Data Protection Laws and Freedom of Expression: Lithuania
Constitutional/Primary Law Background - see also ECHR and EU Charter
Article 25 of the contemporary Lithuanian Constitution (1992 as revised 2019) enunciates a right to hold and freely express convictions as well as not to be hindered from seeking, receiving and imparting information and ideas. The Article states that these freedoms are incompatible with criminal actions, incitement of national, racial, religious or social hatred, violence, discrimination, slander and disinformation. Somewhat similarly to Article 10(2) of the ECHR, limitations are permitted by law if necessary to protect the health, honour and dignity, private life, and morals of a human being, or to defend the constitutional order. Article 42 separately establishes the freedom of culture, science, research and teaching. Although there are no constitutional data protection rights as such, Article 12 establishes the inviolability of private life and legal protection from arbitrary or unlawful interference with a person’s private and family life or encroachment upon their honour and dignity. The inviolability of communications is also declared, with the collection of information concerning private life permitted here only according to law and with a reasoned/justified court decision. Article 24 guarantees the inviolability of the home, with unconsented entrance requiring necessity on certain limits grounds and a basis in a law or court decision.
The first relevant protection of freedom to express and disseminate thoughts (but only within the limits prescribed by law) as well as inviolability of domicile (but again subject to searches as provided by law) may be traced to articles 37 and 33 of the Fundamental Laws of the Russian Empire 1906. The 1922 Constitution protected citizens’ freedom of speech and the press (with limits provided by law on the basis of morals and/or public order) (s. 15), domcile (with searches as provided by law) (s. 12) and also communications (with exceptions provided by law) (s. 15). The current provisions here trace back to the 1992 Constitution.
First- Generation Statutory Law
Lithuania did not adopt any data protection statute during the first-generation period.
|
Second-Generation Statutory Law
Lithuania first adopted data protection law specific to the public sector in 1996 and extended them also to the private sector (thereby acquiring true data protection legislation) in 1998. The legislation was subsequently amended including significantly in 2001 and 2003. Lithuania joined the EU on 1 May 2004 and thereby became fully subject to Directive 95/46.
Special Expression Derogation
Article 8 of the law set out derogatory provision applicable to processing by the media for the purpose of providing information to the public and also for artistic and literary expression. This provided a categorical exemption in this area but only from the transparency rules, the rules on notifying processing to data subjects, on notifying the DPA of processing and also the international data transfer conditions. Regulatory supervision over this area was reallocated from the Data Protection Inspectorate, the ordinary DPA, to the Inspector of Journalist Ethics with competence as laid down by the Lithuanian Law on Provision of Information to the Public. This entity was a State body but, at least vis-à-vis professional journalism, had a clear co-regulatory mission and structure.
Broad Expression Derogation
No specific provisions were adopted.
Personal Exemption
The law did not apply to the processing of personal data by a natural person only for the respective person’s personal needs not related to business or profession.[1]
Knowledge Facilitation Framework
Art. 12 of the Data Protection Act regulated the processing of personal data for scientific research purposes. Personal data could only be processed for scientific research purposes with the data subject’s consent. Without such consent, it was necessary to notify and get the approval of the Data Protection Inspectorate. Personal data used for scientific research must have been deidentified immediately and could not be used for any other purposes. Research results could only be made public alongside the actual personal data (i.e. in identified or identifiable form) if the data subject consented.
Pursuant to Art. 13(2), personal data collected for other than statistical purposes could still be used for statistical purposes if this was permitted by law for the preparation of official statistical information. It could be disclosed and used for other than statistical purposes in accordance with the Law on Statistics.[2] The combination and comparison of personal data for statistical purposes was only lawful on the condition that the respective data were protected against uses other than statistical processing. Sensitive data to be used for statistical purposes was required to have been anonymized.
In 2011, an additional provision on the processing of personal data for social and public opinion survey was introduced.[3] Such processing was made subject to the consent of the data subject. This consent to the processing of personal data, including the subject’s contact data, for social and public opinion survey must have been explicitly given upon the first direct contact in a written or equivalent form. If consent was denied, any data had to be immediately destroyed. The collection of personal data was limited to that necessary for the social and public opinion survey purpose and had to be anonymized immediately. The use of such data for purposes other than social and public opinion was prohibited.
With an amendment in 2011, a compatibility clause was added. Pursuant to the newly introduced Art. 3(1)(2), personal data collected for other purposes may be processed for statistical, historical or scientific research purposes only if this was specifically laid down in a law. The 2011 law also introduced a limitation to the proactive transparency rule in cases of indirect obtaining of data but, unlike in the Directive, limited this to statistical, historical or scientific research purposes and also required the Data Protection Inspectorate to carry out a prior checking of legality. No exemption was granted from sensitive data rules, with the exception of the processing of health data for scientific medical research purposes which could be processed in accordance with the provisions in the Data Protection Act and other laws and by an authorised health care professional subject to professional secrecy under the Civil Code (art 10) .[4]
|
Third Generation Statutory Law
The Lithuanian Parliament adopted the third-generation Personal Data Protection Law No. I-1374 Amendment which inter alia implemented the GDPR on 16 July 2018.
Special Expression Derogation
Article 4 of the new law extends the scope of this provision to all journalistic, academic, artistic or literary purposes. However, otherwise it sets out a similar substantive regime to the previous law. In sum, this special expressive processing is unconditionally exempt but only from the transparency rules, rules on notifying processing to data subjects, on registering data with the DPA and the data export restrictions. The Inspector of Journalist Ethics continues to be allocated regulatory authority in this area and article 7 of the law details precisely the various powers is has under the GDPR and how the co-operation and consistency mechanism might function in this area. These provisions explicitly establish their priority over the Knowledge Facilitation Framework in the GDPR itself (which Lithuania has not usually further implemented – see below).
Broad Expression Derogation
No specific provisions were adopted.
Personal Exemption – see GDPR, art. 2(2)(c)
Knowledge Facilitation Framework – see also GPDR, art. 5(1)(b) (compatibility), art. 5(1)(e) (time limits) and art. 89(1) (appropriate safeguards)
Lithuania did not include any special provisions on the processing of personal data for knowledge facilitation purposes.
|