skip to content
 

Data Protection Laws and Freedom of Expression: Lithuania  File:Flag of Lithuania.svg

 

 

I. First- Generation Statutory Law

Lithuania did not adopt any data protection statute during the first-generation period.
 

II.Second-Generation Statutory Law

Lithuania first adopted  data protection law specific to the public sector in 1996 and extended them also to the private sector (thereby acquiring true data protection legislation) in 1998.  The legislation was subsequently amended including significantly in 2001 and 2003.  Lithuania joined the EU on 1 May 2004 and thereby became fully subject to Directive 95/46.
 
Special Expression Derogation
Article 8 of the law set out derogatory provision applicable to processing by the media for the purpose of providing information to the public and also for artistic and literary expression.   This provided a categorical exemption in this area but only from the transparency rules, the rules on notifying processing to data subjects, on notifying the DPA of processing and also the international data transfer conditions.  Regulatory supervision over this area was reallocated from the Data Protection Inspectorate, the ordinary DPA, to the Inspector of Journalist Ethics with competence as laid down by the Lithuanian Law on Provision of Information to the Public.  This entity was a State body but, at least vis-à-vis professional journalism, had a clear co-regulatory mission and structure.
 
Broad Expression Derogation
No specific provisions were adopted.
 
Personal Exemption
The law did not apply to the processing of personal data by a natural person only for the respective person’s personal needs not related to business or profession.[1]
 
Knowledge Facilitation Framework
Art. 12 of the Data Protection Act regulated the processing of personal data for scientific research purposes. Personal data could only be processed for scientific research purposes with the data subject’s consent. Without such consent, it was necessary to notify and get the approval of the Data Protection Inspectorate. Personal data used for scientific research must have been deidentified immediately and could not be used for any other purposes. Research results could only be made public alongside the actual personal data (i.e. in identified or identifiable form) if the data subject consented.
Pursuant to Art. 13(2), personal data collected for other than statistical purposes could still be used for statistical purposes if this was permitted by law for the preparation of official statistical information. It could be disclosed and used for other than statistical purposes in accordance with the Law on Statistics.[2] The combination and comparison of personal data for statistical purposes was only lawful on the condition that the respective data were protected against uses other than statistical processing. Sensitive data to be used for statistical purposes was required to have been anonymized.
In 2011, an additional provision on the processing of personal data for social and public opinion survey was introduced.[3] Such processing was made subject to the consent of the data subject. This consent to the processing of personal data, including the subject’s contact data, for social and public opinion survey must have been explicitly given upon the first direct contact in a written or equivalent form. If consent was denied, any data had to be immediately destroyed. The collection of personal data was limited to that necessary for the social and public opinion survey purpose and had to be anonymized immediately. The use of such data for purposes other than social and public opinion was prohibited.
With an amendment in 2011, a compatibility clause was added. Pursuant to the newly introduced Art. 3(1)(2), personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only if this was specifically laid down in a law. The 2011 law also introduced a limitation to the proactive transparency rule in cases of indirect obtaining of data but, unlike in the Directive, limited this to statistical, historical or scientific research purposes and also required the Data Protection Inspectorate to carry out a prior checking of legality. No exemption was granted from sensitive data rules, with the exception of the processing of health data for scientific medical research purposes which could be processed in accordance with the provisions in the Data Protection Act and other laws and by an authorised health care professional subject to professional secrecy under the Civil Code (art 10) .[4]  
Preliminary Remark on the Legislative History
Lithuania passed its first data protection law on 11 June 1996, shortly after the restoration of its independence from the Soviet Union.[5] At the time, Lithuania was not a member of the EU. The 1996 Act was, however, limited to the regulation of electronic processing of personal data by various governmental agencies.[6] It did not contain any provision relevant for the present purposes.
 
The scope of the 1996 Act was extended to cover all persons (individuals and legal entities) processing of personal data with an Amendment passed on 12 March 1998.[7] However, there were no debates on freedom of expression in relation to this amendment.
 
A revised Data Protection Act entered into force on 1 January 2001.[8] The 2001 Data Protection Act which introduced special expression derogations for journalism, artistic and literary expression in Art. 8 was repealed in 2003 as a new Data Protection Act came into force on 1 July of the same year, implementing Directive 95/46/EC.[9] The new act marginally changed the wording of the special expression exemption and introduced clear principles on the processing of personal data for historical, statistical and scientific research.
 
In 2008, the Lithuanian Parliament repealed the 2003 Act and adopted a revised Data Protection Act, which came into force on 1 January 2009.[10] Slight changes of the wording were made to the journalism, art and literature exemption[11] as well as the additional conditions introduced regarding the exemption from the obligation of data controllers to notify data subjects about the processing of data in the course of statistical, historical or scientific research.[12]
 
Parliamentary Debates
No parliamentary debates were recorded with regard to data protection’s interaction with journalistic or other special forms of expression. A number of concerns were raised with regard to the exemption for historical research and its interaction with the constitutional guarantee of freedom of research which is listed in the Lithuanian Constitution separately from freedom of expression.[13]
 

III. Third Generation Statutory Law

The Lithuanian Parliament adopted the third-generation Personal Data Protection Law No. I-1374 Amendment which inter alia implemented the GDPR on 16 July 2018.
 
Special Expression Derogation
Article 4 of the new law extends the scope of this provision to all journalistic, academic, artistic or literary purposes. However, otherwise it sets out a similar substantive regime to the previous law. In sum, this special expressive processing is unconditionally exempt but only from the transparency rules, rules on notifying processing to data subjects, on registering data with the DPA and the data export restrictions. The Inspector of Journalist Ethics continues to be allocated regulatory authority in this area and article 7 of the law details precisely the various powers is has under the GDPR and how the co-operation and consistency mechanism might function in this area.  These provisions explicitly establish their priority over the Knowledge Facilitation Framework in the GDPR itself (which Lithuania has not usually further implemented – see below).
 
Broad Expression Derogation
No specific provisions were adopted.
 
Personal Exemption – see GDPR, art. 2(2)(c)
 
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Lithuania did not include any special provisions on the processing of personal data for knowledge facilitation purposes.
Parliamentary Debates
No transcripts of the parliamentary debates could be accessed online.
 

[1] Lithuania, Data Protection Act, art. 1(4).
[2] Lithuania, Data Protection Act, art. 13(3).
[3] Lithuania, Data Protection Act, art. 131.
[4] Lithuania, Data Protection Act, art. 10.
[5] Act of the Republic of Lithuania on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas), Official Gazette, 1996, No-63-1479 (1996 Act). English translation can be found at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=38025 (last accessed 13 November 2012).
[6] Ibid Art. 1(1).
[7] Act of the Republic of Lithuania on the Amendment and Supplement of Articles 1, 2, 3, 5, 6, 7, 8, 9, 14 of the Act on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymo 1, 2, 3, 5, 6, 7, 8, 9, 14 straipsnių pakeitimo ir papildymo įstatymas)// Official Gazette, 1998, No 31-819 (1998 Amendment Act) http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=52604&p_query=&p_tr2=2 (last accessed 11 December 2020).
[8] Act of the Republic of Lithuania on the Amendment of the Act on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymo pakeitimo įstatymas)// Official Gazette, 2000, No 64-1924 (2000 Act). The translation of the Act into English can be found at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=109017 (last accessed 11 December 2020).
[9] Act of the Republic of Lithuania on the Amendment of the Act on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymo pakeitimo įstatymas)// Official Gazette, 2003, No 15-597 (2003 Act). The translation of the Act into English can be found at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=208886 (last accessed 11 December 2020).
[10] Act of the Republic of Lithuania on the Amendment of the Act on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymo pakeitimo įstatymas)// Official Gazette, 2008, No 22-804 (2008 Act). The translation of the Act into English can be found at http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=315633 (last accessed 11 December 2020).
[11] Ibid reworded Art. 8.
[12] Ibid reworded Art. 24(4).
[13] The Committee of Law and Order, The Conclusions of the Main Committee on the Draft of the Amendments Act of the Act on Legal Protection of Personal Data (XP-1350) http://www3.lrs.lt/pls/inter3/dokpaieska.showdoc_l?p_id=279348 (last accessed 11 December 2020).