NO COUNTRY FOR PRIVACY: A REVIEW OF PRIVACY REGULATION AND PRACTICE IN LITHUANIA

Over a year ago I did survey the state of privacy in Lithuania in 2013-2014. The situation was already upsetting then, but in 2015, and especially during the first six months of 2016, it has become even direr.

The degradation of privacy has been most noticeable in the media, which feels entitled to freely portray personal images and highlight errands of the public and private persons (even when the law is obeyed), freely publish sensitive health data,  photograph and film anything and anywhere, completely disregard the privacy of residence – all without the fear of any retribution and regard for the consequences of these actions.

Formally, the media operated under the cover of the freedom of expression and freedom information (Constitution of the Republic of Lithuania, Art. 25). Due to this freedom the media is largely exempt from the Law of Legal Protection of Personal Data (Law on Legal Protection of Personal Data, Art. 8), but does it really allow full disregard of privacy? In the hierarchy of constitutional values the right to privacy (Constitution of the Republic of Lithuania, Art. 22) surpasses the freedoms of expression and information (Constitution of the Republic of Lithuania, Art. 25). Furthermore, rights and freedoms can be realized only by not violating the other Constitutional virtues and the rights of others – therefore, the gathering and dissemination of public information must be executed only in observance of the person’s right to the protection of personal data (Law on Provision of Information to the Public, Art. 14). Presuming the media do comprehend their legal obligations, they justify their dubious practices through a noble intent – by publicizing private information they are seemingly fighting alcohol or drug addictions, or illegal construction, or environmental pollution, or something else. Do these ends really justify the means and obvious violations of privacy? I do not think so.

When assessing these situations it is important to remember that the disregard of
privacy in the media has become a business. Content that systematically violates privacy is lucrative because it has an audience, and the advertising within it sells well. Private content resonates, lures public reactions and plentiful comments, it is deemed premium click-bait material. Moreover, the Lithuanian media feels immune to the consequences because the maximum legal liability for privacy violations is much lower than the profit they generate. Violating privacy simply pays off!

Ignorance of privacy in Lithuania is unequivocally led and enabled by the example of privacy ignorant government and sleepy privacy watchdogs. Members of the Parliament, having seemingly forgotten the Art. 24 of the Constitution and Art. 165 of the Criminal Code, feel free to disregard the privacy of people’s residences – enter and puff a smoke in private home yards, terraces or entertain themselves in private swings. The State Tax Inspectorate feels entitled to be informed of all electronic payment accounts, as well as the transactions done. The Financial Crime Investigation Service wants to know everything about private payment cards and transactions done with them. Other institutions want to know everything about transport passengers and their travels (PNR records), though they already know plenty (API data is already retained). The national regulations enabling all of this are extremely vague and provide no external oversight and are sure to leave no chance for the data subjects to defend themselves.

The Lithuanian government also continues to ignore the CJEU decisions (cf. C-293/12 and C-594-12) repealing the Data Retention Directive (in Lithuania the legal norms implementing the late directive are still “successfully” enforced and the further legitimization of data retention is proposed through switching the legal grounds from the EU law to the national regulation). The European Court of Human Rights practice on data retention concerning crime suspects or expired sentences (including violations of administrative law) (cf. Brunet vs. FRANCE, 21010/10) is also snubbed. Although ECHR likens the storage of such data for 20 years to indefinite storage, in Lithuania this same data is stored for over 75 years (!), because privacy was never even considered!

As soon as the government decides it must know more, we all suddenly become telephone fraudsters or even potential terrorists. Not surprisingly such major privacy-restricting regulations are introduced at the ministerial and agency regulation level, instead of legislative level.

Experience elsewhere suggests that the government’s knowing does not only fail to stop real terrorists, but the nearly unlimited data about millions of people the government retains only gives more potential power to real criminals. It is worthwhile to recall that the gravest (and affecting the most people) violations of privacy in Lithuania so far have been committed precisely by parties serving the government.

In Lithuania, privacy, even in the cases of the gravest violations, is priced at barely more than 1000 EUR (highest non-pecuniary damages award for privacy violation, cf. Civil Case 2A-389/2012, which involved disclosure of nude pictures). Other liability (pecuniary, criminal-administrative) is even lesser. Privacy defense by the data subject usually means legal proceedings lasting several years, substantial legal expenses and a Don Quixotic fight with the media, or worse – the government, which both fight dirty. I second the conclusion made by the Law Institute of Lithuania in a 2013 study – „Since the litigation regarding violations of privacy is extraordinarily lengthy – taking 2–3 years, the eventual awards frequently do not even cover expenses.” Not to mention the demeaning experiences, wasted time and stress through the process of defending your privacy. Mere fact that you wish to remain private will be played as “evidence” that you must be a potential terrorist, likely criminal or at least an alcohol sympathizer. The media and the government understand these stigmas well and actively play them to intimidate any voices of privacy.

The real price of privacy in elsewhere in the EU is best illustrated by the sanctions for privacy violations set forth in the new EU General Data Protection Regulation (GDPR), which provides fines up to 20 M EUR! GDPR accounted for sanction practice in most EU countries including the not so new EU member states. It is worth reminding that already in 2014 the Lithuanian GDP per capita made circa 75% of the EU’s average. Thus, it is not normal that awards for privacy violations in Lithuania seem, quite frankly, laughable to the residents of Western Europe. In the aforementioned Brunet vs. FRANCE case, for mere prolonged processing of data in the governmental data base the ECHR awarded 3000 EUR in non-pecuniary damages!

The climate of privacy ignorance may only be overcome through public privacy awareness and active defense in case of privacy violations. As privacy is becoming increasingly more sellable and profitable, the damages for privacy violations shall take into account income generated (even if it was not reached) and discourage profit making. Even if in the short-term the only real award is going to be just moral victory, at this rate the other alternative is a country without privacy and other liberties.

Parašykite komentarą

El. pašto adresas nebus skelbiamas. Būtini laukeliai pažymėti *