This article is also available in:
Deutsch: ENDitorial: Privatsphäre in der Tschechischen Republik – kein Grund...

For the third time the Council of Europe has proclaimed 28 January the European Data Protection Day. EDRi-member Iuridicum Remedium (IuRe) reminds that the safety of Czech citizens´ personal data is still seriously endangered. Some of the most pressing issues are listed below.

RFID based Opencard (or Praguer´s Universal Card) is now being promoted as an electronic travel card for public transportation. However, the contactless chip card formerly used for parking payment and as a library ID is not secure. The contactless chip can be read remotely and the data stored on it can be linked with the central database containing personal data. The system thus allows for movement tracking, especially at the electronic gates which are going to be introduced in Prague metro.

In relation with the Opencard´s drawbacks, IuRe initiated a petition at the beginning of September 2008, which demands the deletion of both Opencard holder data and usage data from the central database after the card´s expiration and an observance of database administrator´s duty to allow user´s data deletion upon request. "We also demand an implementation of an anonymous Opencard at the same price as an ordinary Opencard," reports Filip Pospísil from IuRe. The petition has already been signed by almost 700 people.

The Municipal authorities of Prague began to sell anonymous cards on the 17 December 2008. However, there is an extra 8 EUR charge and since only transferable season transport tickets can be purchased with such a card, the price for the annual travel becomes significantly higher. The Praguers effectively have to pay extra for their privacy protection and IuRe will stand out for an implementation of non-discriminatory anonymous card, i.e. the card allowing to use the service at the same price without unnecessary disclosure of personal data. The Municipal Council of the city of Prague received a Big Brother Award 2008 for the Opencard project in "Worst Public Agency Privacy Intruder" category.

Visa Waiver

The term Visa Waiver refers to a set of agreements related to the abolition of the visa requirement for Czech citizens traveling to the USA. These agreements allow the American authorities access to personal data of the Czech citizens in Czech state authorities´ databases, including biometric data. The access is given as a compensation for the abolition of visa requirements, but in fact the paper visa have been merely replaced by the virtual visa - a system of detailed electronic questionnaires based on which the applicant can still be refused entry to the USA.

"In the case of the Czech Republic the agreements where not negotiated properly with Czech Data Protection Agency and their comments were not respected," points out Filip Pospísil from IuRe.

The complementary Agreement on strengthening the cooperation for the prevention and fight against serious crime was approved by the government on the 4 December 2008. However, the Government disregarded the comments of the Czech Data Protection Agency and other state authorities. At the beginning of 2009, IuRe urged the MEPs and senators to not approve the proposed agreement.

IuRe has made an attempt to find out the scale of personal data which had been promised by the Czech authorities to be handed over to the American authorities as well as the conditions of the data protection. The official request for information has been submitted to the Ministry of Internal Affairs by the end of 2008. "The request was concerning another visa waiver related memorandum on establishing of the Combating Terorism Center and the Electronic System of Travelling Registration (ESTA)," specifies Filip Pospísil from IuRe. However, the memorandum is classified as secret and thus neither IuRe nor any other ordinary citizens know which of their personal data is being handed over.

Privacy and bank sector

The new Police Law was negotiated and approved in 2008. IuRe together with the bank sector and the Czech Bank Association have been criticizing the new power of the Czech Police to request data about the location and time of electronic card payments from banks, and particularly, the ability to access bank information systems. "We have been submitting comments during the negotiation of this law, but while some others have been accepted, our objection against this competence was not" reports Helena Svatosová, a lawyer from IuRe.

According to IuRe, the government document named "The enhancement of the communication system between financial institutions and state authorities" introduces since the fall of 2008 the intention to create a central evidence of financial institutions´ clients and their operations. The evidence would then be available to an unspecified range of public administration authorities. "In our opinion, it's very disturbing that despite the list of related agencies being rather long, there is no mention of the involvement of the Data Protection Office," interprets Helena Svatosová from IuRe who plans to keep an eye on this issue in the future. IuRe has notified both the Czech Data Protection Office and the Bank Association about the issue and asked them for their opinion.

Data retention

EU directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communication services has been implemented into the national legislation since the beginning of 2006. In November 2007, Minister of Industry and Trade Martin Ríman proposed an amendment which would allow the secret service and the military intelligence a direct access to those data. Although he has abandoned the idea under the pressure from the media and politicians, intelligence services gained access through the "backdoor" in the new Police Law.

There is a legal proceeding submitted by Ireland (suported by Slovakia) going on against the directive at the European Court of Justice, as well as at both Hungarian and German constitutional courts. IuRe has also been preparing the trial of the "data retention" provision of a law in respect of its constitutionality and compliance with human-right obligations of the Czech Republic; the plan is to approach lawmakers with the proposal for an annulment of a part of the law, and gather enough support to submit the proposal to the Czech Constitutional Court.

Video surveillance

The volume of CCTVs has been on a sharp increase in recent years. However, the Czech legislation has not reflected this development in any way. In December last year the Government Council for Human Rights accepted a proposal of a Committee for Civil and Political Rights. The proposal has been initiated by IuRe and aims at introducing a conceptual regulation of CCTV´s usage in public. IuRe has emphasised the necessity of such an adjustment for several years. "Thus, the resolution of Council of Government is a significant achievement of our campaign, which leads to a more transparent usage of CCTV systems regulated by strict rules," declared Filip Pospísil from IuRe.

The proposal should allow private persons to use CCTV only in order to protect their own property and family; public authorities should be allowed to make a record only in the public interest and only for purposes defined by the law. The proposal should also prevent the excessive personal data processing and stipulate a duty of the CCTV owner to inform about the CCTV surveillance within its range. The aim of the proposal is also to strictly regulate the retention of records, as well as the duty to clearly state and document the exact purpose of each CCTV installation by the police or another security agency.

IuRe has already tried to pursue the legal regulation of CCTV through the Police law approved in June 2008 with the help of MP Katerina Jacques. Minister of Interior Ivan Langer has rejected the proposal, but has promised that his ministry will, in cooperation with the MP and Czech Data Protection Office, prepare amendments of the Act on Personal Data Protection containing proposed amendments. Negotiations are still ongoing with IuRe participating.

Passengers Name Records (PNR)

Passengers Name Records (PNR), the database of information about airline passengers has originally been used only by the aviation companies. But after the 9/11, the American Security Authorities have started making pressure on aviation companies to provide the detailed data of their passengers.

This practice did not have a legal ground in most countries and the agreement between EU and the USA was found illegal by the European Court of Justice. The provisional agreement, built on the same illegal base in summer 2007, was called back from negotiations in the Czech Parliament by Foreign Affairs Minister after IuRe had sent a letter to MPs raising concerns against the approval of the agreement.

After difficult negotiations, the EU came up with a new agreement on PNR data exchange with the USA in June 2007. In the Czech Republic the proposal of the agreement has not gone through an ordinary legislative process and only the Data Protection Office expressed its opinion: the proposal brings a deterioration of personal data protection level against previous agreements, as US authorities will acquire access to personal data of people without guaranteeing basic rights.( for example the right of correcting of false statements, etc.)

IuRe has also approached a number of parliamentarians expressing concerns about the agreement and this resulted in the fact that the agreement did not obtain the support of the Foreign Affairs committee of the Czech Parliament. Also the Senate Standing Commission for Privacy Protection expressed its negative position.

IuRe believes that the Parliament will demonstrate its sovereign role and will not approve this agreement at the forthcoming session.

This article has been written as a part of the "Reclaim Your Rights in the Digital Age" project supported by the Trust for Civil Society in Central and Eastern Europe Foundation.

(contribution by EDRi-member Iuridicum Remedium- Czech Republic)