Last update: 02/01/2023
The European Data Protection Board has published its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data as well as Recommendations 02/2020 on the European Essential Guarantees as an update of the previous Art. 29 Working Party WP 237 after the Schrems II judgment. You can also download an unofficial Redline for the latter Recommendations.
When conducting Transfer Impact Assessments (“TIAs“), please also pay attention to the Human Rights Reports available for the data importer’s jurisdiction:
Click on a ➕ country to see a preliminary, non-binding assessment of compliance with the “European Essential Guarantees” and ECtHR case law by an expert contributor. Thanks to their voluntary commitment, the EEGG (European Essential Guarantees Guide) is constantly growing and remains as up-to-date as possible.
Country | Continent | ccode | 🇪🇺 Adequacy | 🇬🇧 Adequacy | 🇨🇭 Adequacy | 🇲🇨 Adequacy | 🇷🇺 Adequacy Roskomnadzor | 🇷🇸 Adequacy Poverenik | SCC/Model Clauses | CoE 108 Data Protection | CoE 108+ (223) Data Protection | CoE 185 Cybercrime | OECD Guidelines 2013 Protection of Privacy and Transborder Flows of Personal Data, 2013 | RCEP Member | CPTPP Signatory | Local Expert: | Guarantee A: Is processing based on clear, precise and accessible rules (legal basis)? | Guarantee B: Are necessity and proportionality with regard to legitimate objectives pursued demonstrated? | Guarantee C: Is processing subject to an independent oversight mechanism? | Guarantee D: Are effective remedies available to the individual? | Additional Information | ||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Andorra | Europe | AD | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | S, R, E: 01/09/2008 | S | S, R, E: 01/03/2017 | |||||||||||||||||||||||||||||||||||||||||
United Arab Emirates | Asia | AE | ❌ Dubai International Financial Centre (DIFC) as a potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ❌ | ❌ | ADGM Standard Contractual Clauses under Article 42(2) of the Regulations to transfer personal data from the ADGM to a third party located in a third country or jurisdiction that does not provide an adequate level of protection. DIFC Standard Contractual Clauses (DIFC SCCs) as a combination of the EU and the UK SCCs "for ease of use across as many jurisdictions as possible", providing additional safeguards in accordance with DP Law 2020, Article 27(2)(c) and as prescribed in Regulation 5 of the DIFC DP Regulations 2020. | Luna de Lange | |||||||||||||||||||||||||||||||||||||||||||
Afghanistan | Asia | 🇦🇫 | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Antigua and Barbuda | North America | AG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Anguilla | North America | AI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Albania | Europe | AL | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/06/2005 | S, R, E: 01/07/2004 | Emirjon Marku | Yes. Article 35 of the Albania Constitution and articles 5 - 7 and 12 - 16 of the law no. 9887, dated 10.03.2008 “On personal data protection” as amended (“Data Protection Law” or “DPL”) provide for the obligation of the data controller to conduct processing activities, inter alia, based on clear, precise and accessible rules. On the other hand, the interception of communications is specifically regulated under the provisions of the Albanian Criminal Procedure Code, in harmony with the provisions of legislation governing the telecommunication sector. In any case, the criteria are inherent to the abovementioned provisions of the Albanian legislation. | Albanian legislation does not entitle public authorities to have access to data subjects’ personal data on a generalised basis (including the data sourced through electronic communications). As such, the principles of article 5, and legal criteria set out under article 6, of DPL provide for several obligations which the public authorities should account to when processing one’s personal data. Such principles, include, without limitation, the obligation of public authorities to process personal data (i) on a fair and lawful basis, (ii) in accordance with the relevant legitimate purposes and in a manner that is not incompatible therewith (i.e. purpose limitation), (iii) limitation of processing to what is necessary to the relevant purpose thereof (i.e. data minimisation), (iv) processing (i.e. including, storing) of personal data for no longer as it necessary for achievement of the purpose of the processing (i.e. storage limitation), etc. | According to articles 29 - 38/a of DPL, the competent authority for the supervision and monitoring of the personal data processing and the respecting of the individuals’ right for personal data protection and privacy is the Commissioner for Freedom of Information and Personal Data Protection (the “Commissioner”). The Commissioner is an independent authority, appointed by the Albanian Parliament for a term of 5 years (renewable). The Commissioner reports to the Albanian Parliament at least once a year and whenever deemed necessary by and/or is of interest of the latter. The Commissioner might initiate administrative investigations at any time, irrespective of whether based on a complaint of a data subject or ex officio. | Articles 12 - 15 of DPL confer onto the data subjects the right of seek access to their personal data, the right to seek the blocking of further processing thereof, and the right to seek correction or erasure of their personal data that are, inter alia, untrue, incomplete or processed/collected in violation of the provisions of DPL. According to article 16 of DPL, any individual is entitled to file complaint with the Office of the Commissioner. According to article 32 of DPL, any data controller is obliged to cooperate with the Commissioner’s inspectors during the relevant administrative proceedings. To this effect, the Commissioner, in order to properly carry out its legal tasks and duties, it entitled to access the ICT systems used by any data controller personal data processing activities and/or for archiving purposes. Moreover, any individual is entitled to seek before court the damage relief in relation to the unlawful processing activities of a data controller (art. 17 of DPL). | For further information please consult the Commissioner’s website: https://www.idp.al/?lang=en | |||||||||||||||||||||||||||||||||||||
Armenia | Europe | AM | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/09/2012 | S | S, R, E: 01/02/2007 | ||||||||||||||||||||||||||||||||||||||||||
Angola | Africa | AO | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | Paulo Pedro | ||||||||||||||||||||||||||||||||||||||||||||
Antarctica | AQ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Argentina | South America | AR | ✔️ See here | ✔️ | ✔️ | ✔️ | ❌ See here | ✔️ | Disposición 60 - E/2016: Contrato modelo de transferencia internacional de datos personales con motivo de la cesión de datos personales (Anexo I) and Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios (Anexo II). The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | R (Accession), E: 01/06/2019 | S | N/A Please see the country report for Argentina as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||
American Samoa | Oceania/Australia | AS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Austria | Europe | AT | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/07/1988 | S | S, R, E: 01/10/2012 | ✔️ | Thomas Schweiger | |||||||||||||||||||||||||||||||||||||||
Australia | Oceania/Australia | AU | ❌ | ❌ | (✔️) Before personal data are transferred, it should be clarified whether Australian legislation governs this matter, in particular whether personal data of foreign nationals are covered or not. | ❌ | ✔️ | ❌ | Australian Privacy Principle 8 - Cross-border disclosure of personal information (Sec. 8.16 et seqq.) | ✔️ | ✔️ | ✔️ | Kara Birch | ||||||||||||||||||||||||||||||||||||||||
Aruba | North America | AW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Azerbaijan | Asia | AZ | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/09/2010 | S, R, E: 01/07/2010 | |||||||||||||||||||||||||||||||||||||||||||
Bosnia and Herzegovina | Europe | BA | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/07/2006 | S | Anisa Tomic, Attorney at Law, Partner, Maric & Co LLC Law Firm | In accordance with the Law on Criminal Procedure of FBiH and Law on Criminal Procedure of RS, the types of special investigative actions („measures“) and conditions of their application are regulated. These are actions that need to assist prosecutors to effectively reveal the perpetrators and the evidence of serious and complex crimes, especially organized crime. There are criminal offenses in whose execution included a larger number of people in different locations and which are carried out with the help of new communication technologies, so that it is not possible to prove the classic the means of proof (documents, material evidence, witnesses). Special investigative actions may be ordered in case of criminal offenses punishable by at least three years of imprisonment or by a more severe sentence. If evidence cannot be obtained in any another way or its obtaining would be accompanied by disproportional difficulties, special investigative measures may be ordered against a person where grounds for suspicion exsists that he or she has committed or has along with other persons taken part in committing or is participating in thecommission of an offense. Measures referred above shall be ordered by the preliminary proceedings judge in an order upon the properly reasoned motion of the prosecutor containing: the data on the person against whom the measure is to be applied, the grounds for suspicion, the reasons for undertaking the measures and other important circumstances necessitating the application of the measures, the reference to the type of required measure and the method of its implementation and the extent and duration of the measure. The order shall contain the same data as those featured in the prosecutor’s motion as well as ascertainment of the duration of the measure ordered. Exceptionally, if a written order cannot be received in due time and if there is danger in delay, the execution of a measure may commence on the basis of a verbal order pronounced by the preliminary proceeding judge. The written order of the court must be obtained within 24 hours following the issue of the verbal order.
Special investigative measures are as follows: a) Surveillance and technical recording of telecommunications, also called WIRETAPPING; This measure may be ordered against persons against whom there are grounds for suspicion that he or she will deliver to the perpetrator or will receive from the perpetrator of the offenses information in relation to the offenses, or grounds for suspicion that the perpetrator uses a telecommunication device belonging to those persons. In practice this measure is very useful but it limits right to privacy not only for suspicious person, but indirectly, for any third party with whom the suspect makes contact by means of communication. Companies performing the transmission of information shall be bound to enable the prosecutor and police authorities to enforce these measures. b) Access to computer systems and computer data comparison; This measure would apply to the computer crimes such as double accountancy, correspondence and other. State investigative authority have access to computer systems and electronic transmission of data. c) Supervision and technical recording of the premises; d) Secret surveillance and technical recording of persons, means of transport and objects which are in relation to them; This measure nowdays is often applied. If the judge approved this measure in the preliminary procedure in this case it can be evidence. e) Use of undercover investigators and use of informant; By compiling or transcribing the records without making references to the personal data therein about the undercover investigator and informant, or in another appropriate way, the prosecutor and the preliminary proceedings judge shall prevent unauthorized persons as well as the suspect and his defense attorney from establishing the identity of the undercover investigator and of informant. f) Simulated purchase of certain objects and simulated bribery; g) Supervised transport and delivery of the objects of a criminal offense.
Measures referred above under a), through d) and g) may last up to one (1) month, while on account of particularly important reasons the duration of such measures may upon a properly reasoned motion of the prosecutor be prolonged for a term of another month, provided that the measures referred under a), b) and c) may last up to six (6) months in total, while the measures referred under d) and g) may last up to three (3) months in total. It is also worth to note that in accordance with the Criminal Code of Federation of Bosnia and Herzegovina (FBiH) and the Criminal Code of Republika Srpska (RS) it is regulated that whoever takes a photograph, film or other recording of another person in his personal premises without that person's consent, or who directly passes on or displays such a photograph to a third person or enables the third person in some other way to have a direct access to the photograph, shall be shall be punished by a fine or imprisonment for a term not exceeding three years. An official person, who perpetrates this criminal offence in the discharge of duty, shall be punished by imprisonment for a term between six months and five years. Whoever photographs or films a child with an aim of developing photographs, audio-visual tapes or other pornographic materials or who possesses or imports or sells or deals in or projects such material, shall be punished by imprisonment for a term between one and five years. Items meant or used for the perpetration of this criminal offence shall be forfeited and items produced by the perpetration of the criminal offence shall be forfeited and destroyed. An official or responsible person in the Federation who, without the consent of an individual (data subject) and contrary to the conditions stipulated by the law, collects, processes or uses personal data, or uses such data contrary to the statutory purpose of their collection, shall be punished by a fine or by imprisonment for a term not exceeding six months. | The general overarching national data protection law in Bosnia and Herzegovina (BH) is the Law of Personal Data Protection, published in the Official Gazette of BH (Official Gazette) as Nos. 49/06, 76/11, 89/11 (PDP law).
Data Controller means any public authority, natural or legal person, agency or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations.
In accordance with the Article 22 of the PDP law, it is regulated that before collecting any personal data, the controller shall notify a data subject, unless the data subject has already been informed, on:
If the controller failed to collect personal data from a data subject, it is required to notify the data subject without delay about the identity of the third party that provided the controller with the personal data, and provide information aforementioned in accordance with Article 22 of the PDP Law.
Some exceptions do apply. Namely, the data controller shall not be obliged to provide information on processing of personal data or to enable access to personal data if that action could cause significant damage to legitimate interests of the following categories in Bosnia and Herzegovina:
These restrictions shall be allowed only to the extent required in a democratic society for any of the aforesaid purposes.
In accordance with the PDP law, main principles of personal data processing are regulated under the Article 4. Personal data protection rules and principles are:
The principle of legality of personal data processing implies the processing of personal data prescribed by law, which regulate a certain area, i.e. on the basis of and within the limits of laws and other regulations. The Law of Personal Data Protection (PDP) regulates the processing of personal data which is any operation or set of operations performed on personal data, such as but not limited to:
PDP law generally applies to the processing of personal data in the territory of Bosnia and Herzegovina (Article 2(1), PDP law). It also applies to processing outside of Bosnia and Herzegovina when a data controller engages a data processor outside of Bosnia and Herzegovina, to process data on behalf of the data controller (Article 12 and 18 PDP law). Under the PDP law, a data controller or data processor processing data on behalf of a data controller may process personal data without the consent of a data subject if the processing is:
Personal data are processed only to the extent necessary to fulfil a certain purpose. This principle means that if the law or by-laws adopted on the basis of law do not prescribe per se which personal data are processed, then the minimum personal data required to achieve the purpose of such processing is taken. Realization of the principles of justice and legality means adherence to material and formal legal regulations that are to be applied in a specific legal matter, e.g. insight and access to emails of data subjects. Therefore, in case personal data processing is carried out by government authorities for intelligence purposes would be justifiable but only to the extent and scope necessary for the fulfilment of the specified lawful purpose and only within the period of time necessary for the fulfilment of the lawful specified purpose. The existence of reasonable suspicion against the data subjects, i.e. persons concerned for specific criminal act charges would be objective criteria used to determine which personal data of individuals are stored.
Lawyer, defence counsel, notary public, doctor of medicine, doctor of dentistry, or other health professional, a psychologist, a guardian, a religious confessor, or another person who without authorization discloses a secret learned in the exercise of professional duties, shall be punished by imprisonment up to one year.
Disclosure of professional secrets is not criminal offense if someone discovers a secret in the general interest or the interest of another person which is more important than the interest of secrecy.
The PDP law permits the transfer of personal data outside of Bosnia-Herzegovina if adequate safety measures are ensured in the destination country. The adequacy of the safety measures is assessed on case by case basis by the Personal Data Protection Agency of BH (Agency), particularly with regard to:
The Agency considers EU member states adequate for transferring personal data. The Agency also allows data transfers to countries that do not meet adequacy requirement if:
In addition to meeting the foregoing requirements, transfers of data abroad require:
| Materials received through the measures and notification of the measures undertaken:
Upon the completion of the application of the measures, all information, data and objects obtained through the application of the measures as well as a report must be submitted by police authorities to the prosecutor. The prosecutor shall be bound to provide the preliminary proceedings judge with a written report on the measures undertaken. On the basis of the submitted report the preliminary proceedings judge shall evaluate the compliance with judge's order.
Should the prosecutor refrain from prosecution, or should the data and information obtained through the application of the ordered measures not be needed for the criminal proceedings, these data shall be destroyed under the supervision of the preliminary proceedings judge, of which event the judge shall make separate records.
No data or information received through the undertaking of measures (Incidental Findings) shall be used as evidence if they are not related to a criminal offense punishable by at least three years of imprisonment or by a more severe sentence. | In accordance with the PDP law, the controller is not required to provide information to data subject on the processing of personal data in the following cases:
The person against whom any of the aforementioned measures were undertaken, shall be notified of the undertaking of the measures, the reasons for their undertaking and information stating that the received materials did not constitute sufficient grounds for criminal prosecution and were thereafter destroyed.
In case of personal data processing carried out by government authorities for intelligence purposes, the preliminary proceedings judge shall forthwith and following the undertaking of the measures inform the person against whom the measures were undertaken. That person may request from the court a review of legality of the order and of the method by which the order was enforced. Data and information received through the undertaking of the measures shall be stored and kept as long as the court file is being kept.
The PDP law grants data subjects the following rights, amongst others:
According to the Article 24 PDP law, it is regulated that the Controller shall, at the request of the data subject, correct, delete or block data that were found to be incorrect or incorrectly listed or processed in any other manner that is contrary to law and rules relating to data processing. The controller shall, at the request of the data subject, inform the third party to whom the data were transferred. | Before start processing personal data, data controllers are required to submit to the Data Protection Agency of Bosnia and Herzegovina (DPA) the Notification/Request for Intention to Establish Personal Data Filing System along with prescribed documents. The DPA will make the assessment based on the documents and forms submitted and following their approval (Authorization) the processing of the personal data may start. The data controller is authorised to begin processing personal data only after the DPA approves the processing, or upon the expiration of two (2) months following the day the request has been received by the DPA. If upon the expiration of 2 months from the day the request was submitted, the DPA makes no decision whatsoever, the processing may also start.
Local notification/authorization regime is based on purposes.
Please note that Prior Notification to the DPA is required whenever the processing does not come directly from a law. Therefore, data controller would be required to notify DPA on its intent to process data and adopt Decision on Personal Data Processing for such purpose.
If the processing of personal data is based on the on particular law (such as Criminal Law, Employment Law, Tax Law etc.), Prior Notification to the DPA is not required. However, DPA's Authorization is still required.
In another words, DPA's Authorization for processing of personal data is always required, while Prior Notification is required only when the processing purpose does not directly come from a specific law. | |||||||||||||||||||||||||||||||||||||
Barbados | North America | BB | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Bangladesh | Asia | BD | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Belgium | Europe | BE | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/09/1993 | S | ✔️ | Thomas O. Dubuisson | ||||||||||||||||||||||||||||||||||||||||
Burkina Faso | Africa | BF | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Invitation valid until 24 March 2022 | Invitation valid until 12 December 2024 | Moumouni Ouiminga | ||||||||||||||||||||||||||||||||||||||||||
Bulgaria | Europe | BG | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/01/2003 | S, R | ||||||||||||||||||||||||||||||||||||||||||
Bahrain | Asia | BH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | Ms. Tripti Dhar, Partner – Reina Legal
|
Article 26 of Constitution: The freedom of postal, telegraphic, telephonic and electronic communication is safeguarded and its confidentiality is guaranteed. Communications shall not be censored or their confidentiality breached except in exigencies specified by law and in accordance with procedures and under guarantees prescribed by law. Article 372 Amiri decree no. 15 of 1976 with respect to enactment of the Penal Code: A fine not exceeding BD20 shall be penalty for any person who opens a letter or telegram against the will of the addressee or eavesdrop on a telephone conversation. An offender shall be liable for imprisonment for a period not exceeding 6 months or a fine not exceeding BD 50 if he divulges the contents of the letter, telegram, or telephone conversation to a person other than that to whom it has been intended and without the permission thereof should such action cause damage thereto Article (4) of Law on Combating Cybercrime in the Kingdom of Bahrain: Without prejudice to any more severe penalty in any other law, imprisonment with a fine not exceeding one hundred thousand Dinars or one of these penalties shall be punishable by wiretapping, intercepting or intercepting without legal justification using technical means, Transmitted from or to the IT system, including any emissions of electromagnetic waves from the IT system that carry such data. If an eavesdropping, capture or objection results in a disclosure of the transmission or part thereof without legal justification, that is not an aggravating circumstance.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject. |
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
|
The existing laws in the region are silent on above subjects. |
| There exist Law No. 30 of 2018 Promulgating The Personal Data Protection Law and Law No. 60 of 2014 with respect to Information Technology Crimes, mentions the penalties of unlawful taping, capturing or intercepting, by technical means, any non-public transmission of information devices data to, from or within an information technology system. Due to unavailability of translation in English we have not captured the effect of both the laws. | ||||||||||||||||||||||||||||||||||||||
Burundi | Africa | BI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Benin | Africa | BJ | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | Invitation valid until 20 June 2024 | Julien Hounkpe, Bilingual Lawyer, PhD Website: https://julienhounkpe.com |
- national independence, territorial integrity and security as well as national defense; - the prevention of terrorism; - the prevention of attacks on the government; - the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference; - crime and organized crime; - the fight against the proliferation of arms; - economic, industrial and scientific interests. (Intelligence Services Act in Benin Republic : Article 3)
The surveillance measures are applicable to any person on whom there are serious reasons to collect information for intelligence purposes, except members of parliaments, judges, public prosecutors and barristers during the period of their mandate or professional activity, as well as people who, by virtue of their statute are likely to know of the indictment of the President of the Republic and members of the Government. The exemption can be lifted by the National Commission for the Control of Surveillance Measures as part of legal proceedings or under conditions of absolute necessity. (Intelligence Services Act in Benin Republic : Article 6)
The surveillance measures are granted for a maximum period of four (4) months by the National Commission for the Control of Surveillance Measures. They shall stop at the end of this period. They are renewable under the same conditions of form and duration. (Intelligence Services Act in Benin Republic : Article 17)
The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law. The Commission has twenty four (24) hours to respond to requests and seventy two (72) hours if a plenary session of the committee is necessary. After authorization by the Head of Government, and with the exception of the emergency cases listed in the law, requests for the implementation of surveillance measures are expressed in writing and are motivated by the National Intelligence Coordinator. Each request must specify: - the organization for which it is presented; - the purpose (s) pursued; - the reason (s) for the measure (s); - the person (s) concerned. If the identity of the person (s) concerned is not known, s/he may be designated by his technical identifier (s) or his/her function (s). Requests for renewal of an authorization also specify the reasons why this renewal is justified. (Intelligence Services Act in Benin Republic : Article 14, 15, 16)
If a request for international mutual legal assistance, or if a national legal procedure concerns facts or acts committed by intelligence services and covered by the secrecy of national defense, the public prosecutor, under the authority of the minister in charge of justice, shall inform the National Intelligence Coordinator. If this is the case, the Minister of justice shall inform the public prosecutor or the requesting international authority that its request cannot be granted, in whole or in part. This decision is notified to the judicial authority at the origin of the request and shall obstruct the execution of the request or the return of performance documents. If this is not the case, the National Intelligence Coordinator shall propose total or partial lifting of the secrecy of national defense, relating to these acts and acts committed. (Intelligence Services Act in Benin Republic : Article 25)
The authorization and implementation of surveillance measures on national territory can only be decided if: - they proceed from an authority legally empowered ; - they result from a procedure in accordance with the law; - they respect the missions entrusted to the competent services; - they are justified by the threats, risks and challenges related to the fundamental interests of the Nation. (Intelligence Services Act in Benin Republic : Article 4)
The agents committed for the collection of intelligence data must be sworn agents. They are responsible for any deliberate infringement of the individual liberties and the rights to privacy if the violations go beyond the provisions of the law. (Intelligence Services Act in Benin Republic : Article 5) |
Rights to privacy, in particular the secrecy of correspondence, the protection of personal data and the inviolability of home, are guaranteed by law. The public authority can only infringe on them in case of necessity, of public interest and within the limits fixed by law. (Intelligence Services Act in Benin Republic : Article 4)
Only information related to one of the following objectives can be retained : - national independence, territorial integrity and security as well as national defense; - the prevention of terrorism; - the prevention of attacks on the government; - the major interests of foreign policy, the execution of international commitments of Benin and the prevention of any form of foreign interference; - crime and organized crime; - the fight against the proliferation of arms; - economic, industrial and scientific interests (Intelligence Services Act in Benin Republic : Article 18)
(Intelligence Services Act in Benin Republic : Article 3)
|
The National Commission for the control of surveillance measures is an independent administrative authority. It is composed of five (5) members : - two (2) members of parliament designated for the duration of the legislature by the National Assembly, one (l) from the majority and one (l) from the minority; - two (2) judges of the Supreme Court appointed by the President of the Supreme Court, one from the Administrative Chamber, the other from the Judicial Chamber; - one (1) high ranking officer, still in function or not, appointed by the Head of Government because of his knowledge and experience in intelligence and State security In the exercise of their functions, the members of the commission do not receive instructions from any authority. (Intelligence Services Act in Benin Republic : Articles 7 and 8)
The authorization granted by the Head of Government to carry out surveillance measures is subject to the prior opinion of the National Commission for the Control of Surveillance Measures, except in the cases provided by the law. (Intelligence Services Act in Benin Republic : Articles 7 and 14) |
Any citizen who suspects that he or she is subject of surveillance can submit a complaint to the National Commission for control of surveillance measures which shall carry out investigations The Court of Appeal has jurisdiction in first instance to hear cases related the implementation of surveillances measures. The Supreme Court has jurisdiction in last resort. (Intelligence Services Act in Benin Republic : Articles 32 and 33)
An independent oversight committee.
The requests and authorizations are recorded in the registers kept by the National Intelligence Coordinator and accessible to the National Commission for the Control of surveillance measures whenever necessary (Intelligence Services Act in Benin Republic : Article 17) | Law No 217- 44 of 5 February 2018 on Intelligence Services in the Republic of Benin
Constitutional Court decision No DCC 18-013 of 01 February 2018 (conformity of surveillance legislation with the Constitution) | ||||||||||||||||||||||||||||||||||||||
Bermuda | North America | BM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Alexander McD White, Privacy Commissioner Commissioner White is Bermuda’s first Privacy Commissioner, establishing the office and building the foundations for a successful data protection environment in the country. He is a licensed lawyer, a founding member of the International Association of Privacy Professionals' Privacy Bar Section Advisory Board, and founder of the IAPP State, Local, and Municipal (SLAM) Government Affinity Group. He served a three-year term on the U.S. Department of Homeland Security (DHS) Data Privacy and Integrity Advisory Committee (DPIAC). Prior work includes service as State Deputy Chief Privacy Officer for the U.S. State of South Carolina and as a lawyer in the insurance industry. For more information, see: www.linkedin.com/in/a1exwhite Note: This analysis of European Essential Guarantees is primarily based upon Bermuda’s Personal Information Protection Act (PIPA), which received Royal Assent in 2016. As a United Kingdom Overseas Territory, individuals in Bermuda are also protected by the European Convention on Human Rights. | The Personal Information Protection Act 2016 (PIPA) requires that processing of data be based on specific “conditions” (section 6) that largely align with the “legal bases” of the European Union’s General Data Protection Regulation. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights. | The Personal Information Protection Act 2016 (PIPA) contains certain “Minimum Requirements” that apply to all entities in Bermuda, even national security entities that are exempt from other PIPA requirements. These Minimum Requirements include “Fairness” (section 8) and “Proportionality” (section 11) that largely align with concepts of necessity and proportionality in European law and jurisprudence. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights. | Bermudians have numerous avenues by which to appeal to protect their rights. The Personal Information Protection Act 2016 (PIPA) creates the Office of the Privacy Commissioner, with powers to receive reports, investigate, and issue orders of any entity subject to PIPA. This includes national security entities, which must comply with PIPA’s “Minimum Requirements.” The Privacy Commissioner is an independent officer appointed by the Governor of Bermuda, not its political government, and “shall not be subject to direction of control of any other person or authority” (section 26). In addition, Bermuda’s Human Rights Commission receives complaints and investigates violations of Bermuda’s Human Rights Act, and individuals may protect their common law rights to privacy through Bermuda’s courts. Further, as a United Kingdom Overseas Territory, Bermuda law is influenced by the decisions and case precedent of the European Court of Human Rights. | Individuals have the ability to report violations to the Office of the Privacy Commissioner, who has statutory powers to investigate and issue orders. The Privacy Commissioner’s orders are subject to judicial review by the Supreme Court of Bermuda (PIPA section 45), and if the court finds violations of orders then both entities and individual actors personally may be held liable (PIPA section 47). Further, as a United Kingdom Overseas Territory, individuals in Bermuda may submit their case for review by the European Court of Human Rights. | For more information on the Office of the Privacy Commissioner, including copies of the Personal Information Protection Act 2016 and regulatory guidance, visit www.privacy.bm. | |||||||||||||||||||||||||||||||||||||||
Brunei | Asia | BN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | ✔️ | ||||||||||||||||||||||||||||||||||||||||||
Bolivia | South America | BO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Brazil | South America | BR | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Invitation valid until 12 December 2024 | N/A Please see the country report for Brazil as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||
Bahamas | North America | BS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Bhutan | Asia | BT | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Botswana | Africa | BW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Senwelo Modise is a practising attorney in Botswana and an information privacy professional proficient in the areas of data protection, cybersecurity law, telecommunications law, electronic transactions and digital forensics. Twitter: @Modise_SK | In terms of Section 28 of the Cybercrime & Computer Related Crimes Act, 2018 empowers a police officer or any person authorized by the Commissioner may apply to a judicial officer ex-parte for an order permitting real time collection or recording of traffic data. An order may also be granted ex-parte compelling a service provider to effect such real time collection or recording of traffic data. The Directorate of Intelligence Security Services (DISS) may also intercept communications in terms of Section 22(4) of the Intelligence Security Services Act pursuant to a court order, the Act provides that the Directorate shall show cause to a judicial officer justifying the grant of the surveillance order. It may be inferred from the Acts that the offences that may give rise to an interception order are cybercrimes and issues related to national security. The answers to all the questions in the criteria outlined below are in the negative. Thus, the interception of communications is not “foreseeable” in the sense of WP 237; there are no clear, precise and accessible rules. The intrusive act of interception is beyond getting a court order upon an ex-parte application generally not regulated. Section 31 of the Cybercrime & Computer Related Crimes Act provides for purpose limitation of the data collected in respect of an investigation under the Act but the manner in which the purpose limitation would be guaranteed is not stipulated. |
The answer is in the negative to all questions. The law in Botswana makes no provision in this regard. |
|
The answer is in the negative for all questions. The Data Protection Act, 2018 which affords a data subject the right to access, rectification and erasure was passed in 2018 but is not in force due to the fact that the supervisory authority, the Information and Data Protection Commission has not been constituted. We await an announcement of the commencement date. | Have a look at this article written by a former lecturer of mine at the University of Botswana:
Cybercrime & Computer Related Crimes Act: https://www.bocra.org.bw/cybercrime-and-computer-related-crimes-act-2018
Data Protection Act: https://www.bocra.org.bw/data-protection-act
Section 22 of the Intelligence Security Services Act:
(1) Where the Director General believes, on reasonable grounds, that a warrant under this section is required to enable the Directorate to investigate any threat to national security or to perform any of its functions under this Act, the Director General shall apply to a senior magistrate or a judge of the High Court for a warrant in accordance with this section. (2) If the magistrate or judge to whom an application is made under subsection (1) is satisfied that there are reasonable grounds for suspecting that there is in the premises, place, vessel, boat, aircraft or other vehicle anything which is or contains evidence of the commission of any of the offences referred to in this Act, he or she may by warrant direct the Director General, or any officer or support staff authorised by the Director General under this Act, to enter and search such premises, place, vessel, boat, aircraft or other vehicle and seize and detain anything which the Director General, or the officer or support staff authorised by the Director General, has reason to believe is or contains evidence of any of the offences referred to in this Act. (3) Whenever the Director General, or an officer or support staff authorised by him or her under this Act, has reasonable cause to believe that there is in any premises, place, vessel, boat, aircraft or other vehicle any article or document- (a) which is evidence of the commission of an offence referred to in this Act; (b) in respect of which an offence has been, is being, or is about to be committed under this Act; (c) is being conveyed, or is concealed or contained in any package in the premises, place, vessel, boat, aircraft or other vehicle, for the purpose of being conveyed, then and in any such case, if the Director General, or the officer or support staff authorised by him or her under this Act considers that the special exigencies of the case so require, he or she may without a warrant enter the premises, place, vessel, boat, aircraft or other vehicle, and search, seize and detain such article, document or package. (4) The court mentioned in subsection (1) may, on application made by the Director General or an officer or support staff authorised by him or her to do so, issue a warrant under this section authorising the taking of such action as may be specified in the warrant in respect of anything so specified if the court considers it necessary for that action to be taken in order to obtain information which- (a) is likely to be of substantial value to the Directorate in the discharge of its functions; and (b) cannot be reasonably obtained through other means: Provided that in the event the Directorate wishes to conduct an investigation of a personal or intrusive nature such as searches or interception of postal mail, electronic mail, computer or telephonic communications, the Director General or an officer or support staff authorised by him or her shall show cause to a court of Senior Magistrate or above or a Judge of the High Court and obtain an order in a secret hearing. (5) In the exercise of the powers of search, seizure and detention under this section, the Director General, or any other officer of the Directorate may use such reasonable force as is necessary in the circumstances, and may be accompanied or assisted by such other person as he or she considers appropriate to assist him or her to enter into or upon any premises, place, vessel, boat, aircraft or other vehicle, as the case may be. (6) A magistrate may, on the application, ex parte, of the Director General, by written notice require a person who is the subject of an investigation in respect of an offence alleged or suspected to have been committed by him or her to surrender to the Director General any travel document in his or her possession. (7) If a person on whom a notice under subsection (6) has been served fails to comply with the notice, he or she may be arrested and taken before a magistrate. (8) Where a person is taken before a magistrate under subsection (7), the magistrate shall, unless such person complies with the notice under subsection (6) or satisfies the magistrate that he or she does not possess a travel document, by warrant commit him or her to prison where he or she shall be safely kept until he or she complies with the notice. (9) A person who has surrendered a travel document under this section may at any time make a written application to the Director General for its return, and every such application shall contain a statement of the grounds on which it is made. (10) The Director General may, within 14 days of receipt of the application referred to in subsection (9)- (a) grant the application either without conditions or subject to such conditions as to the further surrender of the travel document and the appearance of the applicant at any time and place in Botswana as may be specified by the Director General in a written notice served personally on the applicant; or (b) refuse the application. (11) A person aggrieved by the refusal of the Director General to return his or her travel document to him or her may appeal to a magistrate. | |||||||||||||||||||||||||||||||||||||||
Belarus | Europe | BY | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | Alexey Koziuk, Sabina Tereshko | ||||||||||||||||||||||||||||||||||||||||||||
Belize | North America | BZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Canada | North America | CA | (✔️) For commercial organisations, see here | ✔️ Only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Not all data is subject to PIPEDA. | ✔️ | ✔️ | ✔️ See here or here | ✔️ Commercial organisations | ✔️ | ✔️ | Jennifer Sellars, J.D., CIPP/C, CIPM Twitter: @ModernPrivacy |
Any “Offence” of the Criminal Code as detailed in section 183[1]. There are 85 listed offences from the Criminal Code which range from high treason, terrorism related, weapons trafficking, bribery, breach of trust, child pornography, keeping a gaming or betting house, murder, sexual assault, robbery, identity theft, and unauthorized use of a computer. The Criminal Code also lists certain offences of the following Acts: Controlled Drugs and Substances Act Corruption of Foreign Public Officials Act Immigration and Refugee Protection Act S. 487.014 of the Criminal Code, also allows, without a court order, a law enforcement official “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.” This means that so long as no other law prohibits such a disclosure, the information may be provided to law enforcement without a court order. The Canadian Security Intelligence Service[2] (CSIS) may apply to a judge for a warrant is they believe that information is required to investigate a threat to the security of Canada[3].
Anyone participating in private communications with a person who is in Canada[7]
I could not find national legislation that addresses the above topics. CSIS warrants are not required to be disclosed, there is an absence of publicly information that indicates what the limitations are._______ [1] https://laws-lois.justice.gc.ca/eng/acts/C-46/page-41.html#h-118716 [2] https://www.canada.ca/en/security-intelligence-service.html [3] CSIS Act. Section 21, https://laws-lois.justice.gc.ca/eng/acts/C-23/page-9.html#h-1193870 [4] https://www.cse-cst.gc.ca/en [5] https://www.canada.ca/en/government/ministers/harjit-singh-sajjan.html [6] National Defence Act [7] See the definition of “Private Communication” under section 183 of the Criminal Code |
For Information collection by authority of CSIS Act, the judicial authorization issued under section 11.13 or 21 of the Act is required to address destruction or retention of a dataset.
There is no specific national legislation that protections citizens from requests for disclosure from governmental bodies in general. However, the Supreme Court of Canada has confirmed that Solicitor-Client privilege is a Constitutional Right[9] under section 7 of the Charter[10] and the right to privacy under section 8 of the Charter. For Canadian datasets collected by authority of the CSIS Act, information that is protected by solicitor-client privilege must be deleted[11]._______ [8] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art.12.1 [9] Canada (Privacy Comissioner) v. Blood Tribe Department of Health, 2008 SCC 44 (CanLII), [2008] 2 SCR 574 [10] https://laws-lois.justice.gc.ca/eng/Const/page-15.html [11] Canadian Security Intelligence Service Act (R.S.C., 1985, c. C-23), Art. 11.1 (1) b |
At the moment there is no National body overseeing surveillance measures. Recently, the federal government has introduced Bill C-59[12], which would introduce a new regulatory body, the National Security and Intelligence Review Agency. This regulatory body would oversee the work of all national security agencies. The three major surveillance organizations in Canada are the RCMP, the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE).
Surveillance collected by a warrant obtained through the criminal must be disclosed to the person surveilled after the expiry of the authorization. Surveillance obtained through the CSIS is not required to ever be disclosed to the person surveilled. Unless a person is ultimately charged, they would never know they were subject to surveillance._______ [12] https://www.parl.ca/LegisInfo/BillDetails.aspx?Language=E&billId=9057418 |
Section 8 of the Charter of Rights protects Canadians and individuals present in Canada unreasonable search or seizure. If this has been violated, individuals must pursue their claim through the provincial courts through the civil liability legal regime. The most notable case was of Maher Arar who commenced his claim in the Province of Ontario[13] and eventually received an apology and compensation in the amount of $10.5 million from the federal government[14]. Section 37 and 38 of the Canada Evidence Act permits a Canadian Minister to object to disclosure of information before a court if relase of information would encroach on a specified public interest, would be injurious to international relations, national defence or national security.[15]_______ [13] https://www.falconers.ca/wp-content/uploads/2016/09/Ara-Statement-of-Claim.pdf [14] https://archive.vn/20070128130429/http://cnews.canoe.ca/CNEWS/War_Terror/2007/01/26/3453332-cp.html, accessed July 14, 2020. [15] https://laws-lois.justice.gc.ca/eng/acts/C-5/page-6.html#h-137843 | R. v. Rogers Communications, 2016 ONSC 70 Canadian Charter of Rights and Freedoms: https://laws-lois.justice.gc.ca/eng/Const/page-15.html Criminal Code of Canada: https://laws-lois.justice.gc.ca/eng/acts/C-46/index.html | |||||||||||||||||||||||||||||||||||||
Cocos [Keeling] Islands | Oceania/Australia | CC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Congo [DRC] | Africa | CD | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Central African Republic | Africa | CF | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Congo [Republic] | Africa | CG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Switzerland | Europe | CH | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | The FDPIC recognises the 2021 SCCs of the European Union under the GDPR, including all modules, with the reservation that they will be adapted and/or supplemented as necessary in specific cases. Comprehensive guidance available. | S, R, E: 01/02/1998 | S | ✔️ | Esther Zysset, PhD https://publicsector.ch | Preliminary remarks:
Nature of the offences which may give rise to an interception or surveillance order:
Categories of people that might be subject to surveillance;
Duration of the measure:
Provisions surrounding access to and use of the data:
Proportionality regarding number of persons who can access stored data:
|
|
| As regards data collected through surveillance measures in criminal proceedings, the access to personal data is governed:
| English versions of the main acts cited above can be found here: Federal Supreme Court decision of March 2nd, 2018 (in German), finding that the blanket duty to store telecommunications metadata for a duration of six months as per the SPTA does not violate Article 8 of the European Convention on Human Rights nor the corresponding provision of the Swiss federal constitution (Article 13): | |||||||||||||||||||||||||||||||||||
Côte d'Ivoire (Ivory Coast) | Africa | CI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Charles Nguessan | ||||||||||||||||||||||||||||||||||||||||||||
Cook Islands | Oceania/Australia | CK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Chile | South America | CL | ❌ | ❌ | ❌ | ❌ | ❌ See here | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | ✔️ | ✔️ | N/A Please see the country report for Chile as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||
Cameroon | Africa | CM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Danielle Moukouri Djengue | ||||||||||||||||||||||||||||||||||||||||||||
China | Asia | CN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | The Cyberspace Administration of China (CAC) has published its Draft "Data Exit Security Assessment Measures" (数据出境安全评估办法), available here (unofficial translation available here). These measures are relevant under China's Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL). In addition, the CAC issued Draft Provisions on Standard Contracts for Cross-border Transfer of Personal Information on 30 June 2022, which contain some similiarities (see, Art. 4) with transfer impact assessments under the EU Commission's SCCs. | ✔️ | N/A Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that "[...] the Chinese legal system does not provide sufficient safeguards for foreigners’ data comparable to those found in the EU". | ||||||||||||||||||||||||||||||||||||||||||
Colombia | South America | CO | ❌ Potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ❌ | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Invitation valid until 12 September 2020 | ✔️ | N/A Please see the country report for Colombia as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||
Costa Rica | North America | CR | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Alethya Howells | |||||||||||||||||||||||||||||||||||||||||||
Cuba | North America | CU | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Christmas Island | Oceania/Australia | CX | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Cyprus | Asia | CY | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/06/2002 | S, R | Maria Raphael | |||||||||||||||||||||||||||||||||||||||||
Czech Republic | Europe | CZ | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/11/2001 | S | ✔️ | Luděk Nezmar | ||||||||||||||||||||||||||||||||||||||||
Germany | Europe | DE | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/10/1985 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Djibouti | Africa | DJ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Denmark | Europe | DK | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/02/1990 | ✔️ | ||||||||||||||||||||||||||||||||||||||||||
Dominica | North America | DM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Dominican Republic | North America | DO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Carlos J. Tapia Barredo |
|
|
|
| Dominican Republic has very poor data protection legislation. However, due to certain requirements of the GDPR for data transfer, and all jurisdictions of the area approving significant data protection legislation, there is currently a committee from Congress discussing a new data protection legislation which will not only increase scrutiny to data handlers, provide further protection to users, but also create an authority specifically for Data Protection. | |||||||||||||||||||||||||||||||||||||||
Algeria | Africa | DZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Ecuador | South America | EC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Rafael Serrano |
Ecuadorian legislation establishes that interception or surveillance measures may be carried out as a priority in the case of offenses considered as serious in accordance with the Convention against Transnational Organized Crime. Nevertheless, the Public Prosecutor's Office may request a judge to order an interception or surveillance measure for any offence established in the Criminal Code. The petition must be duly motivated. Furthermore, according to the National Security Act, in cases of undercover investigation related to national security situations, interception or surveillance measures can be performed upon obtaining judicial authorization or court order.
There is no definition nor limitation regarding a category of people.
The Criminal Code established a 90-day measure duration. This term can be renewed once for an equal period. For national security matters, the National Security Law establishes a 60-day measure duration. This term can be renewed once for an equal period.
The Criminal Code establishes that the Prosecutor must request the intervention measure to the judge. This petition must be duly motivated with relevant evidence related with the purpose of the investigation. The judge will determine the period for the interception; this must not exceed 90 days. The Prosecutor may request an extension for a similar period. Data and information obtained during the interception may be used in the procedure against the alleged offender. The data and information must remain secure and confidential. Only the transcription of the conversations or parts that are considered useful or relevant for the criminal investigation, will be included in the criminal procedure. Meanwhile, the National Security Act establishes that the information that is not related or will not be used in a criminal procedure must be destroyed or deleted with the court`s authorization.
There is no technical description regarding the precautions to be taken when communicating the data to other parties. Nevertheless, the National Security Law establishes that the access to reserved information shall be authorized by both the National Secretariat of Intelligence and officials from related agencies. Furthermore, the Criminal Code establishes that all digital content (including recordings and videos) must be in compliance with the chain of custody procedures.
According to the Criminal Code, the Prosecutor must file a petition duly motivated to the judge, requesting any interception or surveillance measure. The motivation of the petition must determine the need of the interception measure with the purpose of the investigation. Meanwhile, the National Security Law establishes that the National Intelligence Secretariat must file a petition to the President of the National Court for the implementation of interception and surveillance measures. Access to reserved information will only be granted to officials of the National Intelligence Secretariat and related authorities, including police or army members related to the investigation.
|
The Criminal Code allows the recording of all communications and information. Nonetheless, the use of these communications and information, is limited to the scope of the criminal investigation. The person may request all the recordings, when he or she deems it appropriate. Meanwhile, the National Security Law does not establish any objective limitation to the strictly necessary. Nevertheless, the President of the National Court may limit or prohibit the interception or surveillance if the interception or surveillance measures violates or affects constitutional rights. Information collected and not considered as necessary for the criminal procedure must be destroyed or erased, previous authorization and in presence of the President of the National Court.
The Criminal Code and the National Security Law establishes that the data which must be stored is that which would give rise to the initiation of a criminal procedure. The information must be destroyed or erased if it not required or used in the criminal procedure.
Yes, the National Security Law establishes that the data which must be retained has to be related or would give rise to a criminal procedure (if the data is related to a threat to national security).
The National Security Law prohibits data and information treatment based or selected by a persons religion, ethnicity, sexual orientation, political views, trade union, cultural, labor organizations or any other information that could result on discrimination.
There is no time restriction or limitation. Depending on the third person, it may be subject to a particular regulation (i.e. Witnesses protection regulation).
|
A judge is responsible for overseeing the surveillance measures. The judge is an independent authority and may refuse the interception or surveillance if these measures, if they violate constitutional rights or if they are not considered relevant for the criminal investigation. For national security measure, the President of the National Court is the competent judge to authorize or override these measures
|
Yes, Ecuadorian legislation recognizes the constitutional guarantee of habeas data. With this constitutional guarantee, the data subject may request the rectification or deletion of his personal data.
The individual can file a habeas data to any judge.
| ||||||||||||||||||||||||||||||||||||||||
Estonia | Europe | EE | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/03/2002 | S, R | ✔️ | Jamile Hamideh | ||||||||||||||||||||||||||||||||||||||||
Egypt | Africa | EG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Egypt as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Western Sahara | Africa | EH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Eritrea | Africa | ER | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Spain | Europe | ES | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator. The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | S, R, E: 01/10/1985 | S | ✔️ | Manuel David Martín Rodríguez | ||||||||||||||||||||||||||||||||||||||||
Ethiopia | Africa | ET | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Finland | Europe | FI | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/04/1992 | S, R | ✔️ | Jamile Hamideh | ||||||||||||||||||||||||||||||||||||||||
Fiji | Oceania/Australia | FJ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Falkland Islands [Islas Malvinas] | South America | FK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Micronesia | Oceania/Australia | FM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Faroe Islands | Europe | FO | ✔️ See here | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||
France | Europe | FR | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/10/1985 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Gabon | Africa | GA | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
United Kingdom (UK) | Europe | GB | ✔️ See here for the GDPR and here for the EU Law Enforcement Directive | ✔️ As of 31/01/2020 | ✔️ | ✔️ | ✔️ | For the time being, you can continue to use the former EU Standard Contractual Clauses for "restricted transfers" from the UK. The ICO has prepared UK versions (with guidance). The ICO consulted on their draft international data transfer agreement (IDTA) and guidance, which will replace the Standard Contractual Clauses. Note: The new 2021 EU Standard Contractual Clauses do not constitute retained EU law in the UK (pursuant to the European Union (Withdrawal) Act 2018). They are not recognized under the UK GDPR. | S, R, E: 01/12/1987 | S | S, R, E: 01/09/2011 | ✔️ | Mahdi Assan, Website | DP Tracker (a compilation of EU and UK data protection cases) | Twitter | LinkedIn | Preliminary Remarks: The majority of UK State surveillance law is contained in the Investigatory Powers Act 2016 (IPA 2016). Among the powers that the Act makes provision for includes the retention of communications data and the acquisition of communications data. Further rules and procedures can also be found in the Communications Data Code of Practice and the Bulk Acquisition of Communications Data Code of Practice, both of which were issued by the Home Office in 2018 under the IPA 2016. In relation to the retention of communications data, the Secretary of State may require a telecommunications operator to retain communications data by providing that operator with a retention notice (s.87(1) IPA 2016). The Home Office, liaising with various public authorities (including the SIAs), is responsible for issuing retention notices. Telecommunications operators subject to a retention notice must keep the existence and the content of such a notice secret unless permission is given otherwise by the Secretary of State (ss.95(2) and (3) IPA 2016). In relation to the acquisition of communications data, public authorities can obtain authorisation for the acquisition of communications data from telecommunications operators (ss.60A and 61 IPA 2016). This power may also be exercised in bulk form (s.158 IPA 2016). The existence and contents of an acquisition notice must be kept secret unless permission is given otherwise by the public authority serving the notice or the Secretary of State (ss.82(1) and (3) and 174(1) and (2) IPA 2016). “Communications data” essentially means metadata, i.e., the ‘who, what, where and how’ of a communication (s.261(5) IPA 2016). “SIAs” means the security and intelligence agencies, which includes the Government Communications Headquarters (GCHQ, for which see s.3 of the Intelligence Services Act 1994), MI5 (see s.1 of the Security Service Act 1989) and MI6 (see s.1 of the Intelligence Services Act 1994). The nature of the offences which may give rise to an interception or surveillance order:
Retention of Communications Data A retention notice may be served on a telecommunications operator on any of the following grounds (s.87(1) IPA 2016):
Acquisition of Communications Data In its targeted form, an acquisition notice may be served on a telecommunications operator on any of the following grounds (ss.60A(7) and 61(7) IPA 2016):
A “telecommunications operator” includes a wide range of entities responsible for providing a system facilitating the transmission of communications by means involving the use of electrical or electromagnetic energy (ss.261(10), (11) and (13) IPA 2016). This includes not only public networks but also private networks, such as:
Under a retention notice, a telecommunications operator must (s.92(1) IPA 2016):
| Retention of Communications Data Before issuing a retention notice, the Secretary of State must consider that it is both necessary and proportionate to issue the notice on one of the relevant statutory grounds (see Guarantee A for the statutory grounds) (s.87(1) IPA 2016).In addition, the Secretary of State must consider the following factors (s.88(1) IPA 2016):
The Secretary of State may require the retention of internet connection records, which effectively identify the service that a person has accessed online (s.62(7) IPA 2016). This includes a persons’ web browsing history, however the data that can be retained is limited to that before the first slash of a URL, i.e., ‘thecybersolicitor.com’ and not ‘www.thecybersolicitor.com/your-privacy/’.
Targeted Acquisition of Communications Data The issuing of an acquisition notice on a telecommunications operator must be both necessary and proportionate in relation to the statutory grounds on which it is being issued (see Guarantee A for the statutory grounds) (ss.60A(1)(a) and (c) and 61(1)(a) and (c) IPA 2016).The telecommunications operator will only be required to obtain and disclose to public authorities the amount of data needed to comply with the acquisition notice that is served on it (s.66(2) IPA 2016). A telecommunications operator will not be required to take steps to comply with an acquisition notice that are not reasonably practicable for it to take (s.66(3) IPA 2016). Public authorities may only acquire internet communication records where those records are used to:
Bulk Acquisition of Communications Data The issuing of a bulk acquisition notice on a telecommunications operator must be both necessary and proportionate in relation to the statutory grounds on which is being issued (see Guarantee A for the statutory grounds) (ss.158(1)(a) and (b) IPA 2016).Bulk acquisition of communications data must also satisfy three other conditions:
The Secretary of State must also have regard to (s.2(2) IPA 2016):
Does national legislation provide for any exception for persons under an obligation of professional secrecy (g., doctors, judges, public prosecutors, lawyers)? Public authorities must have regard to whether the level of protection to be applied in relation to the obtaining of information by virtue of a retention or acquisition notice is higher because of the particular sensitivity of that information. This includes items subject to legal privilege of which may require the level of protection applied to be higher (ss.2(2)(b) and (5)(a) IPA 2016). | Retention of Communications Data Ex ante oversight:
Targeted Acquisition of Communications Data Ex ante oversight:
Bulk Acquisition of Communications Data Ex ante oversight:
| The Data Protection Act 2018
Investigatory Powers Tribunal
| See Report of the Bulk Powers Review (2016) for a detailed description of the operational utility of the bulk powers contained under the IPA 2016, including the bulk acquisition of communications data. See R (Liberty) v Secretary of State for the Home Department (2018), in which the High Court held that where public authorities are seeking to serve a retention notice on a telecommunications operator for the purpose of preventing or detecting crime, that purpose should be specifically limited to ‘serious’ crime. The IPA 2016 was amended in 2018 to comply with this part of the judgment (see Data Retention and Acquisition Regulations 2018). However, the Court did find that the other aspects of the retention provisions, including the requirement for a notice to be necessary and proportionate subject to review by a Judicial Commissioner, was held to be compliant with EU law (in particular the Watson Case). See R (Liberty) v Secretary of State for the Home Department (2019), in which the High Court held that the bulk powers under the IPA 2016 were, on their face, compliant with the requirements under the ECHR and the caselaw of the European Court of Human Rights.-------- Comment by Christopher Schmidt: Please observe that EU law on the protection of personal data (see, Article 70 of the Withdrawal Agreement) shall apply in the UK for personal data collected before 01/01/2021 and processed in the UK on the basis of the Withdrawal Agreement even after the end of the transition period (31/12/2020) pursuant to Article 71(1)(b) of the Withdrawal Agreement (commonly referred to as 'Frozen GDPR'). | |||||||||||||||||||||||||||||||||||
Grenada | North America | GD | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Georgia | Asia | GE | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/04/2006 | Sophio Kurtauli | There are two types of secret surveillance in Georgia: Counterintelligence and secret investigative actions. Let’s review legal framework:
The nature of the offences could be an intentionally serious and/or particularly serious offence or offences defined article by article (see article 1433, p.2, sub-paragraph “a”). The people that might be subject to surveillance could be person against whom a secret investigative action is to be carried out, has committed any of the offences defined already (person directly related to the offence), or a person receives or transmits information that is intended for, or is provided by, a person directly related to the offence, or a person directly related to the offence uses the communication means of the person (see article 1433, p.2, sub-paragraph “b”). The prosecutor is entitled to apply to court with reasonable motion and court is authorized to define period of time to conduct secret investigative action (Article 1433, p. 10, sub-paragraph “d”). There is one exception then prosecutor is entitled to conduct secret investigative action without court ruling in the case of urgent necessity, when a delay may cause destruction of the facts important for the case (investigation), or make it impossible to obtain those data, but he/she is obliged to limit this action in time that doesn’t exceed 48 hours. Also, prosecutor is obliged to apply to first instance court no more than 24 hours after beginning secret investigative process and ask for recognition of lawfulness (article 1433, p. 6). Another exception goes to duration of time that might not be clear and precise because the total period of time to conduct secret investigative action could be 6 months (article 1433, p. 12). There is balance when General Prosecutor of Georgia is authorized to extend secret investigative action once no longer than 3 months. Some about procedure, after court ruling of authorization or refusing or recognition of lawfulness one copy of ruling is sent to State Inspector Office of Georgia (hereinafter – SIOG, remark: that is authorized to control data protection in the country) by using electronic control program and after submission from SIOG is possible to begin action. Court ruling determines authorized agency that conducts secret investigative action and authorized agency that is introduced and transmitted secret investigative materials. Only investigators, prosecutors and judges may, before the completion of secret investigative actions, examine the information obtained as a result of those actions (provided that such information is substantially related to the issue that they are to review) (article 1439). The procedure for destruction is quite detailed and determined in article 1438. The information obtained as a result of secret investigative actions shall, by decision of the prosecutor, be immediately destroyed after the termination or completion of such actions, unless the information is of any value to the investigation. The authorized officials for destruction are: prosecutor/supervisor prosecutor in the presence of a judge. A record of the destruction of materials signed by the relevant prosecutors and judges, shall be handed over to the SIOG and shall be included in the court's registry of secret investigative actions.If materials will be recognized as inadmissible evidence shall be immediately destroyed six months after the court of the final instance renders a ruling on the case. Until destruction, these materials shall be kept in a special depository of a court. No one may access these materials, or make copies of them or use them, except for the parties who use them for the purpose of exercising their procedural powers. The materials obtained as a result of secret investigative actions that are attached to a case as material evidence shall, be kept in the court for the period of keeping this criminal case. After the expiration of this period, the above materials shall be immediately destroyed. An administration of the court that kept the material before its destruction shall be responsible for adequate keeping of the material obtained as a result of secret investigative actions. These measures aren’t enough to say that Georgia has clear precise and accessible rules because there is opportunity from State Intelligence Service always and anytime control and listen who they want.
| There is general rule in law of Georgian on Counter-intelligence activities that all measures they carry out depend on strict protection of human rights and freedoms and the rights of legal persons, and respect for human dignity. Counter-intelligence agency has very special and important role in any country to detect and prevent terrorist acts and foreign intelligence, to prevent threat against national security. Their activities are secret so its very difficult to control proportionality or legitimate objectives do meet the expectations or not. The principles of carrying out secret investigative actions according to Criminal Procedure Code of Georgia are the following: a) Determinacy - there is a list of criminal offences there should be initiated secret investigative actions (article 1433, section 2, sub-section “a”), b) Legitimate goal - to achieve a legitimate goal in a democratic society, in particular, to ensure national or public security, to prevent riots or crime, to protect the country's economic interests and the rights and freedoms of other persons. Secret investigative actions are necessary in a democratic society if they are carried out due to urgent public needs and if they constitute an adequate and proportional means for the achieving a legitimate goal; c) necessity - Secret investigative actions may be carried out only when the evidence essential to the investigation cannot be obtained through other means or it requires unreasonably great effort; d) Proportionality - The scope (intensity) of the secret investigative action must be proportionate to the legitimate goal of the secret investigative action. There are special laws providing obligations for professionals to save professional secrecy:
| The independent oversight mechanism is still under question (see, my Answer in Guarantee A about Constitutional lawsuit) because Legal Entity Georgian Operational-Technical Agency has technical capacity for real-time communication. Court and SIOG have opportunity to control in electronic registry if the measures were done properly. According to Criminal Procedure Code of Georgia the Supreme Court of Georgia shall prepare a registry of secret investigative actions, which shall include statistical information on secret investigative actions, in particular: information on motions filed with the courts for the conduct of secret investigative actions, and on ruling rendered by courts on those motions, as well as information on the destruction of materials obtained as a result of operative-investigative actions that did not concern criminal activities of the given person but which, include details on that or another person's private life and that has been destroyed in accordance with Article 6(4) of the Law of Georgia on Operative-Investigative Activities. According to Georgian Law on “State Inspector Office in Georgia” SIOG has obligation to control activities regarding secret investigative actions determined in Criminal Procedure Code of Georgia (chapter IV). | The individual is guaranteed by legal remedies to access his/her personal information, to obtain information on his/her personal data processed, request their correction, updating, addition, blocking, deletion and destruction. But this is not absolute right and might be restricted according to article 24 of Law of Georgia “On Personal Data Protection”. The individual applies to the authority who processes her/his information and requests correction, updating, addition, blocking, deletion and destruction. If this authority denies his/her request individual has right to apply to the SIOG that researches legal grounds and decides the case. If the latter rejects individual’s request he/she has right to apply to court. Generally, if materials (see, my answer in Guarantee A) are closed no one has right to access to it, because these materials are destructed by special committee (for secret investigative actions destruction procedure is provided in article 143 8 of Criminal Procedure Code of Georgia). But in some cases, it might be different when it comes to state secrecy or other relevant information. One more but, there isn’t clear provision in law that destructed materials aren’t reachable for anybody. | Links:
| ||||||||||||||||||||||||||||||||||||||
French Guiana (French Overseas Department and Region) | South America | GF | (EU member state) | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
Guernsey | Europe | GG | ✔️ See here | ✔️ | ✔️ | ✔️ | ❌ | ✔️ | Guernsey's Office of the Data Protection Authority has published guidance (including an Addendum for the EU Commission’s Standard Contractual Clauses) for transferring people’s data outside the Bailiwick. | ||||||||||||||||||||||||||||||||||||||||||||
Ghana | Africa | GH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Desmond Israel | ||||||||||||||||||||||||||||||||||||||||||||
Gibraltar | Europe | GI | ❌ | ✔️ | ✔️ As of 31/01/2020 | ❌ | ❌ | ❌ | Please note that, on 1st January 2021, the EU GDPR was superseded by the Gibraltar General Data Protection Regulation. The legislation however remains largely the same, and therefore, the general principles relating to the EU GDPR as may be referenced within this Guidance Note, continue to apply to the current regime. Guidance on International Transfer by the Gibraltar Regulatory Authority can be found here. | ||||||||||||||||||||||||||||||||||||||||||||
Greenland | North America | GL | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Gambia | Africa | GM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guinea | Africa | GN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guadeloupe (French Overseas Department and Region) | North America | GP | (EU member state) | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
Equatorial Guinea | Africa | GQ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Greece | Europe | GR | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/12/1995 | S | ✔️ | Magdalini Skondra, CIPP/E, Lawyer at the Supreme Court of Greece | A. As regards to the area of Police marking elements, e.g. fingerprints, photographs, DNA, blood and other human body fluids examination (applicable laws p.d. 342/1977, CPP, p.d. 178/2014, J.M.D. 3021/2005): There are many different laws applicable. Older laws (such as p.d. 342/77 about fingerprints and photographs of arrested people) apply to every offence and every arrested person. In case of a conviction the retention period is 90 years after the person’s birth, or until death, if sooner than 90 years. There is no erasure even in case of a decision declaring the defendant innocent if the innocence relies on his/her practical repentance. There are some measures and procedure steps’ requirements regarding the collection, storage and communicating of the data, as well as a prohibition of confidentiality breach. Among third parties that are allowed to access the data collected, surprisingly private companies are included, as long as the data refer to an employee or candidate employee, and the public prosecutor allows their access. To the best of my knowledge, this provision is due to the period this law came into force and hopefully is currently not applied. Things look much better regarding the recently renewed Code of Penal Procedure, that enforces the immediate destruction of evidence such as DNA, in case of innocence, or the retention under strict rules of access in a special registry, inspected by a public prosecutor. Any DNA file must be destroyed at the time of death of the referred person. The right to obtain a defendant’ s DNA sample only applies in most severe offences. As far as fingerprints collected in the course of passports’ issuance, Greece follows the EU Regulation 2225/2004, but Homo Digitalis complaints about police’ s unlawful practice of retention in its central database of all fingerprints collected for purposes of passport issuance. There is no legal basis for such retention, since the law and the EU regulation, provides for fingerprint storage only on the encrypted machine-readable biographical data page of the passport. The main law that provides for video surveillance in public spaces is 3917/2011. Art. 14 p.5 provides that it might be allowed to implement such surveillance only for the specific, exhaustively listed in it, serious offences, through means and under guarantees provided by a presidential decree that was never signed, until recently: on September 10 2020, the Greek Republic issued the presidential Decree 75/2020 for the execution of art. 14. The first draft of the Decree, was vastly amended, in accordance to the Hellenic DPA Opinion, that had found it to be unconstitutional and totally incompatible with the GDPR and the L.4624/2019 that implemented the EU 2016/680 Directive. The later p.d. provides for the circumstances under which the Hellenic Police, the Coast Guard and the Fire Brigade are allowed to install and operate sound and/or video recording systems, including body worn cameras and drones, in public places. The provisions of the p.d. are clear enough and accessible to anyone through the national official journal. As for the precision element: Article 5 provides that it is required to have sufficient evidence that the specific offences referred to in art. 3 are taking place or are about to take place in the specific space. The existence of sufficient evidence should be reasoned with reference to facts such as, in particular, statistical or empirical data, studies, reports testimonies, information on frequency, type and specific characteristics of the crimes committed in a specific area, as well as for, on the basis of the above elements, probable spread or transfer of crime to another public space. The p.d. provides that a data protection impact assessment should be carried out before the installation decision, but also before the operation decision, of any surveillance system. The p.d. provides for several technical and organizational measures that should be implemented, such as strict access rights, log file retention and encrypted connection. A recent amendment of L.2800/2000 added art. 25, that provides for the use of police drones for collection and processing of images. There is absolutely no other provision than a rather indefinite reference allowing such a processing “according the law”. Homo Digitalis sent the Minister an open letter about this issue too. There is another case where the police may currently use smartphone cameras, or other technical equipment to collect image, audio and video footage: art. 41D of L.2725/1999, as it was recently amended provides that: in case of sport events and after a public prosecutor’s authorization, police officers may use such means, for the confrontation of acts of violence and criminal offenses on the occasion of sporting events and for the purposes of prevention, investigation, detection, prosecution of criminal offenses, imposition and execution of criminal sanctions or restrictive conditions. For the lawful collection and processing of the above data, the previous relevant notification of the fans is necessary by any appropriate means, in particular with a clear indication on the ticket, with announcements on fixed or mobile plates, with announcements from loudspeakers or with a relevant announcement in the Media. The physical or digital carrier in which the evidence is embedded is a legal means of proof, which can be used in the context of criminal proceedings and the execution of criminal sanctions and restrictive conditions. The content of the material or digital carrier is permanently deleted or the material or digital carrier is completely destroyed after thirty (30) days from the collection and processing of personal data (unless it actually provides evidence of criminal offence). C) Undercover/secret police investigations such as video/audio recordings of activities (not communications) PCC art. 254, 255: The totally renewed in late 2019 Code of Penal Procedure provided specific guarantees for secret investigative acts such as video/audio recordings of activities: such recording is strictly prohibited if the activity is taking place inside a house. It can take place only by a competent public prosecutor order for specific and exhaustively listed serious crimes, and only when there are serious indications of guilt of the person(s) under surveillance. Additionally, there must be no other appropriate way to detect or prevent the specific crime. D) Retention periods of criminal convictions CPP art. 573. One might think that all the issues older legislation raises are resolved by the newer national law that implements the LED. But this is not exactly the case. There are serious issues raised by this law, such as time limits: art. 5 of the LED provides that time limits are to be established for the erasure of personal data, and that a periodic review procedure of the need for the storage of personal data must be in place. Art.73 of L.4624/2019 does not provide for time limits, nor for periodic reviews by Greek law enforcement authorities. In addition, while the provision of article 10 GDPR is providing authorization to the national legislator to take the necessary measures for the provision of adequate guarantees for the processing of personal data relating to criminal convictions and offenses, the Greek law did not introduce such a provision. According to the Greek DPA’s opinion on this law, “it becomes rather impossible to implement the provision of Article 10 of the GDPR” in Greece. |
|
|
| The recent Greek data protection law (L.4624/2019) has raised serious concerns due to its vagueness and some of its provisions that appear to be incompatible with the GDPR and the LED. Some of these issues are presented in the Greek DPA’ s opinion. Due to all the above issues, on October 24, 2019, Homo Digitalis lodged a complaint to the European Commission for non-compliance with EU law, regarding the provisions of the Law 4624/2019 on personal data and namely with the provisions of Directive 2016/680 and Regulation 2016/679 (Reference No CHAP(2019)03059). | |||||||||||||||||||||||||||||||||||
South Georgia and the South Sandwich Islands | South America | GS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guatemala | North America | GT | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guam | Oceania/Australia | GU | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guinea-Bissau | Africa | GW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Guyana | South America | GY | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Gaza Strip | Asia | GZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Hong Kong | Asia | HK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Jasmine Yung, Trainee Solicitor, Hong Kong Law Firm, is a privacy professional with experience in privacy law enforcement, compliance investigation, policy research, speech writing, international liaison and promotion. Interested in how technologies impact privacy and our lives. Prior to pursuing a legal career, Jasmine has worked in Hong Kong’s Office of the Privacy Commissioner for Personal Data for 6 years. | The main legislation in Hong Kong is Interception of Communications and Surveillance Ordinance (Cap. 589, Laws of Hong Kong) (ICSO). The nature of the offences which may give rise to an interception or surveillance order:
A definition of the categories of people that might be subject to surveillance:
A limit on the duration of the measure:
The circumstances and substantive and procedural conditions relating to the access of the competent authorities:
“Relevant factors” mean —
[i] “Type 1 surveillance” means any covert surveillance other than Type 2 surveillance. [ii] “Type 2 surveillance” means any covert surveillance that—
|
|
__________
|
|
| |||||||||||||||||||||||||||||||||||||||
Heard Island and McDonald Islands (Australian External Territory) | Africa | HM | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||||||
Honduras | HN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Croatia | Europe | HR | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/10/2005 | S, R | ||||||||||||||||||||||||||||||||||||||||||
Haiti | HT | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Hungary | HU | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/02/1998 | S | ✔️ | ||||||||||||||||||||||||||||||||||||||||||
Indonesia | ID | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | N/A Please see the country report for Indonesia as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||||
Ireland | IE | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/08/1990 | S | ✔️ | ||||||||||||||||||||||||||||||||||||||||||
Israel | Asia | IL | ✔️ See here | ✔️ | ✔️ | ❌ | ✔️ See here or here | ✔️ | ✔️ | Nir Feinberg | |||||||||||||||||||||||||||||||||||||||||||
Isle of Man | IM | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
India | IN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Ms. Tripti Dhar, Partner – Reina Legal
|
Section 69 of the Information Technology Act, 2000 confers power on the central government or the state government to issue direction for interception, monitoring or decryption of any information through any computer resource to protect sovereignty or integrity of India, defence of India security of state, friendly relations with foreign states, or public order or preventing incitement to commission of any cognizable offence or for investigation of any offence.
The existing laws in the region are silent on this subject.
Rule 11 of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes maximum time of interception as 60 days and on renewal not to exceed 180 days
Rule 3 of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that such interception requires prior approval from the competent authority i.e. Secretary in Ministry of Home Affairs, in case of Central Government and Secretary in charge of Home department in case of State Government (except. in emergency cases where separate procedure is provided).
Rule 20 of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 prescribes that the The intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure the unauthorised interception of information does not take place and extreme secrecy is maintained and utmost care and precaution shall be taken in the matter of interception or monitoring or decryption of information as it affects privacy of citizens and also that it is handled only by the designated officers of the intermediary and no other person of the intermediary or person in-charge of computer resources shall have access to such intercepted or monitored or decrypted information.
Rule 6 of the said rules provides for Interception or monitoring or decryption of information by a State beyond its jurisdiction Rule 21 of the said rules places the obligation on intermediaries to ensure their employees maintain secrecy and confidentiality of intercepted communications and Rule 25 prohibits its disclosure except to the officer of authorized agency who" can use such information only for specified uses pursuant to direction of competent authority. Rule 23 prescribes destruction of intercepted communications after these are not required for law enforcement purposes.
Similarly, the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 were passed for governing activities of monitoring and collection of traffic data. Rule 3 of the said rules mandate prior permission of competent authority i.e. Secretary to the Government of India in Department of Information Technology under Ministry of Communications and Information Technology to conduct monitoring or collection of traffic data for cyber security reasons, inter alia, forecasting of imminent cyber incidents, tracking of persons and computer resource breaching cyber security. Competent authority can authorize any agency for the said purposes. In order to prevent unauthorized monitoring and maintenance of secrecy of information collected intermediaries are made liable for their employees by Rules 5, 6 and 11 of the said rules.
The Retd. Justice K S Puttaswamy Case (2017 SCC OnLine SC 996) established the ‘proportionality and legitimacy’ test – which is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:
|
|
Competent Authorities: Under Rule 2(d) of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 the Secretary in the Ministry of Home Affairs, in case of the Central Government; or the Secretary in charge of the Home Department, in case of a State Government or Union territory, as the case may be; Any officer not below the rank of Joint Secretary to the Government of India, who has been authorised by the Union Home Secretary or the State Home Secretary in this behalf, may authorize the interception of communications in case of an emergency. Review committee: Under the Indian Telegraph Act 1885 and the Rules issued thereunder (Rule 419A), a Central Any direction issued by the competent authority under Rule 3 of of Information Technology (Procedure and Safeguards for Interception, Monitoring; and Decryption of Information) Rules, 2009 shall contain reasons for such direction and a copy of such direction shall be forwarded to the Review Committee within a period of seven working days. |
There is no legislation in place however the Personal Data Protection Bill, 2019 provides for correction, completion, updating and erasure of personal data and also envisages to establish regulating authority. The bill is yet to come into effect. Since right to privacy was recognised by Apex court in case of Retd. Justice K.S. Puttaswamy v. Union of India (2017 SCC OnLine SC 996). It signifies that one can always file writ for legal remedy. | The Personal Data Protection Bill, 2019 is introduced in parliament and is currently under review by Joint Parliamentary committee. The bill provides for protection of personal data of individuals. _________________ Please note that according to a recent legal study published by the European Data Protection Board "on Government access to data in third countries", the researchers found that "[...] the Indian government has a track record of infringing both rights [to privacy and personal data protection] extensively", while the "regulations foresee widespread exemptions for governmental access to personal data". Please see the country report for India as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||
British Indian Ocean Territory (British Overseas Territory) | Africa | IO | |||||||||||||||||||||||||||||||||||||||||||||||||||
Iraq | IQ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Iran | IR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Iceland | IS | (EEA member state) | ✔️ | ✔️ | ✔️ | ✔️ | ❌ | S, R, E: 01/07/1991 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
Italy | IT | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/07/1997 | S | ✔️ | Filippo Bianchini | |||||||||||||||||||||||||||||||||||||||||
Jersey | Europe | JE | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ | ||||||||||||||||||||||||||||||||||||||||||||||
Jamaica | North America | JM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Jordan | Asia | JO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Jordan as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Japan | Asia | JP | ✔️ See here | ✔️ Only covers private sector organisations. | ❌ | ❌ | ✔️ See here or here | ✔️ | ✔️ | ✔️ | ✔️ | Takaya Terakawa, CIPP/E, CIPM, Tehnica Zen (CEO) Takaya is a certified privacy professional as well as a data governance consultant in Japan. Takaya runs his own enterprise, Technica Zen, and provides consultation and training services to companies. Takaya is a child online safety advocate and Head of Cybersafety.org Japan, an NPO established by recognized cybersecurity U.S. attorney, Parry Aftab. | Japanese rule reflects the OECD guideline. It incorporates the concepts included in the OECD guidelines such as collection limitation and purpose specification. The personal information protecting rules for administrative organs is specified in the “Act on the Protection of Personal Information Held by Administrative Organs” (“APPI-AO”), and for incorporated administrative agencies is specified in the “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.” (“APPI-IAA”). Both administrative organs and incorporated administrative agencies must follow the rules below to the extend necessary for conducting processes under its jurisdiction provided by laws and regulations. The rules include:
Regarding the criteria given in the Art. 29 Working Party's Working Paper 237, you cannot find any information in those Acts since these rules relating to handling personal information focuses on general topics and do not pick up the surveillance specifically. Japan has “Telecommunications Business Act”, but this only applies to private organizations. | As mentioned in the “Guarantee A”, rules for governmental organizations includes OECD guideline principles clearly.
| No independent organization supervises governmental organizations in Japan. Responsible minister manages administrative organs and incorporated administrative agencies. The Minister of Internal Affairs and Communications may collect reports on the status of enforcement of “Act on the Protection of Personal Information Held by Administrative Organs” from the heads of Administrative Organs. The Minister of Internal Affairs and Communications may collect reports on the status of enforcement of “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.” from the incorporated administrative agencies, etc. | Individuals are granted for requesting for disclosure, correction, and suspension of use of their personal information held by government. If the request is not accepted, individuals are entitled to appeal for review of any inaction related to the request. | The Japanese APPI applies to private organizations. Since the PPC is defined in the APPI, the power of the PPC is also restricted to private organizations. (See Art. 2 (5) APPI and Art. 61 APPI) The only exception when the PPC may monitor governmental organizations is when governmental organizations handle “Anonymized Personal Information”, which is pseudonymized governmental data. When you see Japanese personal information protecting acts, you will notice that the assumption is “government will not do harms”. Although Japan does have acts for governmental organizations, the oversight mechanism is unclear. | ||||||||||||||||||||||||||||||||||||
Kenya | Africa | KE | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Kenya as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Kyrgyzstan | Asia | KG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Cambodia | Asia | KH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
Kiribati | Oceania/Australia | KI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Comoros | Africa | KM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Saint Kitts and Nevis | North America | KN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
North Korea | Asia | KP | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
South Korea | Asia | KR | ✔️ See here | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
Kuwait | Asia | KW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Ms. Tripti Dhar, Partner – Reina Legal
|
According to Article 1 of Law No. 61 of 2015 each camera and security surveillance device is used to capture, transfer, and record the image, in order to monitor and observe the security situation.
The existing laws in the region are silent on this subject.
Article 5 of Law No. 61 of 2015 prescribes a period to keep to recordings of the survelliance for a period of 120 days and shall destroy the recordings immediately after the expiry of that period.
The existing laws in the region are silent on this subject.
Article 6 of Law No. 61 of 2015 prohibits the extradition or transfer, store, send or publish any of the recordings referred to, except with the written consent of the competent point of the investigation or the competent court.
|
The existing laws in the region are silent on this subject.
Article 3 of Law No. 61 of 2015 Prescribed by the minister of technical specifications for the cameras and surveillance equipment and security according to what is locally and internationally certified, and identifies the competent authority places and points status and number in the facilities.
Article 9 of Law No. 61 of 2015 Prohibiting the installation of cameras and security surveillance in the stomach places to live or to sleep or physical therapy rooms or dressing and restrooms, health institutes and women's salons women or any positions contrary to put cameras where with personal privacy and shows in the Regulations rooms, may be a decision of the Minister to add other possibility
Article 6 of Law No. 61 of 2015 Without prejudice to the provisions of Article (5) prohibits the extradition or transfer, store, send or publish any of the recordings referred to, except with the written consent of the competent point of the investigation or the competent court. |
According to Article 1 of Law No. 61 of 2015, the competent authority is the designation specified by the Minister of Interior.
Article 7 of Law No. 61 of 2015 Owners of facilities and those responsible for managing maintenance of cameras and security surveillance and updated periodically and continuously, to ensure a good performance for its purposes, and the continuity of compliance with the technical specifications. Article 8 of Law No. 61 of 2015 The employees who are appointed by the competent minister to adjust the violations set forth in this law, the status of law enforcement officers, and to them in order to fulfill their entry facilities and inspect and adjust the material irregularities and the subject of the offense and the liberalization of the necessary records and forwarded to the relevant point of the investigation. Article 10 of Law No. 61 of 2015 In terms of the investigation or the court may consider registrations made by surveillance cameras and security devices, as a guide. The onus is more on the owners of the facility. Actions are taken once a violation occurs. |
According to Article 36 of Law No. 20 of 2014, A) Individuals are allowed to request the bodies authorized by law, governmental bodies, agencies, public institutions, companies, non-governmental bodied or employees to delete or amend any of their personal data or information which the bodies keep in their records or electronic processing systems if they were found to be invalid or non-conforming with reality. The Individuals may also request such information to be replaced according to the amendments thereto.B) The Executive By-law of this law sets forth the procedures and controls that must be followed regarding the requests submitted by individuals for the deletion or amendment of their personal data registered at one of the aforementioned bodies. | The information provided above is from unofficial English translation. | |||||||||||||||||||||||||||||||||||||||
Cayman Islands | North America | KY | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Kazakhstan | Europe | KZ | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Laos | Asia | LA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
Lebanon | Asia | LB | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Lebanon as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Saint Lucia | North America | LC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Liechtenstein | Europe | LI | (EEA member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | S, R, E: 01/09/2004 | S | |||||||||||||||||||||||||||||||||||||||||||
Sri Lanka | Africa | LK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Samantha de Soysa | ||||||||||||||||||||||||||||||||||||||||||||
Liberia | Africa | LR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Lesotho | Africa | LS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Lithuania | Europe | LT | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/10/2001 | S, R | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Luxembourg | Europe | LU | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/06/1988 | S | ✔️ | Nicolas Hamblenne | ||||||||||||||||||||||||||||||||||||||||
Latvia | Europe | LV | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/09/2001 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Libya | Africa | LY | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Morocco | Africa | MA | ❌ | ❌ | ❌ | ❌ | ❌ See here | ✔️ | R (Accession), E: 01/09/2019 | N/A Please see the country report for Morocco as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||||
Monaco | Europe | MC | ❌ | ❌ | ✔️ | ✔️ | ✔️ | ✔️ | S, R, E: 01/04/2009 | S | Olivier Guillo | ||||||||||||||||||||||||||||||||||||||||||
Moldova | Europe | MD | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/06/2008 | Veronica Mocanu | |||||||||||||||||||||||||||||||||||||||||||
Montenegro | Europe | ME | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 06/06/2006 | Mina Crnogorac | |||||||||||||||||||||||||||||||||||||||||||
Madagascar | Africa | MG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Marshall Islands | Oceania/Australia | MH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Mali | Africa | ML | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Myanmar [Burma] | Asia | MM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
Mongolia | Asia | MN | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Macau | Asia | MO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Northern Mariana Islands | Oceania/Australia | MP | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Martinique (French Overseas Department and Region) | North America | MQ | (EU member state) | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
Mauritania | Africa | MR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Montserrat | North America | MS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Malta | Europe | MT | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/06/2003 | S, R | Farman Ali Shah Sayed | |||||||||||||||||||||||||||||||||||||||||
Mauritius | Africa | MU | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | R (Accession), E: 01/10/2016 | S, R | Deepshi Hujoory, LLB(Hons), CIPP/E, CIPT | I would refer to four pieces of legislation in Mauritius to elaborate on the nature of offences which may give rise to a surveillance or interception order:
Link to the ICTA: https://www.icta.mu/docs/laws/ict_act.pdf
Link to act: http://www.ncb.mu/English/Documents/Legislations/COMPUTER_MISUSE.pdf
Link to the Constitution: http://mauritiusassembly.govmu.org/English/constitution/Pages/constitution2016.pdf
Section 44 of the DPA goes even further and exempts processing of personal data from all provisions of the DPA where, in the opinion of the Prime Minister of Mauritius (“PM”), same would be required for the purpose of safeguarding national security, defence or public security. In such a case, a certificate under the hand of the PM would be needed to constitute conclusive evidence of such an exemption. Link to the DPA: http://dataprotection.govmu.org/English/Legislation/Pages/Data-Protection-Act-2017-.aspx
It can only be inferred that the categories of people that might be subject to surveillance are those who are suspected of being in contravention with the laws, or who are parties to criminal proceedings. However, it can also be inferred that anyone from the general public of Mauritius could be subject to surveillance if it concerns protection of national security, defence or public security. This is currently the case with the Safe City Project of the actual Government, whereby some 4000 video surveillance cameras, equipped with facial recognition, have been installed in public areas for the prevention of crime, and to aid in identifying and retracing criminals. Another example is the Online Content Filtering system put in place by the ICT Authority which filters attempts to access Child Sexual Abuse (“CSA”) sites by Mauritian Users and blocks those websites since year 2011 to date.
While the Safe City Project and the CSA filtering are here to stay, other cases of surveillance and inception orders would last once the investigation is complete and/ or the person is prosecuted for the offence committed. The ICTA specifies that an order of the Judge shall remain valid for a period not exceeding 60 days. There are, in my opinion, grey areas with respect to detailed procedures to be followed in spite of the listed duties of Police Force detailed in the Police Act, especially when we are moving towards a highly digitalised environment. For the Safe City Project for instance, the then Leader of the Opposition raised concerns on how to prevent abuse, misuse, surveillance of all types against civil servants, how data access is going to be and how secure the system would be, amongst others. The then Minister of Defence replied that the system was secure and would be solely under the control of trained Police Officers. Furthermore, he also highlighted that the Commissioner of Police, together with the Data Protection Commissioner were working towards the formulation of a Code of Practice to be issued by the Government for filling in the procedural void. | The legislative framework of Mauritius does bind collection, processing or storage of personal data with respect to interception or surveillance by the Government or Government Bodies to what is strictly necessary by specifying and limiting the scenarios in which these can be done. The main reasons are, as listed in detail above, for the protection of national security, defence or public security and for the purposes of investigation, prosecution or prevention of offences. As regards to what personal data may be stored, this would be subject to the reasons for which such surveillance or interception order is required; for example, an interception or preservation order falling under the ambit of part III the Cybercrime Act would include storage of traffic data and subscriber information, while interception under Section 32 of the ICTA only finds the latter describing the message which should be collected and stored, irrespective of what personal data the message could carry, as long as the message can reasonably be termed as indecent, abusive or likely to endanger public order and safety, amongst other reasons listed above. However, since legislative provisions do go hand in hand with one another, the principles relating to processing personal data, inter alia, to only collect data for legitimate purposes and to only collect data which is adequate, relevant and necessary for the purposes of processing, as listed in Section 21 of the DPA, should normally be followed while proceeding as per what other Mauritian laws lay down.
Concerning the Safe City Project, the question of data retention was raised by the then Leader of the Opposition as to how long the data captured would be stored. The vague response provided by the Government was “…for a reasonable time, depending on the circumstances.” We would most certainly require further precise information on this, either via the aforementioned Code of Practice to be issued, or via another specific law to be passed for this project, as requested by the Data Protection Commissioner to the Government. It is to be noted nonetheless that the DPA, in its Section 21(e) provides that data should not be stored for any longer than necessary for the purposes for which the data was processed. The ICTA talks more specifically about data which has been collected for the purposes of criminal investigations in its Section 17 and thereby does not allow for data to be used for any other purpose other than that for which it was originally sought unless the Court or a Judge ordered otherwise, or it has become necessary to do so in the public interest, or for the further prevention of offences and losses. I would also highlight a recent local news article [source: https://www.lexpress.mu/article/377987/donnees-personnelles-mra-tenue-detruire-toutes-informations-fournies-pendant] which documented views of the ex-Chairman of the ICTA with regard to retention of personal data collected during the lockdown period. In Mauritius, lockdown started in March and ended on the 30th of May. In this period, Government Authorities were bound to collect personal data while processing applications for Work Access Permits or other applications under the Government Wages Assistance Scheme and the Self-Employed Assistance Scheme, all of which were measures set up to sustain the business sector amidst this period of crisis. The ex-Chairman highlighted that Government Authorities and the Police are all obliged under the DPA to delete all personal data collected for these purposes since they will no longer be necessary after the lockdown period. | Under both the ICTA and the Cybercrime Act, the independent oversight mechanism rests on entrusting control to a judge at the first stage of surveillance, i.e. real time interception and collection of data may only be done by order of a Judge in Chambers, after the latter is satisfied that such an action is necessary for the investigation or prosecution of an offence. I would also highlight that the independence of the Mauritian legal system lies in the doctrine of separation of powers, upon which our constitution is based, where the Judiciary is separate and independent from two other organs of the State, which are the Executive and the Legislature. Moreover, we have a Data Protection Office in Mauritius, which is a public office established under Section 4 of the DPA to act with complete independence and impartiality, and not to be subject to the control of any other person or authority. Currently, the head of the Data Protection Office - the Data Protection Commissioner, has been holding office since August 2007 irrespective of the composition of either the Executive or the Legislature. Under Section 44 of the DPA, the Data Protection Commissioner is empowered to apply for a Judge’s order to protect the rights of individuals where the data protection laws have been breached, but apart from that, I opine that the Commissioner could, on his/ her own, act as an independent oversight mechanism. Our Data Protection Act does not specifically mention at which stage of processing should the Data Protection Commissioner be involved for an independent oversight; instead, Section 5 of the DPA lists down the functions of the Commissioner, which I would interpret as broad enough to encompass a constant monitoring process – “The Commissioner shall […] monitor developments in data processing and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals.” Furthermore, if we take as example the aforesaid case of the Safe City Project, as mentioned by the then Minister Mentor in the National Assembly, the Data Protection Commissioner was involved in the matter, to provide advice as well as in the exercise of issuing of a Code of Practice, before the system became operational. | Sections 37 and 38 of the DPA list down the rights of data subjects, namely, the right of access and the right of rectification, erasure or restriction of processing. In the event, these rights are not respected, data subjects have a possibility to lodge a complaint with the Data Protection Commissioner. The latter is empowered under Section 6 of the DPA to:
If required, in the event the DPA has been breached and rights of data subjects have not been respected, as aforementioned under Guarantee C, the Commissioner may apply for a Judge’s order. | Hansard of the National Assembly of Mauritius dated 21 Mat 2019 – Safe City Project, available at http://mauritiusassembly.govmu.org/English/hansard/Documents/2019/hansard0819.pdf | |||||||||||||||||||||||||||||||||||||
Maldives | Asia | MV | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Malawi | Africa | MW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Mexico | North America | MX | ❌ Potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ✔️ | ✔️ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | R (Accession), E: 01/10/2018 | ✔️ | ✔️ | N/A Please see the country report for Mexico as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||
Malaysia | Asia | MY | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | ✔️ | George Mathews | |||||||||||||||||||||||||||||||||||||||||
Mozambique | Africa | MZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Namibia | Africa | NA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
New Caledonia (French special collectivity) | Oceania/Australia | NC | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||||
Niger | Africa | NE | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Norfolk Island | Oceania/Australia | NF | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Nigeria | Africa | NG | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | Invitation valid until 06 July 2022 | Ridwan Oloyede, Partner (Privacy & Data Protection) Tech Hive Advisory | The nature of the offences which may give rise to an interception or surveillance order: Section 29 of the Terrorism Prevention Amendment Act provides that the “relevant law enforcement agency with the approval of the Attorney - General of the Federation may, with the approval of the Coordinator on National Security for the purpose of the prevention of terrorist acts or to enhance the detection of offences related to the preparation of a terrorist act or the prosecution of offenders under” the Act can apply to a judge for an “interception of communication order”. The Cybercrimes Act do not have a similar provision, but it establishes basis for interception, which includes investigation of crimes under the Act.
A definition of the categories of people that might be subject to surveillance: The Terrorism Prevention Amendment Act, the Cybercrimes Act and the Lawful Interception of Communications Regulations, 2019 allows interception of communications of an individual for the purposes of investigation of crimes, in the national security, interest of public safety and emergency and for giving effect to any international mutual agreement Nigeria is a party to.
A limit on the duration of the measure: Section 14 of the Lawful Interception of Communications Regulations, 2019 provides that a warrant to intercept communication shall be granted for an initial period of 3 months, a lesser period or renewed for a maximum period of 3 month or a lesser period. Section 6 of the Lawful Interception of Communication Regulation provides that intercepted communication shall only be stored for the duration of the investigation, and should be destroyed upon completion. The provision of the Regulation did not specify a timeline, but grants the Nigerian Communication Commission and law enforcement agencies the information from telecommunication companies. Further, Section 29(3) of the Terrorism Prevention Act, 2013 provides that an order made under the Section “shall specify the maximum period for which a communications service provider may be required to retain communications data”. Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communications “may be” stored for 3 years and destroyed thereafter.
The procedure to be followed for examining, using and storing the data obtained: The provision of the Regulation did not specify a timeline, but grants the Nigerian Communication Commission and law enforcement agencies the power to request for information from telecommunication companies. Interception can be by warrant or without a warrant. An exparte application is made to the Judge in compliance with the relevant law. Section 38(4) of the Cybercrimes Act, 2015 provides that information obtained should only be used by the law enforcement agency for only legitimate purpose under the law. Further, Section 38(5) of the Cybercrimes Act prescribes that the law enforcement agency exercising this function should safeguard the confidentiality of the data retained, processed or retrieved for the purpose of law enforcement“. In addition, Section 6(3) of the Lawful Interception of Communications Regulation provides that intercepted communication shall be stored confidentially for the “purpose of investigation and prosecution in criminal proceedings in accordance with these Regulations“. Section 18 (1) of the Lawful Interception of Communication Regulation imposes a duty of secrecy on the Agency and officials involved in the interception. The secrecy can only be waived subject to the derogations which are; if it is required for investigations of crime, required as an evidence before a court of law, if any person or any other person “who of necessity requires it in the performance of his or her function under these Regulations“.
The precautions to be taken when communicating the data to other parties: Section 10(1) (c) of the Lawful; Interception Communications Regulations mandates licensees to provide safeguards for data during transmission. Similarly, Section 38(5) of the Cybercrimes Act prescribed confidentiality duty on law enforcement agencies. Section 6(c) of the Guidelines for the Provision of Internet Service (the NCC Guidelines) by the Nigerian Communications Commission (NCC) requires internet Service Providers (ISPs) to provide information that may be requested by the Commission or any legal authority with respect to a user or the content of their communication.
The circumstances and substantive and procedural conditions relating to the access of the competent authorities: Interception can also be carried out in the absence of a warrant. According to Section 12 (4) of the :Lawful Interception of Communication Regulation, an authorised law enforcement Agency may initiate interception without a warrant where there is a risk of immediate danger of death or serious injury to any person, the activities threatens national security, or the activities has a characteristics of organised crime. Section 25 (1) of Terrorism Prevention Amendment Act specifies where there is a verifiable urgency, or a life is threatened, or prevention of crime. In both instances, a warrant must be sought within 48 hours. The Guidelines above do not provide for any substantive or procedural conditions for access.
Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued? The laws have an expectation of confidentiality and limited use to legitimate purpose. However, the practices are largely obscured by lack of transparency. | In general, do the national laws impose such a limitation to what is “strictly necessary”? Section 7(3) of the Lawful Interception Communications Regulation provides that a warrant can only be given for if it is in the interest of National Security, for prevention of crime, for protecting and safeguarding the economic wellbeing of Nigerians, in the interest of public emergency or safety, or giving effect to any international mutual assistance which Nigeria is a party. Similar conditions are found under Section 45 (3) of the Cybercrimes Act. Further, Section 38(5) of the Cybercrimes Act and Section 2(e) of the Lawful Interception of Communication provides that anyone exercising the function under the law shall have recourse to the safeguard for right to privacy provided in the Nigerian Constitution. Lastly, Section 37 of the Nigerian Constitution guarantees broadly the right to “privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected“. However, Section 45(1) provides derogations which include the interest of defence, public safety, public order, public morality or public health; or for the purpose of protecting the rights and freedom of other persons.
What objective criteria are used to determine which personal data of individuals are stored? Section 7(1)(b) of the Lawful Interception Regulation restricts the data to what is disclosed, in the warrant of such intercepted communication. There are no clear-cut processes or criteria to be observed before personal data of individuals are stored in any of these legislations.
Does national legislation require any relationship between the data which must be retained and a threat to public security? Public security is one of the conditions allowed for interception of communication.
Does national legislation restrict the data retention in relation to …?
The law did not make any clear distinction on the basis highlighted above. Section 29 (4) of the Terrorism Prevention Amendment Act 2013 allows data intercepted outside the country is valid for evidence before the Nigerian Court. Section 6 of the Lawful Interception of Communication Regulation provides a period of 3 years to store data and which it must be destroyed thereafter. Also, a warrant lawfully sought provides and limits the scope of the power that can be exercised under it. There are no clear systems of transparency that are built into these laws to ensure accountability.
Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)? Yes. Section 16 of the Freedom of Information Act provides that a public institution may deny an application for information that is subject to legal practitioner-client privilege, health workers-client privilege, journalism confidentiality privilege and any other professional privilege protected by another Law. | Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how? The Cybercrimes Act, the Terrorism Prevention Amendment Act and the Lawful Communications Interception Regulation provides that an application for surveillance should be brought before a Judge.
At which “stage” during the lifecycle of a data processing operation does (independent) oversight in relation to surveillance measures take place? If oversight only takes place at the third (last) stage, is such an oversight initiated ex officio? It is initiated at the first stage. However, surveillance done without warrant still has to be brought under the review of a judge within 48 hours under Section 12(4) of the Lawful Interception of Communication Regulation. Further surveillance done without obtaining the warrant is considered unlawful. | Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data? The Nigeria Data Protection Regulation provides for rights of data subjects. Article 3.1 (1) provides the right to access personal information held about them. Such data should be provided in an intelligible form and within one month of such request. Article 3.1 (11) of the Regulation also provides both right to rectification of data held about a data subject. Similarly, the Regulation contemplates the right to erasure.
Who should the individual address (see, Guarantee C)? The National Information Technology Development Agency and the Central Bank of Nigeria. The data subjects also have the right to lodge a complaint before a court of law.
Does the court/control committee have access to all relevant information, including closed materials? This laws are silent on access to all relevant information. However, Section 29(4) of Terrorism Prevention Amendment Act provides that all materials are considered valid as evidence before the court. Section 17 of the Lawful Interception of Communications Regulation provides that “the use of any information obtained pursuant to these Regulations as evidence in any prosecution, is subject to the consent of the presiding Judge in an application that such evidence be tendered by the party seeking to rely on it“. | To fully understand the extent of surveillance in Nigeria, it can only be appreciated through the Budgetary allocation for the function. Between 2014 – 2017, the country through the three Intelligence Agencies spent a combined sum of N127,987,715,414 ($418,260,507.89) on surveillance equipment and capacity development. This is in addition to the fact that Nigeria does not have a comprehensive and specific primary legislation on data protection.
| ||||||||||||||||||||||||||||||||||||||
Nicaragua | North America | NI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Netherlands | Europe | NL | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/12/1993 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Norway | Europe | NO | (EEA member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | S, R, E: 01/10/1985 | S | ✔️ | Lars Vinden - Privacy Lawyer | Yes. The legal basis for intercepting communications is found in the Criminal Procedure Act chapter 16 a section 216 a, whereas the basis for other seizures and surrender orders are given in chapter 16 and chapter 16 b to 16 d. Further rules for lawful intercept is provided in the he Lawful Intercept Regulation. The Police Security Service has additional legal bases for collecting data in the Police Act section 17d. General procedural rules for processing the data is found in the Police Register Act. | Yes, the rules may be regarded as necessary and proportional. Interceptions of communications, seizures and surrender orders shall as a general rule be issued by the courts, or in exceptional circumstances be reviewed by courts as part of on-going investigation of a limited number of criminal acts that for the most part may lead to imprisonment of 10 years or more, and the information must be relevant to the on-going investigation (see for instance the Criminal Procedure Act section 216 a). There are restrictions for information that is subject to a statutory duty of confidentiality, see the Criminal Procedure Act section 204. | Yes. Ex ante oversight is conducted by the general courts that authorises surveillance measures (see Criminal Procedure Act chapter 16 to 16 d). Ex post / ex officio oversight is conducted by:
| Yes. The right to be notified of surveillance measures are provided in the Criminal Procedure Act section 216 j and the Lawful Intercept Regulation chapter 3. Further individuals rights, such as the right to access, rectification or eraser is provided by the Police Register Act chapter 8. | Public reports from the oversight committees are available at https://eos-utvalget.no and https://www.kk-utvalget.no/rapporter.473489.no.html (Norwegian only). Please note that there are various legislative initiatives that may affect the “essential guarantees”, most notably a new intelligence surveillance act and the government is also considering implementing a data retention act that somewhat mirrors EU’s repealed data retention directive (but with the aims of adding essential guarantees making the mandatory retention lawful). | ||||||||||||||||||||||||||||||||||||
Nepal | Asia | NP | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Nauru | Oceania/Australia | NR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Niue | Oceania/Australia | NU | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
New Zealand | Oceania/Australia | NZ | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ See here or here | ✔️ | Information Privacy Principle 12: Comprehensive guidance by New Zealand's Privacy Commissioner (including templates and a Model Contract Clauses Agreement Builder) | Invitation valid until 24 September 2025 | ✔️ | ✔️ | ✔️ | ||||||||||||||||||||||||||||||||||||||||
Oman | Asia | OM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Ms. Tripti Dhar, Partner – Reina Legal
|
According to Article 30 of Royal Decree No. (101/96) Promulgating the Basic Statute of the State, the freedom of correspondence by post, telegraph, telephone conversations, and other means of communication is protected and its confidentiality is guaranteed. It is not permissible to monitor, search, disclose the confidentiality of, delay, or confiscate the same, except in cases specified by the Law and in accordance with the procedures stated therein.
The existing laws in the region are silent on this subject.
The permission specified in Article 90 of the Penal Procedure Law promulgated by Royal Decree 97/1999, as amended (“CPL”) may only be issued by the Public Prosecutor, who would only permit audio or video recording of an individual if there is sufficient evidence of a an offence or misdemeanor punishable by imprisonment for a period exceeding three months. Once granted, the permission is valid for a renewable period not exceeding 30 days, during which the audio or video evidence must be obtained.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
|
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
|
|
| ||||||||||||||||||||||||||||||||||||||||
Panama | North America | PA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | Marycarmen González M. | |||||||||||||||||||||||||||||||||||||||||||
Peru | South America | PE | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | ✔️ | |||||||||||||||||||||||||||||||||||||||||||
French Polynesia (French Overseas Collectivity) | Oceania/Australia | PF | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Papua New Guinea | Oceania/Australia | PG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Philippines | Asia | PH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | N/A Please see the country report for the Philippines as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||
Pakistan | Asia | PK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Pakistan as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Poland | Europe | PL | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/09/2002 | S, R | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Saint Pierre and Miquelon (French Overseas Collectivity) | North America | PM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Pitcairn Islands | Oceania/Australia | PN | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Puerto Rico | North America | PR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Alejandro Mercado, Esq. | ||||||||||||||||||||||||||||||||||||||||||||
Palestinian Territories | Asia | PS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Portugal | Europe | PT | (EU member state) | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator. The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | S, R, E: 01/01/1994 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Palau | Oceania/Australia | PW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Paraguay | South America | PY | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Paraguay as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Qatar | Asia | QA | ❌ | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | The Qatar Financial Centre has recognized a number of countries as providing adequacy (see, List of Adequate Jurisdictions). For jurisdictions not providing adequate protection, the Qatar Financial Centre has published four sets of SCCs (available here) similar to the 2021 SCCs by the EU Commission. | Ms. Tripti Dhar, Partner – Reina Legal
|
Law No. 9 of 2011 (Law No. 9 of 2011 regulating the use of Security and Surveillance CCTV Camera and devices) mandates that surveillance cameras be installed in residential compounds, hospitals, malls, banks, hotels, warehouses and other locations, and is enforced by the MOI's Security Systems Department (SSD). However, these systems are prohibited in private areas like bedrooms, treatment or patient rooms in hospitals, changing rooms and toilets. Article 19 of Law No. 3 of 2004 on Combating Terrorism grants the authorities extensive powers to conduct surveillance by any means for 90 days prior to any judicial review and to seize any forms of communication whenever this is useful in “uncovering the truth” regarding “terrorist crimes”.
The existing laws in the region are silent on this subject.
Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.
The existing laws in the region are silent on this subject.
According to Article 7 of Law No. 9 of 2011, save as with the approval of the Competent Authority, the transfer, save, sending or publishingof any of the recorded data, shall be prohibited.
|
The existing laws in the region are silent on this subject.
Article 6 of Law No. 9 of 2011, the Facilities shall keep the recordings for a period of one hundred and twenty (120) days, shall not make any adjustments thereto and shall hand them over to the Competent Department upon request. The Competent Department shall destroy the recordings immediately after the end of that period.
The existing laws in the region are silent on this subject.
Article 8 of Law No. 9 of 2011 It shall be prohibited to install Surveillance Camera and devices in the bedrooms, physiotherapy rooms, toilets, changing rooms and places dedicated for women
|
|
| |||||||||||||||||||||||||||||||||||||||
Réunion (French Overseas Department and Region) | Africa | RE | (EU member state) | ✔️ | ✔️ | ✔️ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Romania | Europe | RO | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/06/2002 | S | Iulian Matache | |||||||||||||||||||||||||||||||||||||||||
Serbia | Europe | RS | ❌ Potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ✔️ | ❌ | Standard Contractual Clauses („Службени гласник РС“, број 5/2020) | S, R, E: 01/01/2006 | S, R | Ivan Milosevic, Partner JPM Jankovic Popovic Mitic and Andrea Cvetanovic, Senior Lawyer JPM Jankovic Popovic Mitic | I. The nature of the offences which may give rise to an interception or surveillance order:
2) aggravated murder (Art. 114 of Criminal Code), abduction (Art. 134 of Criminal Code), presenting, procuring and possession of pornographic material and exploiting a minor for pornography (Art.185 para 2 and 3 of Criminal Code), robbery (Art. 206, para 2 and 3 of Criminal Code), extortion (Art. 214 para 4 of Criminal Code), abuse of position by responsible person (Art. 227 of Criminal Code), misuse in public procurement (Art. 228 of Criminal Code), receipt of bribe in performing business activities ( Art. 230 of Criminal Code), giving bribe in performing business activities (Art. 231 of Criminal Code), counterfeiting money (Art. 241 para 1-3 of Criminal Code), money laundering (Art. 245, para 1-4 of Criminal Code), unlawful production and putting into circulation of narcotics (Art. 246 para 1-4 of the Criminal Code), compromising independence (Art. 305 of Criminal Code), compromising territorial integrity (Art. 307 of Criminal Code), attack against the constitutional order (Art. 308 of Criminal Code), sedition on a violent change of the constitutional order (Art. 309 of Criminal Code), diversion (Art. 313 of Criminal Code), sabotage (Art. 314 of Criminal Code), espionage (Art. 315 of Criminal Code), disclosing a state secret ( Art. 316 of Criminal Code), instigation national, racial and religious hatred and intolerance (Art. 317 of Criminal Code),violation territorial sovereignty (Art. 318 of Criminal Code), conspiracy for unconstitutional activity (Art. 319 of Criminal Code), preparation acts against the constitutional order and security of Republic of Serbia (Art. 320 of Criminal Code), grave offences against the constitutional order and security of Republic of Serbia (Art. 321 of Criminal Code), unauthorized production, possession, carrying and transport of weapons and explosive materials (Art. 348, para 3 of Criminal Code), illegal crossing of state border and human trafficking (Art. 350, para 2 and 3 of Criminal Code), abuse of official duty (Art. 359 of Criminal Code ), influence peddling (Art. 366 of Criminal Code), receipt of bribe (Art. 367 of Criminal Code), giving bribe (Art. 368 of Criminal Code), human trafficking (Art. 388 of Criminal Code), endangering persons under international protection (Article 392 of Criminal Code) and criminal offence under the Art. 98, para 2 - 5 of Data Secrecy Law.
special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching criminal offences for which sentence to imprisonment of 4 years or longer period and warrant has been issued (Article 60 of Law on Police (“Official Herald RS" Nos. 6/2016, 24/2018 and 87/2018) – “target search measures”. C) Actions processed by Security-Informative Agency “special measures”: i) secret surveillance and recording of communication regardless the form and technical means by which measures are implemented or surveillance of electronic or other address; ii) statistical electronic surveillance and information systems to obtain data on communication or location of used mobile terminal equipment; iii) secret surveillance and recording of communication at public place and at places where access is limited or in closed area; iv) computer search of processed personal and other data and their comparison with data obtained in items i) – iii). Along with “special measures”, secret surveillance and recording of places, closed areas and subjects, including devices for automated processing of data and equipment where data are stored or where electronic records can be stored can be determined in case where reasonable grounds to suspect exists that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicated that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger (Art. 13 and 14 of Law on Security-Informative Agency, “Official Herald RS” Nos. 42/2002, 111/2009, 65/2014 – Decision of the Constitutional Court, 66/2014 and 36/2018) D) Actions processed by Military Security Agency Military Security Agency shall collect data by means of special procedures and measures when it is not possible to collect data otherwise or when their collection involves excessive risk to life and health of people and property, i.e. excessive costs. Special procedures and measures are implemented primarily for the purpose of prevention, i.e. with the aim to prevent threats against the Ministry of Defence and the Serbian Armed Forces (Law on Military Security Agency and Military Counterintelligence Service (“Official Herald RS” Nos. 88/2009, 55/2012 – Decision of the Constitutional Court and 17/2013). Special measures and procedure can include the following measures: i) secret surveillance of persons in the open space and in public places by applying technical means; ii)secret electronic surveillance of telecommunications and information systems in order to collect data on telecommunication traffic and the locations of the users without the insight in the content; iii) secret recording and documenting of conversations in the open space and in the closed areas by using technical means; iv) secret surveillance of the content of letters and other means of communication including covert surveillance of the content of telecommunications and information systems; v) secret surveillance and recording of the interior of facilities, closed areas and objects.
II. A definition of the categories of people that might be subject to surveillance: A) Categories of people that might be subject to surveillance to process offences by criminal courts Pursuant to Art. 161 para 1 of Criminal Code Procedure, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching can be determined against a person for whom reasonable grounds to suspect that she/he has committed criminal offence prescribed in Art. 162 of Criminal Code Procedure exists, if evidences for criminal prosecution cannot collected in other manner or their collection could be have significantly exacerbated. In accordance with para 2 of the same Article of the same Law, as exception, special evidence collecting – secret tracking and interception, secret surveillance of communication and computer data searching can be determined and against a person for whom reasonable grounds to suspect that she/he has committed criminal offence prescribed in Art. 162 of Criminal Code Procedure exists and circumstances of the case indicate that criminal offence could not be discovered, prevented or proved or this would cause disproportionate obstacles or significant danger. In accordance with para 3 of the same Article of the same Law, when deciding on determination and duration of the said special evidence collecting, the body which is responsible for the procedure shall in particular, evaluate whether the same result could be achieve in the manner by which rights of citizens are less limited. In case by execution special evidence collecting material on criminal offences and offender of criminal offence which/who have not been covered by decision on such special evidence collecting has been collected, such material can be used in the procedure only if it is related to criminal offences prescribed by Art. 162 of the Criminal Procedure Code (Art.164 of the Criminal Procedure Code – accidental finding). To arrest and bring a person to competent authority in case of reasonable grounds to suspect that a person has committed criminal offence for which a sentence of imprisonment of four year or more is prescribed and for whom a warrant is issued and under assumption that police officers cannot arrest this person applying other measures or actions, i.e. when such arrest is connected to disproportionate difficulties, “target search measures” can be determined against such person as well as against other persons for whom reasonable grounds to suspect exists that these persons assist such person to hide. Special procedures and measures can be implemented against person, group or organisation “Special measures” can be determined against a person, a group or an organisation in case where reasonable grounds to suspect exists that actions directed against security of Republic of Serbia are performed or planned and where circumstances of the case indicated that such actions could not be discovered, prevented or proved or where it would cause disproportionate difficulties and grave danger. D) Categories of people that might be subject to surveillance to by Security Military Agency Special measures and procedures are applied against a person, a group or organisation to prevent threats against the Ministry of Defence and the Serbian Armed Forces.
III. A limit on the duration of the measure: Secret surveillance of communication and secret tracking and interception can last 3 months and can be prolonged for another maximum 3 months due to necessity of further collection of evidences. In case of criminal offences for which the competence of public prosecution of special competence is prescribed by special law is prescribed, secret surveillance of communication can be exceptionally prolonged two times for 3 months. This special evidence collection shall be terminated as soon as reason for its application cease to exit. Computer data searching can last maximum 3 months and can be exceptionally prolonged two times for 3 months due to necessity of further collection of evidences. This special evidence collection shall be terminated as soon as reason for its application cease to exit. B) Limit of duration of the measures applied by the Ministry of Interior (police departments) “Target search measures” can last maximum 6 months and can be prolonged for another six months. “Special measures” can last 3 months and can be prolonged three times for three months if necessary to discover, prevent or obtain evidences. Special measures and procedure can last 6 months and can be, upon new proposal, prolonged for another 6 months. IV. The procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; the circumstances and substantive and procedural conditions relating to the access of the competent authorities; Assessment whether the number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued
In accordance with Rulebook on Requirements for Devices for Legitimate Interception of Electronic Communications and Technical Requirements for Fulfillment the Obligation of Retention of Data on Electronic Communications (“Official Herald RS” No. 88/2015), competent body shall maintain record containing decision of the court which represents legal ground for access or deliverance of retained data and date and time of access/deliverance.
an assessment may be made that number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued.
B) Procedure before Criminal Courts
An assessment may be made that number of persons who can access the stored data is limited to what is “strictly necessary” in view of the objective pursued. |
Data can be processed to accomplish the following goals:
In accordance with Article 5 of Serbian Law on Personal Data Protection (“Official Herald RS” No. 87/2018) which transposed provisions of Directive (EU) 2016/680 prescribes that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Further, Article 7 of the same Law prescribes that personal data collected by competent state bodies for special purposes shall not be processed for the purpose different than initial one, except in case when further processing is prescribed by law. Purpose of processing different than one for which personal data are collected is allowed only in case the following conditions are cumulatively met:
No.
No.
Judges, prosecutors and doctors must report preparation of criminal offence for which sentence of five years imprisonment or harsher sentence is prescribed (Article 331 of Criminal Code). They must report criminal offence for which sentence of five years imprisonment or harsher sentence is prescribed and offender for which they learned in the course of performance of their duty (Article 332 of the criminal code). Lawyers have right to disclose professional secret in case it is necessary to prevent serious criminal offence (Codex of lawyers’s professional ethics). |
Judges are responsible for overseeing surveillance measures. Judge are independent in performance of their duties.
The judge issues/approves order for application of surveillance measures and terminates the order. In case the public prosecutor does not initiate criminal procedure within 6 months upon the moment when he has been familiar with the file or states that he will not use it in the procedure or will not request criminal procedure against the suspected person, a judge for preliminary procedure shall order decision on destruction the collected material. |
Yes. In accordance with Article 32 of Law on Personal Data Protection, in case that competent bodies process personal data for special purpose, data subject has right to erasure and controller is obliged to erase personal data without undue delay if provisions of Art. 5, 13 and 18 (data protection principles, lawfulness of processing by competent body and processing of special categories of data) have been breached by such processing and personal data shall be erased due to legal obligation of controller.
The Commissioner for Information of Public Importance and Protection of Personal Data.
| |||||||||||||||||||||||||||||||||||||
Russian Federation | Asia | RU | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/09/2013 | S | Konstantin Tiazhelnikov, country Data Protection Responsible for Russia at Carlsberg Group | The nature of the offences which may give rise to an interception or surveillance order: Under the Federal Law N144-FZ of 12.08.1995 “On operative investigation activity” (hereinafter referred to as “OIA Law”), these are only offences of a criminal nature, i.e., leading to criminal liability (as opposed to either administrative or civil liability). However, it is not necessary to commit a criminal offence to face interception of communication as this measure may be lawfully applied for the purposes of detection and prevention of crimes, as well as to identify individuals preparing them (i.e., before a crime is actually committed). The only exemption the OIA Law specifies in this relation is that wiretapping of telephone and other conversations cannot be applied in relation to individuals suspected or accused of committing minor crimes, as well as individuals who may have information about such crimes (however, this exemption does not cover surveillance itself and written communications for unknown reasons). The above description appears too broad and thus leaves significant room for abuse (despite the fact the OIA Law formally sets out the law enforcement agencies’ obligation to respect the right to private life, personal and family privacy, and privacy of correspondence). Indeed, almost any individual may arbitrarily be regarded as an offender who, e.g.,, appears to be preparing a crime only to be subsequently prosecuted on formal grounds and to initiate investigation activities, including surveillance and interception of communication. On top of that, the OIA Law allows operative investigation activity (including surveillance and interception) to be carried out covertly which (by its nature) leads to a lack of transparency and control over how the respective data is collected and further processed by law enforcement agencies and their officials. It should also be noted that surveillance and interception of communications are also lawful in cases not directly connected to offences (with the exemption mentioned above), e.g., if used for obtaining information about events or actions (resp. omissions) that pose a threat to the state, military, economic, information or environmental security of Russia. This entails the same issue of potential abuses coupled with a lack of control and transparency as described above. There are also other legal grounds set out in the OIA Law that might be relied upon (see Articles 2 and 7 of the OIA Law). The OIA Law generally lays down that citizenship, national origins, gender, place of residence, property, official and social status, membership in public associations, religious and political beliefs cannot be deemed as an obstacle to conducting operative investigation activities (including surveillance) in respect of individuals, unless otherwise provided by Federal law. At the same time, specific laws may provide for exemptions from this general rule, e.g., under the Law of the Russian Federation N3132-1 of 26.06.1992 “On the status of judges in the Russian Federation”, judges are inviolable, which includes secrecy of correspondence and other forms of communication; inviolability also applies to the communication of a deputy of the State Duma of the Russian Federation or a member of the Federation Council (under the Federal Law N3-FZ of 08.05.1994 "On the status of a member of the Federation Council and the status of a Deputy of the State Duma of the Federal Assembly of the Russian Federation"). In such specific cases, a special procedure must be followed to obtain the respective measure. There are no specific rules on this. From the general provisions of the Federal Law N152-FZ of 27.07.2006 “On personal data” (hereinafter referred to as ‘Data Law’) (backed by the overall logic of the investigation legislation) it can be concluded that the respective measures may be applied for as long as necessary to achieve the purpose of its application. There are only isolated and unsystematic legislative provisions in this regard. Examination of the obtained data is not addressed in the applicable legislation and is thus left to the discretion of law enforcement agencies and their officials. As for the use, the OIA Law only contains a very broad and generic list of ways of how the results of operative investigation activity may be used. For example, the data may be used to conduct operative investigation activities, to search for fugitive offenders, for the purposes of tax authorities, as well as factual grounds to initiate criminal proceedings, etc. (Article 11). Storage of the data obtained seems to be unsystematically and broadly regulated in the same manner, giving individuals insufficient control over whether their data is stored and for how long. Under the OIA Law (Articles 5 and 8): (i) The materials obtained as a result of operative investigation activities in respect of individuals whose guilt in committing a crime has not been proved are stored for one year and then destroyed, unless official interests or justice require otherwise. Phonograms and other materials obtained as a result of wiretapping or interception of other conversations of individuals against whom criminal proceedings have not been initiated shall be destroyed within six months from the date when the interception ends. It stems from the above that there are only retention periods in particular cases which have been specified and not storage conditions themselves. In addition, in fact, this means that the data might potentially be uncontrollably stored by law enforcement agencies for an indefinite amount of time, hiding behind unclear ‘official interests’, with no possibilities to exercise control over such storage. (ii) If a criminal case is initiated against an individual whose telephone and other conversations were wiretapped, the phonogram and the hard copy of the recording shall be transferred to the investigator as material evidence. Under the Criminal Procedure Code of the Russian Federation (hereinafter referred to as ‘CPC’), such phonograms and hard copies:
However, there is no further guidance as to whom the terms ‘third parties’ and ‘rightful owner’ are meant to describe and how the degree of possible harm shall be evaluated which again raises the issue of insufficient clarity and a lack of transparency. The precautions to be taken when communicating the data to other parties: No specific measures and/or precautions identified in the applicable laws. The circumstances and substantive and procedural conditions relating to the access of the competent authorities: Under the OIA Law (Article 8): - investigative activities restricting constitutional rights to the secrecy of correspondence, telephone conversations, postal, telegraph and other messages transmitted over electric and postal networks are allowed based on a court decision, providing that there is information on prepared or committed illegal acts, on individuals preparing them, or on events or actions (omissions) that pose a threat to the state, military, economic, information or environmental security of Russia. - in urgent cases that can lead to committing a serious or particularly serious crimes, as well as where there is information on events or actions (inactions) that pose a threat to the state, military, economic, information or environmental security of Russia, the investigative activities are allowed if conducted on the basis of a reasoned decision of one of the heads of an investigative body, followed by the mandatory notification of the court (judge) within 24 hours. The court decision must be obtained within 48 hours, otherwise, the respective investigative activities shall be discontinued. The above provisions were initially designed as an expression of the system of “checks and balances” with courts supervising competent investigative authorities and ensuring the rule of law. However, at this stage of the legal and social reality in Russia, courts unfortunately tend to embody a formal rather than a real line of defense, often serving the interests of investigators and glossing over inadequacies in investigating practices. The same is true for the right set out in Article 5 of the OIA Law, under which investigative activities might be appealed to a superior body carrying out investigative activities, to the procuracy or the court. Is the number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued? This principle is not fully met. Interception of communications or surveillance may be lawfully performed by investigatory authorities upon requests of other investigatory authorities, with superior bodies, courts, and/or the procuracy being ad hoc involved in this process. This implies the involvement of multiple officials and employees (including those performing solely back-up tasks) in the data processing lifecycle with no strict distribution of roles in terms of data access. Thus, within the law enforcement system, access to the data stored can overall be seen as uncontrolled and unmanaged rather than otherwise. With a higher degree of certainty, we can conclude that the respective data cannot be accessed by third parties outside the law enforcement system. At the same time, as long as there are no specific precautions taken when communicating data to other stakeholders (including external), this cannot be said with absolute certainty. Nor can the formal confidentiality obligation under Article 5 of the OIA Law (‘investigatory authorities are forbidden to disclose information concerning private life, personal and family secrets, dignity and good name that became known in the course investigative activities, without the consent of citizens, except in cases provided for by federal laws’) be deemed as an effective safeguard. | In general, do the national laws impose such a limitation to what is “strictly necessary”? ‘Limit to what is strictly necessary’ is a general principle outlined in the Data Law. However, this principle does not have any specific understanding in the context of investigative activities, nor is it further supported by specific legislation (incl. the OIA Law). From ‘Guarantee A’ section it can be seen that the legal grounds for obtaining (using, storing, …) data are broadly and vaguely (rather than clearly) described without easily understandable ‘building blocks’ of the notion of the ‘strict necessity’. It becomes clear that we cannot speak of an effective implementation of this principle in the specific investigation laws. The Data Law declares the ‘data minimization’ principle, i.e., the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are stored. In other words, the storage must not happen purposelessly. But, here again, this general approach is not supported in the specific investigation laws which identify no further criteria. In practice, investigative authorities tend to adopt an approach that can be roughly described as ‘let’s keep it and then see if we need it’, arguing that there might appear intelligence-related (or similar) purposes in the future that they are unaware of at the moment of collection. At the same time, in some cases, the connection to the issues of public security is required: e.g., as mentioned in ‘Guarantee A’ section, wiretapping of telephone and other conversations must be connected to a crime of a particular gravity, either committed or suspected (i.e., there must be a particular degree of threat to public security).
Does national legislation provide for any exception for persons under an obligation of professional secrecy (e.g., doctors, judges, public prosecutors, lawyers)? No. The laws only set out several professional categories whose representatives may not be interrogated in the capacity of witnesses under an obligation of professional secrecy (judges, attorneys, priests, etc.). | Who is responsible for overseeing surveillance measures? A judge or a different executive body, such as a control committee? Is their sufficient impartiality and independence from the executive/government safeguarded, and if so, how? Surveillance measures are supervised by a judge. A court decision is generally required to commence the respective activities and get access to the data (unless this is a matter of urgency, see ‘Guarantee A’ section for more details in this regard). Judges are formally declared independent and are bound only by law. However, as described above (see ‘Guarantee A’ section), in practice they are unlikely to be seen as a real line of defense for those under surveillance. Rather, in the investigation context, a judge in a contemporary political and social environment is often a part of the investigative mechanism with a formal approach, instead of being an epitome of various guarantees characteristic of a democratic society. Thus, in the context of ‘Guarantee C’, it seems unlikely that there is a clear and really independent system of judicial controls over how surveillance measures are applied. It takes place before and is a formal prerequisite of the investigation measure (i.e., processing operation), unless there is a matter of urgency. There are no other oversight stages as such. Under the OIA Law, the validity period of the respective court decision may not exceed six months, unless otherwise specified in the decision itself. If there is a need of an extension, the judge makes a new court decision based on the newly submitted materials. | Does national legislation provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data? Traditionally, there are only isolated and unsystematic legal provisions in this regard. Under the OIA Law, an individual who was not found guilty in a criminal offence has a right of access to data concerning him or her. However, this right is only applicable: (i) if the individual believes that his or her rights were violated—thus, literally, the right of access may not be effectively exercised in the ordinary course of events when no violations occur; (ii) to the extent allowed by the requirements of secrecy and excluding the possibility of disclosure of state secrets—such blurred categories with barely defined boundaries leave room for arbitrary discretion and various abuses. From the description above it becomes clear that the applicable laws do not address: (i) the notions of the right to rectification and the right to erasure as such; (ii) the situations when the data was obtained by investigation authorities outside the context of a committed or suspected criminal offence (e.g., when deciding on providing access to the information that constitute a State secret). Thus, the right of access exists on a very limited scale, while the rights of rectification and erasure are not addressed at all and theoretically (rather than practically) can only be derived from the general Data Law. The respective investigation authorities storing the data should be approached. The refusal may be appealed to the courts (although, as described above, this is mostly a formal guarantee, amid the absence of real independence of judges). No restrictions are established in this relation. Upon request, a judge must be provided with all the information related to the refusal being appealed, unless this involves information on officials infiltrated into criminal groups, regular undercover employees of agencies that carry out operative investigative activities, or individuals who assist them on a confidential basis. | Overall assessment Based on the observations outlined above it would be fair to conclude that none of the described Guarantees A-D are fully met in the applicable legislation and judicial practice. The existing provisions cannot be deemed as clear and precise, nor do they epitomize principles of necessity and proportionality in terms of an interference with the right to privacy and the protection of personal data. At the same time, existing oversight mechanisms are of limited nature and cannot be seen as truly independent and efficient in a democratic society. Remedies and rights to redress set out therein are insufficient and have rather formal (than enforceable) character. Remark 1. Telecommunications providers are a “willing companion” of the respective investigation authorities as they are under a legal obligation to store (Article 64 of the Federal Law N126-FZ of 07.07.2003 “On communications”): (i) information about the facts of receiving, transmitting, delivering and (or) processing of voice information, text messages, images, sounds, video or other messages sent by users of communication services (retention period: 3 years); (ii) text messages sent by users of communication services, voice information, images, sounds, video, and other messages sent by users of communication services (retention period: up to 6 months). The information described above must be provided to the investigation authorities, when prescribed by the applicable laws. In the media, the law introducing the legal obligations of telecommunications providers described above is often mentioned as the “Yarovaya Law” (passed in 2016). Remark 2. For a better understanding of the context of how surveillance, resp. interception of communications works, it is recommended to study examples of real criminal investigations. One of the most known cases is the case of Oxana Sevastidi accused of high treason in 2016. She was sentenced to seven years in prison for texting in 2008 about a Russian train full of military equipment heading toward the Georgian breakaway region of Abkhazia during the short war between Russia and Georgia. Subsequently, she was pardoned by the President of Russia. Allegedly, the case was politically motivated. To learn more: https://www.rferl.org/a/russia-sevastidi-released-text-georgian-war-jailed/28364651.html The case of Oxana Sevastidi was not the only one based on the arbitrarily intercepted text message as a Georgian citizen Ekaterina Kharebava was accused of the same crime (formally of espionage) in 2014 and subsequently sentenced to six years in prison. She was recognized as a political prisoner by the human rights organisation “Memorial”. Remark 3. To access the Russian legislation in English language, the following online resource can be used: https://english.garant.ru Subscription is available for a fee. | |||||||||||||||||||||||||||||||||||||
Rwanda | Africa | RW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Pius Ntazinda | ||||||||||||||||||||||||||||||||||||||||||||
Saudi Arabia | Asia | SA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Ms. Tripti Dhar, Partner – Reina Legal
|
The Article 40 of Saudi Arabian Constitution, protects the right to privacy, although it states that correspondences “may not be confiscated, delayed or read, and telephones may not be tapped except as laid down in the law. Article 9 of the Telecommunications Law and Regulations states that the privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts. Article Nine of Telecom Act Royal Decree No. (M/12) dated 12/03/1422H: The privacy and confidentiality of telephone calls and information transmitted or received through public telecommunications networks shall be maintained. Disclosing, listening or recording the same is not permitted, except for the cases stipulated by the relevant Acts. Privacy-related offences under Article 3(1) of the Anti-Cyber Crime Law include: 'spying on, interception or reception of data transmitted through an information network or computer without legitimate authorisation'
Chapter 10 : Violations and Penalties Article Thirty-seven of the Telecom Act Royal Decree No. (M/12) dated 12/03/1422H states that Any of the following actions by any operator, individual or a juridical person constitutes a violation Interception of any telephone call or data carried on the public telecommunications networks in violation of the provisions of this Act
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
The existing laws in the region are silent on this subject.
|
|
|
| ||||||||||||||||||||||||||||||||||||||||
Solomon Islands | Oceania/Australia | SB | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Seychelles | Africa | SC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Sudan | Africa | SD | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Sweden | Europe | SE | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/10/1985 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Singapore | Asia | SG | ❌ Potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | ✔️ | Lanx Goh, CIPM, CIPP/A/E/US, FIP | |||||||||||||||||||||||||||||||||||||||||
Saint Helena (British Overseas Territory) | Africa | SH | |||||||||||||||||||||||||||||||||||||||||||||||||||
Slovenia | Europe | SI | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/09/1994 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Slovakia | Europe | SK | (EU member state) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR See, SCC Generator | S, R, E: 01/01/2001 | S | ✔️ | |||||||||||||||||||||||||||||||||||||||||
Sierra Leone | Africa | SL | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
San Marino | Europe | SM | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/09/2015 | S | |||||||||||||||||||||||||||||||||||||||||||
Senegal | Africa | SN | ❌ | ❌ | ❌ | ❌ | ❌ | ✔️ | R (Accession), E: 01/12/2016 | Adama Diouf | |||||||||||||||||||||||||||||||||||||||||||
Somalia | Africa | SO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Suriname | Africa | SR | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Abigaïl Z.M. de Rijp LLM
| I. Rules regarding general processing In Suriname, the general processing of data is not based on clear, precise and accessible rules, because Suriname has not yet legalized the right to privacy and the protection of personal data. In this regard, there is no legal basis that would justify interference in case of general surveillance- you can’t legally interfere into that which you have not legalized. However, there are different rules with regard to the prosecution of criminals and criminal conduct. II. Rules regarding processing in light of the detection of crimes and criminal prosecution A. Detection of crimes (in general) Cybercrime is penalized in Suriname through the Surinamese Criminal Code (WSr). Article 187i WSr penalizes the use of hidden cameras in homes. According to article 187j WSr, the publication of these images also constitutes a criminal offense. The Surinamese Ministry of Justice and Police initiated the ‘Safe City Project’. This project is originally intended to fight crime through detection thereof. Through its ‘Command Center’, this project, via video surveillance, collects data of the activities of Surinamese citizens within our capitol, Paramaribo, and the district Wanica. Since these recordings are taken on public roads, the protection article 187i WSr provides is not applicable. Unfortunately, this form of ‘crime detection’ has no legal basis. The only requirements this project meets are describing the nature of the offences and the people subject to surveillance – it applies to all crimes and all people who use public roads. This is presumably an execution of article 44 of the Surinamese Code on Criminal Procedure (WSv) which concerns arrests in flagrante delicto (catching someone red handed). As a result of the abovementioned, the absence of a clear legal basis for these recordings and the subsequent unregulated use of the obtained data in a Court of Law, clearly constitute gross contradictions of this Guarantee. B. Criminal prosecutionArticle 89 WSv of regards the interception of individual communications. During the preliminary judicial investigation, the examining judge may, ex officio or at the request of the prosecuting officer, in crimes ex. art. 56 WSv, and if the investigation urgently requires, rule that: 1) telephone calls in which it is suspected that the suspect participates or will participate in, may be overheard or intercepted by an investigating officer;
The provisions of this article are (largely) in accordance with the requirements of Guarantee A:
|
|
|
| Notwithstanding the abovementioned, Suriname has drafted its first Data Protection Bill which is currently still under advisement of the National Parliament. | |||||||||||||||||||||||||||||||||||||||
São Tomé and Príncipe | Africa | ST | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
El Salvador | North America | SV | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Karla Alas | ||||||||||||||||||||||||||||||||||||||||||||
Syria | Asia | SY | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Eswatini (Swaziland) | Africa | SZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Turks and Caicos Islands | North America | TC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Chad | Africa | TD | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
French Southern Territories | Africa | TF | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||||||
Togo | Africa | TG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Thailand | Asia | TH | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | N/A Please see the country report for Thailand as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||
Tajikistan | Asia | TJ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Tokelau | Oceania/Australia | TK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Timor-Leste | Asia | TL | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Turkmenistan | Europe | TM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Tunisia | Africa | TN | ❌ | ❌ | ❌ | ❌ | ❌ See here | ✔️ | R (Accession), E: 01/11/2017 | S | Invitation valid until 8 February 2023 | N/A Please see the country report for Tunisia as part of the study "State of Privacy" conducted by Privacy International. | |||||||||||||||||||||||||||||||||||||||||
Tonga | Oceania/Australia | TO | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Turkey | Europe | TR | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | The Turkish Data Protection Authority has published two sets of SCCs: Controller-to-controller (Turkish; English); Controller-to-Processor (Turkish; English) | S, R, E: 01/09/2016 | ✔️ | Oğuz Kartöz, CIPP/E | |||||||||||||||||||||||||||||||||||||||||
Trinidad and Tobago | South America | TT | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Mukta Balroop | ||||||||||||||||||||||||||||||||||||||||||||
Tuvalu | Oceania/Australia | TV | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Taiwan | Asia | TW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Bobby Piao-Hao Hsu is senior lead specialist of privacy and data protection at TPV Technology Group, where he is responsible for daily execution of regulatory compliance cross more than 17 jurisdictions. Before joining TPV, he was Public Policy Counsel of LINE Taiwan Limited, where he had the opportunities to represent the LINE operations in Taiwan in various contexts and to advocating Group's interests via diversified channels, planning and executing of in-depth covered programs both locally and overseas, together with the support mobilized cross-functions within the Group globally.
Until April 2017, he worked as Legal Researcher at Science and Technology Law Institute (STLI), Institute for Information Industry, where he is responsible for policy research in the field of privacy, energy law and innovative technology. It is also during his post at STLI, that he started his policy research in the field of internet governance, data protection and other regulatory mechanisms favor development of tech/ innovative enterprises, including the trends of IoT, Big Data, renewable energy and the right to be forgotten. Prior to STLI, Hsu worked as Senior Assistant Research Fellow at Taiwan Research Institute (TRI), Direct Dialogue Campaigner at Greenpeace (East Asia, Taipei) and Program Associate at Human Rights in China (Hong Kong Office). As a jurist not specialized in criminal procedures, Hsu would like to thank all the support other practicing professionals both in public and private sectors have generously provided during the process. | In principle, the interception of communications is regulated by The Communication Security and Surveillance Act (CSSA).I
According to Art. 5 and Art 6 of CSSA, only under certain enumerated offences can an “interception warrant” to be issued by the approval of the court. In addition, an access warrant could also be issued by the prosecutor under Section III of Article 11-1 when it comes to investigation of a number of more serious offencesII, instead of by the court.
Art. 7 of CSSA, on the other hand, stipulates the interception regarding foreign forces. In this case, an interception warrant is still needed. Nevertheless, unlike the scenario in Article 5 and 6, where the interception warrant could only be issued when involving certain specific crimes as prescribed in various criminal codes, when it comes to “foreign forces”, the only criterion for determination of the legitimacy of the interception warrant is the necessity “to conduct surveillance on … communications III in order to collect intelligence on foreign forces or hostile foreign forces to protect national security”
As stipulated by Article 11, the following information must be documented on the interception warrant:
Section I of Article 12 further adds: the communication surveillance duration of Articles 5 and Article 6 is not to exceed 30 days each time; while the communication surveillance duration of Article 7 is not to exceed one year each time. If it is necessary to continue the surveillance, specific reasons must be specified, and the last date for petition should be no later than two days before the expiration date. However, the period of continuous surveillance under Articles 5 and 6 shall not exceed one year. If the enforcement authority deems it necessary to continue surveillance, a new application shall be filed in accordance with Articles 5 and 6.
About the examination and usage of data, Section 4 of Article 5 stipulates, ” [t]he enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance. ” In terms of storage, there is a 5 year-limitation according to Section I of Article 17.IV
According to Section I of Article 18, “[i]nformation obtained from the communications surveillance pursuant to this Act shall not be provided to other agencies (institutions), groups or individuals. However, this restriction does not apply to those complying with the surveillance objective as described in Article 5 or Article 7, or other laws and regulations.” If we take closer look, we would find it not difficult to fulfil the condition prescribed in Article 18. Nevertheless, in practice, it is also challenging for different investigation bodies to share information or intelligence gathered due to lack of incentive from the institutional structures.
|
In the Section II of Article 5, it is stipulated that “[r]elevant documents and investigation information about the residence of the target of interception should also be attached, specifying that there is sufficient reason to believe that the contents of communications are related to the case, that prior investigation has been conducted in another manner without success, or that it is reasonably clear that investigation in another manner will not achieve the purpose or creates material risk. The prosecutor should respond within four hours after accepting the application. If the case is complex, the deadline may be extended for four hours with the consent of the Chief Prosecutor. The court should reply within 48 hours after receiving the application case as approved by and transferred from the prosecutor. If the case is in trial proceedings, the warrant should be issued ex officio by the judge. The judge may also enter appropriate instructions to the enforcement officers on the interception warrant.” Article 13 also provide related limitation in the respect of actual implementation of the interception.VI In light of the regulatory content above, it could be argued that the legislative structure has limited the use of surveillance (wiring of the phone, Jian Ting [監聽]) to a necessity test. Nevertheless, the high approval rate, especially from the Prosecutor, may not be the positive indicators demonstrating a “strict” necessity examination.VII |
Before the issuance of the interception warrant: About the issuance of an interception warrant, Section III of Article 5 provides: “[i]f the application as referred to in the preceding Paragraph is inconsistent with the legal procedure, lacks reason, is not specified or not sufficiently specified, it shall be denied by the court. The decision to deny an application by the court shall not be challenged.”
During the interception surveillance: Section VI, Article 5 provides: the enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance. The prosecutor or the judge that issued the interception warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall consider, by free evaluation based on the rules of experience and logic, withdrawing the issued interception warrant.
Examination mechanism post surveillance: It has been criticized that, unlike the French or other models, the current interception surveillance lack of a mechanism for individual to challenge the State interference even after the surveillance at issue is over. There is, nonetheless, a general obligation for the State to compile aggregated transparency report is prescribed in Article 16-1.VIII
If we considered the wired content as the data at issue, the relative independent review of the wiring action may not take place until 15 days after the wiring. Section IV of Article 5 provides that: the enforcement authority shall file at least one report every 15 days during the period of communication surveillance, describing the progress of conducting the surveillance, and/or if there is the necessity to continue implementing the surveillance. It is provided in the same Section that the prosecutor or the judge that issued the interception warrant may also order the enforcement authority to submit a report at any time. If a situation arises where the surveillance should not be conducted continuously, the judge shall consider, by free evaluation based on the rules of experience and logic, withdrawing the issued interception warrant. However, at this stage, what a judge or prosecutor is only authorized by law to review whether or not there is legitimate necessity for the enforcement authority to continue carrying out the surveillance. |
According to Article 15 of CSSA, the enforcement authority of communication surveillance cases as described in Article 5, Article 6, and Article 7, Paragraph 2 should, when the communication surveillance is over, state the name, permanent address or contact address of the person under surveillance, the Subparagraph under Article 11, Paragraph 1 that is applicable to the surveillance case and reference number of the authority issuing the interception warrant, the actual period of surveillance, whether communications information corresponding to the purpose of the surveillance has been obtained and the remedy procedure in the report, to the prosecutor, or the authority overseeing national intelligence. The prosecutor, or the authority in turn should report to the court, so that the person under surveillance may be notified. Nevertheless, the individuals being weird would not have direct access to the transcript of what has been documented about him or her. In practice, if the content of the surveillance transcript is used in the proceedings later, it could then be challenged by the data subjects. However, if the surveillance never leads to any actual indictment, it is uncertain whether the data subjects would have the access to it. This could be indirectly inferred from Section I of Article 18, where it is stipulated: Information obtained from the communications surveillance pursuant to this Act shall not be provided to other agencies (institutions), groups or individuals. So we could probably infer: if there is any indictment, charges pressed involving the use of transcript of the surveillance content, it is highly impossible for the data subjects to have access to the content of the surveillance transcript and it would probably be destroyed after 5 years. | 【End notes】: I Tong Xun Bo Zhang Ji Jian Cha Fa [通訊保障及監察法], originally promulgated in July 14, 1999, last amened on May 23rd, 2018. Available at https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=K0060044 (last visited: July 4, 2020). 1) Domestic communications of foreign forces, hostile foreign forces, or their agents. 2) Cross-border communications of foreign forces, hostile foreign forces, or their agents. 3) Off-shore communications of foreign forces, hostile foreign forces, or their agents.
| |||||||||||||||||||||||||||||||||||||||
Tanzania | Africa | TZ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Lucy Minde | ||||||||||||||||||||||||||||||||||||||||||||
Ukraine | UA | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/01/2011 | NGO “Privacy HUB” represented by: Dmitry Korchynskyi, CIPP/E, CIPM, FIP, Senior Data Protection Specialist at PrivatBank Artem Kobrin, CIPP/E, CIPM, FIP, CDPSE, Data Protection Specialist at PrivatBank Vlad Nekrutenko, CIPP/E, CIPM, FIP, Head of privacy at Legal Nodes All of those mentioned are serving as:
| Executive summary: In light of the CJEU’s “Schrems II” ruling of July 16th, 2020 and EDPB’s Recommendations 02/2020, transfers of personal data from the EU to Ukraine can be carried out using the mechanism adopted by the European Commission’s Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (the “Standard contractual clauses” or “SCC/s”). Research on data protection guarantees shows that surveillance measures in Ukraine pursue legitimate objectives and are necessary for ensuring the stability of a democratic society. However, several gaps were identified, hence it is not possible to conclude that Ukraine provides an essentially equivalent level of data protection established compared to that in the EU. For instance, we assume that the rules lack certainty regarding the precise scope of personal data that can be accessed. Also, the necessity and proportionality of such processing activities do not need to be assessed by governmental representatives. Moreover, while an independent oversight mechanism exists, it fails to provide sufficient judicial scrutiny of necessity and proportionality of surveillance measures.
On the other hand, the gap between the European and Ukrainian regimes can be compensated by the safeguards provided by the Standard contractual clauses. The Ukrainian law does not allow indiscriminate and silent surveillance activities, which would impede the contractual protection by the SCCs. Hence, the Ukrainian data importer will be able to inform the data exporter if they are subject to surveillance measures with regard to the data transferred. In that regard, EU data protection supervisory authorities will be in the position to audit the data importer, which is one of the main prerequisites for SCCs to be valid. Additionally, affected data subjects will be able to exercise their rights with the data importer as prescribed by the SCCs.
There is no law that would oblige data importers to derogate from the applicable data protection laws beyond the necessary extent in a democratic society. Ukraine has declared its intention to join the EU by signing mutual treaties on association and cooperation. Such treaties combined with the fact that Ukrainian judicial practice recognises foreign laws provide a solid basis to assume that the Standard Contractual Clauses allow organisations to ensure compliance with GDPR requirements while transferring personal data to Ukraine.
Along with the mutual treaties on association and cooperation between the European Union and Ukraine, as well as the court practice in Ukraine recognising foreign laws, we conclude that the SCCs allow organisations to ensure compliance with the GDPR requirements while transferring personal data to Ukraine.
In particular, the following legislative acts were taken into account:
Nature of the offences which may give rise to an interception or surveillance order:
Article 246 CPC: Interception and surveillance of communications can only be conducted in criminal proceedings in cases of severe crimes or crimes of a specific gravity. Such crimes are defined in Article 12.4 and Article 12.5 CPC. It is worth mentioning that interception and surveillance may also be conducted to prevent crimes in preparation. Such activities are governed by a different law, namely the Law of Ukraine on “Operative Investigation Activity”.
Law of Ukraine “On Intelligence”, Article 15 provides for a list of intelligence measures that could be conducted on the territory of Ukraine based on the judicial authorities. The list contains the different types of surveillance measures. The law does not split the surveillance measures into separate categories, but rather provides a single broad category of intelligence measures. Intelligence measures are defined as a set of actions and decisions of the intelligence body, which, in cases specified by laws of another entity, are conducted using different methods, staff, and means of intelligence. The main purpose of intelligence measures is defined as the promotion to realise national interests, preserving national security from external threats, and the timely provision of intelligence information to the recipients (i.e., the main state officials).
A definition of the categories of people that might be subject to surveillance: Article 6 OIA defines the following categories of people that might be subject to surveillance:
Limit on the duration of the measure: According to Article 246 CPC and depending on the circumstances, the limit on the duration may be up to eighteen months. However, according to Article 219, the limit on the duration may be repeatedly extended at the motivated request of the prosecutor for the term of pre-trial investigation. The procedure to be followed for examining, using, and storing the data obtained: According to Article 10 OIA, materials of the operative search activity may be used as follows:
As per the CPC, Article 254 on the measures of protection of information that were obtained through covert investigative (detective) actions envisages the following safeguards:
Article 255 describes the measures for protecting the information, which is not used in criminal proceedings:
Article 259. Preservation of information
The precautions to be taken when communicating the data to other parties: Article 222. Inadmissibility of disclosing information of pre-trial investigation:
According to Article 252, all of the measures taken during the covert investigation should be properly captured and documented, including the information about third parties which got access to such data.
The circumstances and substantive and procedural conditions relating to the access of the competent authorities: See above: Article 10 OIA, Article 254, 255, 259 CPC.
The number of persons who can access the stored data limited to what is “strictly necessary” in view of the objective pursued: The scope of those who can request investigative actions is defined by Articles 246 and Article 222 (see above) of the CPC:
Additional information on the procedures for the surveillance measures is provided in the Joint order of the General Prosecutor of Ukraine, Ministry of Internal Affairs of Ukraine, Security Service of Ukraine, Administration of The State Border Service of Ukraine, Ministry of Finance of Ukraine, Ministry of Justice of Ukraine on the adoption of the Instruction on the organisation of covert investigative (detective) actions and the use of their results in criminal proceedings.
Summary:
| In general, do the laws of your country impose such a limitation to what is “strictly necessary”?
The Law of Ukraine “On Operative Investigation Activity” (Article 9) provides retention limitations to what is necessary for conducting investigations. However, the rules might lack precision and a certain degree of discretion remains, hence the criteria of “strictly necessary” is blurred.
Article 9. Guarantees of lawfulness during the implementation of operational and investigative activities Information obtained as a result of operational and investigative activities concerning personal life, honour, human dignity, provided that it does not contain information about the commission of actions prohibited by law, is not subject to storage and must be destroyed. Information obtained as a result of operational and investigative activities on the preparation for terrorist acts or their commission by individuals and groups is stored for up to 5 years. The results of operative-search activity, which per the legislation of Ukraine constitute a state secret, as well as information concerning personal life, honour, human dignity, shall not be subject to transfer and disclosure. For the transmission and disclosure of this information, employees of operational units, as well as persons to whom this information was entrusted in the course of operational and investigative activities or became known for service or work, are liable under applicable law, except in cases of disclosure of information about illegal actions that violate human rights. Surveillance of a person, object, or location, as well as audio, video surveillance of a location, may be carried out to collect data about the person and their connections, if there are facts that confirm that they are preparing to commit a serious crime or specific serious offence to obtain information indicating signs of such a crime, to ensure the safety of court and law enforcement officers and persons involved in criminal proceedings, members of their families and close relatives of these persons, as well as to obtain intelligence in the interests of society and the state.
Law of Ukraine on “Personal Data Protection” Article 15. Deletion or destruction of personal data
Article 9-1. Term of conducting operational and investigative cases Conducting operational and investigative cases is carried out: 1) in respect of unidentified persons who are preparing to commit a criminal offence, as well as persons who are hiding from bodies of pre-trial investigation, investigating judge, court or who are evading serving a criminal sentence - until their establishment or search, but not for longer than is provided by the statute of limitations or the statute of limitations for the execution of a conviction; 3) in respect of persons missing in special circumstances, including in connection with armed conflict, hostilities, riots within the state or in connection with emergencies of a natural or man-made nature or other events that may cause mass deaths, before establishing their whereabouts, burial place or location of remains; 4) in respect of persons on whom there is data on participation in the preparation for the commission of a criminal offence before establishing and record factual data on illegal acts, liability for which is provided by the Criminal Code of Ukraine, but not more than six months; 6) in respect of persons on whom there is evidence of their participation or involvement in terrorist activity, terrorist group or terrorist organisation, as well as material, organisational or other assistance to the establishment of a terrorist group or terrorist organisation - up to 5 years. If there is data obtained during the operational and investigative case on the participation of a person in the preparation of a serious or especially serious crime, the term of the case may be extended up to 12 months + further extension of the term of the operational and investigative case, but not more than 18 months. Defence counsels and clergymen are subject to specific safeguards. All of the listed persons enjoy the protection: Article 258 CPC: General provisions related to the interference in private communication.
The criminal Procedure Code prohibits disclosing information of pre-trial investigation without the prior written consent of the investigator or the prosecutor. The investigator or the prosecutor informs persons who obtained information of their duty not to disclose such information without the permission of the investigator or the prosecutor. Also, it is prohibited to make copies of protocols on conducting covert investigative (detective) actions and appendices to them.
Yes, in part, see above.
No.
No provision would restrict data retention. However, the CPC provides certain confidentiality guarantees to protect the anonymity of whistleblowers.
Article 130-1. Payment of remuneration to the whistleblower
Yes.
Article 258. General provisions related to the interference in private communication
Summary:
| Depending on the stage and the exact surveillance measure, the supervisory bodies can carry out a general data protection oversight, as well as other bodies performing judicial oversight after surveillance measures. The following bodies should be taken into account:
Law of Ukraine “On Intelligence”. Surveillance measures could be deployed solely based on a court order. (Article 15-16 of the Law of Ukraine “On Intelligence”). This is a positive factor as the ECtHR considered that the procedure of judicial authorisation of surveillance measures is the best practice that provides a solid safeguard against the arbitrates of surveillance. On the other hand, the mere existence of the fact of judicial supervision is not sufficient. The ECtHR identified that the judiciary must be capable to verify the existence of a reasonable suspicion against the person that may give rise to the necessity of secret surveillance measures, conducting proportionality tests, and verifying whether it is possible to achieve the result of surveillance by less restrictive measures. According to the OIA, a request to the court for authorisation of surveillance measures has to contain the following information related to the justification of surveillance measure (there are other requirements as well, however, they are not listed below as they are not relevant to the present issue):
Further, the law prescribes that the judge, considering the request for authorisation of a surveillance measure shall establish the sufficiency and validity of the grounds for granting such an authorisation. The system of judicial authorisation of surveillance measures contains a substantial gap, as it is not required from the court to fully assess the existence of a reasonable suspicion against the person, to conduct the proportionality assessment of the measures requested, and to verify whether it is possible to achieve the result of surveillance by less restrictive measures. Also, there is an issue with the absence of ex-post oversight over the implementation of surveillance measures that shall be one of the main safeguards of human rights protection. Judicial oversight of operative investigation measures. As for the operative investigation measures, judicial oversight is carried when the measure is first ordered by the investigator or prosecutor, and, in exceptional cases, when it is carried out. Article 247 CPC. The investigating judge who considers petitions concerning covert investigative (detective) actions
Article 248. Examination of the request to obtain permission for the conducting of a covert investigative (detective) action
1) a designation and registration number of the criminal proceedings concerned; 2) a brief description of the circumstances of the crime within the framework of investigation of which the request is filed; 3) a legal qualification of the crime with an indication of Article (section of Article) of the Criminal Code of Ukraine; 4) information on the individual (individuals), location, or object in whose respect it is necessary to conduct covert investigative (detective) action; 5) the circumstances that provide grounds for suspecting the individual of committing the crime; 6) the type of covert investigative (detective) action to be conducted, and substantiation of the time limits for the conducting thereof; 7) a substantiation of the impossibility to obtain knowledge by other means on the crime and the individual who committed it; 8) information, depending on the type of covert investigative (detective) action, on identification signs which will allow to uniquely identify the subscriber under surveillance, transport telecommunication network, and terminal equipment, etc.; 9) a substantiation of the possibility to obtain in the course of covert investigative (detective) action further evidence which, alone or in concurrence with other evidence, may be significantly important for the clarification of the circumstances of the crime or the identification of perpetrators thereof.
General data protection oversight. As for the general data protection oversight, data protection supervision and control in Ukraine are carried out by the Verkhovna Rada’s Commissioner for Human Rights as provided for by the Law of Ukraine “On personal data protection”. The commissioner is not a standalone data protection authority but rather a Parliamentary ombudsperson overseeing human rights protection in general. As an example of the Ombudsman’s oversight of the surveillance measures, it recently found violations of data protection law by the cyber police department of the National Police of Ukraine. At the same time, the data protection oversight in Ukraine does have certain issues related to staffing and budget. In 2019, journalism organisation Ukrayinska Pravda made an official request regarding the composition of the commissioner's secretary and published the response they received. The department for personal data protection consisted of only 13 people and its budget consisted of no more than 150,000 euros. This serves as evidence that the body is not sufficiently resourced. | Right to be informed on investigative actions. Law of Ukraine on “Personal Data Protection” Article 21. Notification of personal data processing
1) transfer of personal data upon request in the performance of tasks of operative-search or counter-intelligence activity fight against terrorism. Article 253 CPC. Notifying individuals subject to covert investigative (detective) actions
Access, rectification, or erasure of data collected for the purposes of surveillance. An affected individual can obtain such rectification through court review, as well as by contacting a public prosecutor or Ombudsman. In this case, general rules on data protection apply (Art. 8 of the Law of Ukraine “On personal data protection”). Who should the individual address? Depending on the area of competence and stage of the action, individuals may address the prosecutor, public investigator, or investigative judge. If data subjects do not receive access to the data relating to them, they may file a complaint with the Ombudsman and with a court (Art. 15, 22, 23 of the Law of Ukraine “On personal data protection”).
Summary:
| Overall, the guarantees A-D are only to a limited extent de jure present in Ukrainian laws. De facto, guarantees provided by law are often violated or circumvented by authorities as the rules are not sufficiently clear and some provisions may be governed by internal documents or acts. For example, the Ukrainian data protection supervisory authority recently found violations of the data protection law by the cyber police department of the National Police of Ukraine (accessible at https://ombudsman.gov.ua/ua/all-news/pr/zaxistu-personalnix-danix-departamentom-k%D1%96berpol%D1%96cz%D1%96%D1%97-nacz%D1%96onalno%D1%97-pol%D1%96cz%D1%96%D1%97-ukra%D1%97ni/). | |||||||||||||||||||||||||||||||||||||||
Uganda | Africa | UG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | N/A Please see the country report for Uganda as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
United States of America (USA) | North America | US | ❌ The Privacy Shield framework has been invalidated by the CJEU, see here (See also DoC List) | ❌ | ❌ Organisations adhering to the US-Swiss Privacy Shield on the US DoC list guarantee individuals in Switzerland special protective rights. However, they do not meet the requirements of an adequate level of protection within the meaning of the Swiss Federal Data Protection Act. (See also: List of Countries, Swiss DPA Policy Paper, DoC List) | ❌ | ❌ | ✔️ Limited to the "Privacy Shield" Framework. Unclear if this continues to apply after its invalidation by the CJEU in Schrems II. | ✔️ | N/A Please note that the German DPAs published an expert opinion on US surveillance laws drafted by Stephen Vladeck, who discusses surveillance powers of US intelligence agencies, including under FISA 702, Executive Order 12.333 and CLOUD Act. See also, among many other resources related, inter alia, to the Schrems II case before the CJEU, epic.org's information on the Foreign Intelligence Surveillance Court (FISC). | |||||||||||||||||||||||||||||||||||||||||||
Uruguay | UY | ✔️ See here | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | Resolución N° 41/021: Contenido mínimo de Cláusulas Contractuales para transferencias internacionales a países no adecuados. The Red Iberoamericana de Protección de Datos (RIPD) has developed guidance (as of Sep 2022) on the use of model contractual clauses as an alternative for international transfers of personal data (see also prior draft model international transfer agreement for controller-to-processor and controller-to-controller transfers as of 2021). | R (Accession), E: 01/08/2013 | S | Martín Pesce Cutri | ||||||||||||||||||||||||||||||||||||||||||
Uzbekistan | UZ | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Vatican City | VA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ||||||||||||||||||||||||||||||||||||||||||||||
Saint Vincent and the Grenadines | North America | VC | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Venezuela | South America | VE | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Vrikson Iván Acosta Velásquez I am a systemic thinker, oriented to creating, and also managing solutions, with J.D., SysEng and a M.B.A. degrees, and a Ph.D. (cand), with many years of experience on internet related topics, such as digital rights, internet governance, literacy, inclusion, and policy making, among other areas. https://twitter.com/Vrikson_Acosta | The law about the protection of the privacy of the communications is vague and not updated to the current Constitution, which might be unconstitutionally changed by the regime controlling the country, and that have to be changed once freedom is restored. | The law has a vague limitation to what is strictly necessary, and does not provide any exception for persons under an obligation of professional secrecy. | There is no independent oversight mechanism for judges are not independent and there is no sufficient impartiality and independence in the surveillance process. | There is no law regarding habeas data, although there is a limited, incomplete, vague, procedure create via “normative jurisdiction”, enable non pertinent courts to deal with data protection issues, for which neither judges nor the judiciary system has capabilities for these issues, especially regarding with technology. | Updates to follow as soon as there is any meaningful change. | |||||||||||||||||||||||||||||||||||||||
British Virgin Islands | North America | VG | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
U.S. Virgin Islands | North America | VI | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Vietnam | Asia | VN | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | ASEAN Model Contractual Clauses for Cross Border Data Flows (2021) Implementing Guidelines for ASEAN Data Management Framework and Cross Border Data Flows (2021) | ✔️ | ✔️ | ||||||||||||||||||||||||||||||||||||||||||
Vanuatu | Oceania/Australia | VU | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Wallis and Futuna (French Overseas Collectivity) | Oceania/Australia | WF | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||||
Samoa | Oceania/Australia | WS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Kosovo | Europe | XK | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Yemen | Asia | YE | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Mayotte (French Overseas Department and Region) | Africa | YT | (EU member state) | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
South Africa | Africa | ZA | ❌ Potential future candidate (p. 52) for adequacy? | ❌ | ❌ | ❌ | ✔️ See here or here | ❌ | N/A Please see the country report for South Africa as part of the study "State of Privacy" conducted by Privacy International. | ||||||||||||||||||||||||||||||||||||||||||||
Zambia | Africa | ZM | ❌ | ❌ | ❌ | ❌ | ✔️ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Zimbabwe | Africa | ZW | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Nompilo Simanje | ||||||||||||||||||||||||||||||||||||||||||||
North Macedonia | Europe | MK | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | S, R, E: 01/07/2006 | S | Dimitar Gjeorgjievski | ||||||||||||||||||||||||||||||||||||||||||
Cabo Verde (Cape Verde) | Africa | CV | ❌ | ❌ | ❌ | ❌ | ✔️ | ✔️ | R (Accession), E: 01/10/2018 | Djamilson Pinto | |||||||||||||||||||||||||||||||||||||||||||
Holy See | Europe | VA | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
South Sudan | Africa | SS | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | |||||||||||||||||||||||||||||||||||||||||||||
Saint Martin (French Overseas Collectivity) | North America | MF | (EU member state) | ✔️ | ✔️ | ✔️ | |||||||||||||||||||||||||||||||||||||||||||||||
Saint Barthélemy (St. Barts, French Overseas Collectivity) | North America | BL | ❌ |