Privacy in Lithuania: what’s new in 2013-2014?

Lithuania has been a member of the European Union since 1 May 2004, and diligently follows the EU guidance on regulating personal data protection. Data protection has been comprehensively regulated in Lithuania since 1996 by the special Law on Legal Protection of Personal Data (the current legislation in force is the Law of 23 February 2008 (effective from 1 January 2009) with subsequent amendments effective from 1 September 2011). The Law on Legal Protection of Personal Data implements the EU Data Protection Directive 95/46/EC and also provides specific national rules on many additional issues, such as the processing of video surveillance data, the processing of personal data for credit referencing and debt recovery, the processing of personal identification numbers, direct marketing, etc.

Modern on the surface, actual data protection in Lithuania remains rather nominal. A continuing trend in 2013-2014 is the increasingly broad and exception-based data processing by public data controllers. The legislative initiatives in 2013, and especially at the end of 2014, mark the reluctance of public data controllers to follow the same basic rules for privacy and data protection as private data controllers.

Public data controllers in Lithuania already control huge amounts of personal data, and particularly sensitive personal data (including citizens’ biometric data). Even under the existing rules, public data controllers are insufficiently accountable. Nevertheless, instead of strengthening the protection of personal data and respecting privacy, the clear trend among public data controllers is to circumvent both through legal exceptions.

The biggest and most damaging infringements of privacy and personal data protection in Lithuania in 2013-2014 have been in the public sector. This is exemplified by the repeated cases where public officers possibly traded personal data for personal gain, or the reckless public internet disclosure of the personal data of the juveniles affected by the sexual abuse by the officers of the court. Despite the resonance in the media, the responsibility of the perpetrators, and whether these cases led to any changes and improvements in personal data protection, remains unclear.

Another illustrative case of data protection in the public sector is the failure to implement the Decision of the Higher Administrative Court of Lithuania of December 18, 2012 pertaining to privacy violations in the electronic signature certificates issued by the State Enterprise Centre of Registers. Instead of securing the privacy of the electronic signature holders (e.g., by implementing certificate encryption), conflicting legislation that distorts the personal data protection system (and artificially creates a conflict of laws) was adopted in 2013-2014, thus continuing the unrestricted publicity of personal identification numbers in the electronic signature certificates.

The avoidance of the basic personal data protection principles is also entrenched in the new Law on Cyber Security adopted on December 11, 2014. This piece of legislation sets very broad rights for the law enforcement authorities to collect electronic personal data – ‘information that can be related with prevention and investigation of possible criminal offenses in cyberspace’. The proportionality of such processing of personal data is not addressed, and such personal data collection and further processing needs no approval from the judiciary. The procedures and conditions for such data processing were relegated to by-law regulation.

Yet another very similar example is the proposed bulk banking data collection by the tax authorities, which is being enacted through amendments to Articles 55 and 55-1 of the Law on Tax Administration. While these proposals are still pending, the legislative procedures are in progress and adoption is expected in 2015.

These initiatives demonstrate unilateral administrative intervention into personal privacy, without judicial supervision, without the data subject having the right to defend their privacy, or even the right to be informed. The Article 29 Working Party, in its Resolution 220 WP of August 1, 2014, stressed that bulk collection and processing of personal data should be inadmissible in national laws. Instead, public data processing shall be based on the differentiation of personal data, limitations and exclusions. It must be ensured that personal data is collected only when necessary.

Unfortunately, these basic principles were not ensured in Lithuania. In 2013-2014, the legal regulation of data protection in Lithuania catered to the administrative interest and remained reactive to resonant incidents, instead of following a systemic and comprehensive approach. Existing and newly introduced rules remain extremely vague, and the administrative practice continues to be inconsistent (e.g., on the protection of public personal data). Despite major developments at the EU level and the Lithuanian EU presidency in the second half of 2013, there were no official reactions to the new CJEU jurisprudence pertinent to privacy protection and no official policy on emerging privacy issues.

The above overview is not meant to suggest that there are no private sector violations of personal data protection in Lithuania. In 2013-2014, important problems of personal data protection persisted among business parties, especially regarding the use of personal data for marketing purposes. Good privacy practices have also been emerging from the private sector, for example the filtering of past public comments in the internet media, which limits the dissemination of often negative comments.

This comment is an excerpt from the 2013-2014 Human Rights Review in Lithuania prepared for the Human Rights Monitoring Institute.
