law. The Open Democracy Bill was introduced in July 1998. [fn 172] The bill covers both public and private sector entities and allows for access, rights of correction and limitations on disclosure of information. The bill would be enforced by the Human Rights Commission. This Bill is now with the Portfolio Committee on Justice, which has promised to hold public hearings on the final draft before sending the Bill to Parliament for tabling. The Bill was recently taken off the Parliamentary agenda for this session and is unlikely to reappear before the election in May next year.

South Africa does not have a privacy commission but has a Human Rights Commission which was established under Chapter 9 of the Constitution and whose mandate is to investigate infringements on and to protect the fundamental rights guaranteed in the Bill of Rights, and to take steps to secure appropriate redress where human rights have been violated.

The Interception and Monitoring Act of 1992 regulates the interception of communications. [fn 173] This Act prohibits the interception of certain communications and the monitoring of certain conversations and also provides for the interception of postal articles and communications and for the monitoring of conversations in the case of a serious offense, or if the security of the country is threatened.

There are no other specific pieces of legislation on general data protection law. Other than the Constitutional right to privacy, the South African common law protects rights of personality under the broad umbrella of the actio injuriarum. The elements of liability for an action based on invasion of privacy are the same as any other injury to the personality, namely an unlawful and intentional interference with another's right to seclusion and to private life.

The Cabinet approved a plan in March 1998 to issue a multi-purpose smart card which combines access to all government departments and services with banking facilities. This is part of the information technology strategy formulated by the Department of Communications to provide kiosks for access to government services. [fn 174] In the long term, the smart card is intended to function as passport, driver's license, identity document and bank card. The driver's license will include fingerprints.

Kingdom of Spain

The Constitution recognizes the right to privacy, secrecy of communications and data protection. Article 18 states, "(1). The right of honor, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except for infractions by judicial order. (4) The law shall limit the use of information, to guarantee personal and family honor, the privacy of citizens, and the full exercise of their rights." [fn 175]

The Spanish Data Protection Act (LORTAD) was enacted in 1992. [fn 176] It covers automated files held by the public and private sector. The law establishes the right of citizens to know what personal data is contained in computer files and the right to correct or delete incorrect or false data. Personal information in an automated system may only be used or disclosed to a third party with the consent of the individual and only for the purpose for which it was collected. There are efforts under way to update the law to make it consistent with the EU Directive.

The Agencia de Protección de Datos is charged with enforcing the LORTAD. [fn 177] The Agency maintains the registry and can investigate violations of the law. The agency has issued a number of decrees setting out in more detail the legal requirements for different types of information. [fn 178] It can also impose penalties. In June 1997, it fined Telefonica, the Spanish telephone company, 110 million pesetas for providing information from their subscriber database to banks, direct marketing companies and Reader's Digest. [fn 179]

Electronic eavesdropping of communications requires a court order. [fn 180] The 1997 Telecommunications Act amended the law and restricts the use of cryptography. [fn 181] There have been a number of scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defense Minister Julian Garcia Vargas and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including President Juan Carlos. [fn 182] There are also additional laws on the privacy of credit information [fn 183] and automatic tellers [fn 184].

Spain is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 185] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 186] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Kingdom of Sweden

Swedenís Constitution, which consists of several different legal documents, contains several provisions which have relevance for data protection. Section 2 of the Instrument of Government of 1974 [fn 187] provides, inter alia, for the protection of individual privacy. Section 13 of Chapter 2 of the same instrument states also that freedom of expression and information -- which are constitutionally protected pursuant to the Freedom of the Press Act of 1949 [fn 188] -- can be limited with respect to the "sanctity of private life." Moreover, Section 3 of the same chapter provides for a right to protection of personal integrity in relation to automatic data processing. The same article also prohibits non-consensual registration of persons purely on the basis of their political opinion. It is also important to note that the European Convention on Human Rights has been incorporated into Swedish law as of 1994. The ECHR is not formally part of the Swedish Constitution but has, in effect, similar status.

The main statute on data protection is the Data Act of 1973, which was the first comprehensive national act on privacy in the world. [fn 189] This Act regulates the establishment and use, in both public and private sectors, of automated data files on physical/natural persons. Sweden has just enacted a new piece of legislation to replace the Data Act and bring Swedish law into conformity with the requirements of the EC Directive on data protection. This is the Personal Data Act of 1998. [fn 190] The new Act basically repeats what is set out in the EC Directive. The Data Act of 1973 shall continue to apply until October 2001 with respect to processing of personal data which is initiated prior to October 24,1998.

Sweden is a country that has traditionally adhered to the Nordic tradition of open access to government files. In fact, the world's first data protection act dates back as far as 1776 and the Riksdag's (Swedish Parliament) "Access to Public Records Act." Although the 1776 act was more of a "freedom of information act" in that the public was allowed to scrutinize public records for accuracy, it also served the purpose of ensuring that all government-held information was, in fact, required for legitimate purposes.

The Data Inspection Board (Datainspektionen) is an independent board that oversees the enforcement of the Data Act. [fn 191] The Board has been active in trying to limit the use of the personal identity number. [fn 192] They are pursuing a case pending against SABRE, the airline reservation system, for transferring medical information of passengers without adequate controls.

Numerous other statutes also contain provisions relating to data protection. These include the Secrecy Act of 1980, [fn 193] Credit Reporting Act of 1973, [fn 194] Debt Recovery Act of 1974, [fn 195] and Administrative Procedure Act of 1986. [fn 196]

Over the past year, there has been increasing publicity and discussion about the fact that Swedenís police/security services have carried out, over a long period, covert surveillance of a large number of Swedish citizens, often on highly tenuous or trivial grounds. Pressure is mounting for an official Commission of Inquiry to be set up, similar to the Commission set up in Norway (see above), in order to investigate these surveillance practices. Previously, it was also discovered that the Swedish statistical agency, Statistika, was monitoring 15,000 Stockholm residents born in 1953, in intimate detail. The information included statistics on drinking habits, religious beliefs, and sexual orientation. The DIB was not even aware of this program and subsequently ordered the destruction of the master tape containing the data. [fn 197]

Sweden is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 198] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 199] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Swiss Confederation (Switzerland)

Article 36(4) of the Constitution states, "The inviolability of the secrecy of letters and telegrams is guaranteed." [fn 200]

The Federal Act of Data Protection of 1992 regulates personal information held by government and private bodies. [fn 201] The Act requires that information must be legally and fairly collected and places limits on its use and disclosure to third parties. Private companies must register if they regularly process sensitive data or transfer the data to third parties. Transfers to other nations must be registered and the recipient nation must have equivalent laws. Individuals have a right of access to correct inaccurate information. Federal agencies must register their databases. There are criminal penalties for violations. There are also separate data protection acts for the Cantons (states). In 1989, a Parliamentary inquiry revealed that the Federal Police had collected files on about 900,000 people, most of whom were not suspected of having committed any offence.

The Act creates a Federal Data Protection Commission. [fn 202] The commission maintains and publishes the Register for Data Files, supervises federal bodies and private bodies, provides advice, issues recommendations and reports, and conducts investigations. The commissioner also consults with the private sector.

Telephone tapping is governed by the Penal code and Penal Procedure code amended by the 1997 Telecommunication Act.[fn 203] A court order is required for every wiretap. A proposal to modify wiretapping and mail interception was introduced in July 1998. [fn 204] There were 1020 wiretaps authorized in 1996. [fn 205] There have been numerous public revelations of illegal wiretapping. A 1993 inquiry found that phones used by journalists and ministers in the Swiss Parliament were tapped. [fn 206] The Data Protection Commissioner also accused PTT, the state telephone company, of illegally wiretapping telephones. There were considerable protests in 1996 when it was revealed that the federal government was wiretapping journalists to discover their sources. Swiss President Arnold Koller described the taps as "excessive." [fn 207] In December 1997, the newspaper Sonntags Zeitung reported that Swisscom, the Swiss telephone company, was tracking the location of cellular phone users and maintaining those records for an extended period. [fn 208] The Data Protection Commissioner issued a report in July 1998. [fn 209]

Besides the Data Protection Act, there are also legal protections for privacy in the Civil Code [fn 210] and Penal Code, [fn 211] and special rules relating to workers' privacy from surveillance, [fn 212] telecommunications information, [fn 213] banking privacy, [fn 214] health care statistics, [fn 215] professional confidentiality including medical and legal information, [fn 216] medical research, [fn 217] police files, [fn 218] and identity cards. [fn 219]

Switzerland is a member of the Council of Europe and recently signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108). [fn 220] Switzerland has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. [fn 221] Switzerland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Switzerland is not a EU member state but has been granted associate status.

Republic of China (Taiwan)

Article 12 of the 1994 Taiwanese Constitution states: "The people shall have freedom of privacy of correspondence." [fn 222]

The Computer-Processed Personal Data Protection Law was enacted in August 1995. [fn 223] The Act governs the collection and use of personally identifiable information by government agencies and some areas of the private sector. The Act requires that "The collection or utilisation of personal data shall respect the rights and interests of the principal and such personal data shall be handled in accordance with the principles of honesty and credibility so as not to exceed the scope of the specific purpose." Individuals have a right of access and correction, the ability to request cessation of computerized processing and use, and the ability to request deletion of data. Data flows to countries without privacy laws can be prohibited. [fn 224] Damages can be assessed for violations. The Act also established separate principles for the eight categories of private institutions covered: credit information organizations, hospitals, schools, telecommunication businesses, financial businesses, securities businesses, insurance businesses, mass media, and "other enterprises, organizations, or individuals designated by the Ministry of Justice and the central government authorities in charge of concerned end enterprises."

There is no single privacy oversight body to enforce the Act. The Ministry of Justice enforces the Act for government agencies. For the private sector, the relevant government agency for that sector enforces compliance.

Permission for telephone tapping and other similar interferences with privacy of communications must be granted according to law. According to the Taiwanese Association for Human Rights, "prosecutors appeared to have abused their eavesdropping power by authorizing law enforcement units to monitor more than 16,000 telephone calls in less than a year. Such behavior has constituted a serious infringement of people's privacy." [fn 225] On July 26, 1997, the Independence Morning Post accused intelligence director Yin Tsung-wen of ordering the phone-tapping of National Assembly deputies who had opposed a proposal to modify the Constitution to eliminate the provincial government. The report said Yin passed on the phone-tapping order to a number of police and other intelligence agencies. [fn 226] Article 315 of Taiwan's Criminal Code states that a person who, without reason, opens or conceals a sealed letter or other sealed document belonging to another will be punishable under the law. Under a new Draft Criminal Code, a provision covering the interception of electronic communications will be added. [fn 227]

Responding to public concern following repeated incidents of the filming and selling of videotapes of couples making love in motels, the Taiwanese Ministry of Justice has decided to revise the Criminal Code to impose stiffer penalties on those convicted of eavesdropping or making secret videos. A person found guilty of eavesdropping or making secret films without any business motives would be punished with a prison term of up to three years. [fn 228]

Taiwan is planning to issue a new national id card called the "Citizen's Card", which will integrate the functions of the cards for ID, health insurance, driver's license, taxation and possibly small-value payments into one smart card-based card. [fn 229] A special commission was set up to evaluate privacy concerns after protests about the plan arose. [fn 230]

Kingdom of Thailand

Article 37 of the 1998 Constitution states, "Persons have the freedom to communication with one another by lawful means. Search, detention or exposure of lawful communication materials between and among persons, as well as actions by other means so as to snoop into the contents of the communications materials between and among persons, is prohibited unless it is done by virtue of the power vested in a provision of the law specifically for the purpose of maintaining national security or for the purpose of maintaining peace and order or good public morality." [fn 231]

The National Information Technology Committee (NITC) approved plans in February 1998 for a series of information technology (IT) laws. Six sub-committees will address the following areas: the data protection draft law, the computer crime draft law, the Electronic Data Interchange draft law, the Electronic Signature draft law, the electronic transfer of funds draft law and the information infrastructure draft law. The NITC will submit the proposed draft laws to the Cabinet at year's end, or early next year. The six draft laws will be drawn up after study of standard international laws in each of the six respective areas. [fn 232] A proposed Internet Promotion Act put forward by the Internet Society of Thailand in late 1997 that included censorship provisions generated intense opposition.

Phone tapping is a criminal offense under the 1934 Telegraph and Telephone Act. In 1996, Prime Minister Banharn introduced a bill that would give the Supreme Commander and the three armed forces chiefs the power to approve wire-tapping for national security reasons. It drew strong opposition from the chairman of the House justice and human rights committee, Witthaya Kaewparadai, who described the proposal as "irrational". The Bangkok Post described it as an "unsavory move". [fn 233] Illegal wiretapping is common in Thailand. In April 1997, tapes and transcripts from wire-taps of Sanan Kachornprasart, the opposition party Democrat secretary-general, were found in the compound of Government House. [fn 234] The Armed Forces Security Centre was accused of being behind the tapping. [fn 235]

In June 1998, the Royal Thai Police Department asked Thai Internet service providers to adopt caller-ID in order to keep a record of the telephone numbers and login information of people who access the network. Under the proposal, ISPs will be asked to record this information on their servers, and allow the police to access this information in the course of investigations of Internet-related crime. [fn 236]

In 1997, Thailand began issuing a new national ID card with a magnetic strip. The computer system will be linked with other government departments including the Revenue Department, the Ministry of Foreign Affairs, the Ministry of Defense and the Office of the Narcotics Control Board. The government also plans to link the system with other governments to allow holders to travel in Asian countries without the need for a passport, using only the new card. Bank customers who carry the new ID card can use it as an ATM card as well. [fn 237] In 1995, Control Data Systems was awarded a $11.5 million contract by the Bangkok Metropolitan Administration (BMA) project to install the Computerized National Census and Services Project. The system includes names, addresses, national ID card numbers, and census information such as birth and death records and address changes. It will be used for checking individual tax returns and compiling census statistics. [fn 238] In 1996, three hundred cameras were set up to catch people littering. [fn 239 ]

Republic of Turkey

Section Five of the 1982 Turkish Constitution[fn 240] is entitled, "Privacy and Protection of Private Life." Article 20 of the Turkish constitution deals with "Privacy of the Individualís Life," and it states, "Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated. Exceptions necessitated by judiciary investigation and prosecution are reserved. Unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial, neither the person nor the private papers, nor belongings of an individual shall be searched nor shall they be seized." Article 22 states, " Secrecy of communication is fundamental. Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly passed by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial. Public establishments or institutions where exceptions to the above may be applied will be defined by law." There is a state of emergency is some areas of Turkey and Constitutional rights have been limited.

The Turkish Ministry of Justice is currently working on draft legislation on the Protection of Personal Data. The new proposals follow the Council of Europeís 1981 Convention and the European Union Directive. The new proposals will cover the collection and processing of data by both public and private bodies. However, in this special draft legislation, the tendency is to put in penalties of administrative nature. Criminal penalties will be appearing under articles 193-196 of the draft Criminal Law. The new proposals would make it a criminal offense to collect and process data unlawfully or without consent with a maximum prison sentence of three years. In the draft law, it is considered a criminal offense to cause the data to be seized by others, to be deteriorated, or to be damaged as a result of failure to take the necessary security measures. A prison sentence of one to four years is contemplated for these offences. The draft Criminal Law also regulates the collection and processing of ethical characteristics, political, philosophical and religious opinions, races, union relationships, sexual lives and health conditions of individuals as criminal offenses unless permitted by laws. The prison sentence for violating the regulation is one to two years. The draft Criminal Law also considers the disclosure and delivery of personal data to unauthorized persons. Furthermore, failure to destroy the data required to be destroyed within a specific time period is a criminal offense with a prison sentence of 6 months to one year. The draft states that the above mentioned criminal offenses are applicable for all systems in which data is held and emphasizes the liability of legal entities. The new proposals discussed within the May 1998 E-Commerce Laws Working Party Report [fn 241] emphasize both the importance of facilitating the collection and processing of personal data and the protection of personal data of individuals in the information age.

Within the Turkish national legislation, the protection of personal rights is regulated in the Civil Code. Pursuant to Article 24 of the Civil Code, an individual whose personal rights are violated unjustly may request from the judge protection against the violation. Individuals can bring action on violation of their private rights. However, there is no criminal liability for such violations of personal rights and currently there is no protection of personal data laws (through data protection laws or any other laws) under the current Turkish Criminal Code.

Articles 195-200 of the Turkish Criminal Code on the freedom of communications govern communication through letters, parcels, telegram and telephone. Despite the existing laws and regulations, the right to privacy and to private communications seem to be rather problematic in Turkey. According to Civaoglu, a columnist for the Turkish daily Milliyet: "Apart from the right of privacy of individuals being violated in Turkey, it would be correct to say that these rights are practically "raped" in Turkey." [fn 242] Civaogluís strong words stemmed from the unregulated use of bugging devices within Turkey. His article describes how the former opposition leader Mesut Yilmaz (now the prime minister) was annoyed that his telephones were tapped and also that his house walls were bugged. According to acting Security Director Kemal Celik, all telephones in Turkey are bugged. The Turkish parliamentís telephone bugging committee, set up to investigate allegations of government phone taps, confirmed allegations that the Security Directorate listens in on all telephone communications, including cellular calls, according to a secret 50-page report documenting and confirming the bugging of telephones. [fn 243] According to Celikís report, selective secret bugging of phones in Turkey has enabled the Security Directorate to solve 33 assassination attempts since 1995. Numerous other "incidents", including bombings and murders, have also been solved since indiscriminate and unregulated bugging of phones began in Turkey.

In 1990, a parliamentary commission on human rights was established with the power to monitor the human rights situation in Turkey and abroad. Currently, the commission consists of 25 parliamentarians, three consultants and four secretaries. Since its inception, the commission has taken up some 20 cases on its own initiative. Most of these cases relate to alleged violations of physical integrity [fn 244] and it is unknown whether the Commission has dealt with any cases of individual privacy.

Turkey is a member of the Council of Europe and has accepted the Councilís monitoring mechanism. [fn 245] Turkey has also been a member of the Organization for Economic Co-operation and Development since 1961.

United Kingdom of Great Britain and Northern Ireland

There is no general right of privacy in the United Kingdom. [fn 246] The UK does not have a written constitution, and the general liberties of the citizens are theoretically protected by the Parliament. The recently elected Labour government has pledged to incorporate the European Convention of Human Rights into domestic law, a process which will establish a right of privacy. [fn 247]

The Parliament approved the Data Protection Act (1998) in July. [fn 248] This piece of legislation updates the 1984 Act in accordance with the requirements of the European Union's Data Protection Directive. [fn 249] The Act covers records held by government agencies and private entities. It provides for limitations on the use of personal information, access to records and requires that entities that maintain records register with the Data Protection Commissioner.

The Office of the Data Protection Commissioner is an independent agency that enforces the Act. [fn 250] Under the Previous act, a total of 225,000 organizations and businesses registered, [fn 251] although this figure is believed to fall well short of the total number of entities that qualify to register.

The dependent territories of Isle of Man, [fn 252] Isle of Guernsey and Isle of Jersey each have a data protection act and data protection commission.

The Interception of Communications Act of 1985 sets limitations on surveillance of telecommunications. Police can obtain telephone taps by obtaining a warrant signed by the Home Secretary. 1712 phone and mail orders were approved in 1997. Telephone taps for national security purposes are authorized by the Foreign Minister. The law was amended in 1997 to allow bugging of homes with only the permission of a chief constable or police commissioner. A Special Commissioner will review these activities. [fn 253]

There is a long history of illegal wiretapping of political opponents, labor unions and others in the UK. [fn 254] In 1985, the European Court of Human Rights ruled that police interception of individualsí communications was a violation of Article 8 of the European Convention on Human Rights. [fn 255] The decision resulted in the adoption of the Interception of Communications Act 1985. Most recently, the European Court of Human Rights ruled in 1997 that police eavesdropping of a police woman violated Article 8. [fn 256] It was recently revealed that in the late 1970ís, M15, Britainís security service, tapped the phone of Secretary of State for Trade and Industry Peter Mandelson, and kept files on Jack Straw, now Home Secretary, and Harriet Harman, former Social Security Secretary, as well as Guardian journalist Victoria Brittain. The High Court issued an injunction against the Mail on Sunday preventing the publication of further revelations. In September 1998, it was revealed that there were secret talks between the Association of Chief Police Officers (ACPO) and representatives for Internet Service Providers (ISPs) which aim to reach a "memorandum of understanding" to give the police access to private data held by ISPs. [fn 257]

In late 1997, a report commissioned by the European Parliament and prepared by the UK based research group Omega Foundation, confirmed that Britain was a key player in a vast global signals intelligence operation controlled by the U.S. National Security Agency (NSA). [fn 258] According to the report, the U.S. and its UK partner, GCHQ, "routinely and indiscriminately" intercepted large amounts of sensitive data which had been identified through keyword searching. The eavesdropping was carried out from a number of spy bases in the UK, most notably the Menwith Hill base in the north of England. The report led to some concern in various European States, and on September 14, 1998, the European Parliament, in plenary session in Strasbourg, took the unprecedented step of openly debating the operation. A "compromise resolution" framed in the wake of the debate by the four leading parties called for greater accountability and "protective measures" over such intelligence gathering.[fn 259]

There are also a number of other laws containing privacy components, most notably those governing medical records [fn 260] and consumer credit information. [fn 261] A proposal for an Open Government law is currently being debated. [fn 262] Other laws with privacy components include the Rehabilitation of Offenders Act, 1974, the Telecommunications Act 1984, the Police Act 1997, the Broadcasting Act 1996, Part VI and the Protection from Harassment Act 1997. Some of these acts are amended and may be repealed in part by the 1998 Data Protection Act. The Police and Criminal Evidence Act (1984) allows police to enter and search homes without a warrant following an arrest for any offense. And while police may not demand identification before arrest, they have the right to stop and search any person on the street on grounds of suspicion. Following arrest, a body sample will be taken for inclusion in the national DNA database. [fn 263]

The privacy picture in the UK is mixed. [fn 264] There is, at some levels, a strong recognition and defense of privacy. Proposals to establish a national identity card, for example, have routinely failed. On the other hand, crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence and freedom of speech. There has been a proliferation of Closed Circuit Television (CCTV) cameras in hundreds of towns and cities in Britain. The camera networks can be operated by police, local authorities or private companies, and are partly funded by a Home Office grant. Their original purpose was crime prevention and detection, though in recent years the cameras have become important tools for city center management and the control of "anti social behavior". Between 150 million and 300 million pounds a year is spent expanding the web of 200,000 cameras covering public spaces in Britain [fn 265], but despite the ubiquity of the technology, successive governments have been reluctant to pass specific laws to govern their use.

The UK is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) [fn 266] along with the European Convention for the Protection of Human Rights and Fundamental Freedoms.[fn 267] In addition to these commitments, the UK is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

United States of America

There is no explicit right to privacy in the U.S. Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on a number of provisions in the Bill of Rights and subsequent amendments. This includes a right to privacy from government surveillance into an area where a person has a "reasonable expectation of privacy" [fn 268] and also in matters relating to marriage, procreation, contraception, family relationships, child rearing and education. [fn 269] However, records held by third parties such as financial records or telephone calling records are generally not protected unless a specific federal law applies. The court has also recognized a right of anonymity [fn 270] and the right of groups to not have to disclose their members' names to government agencies. [fn 271]

The U.S. has no general privacy protection law. The Privacy Act of 1974 protects records held by U.S. Government agencies and requires them to apply basic fair information practices. [fn 272] Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a "routine use" compatible with the purpose for which it was originally collected. Limits on the use of the Social Security Number have also been undercut in recent years for a number of purposes.

There is no privacy oversight agency in the U.S. The Office of Management and Budget plays a limited role in setting policy for federal agencies and has not been particularly active or effective. The Federal Trade Commission has oversight and enforcement powers for the laws protecting consumer credit information and fair trading practices. [fn 273] Recently, the FTC began requiring that companies follow the privacy notices on their Internet sites. [fn 274] The FTC said in September 1998 that it would seek legislation to cover Internet privacy. [fn 275] An FTC judge also recently found that TransUnion, a major credit bureau, had violated the law by using information from credit reports for direct marketing purposes. [fn 276]

Surveillance of telephone, oral and electronic communications for criminal investigations is governed by the Omnibus Safe Streets and Crime Control Act of 1967 and the Electronic Communications Privacy Act of 1986. [fn 277] Police are required to obtain a court order based on a number of legal requirements. Surveillance for national security purposes is governed by the Foreign Intelligence Surveillance Act which has less legal requirements. [fn 278] The laws were amended by a controversial bill in 1994 to force telephone companies to redesign their equipment to facilitate surveillance. [fn 279] There were 1186 orders for interceptions for criminal purposes and 749 for national security purposes in 1997. [fn 280]

A patchwork of laws covers some specific areas of information. [fn 281] These include financial records, [fn 282] credit reports, [fn 283] video rentals, [fn 284] cable television, [fn 285] educational records, [fn 286] motor vehicle registrations, [fn 287] and telephone records. [fn 288] The Freedom of Information Act was enacted in 1966. [fn 289] There is also a variety of sectoral legislation on the state level that may give additional protections to citizens of individual states. [fn 290] The tort of privacy was first adopted in 1892 and all but two of the 50 states recognize a civil right of action for invasion of privacy in their laws.

There has been significant debate in the United States over recent years about the development of privacy laws covering the private sector. There are over 100 bills pending in Congress on privacy protection, including laws on genetic and medical records, Internet privacy, children's privacy and other issues. [fn 291] However, the current position of the White House and the private sector is that self-regulation is sufficient and that no new laws should be enacted except for limited measures on children's privacy and medical information.

The U.S. is a member of the Organization for Economic Cooperation and Development but has not adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in any substantive way in either the public or private sector.


1. Constitutional Law: The Rights and Obligations of a Citizen and a Person, 1991. <>.

2. Janis Bicevskis and Girts Karnitis, "Problems in the Integration of Registers of State Significance in Latvia," Baltic IT Review, No. 8, p. 77.

3. OMRI, April 11, 1997.

4. "Defense Ministry issues a statement in response to reports of bugging," Latvian Radio, Riga, November 16, 1995, BBC Summary of World Broadcasts, November 20, 1995.

5. BBC Summary of World Broadcasts, April 16, 1994.

6. See <>.

7. Signed 10/2/95. Ratified 26/7/96. Entered into force 26/7/96. <>.

8. Constitution of the Republic of Lithuania. <>.

9. The Law on Legal Protection of Personal Data (No 63-1479, 1996).

10. See Ona Jakstaite, "Regulating Data Security in Lithuania," Baltic IT Review

11. The Law on the Public Registers (13 August 1996, No. I-1490).

12. Resolution No. 1185 "On establishing the State Data Protection Inspectorate, 10 October 1996 (No 100-2293).

13. Law on Operative Activities, 1991.

14. Vladas Burbulis , "Lithuania Security Chief Refutes Any Telephone Bugging," ITAR-TASS TASS, October 27, 1995.

15. Keeping an Eye on Politicians, Transitions, August 1998. <>

16. The Law on Telecommunications, 30 November 1995, No. I-1109.

17. LAW ON RADIO COMMUNICATION, 7 November 1995, No.I-1086. <>.

18. The Law on Statistics, 12 October 1993, No.I-270.

19. Law on the Population Register, January 23, 1992, No. I-2237.

20. Law on the Health System, 19 July 1994, No.I-552.

21. United Nations Human Rights Committee, Consideration of Reports Submitted by States Parties Under Article 40 of the Covenant, Initial reports of States parties due in 1993, Addendum, Lithuania, 1996. <>.


23. Signed 14/05/93. Ratified 20/06/95. Entered into force 20/06/95. <>.

24. Constitution of the Grand Duchy of Luxembourg. <>.

25. Act on the Use of Nomative Data in Computer Processing, 31 March 1979.

26. Act on the protection of individuals with regard to the processing of their personal data, no. 4357.

27. Art 88-1 - 88-4 of the Criminal Code, Law of 26 November 1982, modified by the law of 7 July 1989.

28. Loi du 21 mars 1997 sur les télécommunications. <>, Règlement grand-ducal du 22 décembre 1997 fixant les conditions du cahier des charges pour l'établissement et l'exploitation de réseaux fixes de télécommunications. <>.

29. Loi du 30 mars 1979 organisant l'identification numérique des personnes physiques et morales <>. Règlement grand-ducal du 7 juin 1979 déterminant les actes, documents et fichiers autorisés &#136; utiliser le numéro d'identité des personnes physiques et morales. <>, Règlement grand-ducal modifié du 21 décembre 1987 fixant les modalités d'application de la loi du 30 mars 1979, <>.

30. Signed 28/01/81. Ratified 10/02/88. Entered into force 01/06/88. <>

31. <>.

32. Constitution of Malaysia, <>.


34. Communications and Multimedia Bill 1998 <>.

35. Digital Signature Bill 1997, <>.

36. Computer Crimes Bill 1997, <>.

37. Rumours over Internet: Four to be charged soon, NST , September 24, 1998.

38. E-mail not screened, says service provider, The Straits Times, August 17, 1998.

39. Constitucion Politica de los Estados Unidos Mexicanos, <>.

40. Código Penal Federal

41. See United Nations Commission on Human Rights, Question of the follow-up to the guidelines for the regulation of computerized personal data files: report of the Secretary-General prepared pursuant to Commission decision 1995/114 <>.

42. El Código Postal de los Estados Unidos Mexicanos (1884).

43. Ley de V&#146;as Generales de Comunicación de 30 de diciembre de 1939, Arts 571. 576, 578

44. Código Penal Federal, Art 210

45. Id., Art. 167, part 9

46. Ley Federal Contra la Delincuencia Organizada, 7 de noviembre de 1996, <>.

47. Zedillo to sign sweeping organized crime package, The Los Angeles Times, October 30, 1996.

48. Exigen siete ONG la renuncia del titular de Seguridad Publica, La Jornada , October 7, 1997.

49. Con la reforma anticrimen, el espionaje entrar&#146;a a la Constitución, La Jornada, 28 de abril de 1996.

50. AP, January 18, 1997.

51. Spy Network Stuns Mexicans, Raid Opens Door to Exposure of Government Snooping, The Washington Post, April 13, 1998.

52. Anger as Big Brother spy tactics exposed, The Guardian (London), April 14, 1998.

53. En marcha, amplia operacion anticrimen en la frontera con EU, La Jornada, November 5, 1996.

54. Human bar codes, The San Diego Union-Tribune, May 13, 1998.

55. Constitution of the Kingdom of the Netherlands 1987. <>.

56. Wet van 28 december 1988, houdende regels ter bescherming van de persoonlijke levenssfeer in verband met persoonsregistraties (Wet persoonsregistraties). Gepubliceerd in het Staatsblad 1988, 655. <>(in Dutch only).

57. <>.

58. March 5, 1993, <>.

59. July 6, 1993, <>.

60. <> (in Dutch only).

61. Article 125i of the Code of Criminal Procedure.

62. Dutch Law Goes Beyond Enabling Wiretapping to Make It a Requirement, New York Times Cybertimes, April 14, 1998.

63. Ibid.

64. Statewatch bulletin, Vol. 6 no 1, January-February 1996.

65. Dutch Police Registers Act 1990, <>.

66. Dutch Medical Examinations Act 1997, <>.

67. Dutch Medical Treatment Act 1997, <>.

68. Dutch Social Security System Act 1997, <>, Compulsory Identification Act.

69. Dutch Act on the Entering of Buildings and Houses 1994, <>.

70. Dutch Act on the Stimulation of Labor by Minorities 1994, <>.

71. Signed 07/05/82, Ratified 28/05/93, Entered into Force 01/09/93. <>


73. Bill of Rights Act, 1990 <>.


75. The Privacy Act 1993,<>, The Privacy Amendment Act 1993 <>, The Privacy Amendment Act 1994 <>.

76. See Re Application by L [information stored in person's memory] (1997) 3 HRNZ 716 (Complaints Review Tribunal).

77. Home Page: <>.

78. NZ Privacy Commission, Annual Report for the year ended 30 June 1997.

79. The Proceedings Commissioner is a member of the Human Rights Commission, to which the Privacy Commissioner also belongs. The Proceedings Commissioner is empowered to take civil proceedings before the Complaints Review Tribunal on behalf of a complainant if conciliation fails.

80. Part XIA, New Zealand Crimes Act.

81. Nicky Hager, "Secret Power: New Zealand's Role in the International Spy Network," (Nelson, MZ: Craig Potton, 1996).

82. <>.

83. Supreme Court decision of 13 December 1952, reported in Rt. 1952, p. 1217.

84. Personal Data Registers Act of 1978 (lov om personregistre mm av 9 juni 1978 nr 48), in force 1 January 1980

85. Penal Code, Act No. 10, dated 22 May 1902 as amended by Act no. 68, 20 July 1991.

86. Et bedre personvern -- forslag til lov om behandling av personopplysninger [Better privacy protection -- proposal for an Act on processing of personal data], NOU 1997:19).

87. Home Page: <>.

88. Law of 17 December 1976. , Law of 24 Juin 1915.

89. Administrative Procedures Act of 1967 (lov om behandlingsm&#140;ten i forvaltningssaker av 10 februar 1967),

90. the Freedom of Information Act of 1970 (lov om offentlighet i forvaltningen av 19 juni 1970 nr 69)

91. Almindelig borgerlig Straffelov 22 mai 1902 nr 10.

92. Signed 13/03/81, Ratified 20/02/84, Entered into Force 01/10/85. <>.


94. Constitution of the Republic of the Philippines. <>

95. Cordero v. Buigasco, 34130-R, April 17, 1972, 17 CAR (2s) 539; Jaworski v. Jadwani, CV-66405, December 15, 1983.

96. Penal Code, Articles 290-292.

97. Balita News Service, May 7, 1998.

98. Wiretapping probe, BusinessWorld (Manila), August 26, 1997.

99. Gov't lawyers ask Supreme Court to reconsider decision, Businessworld, August 12, 1998.

100. Erap wants nat'l ID system (Only criminals disagree with it, says the President), Businessworld, August 12, 1998.

101. Opinion Number 91. see Foundation laid for proposed nat'l ID, Businessworld, August 14, 1998.

102. The Constitutional Act of 1997. <>.

103. Act on Personal Data Protection, Dz.U. nr 133, poz. 833 , 29 September 1997. <> (In Polish).

104. The Info Boom's Murky Side, Warsaw Voice, November 9, 1997.

105. A One-Woman Orchestra, Warsaw Voice, June 21, 1998.

106. Article 237.

107. Bugged About Wiretapping, Warsaw Voice, May 26, 1996.

108. Ibid.

109. Deja Vu All Over Again? Security service "monitoring" of labor unions draws criticism, Warsaw Voice, June 23, 1996.



112. Constitution of the Portuguese Republic, 2 April 1976 <>.

113. Lei no 10/91 - Lei da Protec&#141;&#139;o de Dados Pessoais face &#136; Inform&#135;tica. <>. Amended by Lei n.o 28/94, de 29 de Agosto. Aprova medidas de refor&#141;o da protec&#141;&#139;o de dados pessoais <>.

114. Proposta de Lei da Protec&#141;&#139;o de Dados Pessoais <>, Proposal of Law n 173/VII <>.

115. Comiss&#139;o Nacional de Protec&#141;&#139;o de Dados Pessoais Informatizados. <>.

116. <>.

117. Lei no 2/94, de 19 de Fevereiro Estabelece os mecanismos de controlo e fiscaliza&#141;&#139;o do Sistema de Informa&#141;&#139;o Schengen. <>.

118. Lei no 109/91 - Sobre a criminalidade inform&#135;tica. <>.

119. Act No. 3/84 of 24 March.

120. Chapter VI, Penal Code. Section 179-183.

121. Article 126 of the Code of Penal Procedure paragraph 3. See United Nations, Committee Against Torture Consideration of Reports Submitted by States Parties Under Article 19 of the Convention, Addendum, Portugal, 10 June 1997.

122. Bug Found in Portuguese State Prosecutor's Office, The Reuters European Business Report, April 27, 1994.

123. Portugal to tap mobile phones in drugs war, Reuters World Service, October 9, 1996.

124. Signed 14/05/81. Ratified 02/09/93. Entered into force 01/01/94. <>.

125. Signed 22/09/76. Ratified 09/11/78. Entered into force 09/11/78. <>.

126. Constitution of the Russian Federation, 1993. <> (English).

127. RFE/RL, March 11, 12, 1998.

128. Russian Federation Federal Act No. 24-FZ, Law of the Russian Federation on Information, Informatization and Information Protection, 25th January 1995. <> (extracts).

129. Russian Federation Federal Act No. 15-FZ. Adopted by the State Duma on January 20, 1995.

130. OMRI, August 16, 1995, "Yeltsin Signs Law Regulating Criminal Investigations."

131. Russia Prepares To Police Internet. The Moscow Times, July 29, 1998. English translation of bill is available at <>.

132. Civil Code, Article 19. RF Act No. 51-FZ. Adopted By The State Duma On October 21, 1994.

133. The Criminal Code of the Russian Federation No. 63-FZ of June 13, 1996.

134. United Nations Human Rights Committee, Comments on Russian Federation, U.N. Doc. CCPR/C/79/Add.54 (1995). <>



137. Regulating the Computerized Collection of Personal Data, Law N. 70 of 23 May 1995 revising Law N. 27 of 1 March 1983. Amended by law 70/95. See <>

138. Decree N. 7 of 13 March 1984, "Establishment of a State Data Bank as provided for by Article 5 of Law N. 27 of 1 March 1983"; Decree N. 7 of 3 June 1986, "Integration to Decree N. 7 of 13 March 1984, Establishing a State Data Bank"; Decree N. 140 of 26 November 1987, "Procedures for the Establishment of Private Data Banks".

139. Regulation on Statistical Data Collection and Public Competence in Data Processing, Law N. 71 of 23 May 1995.

140. Constitution of the Republic of Singapore, 16 September 1963. <>

141. Report of the National Internet Advisory Board 1997/1998, September 1998. <>.

142. U.S. Department of State Singapore Country Report on Human Rights Practices for 1997, January 30, 1998.

143. Garry Roday, The Internet and Social Control in Singapore, Pol. Sci. Q. Vol. 113, No. 1, Spring 1998.

144. Ibid.

145. The Straits Times, September 27, 1996.

146. You're on candid camera, The Straits Times, September 2, 1998.

147. Video cameras to monitor traffic at 15 junctions, The Straits Times, March 12, 1995, Surveillance system set up in Jurong East, The Straits Times, July 16, 1996.

148. Do we really want an all-seeing camera?, The Straits Times, July 13, 1995.

149. Constitution of the Slovak Republic, 3 September 1992. <>.

150. Act No. 52 of February 3, 1998 on Protection of Personal Data in Information Systems.

151. The Slovak Republic Country Report on Human Rights Practices for 1996, U.S. Department of State, February 1997.

152. Hungarian Politicians in Slovakia are Being Bugged, CTK National News Wire, February 21, 1995, DEPUTY BRINGS CHARGES AGAINST SLOVAK SECRET SERVICES SPOKESMAN, CTK National News Wire, August 21, 1997.

153. United Nations Human Rights Committee, July/August 1997 Session. <>.

154. European Commission, Agenda 2000 - Commission Opinion on Slovakia's Application for Membership of the European Union, Doc 97/20, July 15, 1997.


156. See <>.

157. Signed 21/02/91. Ratified 18/03/92. Entered into force 01/01/93. <>.

158. Constitution of the Republic of Slovenia, 1991. <>.

159. Law on Personal Data Protection (The Official Journal of the Republic of Slovenia, No. 8/90, 38/90 and 19/91).


161. European Commission, Agenda 2000 - Commission Opinion on Slovenia's Application for Membership of the European Union, July 15, 1997.

162. United Press International March 28, 1994.

163. Deutsche Presse-Agentur, February 25, 1998.

164. Law on National Statistics, 25 July 1995. <>.

165. Signed 23/11/93. Ratified 27/05/94. Entered into force 01/09/94. <>.

166. Signed 14/05/93. Ratified 28/06/94. Entered into force 28/06/94. <>.

167. The Constitution of the Republic of South Africa, Act 108 of 1996. <>.

168. The interim Constitution (Act 200 of 1993).

169. Case and Another v Minister of Safety and Security and Curtis and Another v Minister of Safety and Security 1996 (3) SA 617 (CC).

170. Bernstein and others v Von Weilligh Bester NO and others 1996 (2) SA 751 (CC); 1996 (4) BCLR 449 (CC) - delivered 27 March 1996.

171. Mistry v The Interim National Medical and Dental Council of South Africa and others as yet unreported CCT 13/97, decided on 29 May 1998.

172. Open Democracy Bill No. 67, 1998. <>.

173. Interception and Monitoring Prohibition Act, No 77 of 1992 (amended by the Intelligence Services Act, No. 38 of 1994).

174. David Shapshak, SA services get `smart', Mail & Guardian, April 24, 1998.

175. Constitution of Spain, Amendment 27 Aug 1992. <>.

176. Ley Organica 5/1992 de 29 de Octubre de Regulación del Tratamiento Automatizado de los Datos de Caracter Personal (LORTAD). <>.

177. Agencia de Protección de Datos (Data Protection Agency). <>

178. See

179. Telefonica De Espana Appeals Fine For Sharing Database, Dow Jones, June 19, 1997.

180. Ley Organica 11/1980 de 1 de Dec 1980. Penal Code, Sections 196-199.

181. See Global Internet Liberty Campaign Member Statement, New Spanish telecommunications law opens a door to mandatory key recovery systems , July 1998. <>.

182. Spain Socialists seek opposition apology on bugging, Reuters, February 6, 1996.

183. INSTRUCCION 1/1995, de 1 de marzo, de la Agencia de Protección de Datos, relativa a prestación de servicios de información sobre solvencia patrimonial y crédito. <>.

184. Seguridad en cajeros autom&#135;ticos y otros servicios. ORDEN de 23 de abril de 1997. <>.

185. Signed 28/01/82, Ratified 31/04/84, Entered into Force 01/10/85. <>.

186. Signed 24/11/77, Ratified 04/10/79, Entered into Force 04/10/79. <>.

187. Regeringsformen, SFS 1974:152.

188. Tryckfrihetsf&#154;rordningen, SFS 1949:105.

189. Datalagen, SFS 1973:289.

190. Personuppgiftslagen, SFS 1998:204, to be in force 24 October 1998.

191. Web Site:

192. Anitha Bondestam, Identity Numbers, Presentation at the XVth International Conference of Data Protection and Privacy Commissioners, September 1993.

193. Sekretesslagen, SFS 1980:100. For information on the background to the new Act, see the report, Integritet -- Offentlighet -- Informationsteknik [Integrity -- Publicity -- Information Technology], SOU 1997:39.

194. Kreditupplysningslag, SFS 1973:1173.

195. Inkassolag, SFS 1974:182.

196. F&#154;rvaltningslagen, SFS 1986:223.

197. Wayne Madsen, Handbook of Personal Data Protection, (New York: Stockton Press, 1992), p. 64.

198. Signed 28/01/81, Ratified 29/09/82, Entered into Force 01/10/85. <>.

199. Signed 28/11/50, Ratified 04/02/52, Entered into Force 03/09/53. <>.

200. Constitution of Switzerland, <>.

201. Loi fédérale sur la protection des données (LPD) du 19 juin 1992. <>

202. Home Page: <>.

203. Art 66-73, Procédure pénal fédérale. Loi de 23 Mars 1979 sue la protection de la vie priveé. Telecommunications Law 30.04.97/BAKOM/TC/frm (LTC) of 30 April 1997. <>. O du 1er décembre 1997 sur le service de surveillance de la correspondance postale et des télécommunications. <>.

204. DEPARTEMENT FEDERAL DE JUSTICE ET POLICE, Ecoutes téléphoniques: Communiqué de presse, 1er juillet 1998. <>.

205. Conseil national: Session d'automne 1997, Surveillance téléphonique, 10 octobre 1997.

206. Statewatch bulletin, vol. 3 no 1, January-February 1993.

207. Phone Taps Raise Ire Of Swiss Public, Media, Christian Science Monitor, March 14, 1997.

208. Digital Cellular Report, January 15, 1998.


210. Section 28 of the Civil Code , 10 December 1907.

211. Code pénal, Titre troisiéme: Infractions contre l'honneur et contre le domaine secret ou le domaine privé, Art 173-179.

212. Section 328 of the Code of Obligations. See International Labour Organization, Conditions of Work Digest, Vol. 12, 1/1993.

213. Telecommunications Law (LTC) of 30 April 1997. <>.

214. 1934 of the Federal Banking Law on privacy. See 7 Pace Int'l L. Rev. 329 on effects of money laundering legislation on limiting banking privacy.

215. Office fédéral de la statistique, La protection des données dans la statistique médicale, 1997. <>.

216. Code pénal, Art 320-322.

217. O du 14 juin 1993 concernant les autorisations de lever le secret professionnel en matière de recherche médicale (OALSP), 14 juin 1993. <>.

218. O du 31 août 1992 sur le système provisoire de traitement des données relatives &#136; la protection de l'Etat (Ordonnance ISIS), 31 août 1992. <>. O du 14 juin 1993 concernant le traitement des données personnelles lors de l'application de mesures préventives dans le domaine de la protection de l'Etat, 14 juin 1993 <>. O du 19 juin 1995 sur le système de recherches informatisées de police (RIPOL), <>.

219. O du 18 mai 1994 relative &#136; la carte d'identité suisse. <>.

220. Signed 02/10/97. Ratified 02/10/97. Entered into force 01/02/98. <>.

221. <>.

222. Constitution of the Republic of China, Adopted by the National Assembly on December 25, 1946, promulgated by the National Government on January 1, 1947, and effective from December 25, 1947. <>.

223. Computer-Processed Personal Data Protection Law of August 11, 1995.

224. <>.

225. Taiwan takes stick on human rights, China News, December 8, 1997.

226. Independence Morning Post, July 26, 1997.

227. The Internet and its Legal Ramifications in Taiwan, George C.C. Chen, 20 Seattle Univ. L. R. 677 (Spring, 1997).

228. Motel sex tapes prompt revised law, China News, February 27, 1998.

229. New 'national card' set to be issued next year, China News, August 26, 1998.

230. When Smart Cards Get Too Smart, The Industry Standard, September 7, 1998.

231. Constitution of the Kingdom of Thailand, 1998. (International Translations Office, Bangkok).

232. Thailand's NTIC Approves New IT Laws, Bangkok Post, July 21, 1998.

233. Thailand: Editorial - Democracy in Danger if Spying Sanctioned, Bangkok Post, July 5, 1996.

234. Thailand: Politics - PM Denies Chuan's Wire-tapping Claim, Bangkok Post, April 8, 1997.

235. Inside Politics Infuriated by tap rap, FT Asia Intelligence Wire, July 3, 1997.

236. Thailand: Critics Fret Over Govít Access to Internet Records, Inter Press Service, September 23, 1998.

237. Thailand: Issuing Computerized National Identity Cards, Newsbytes, September 8, 1997.

238. Control Data Wins Thai Census Project, Newsbytes, October 3, 1995.

239. Bangkok police to capture litterbugs on camera and videos, The Straits Times, December 2, 1996.

240. Constitution Republic of Turkey <>.

241. Turkish Republic Foreign Trade Office, E-Commerce Laws Working Party Report, 8 May, 1998. A summary of the report in Turkish is available at

242. G&#159;neri Civaoglu, ìDemokrasiínin irzi (Rape of Democracy),î Milliyet, 1 December, 1996 at

243. Asia Times , ìNo privacy on the phone lines,î April 16, 1997, p 8.

244. See Commission On Human Rights, Question of the Human Rights of All Persons Subjected to any Form of Detention or Imprisonment: Promotion and protection of the right to freedom of opinion and expression, report of the Special Rapporteur, Mr. Abid Hussain, submitted pursuant to Commission on Human Rights resolution 1996/53 Addendum Mission to Turkey at, Distr. General E/CN.4/1997/31/Add.1 11 February 1997.

245. See Republic of Turkey, Ministry of Foreign Affairs paper, ìHuman Rights in Turkey: V. Turkeyís Place and Role in the International Context,î at

246. Kaye v. Robertson [1991] FSR 62, Malone v. Metropolitan Police Commissioner (No.2) [1979] 2 All ER 620. See

247. Human Rights Bill, CM 3782, October 1997. <>.

248. Data Protection Act 1998 [c. 29]. <>.

249. Data Protection Act 1984 (c. 35). <>.

250. Home page of the Data Protection Registrar <>.

251. Annual Report of the Data Protection Registrar, July 1998.

252. Isle of Man Data Protection Register <>.

253. Police Act, 1997 <>.

254. See e.g., Stranger on the Line.

255. Malone v United Kingdom (A/95): (1991) 13 EHRR 448.

256. Halford v United Kingdom (Application No 20605/92), 24 EHRR 523, 25 June 1997.

257. Police tighten the Net, The Guardian Online, September 17, 1998. <>.

258. European Commission, Science and Technology Options Assessment Office (STOA), ìAssessing the technologies of political controlî, Brussels, 1997. <>.

259. Minutes of the plenary sessions, European Parliament, September 14, 1998 : 17. Transatlantic relations (ECHELON) B4-0803, 0805, 0806 and 0809/98.

260. Access to Medical Reports Act 1988 and the Access to Health Records Act 1990.

261. Consumer Credit Act, 1974.

262. See Your Right to Know: The Government's proposals for a Freedom of Information Act , December 1997. <>.

263. Criminal Justice and Public Order Act 1994. <>.

264. See Simon Davies, Big Brother (Pan Books, 1996). <>

265. House of Lords, Science and Technology Committee, Inquiry : ìUse of digital images as evidenceî, 3 February 1998, section 4.3

266. Signed 14/05/81. Ratified 26/08/87. Entered into force 01/12/87. <>


268. Katz v. U.S., 386 U.S. 954 (1967) <>.

269. Paul V. Davis, 424 U.S. 714 (1976).

270. McIntire v. Ohio Elections Committee, April 19, 1995.

271. NAACP v. Alabama, 357 U.S. 449 (1958). <>.

272. Privacy Act of 1974, 5 USC 552a, PL 93-579. <>.

273. See

274. In the Matter of GEOCITIES, a corporation. FILE NO. 9823015. <>.

275. FTC 'Losing Patience' With Business on Web Privacy, NY Times, September 21, 1998.

276. In the Matter of Trans Union Corporation, Docket No. 9255, August 26, 1998<>.

277. 18 USC 2500 et sec. <>.

278. Foreign Intelligence Surveillance Act of 1978, 50 USC 1801.

279. Communications Assistance for Law Enforcement Act of 1994, PL 103-411. <>.

280. See

281. See Marc Rotenberg, The Privacy Law Sourcebook, EPIC 1998. <>.

282. Right to Financial Privacy Act, PL 95-630.

283. Fair Credit Reporting Act, PL 91-508, amended by PL 104-208 (Sept. 30, 1996). <>.

284. Video Privacy Protection Act of 1988, 100-618, 1988.

285. Cable Privacy Protection Act of 1984, 98-549, 1984. <>.

286. Family Educational Rights and Privacy Act, Public Law 93-380, 1974. <>.

287. Drivers Privacy Protection Act, PL 103-322, 1994. <>.

288. Telephone Consumer Protection Act, PL 102-243, 1991.

289. Freedom of Information Act, 5 USC 552, 1966.

290. Compilation of State and Federal Privacy Laws (1997 ed.), by Robert Ellis Smith and Privacy Journal .<>.

291. See EPIC Online Guide to 105th Congress Privacy and Cyber-Liberties Bills. Available at: <>.