MENU
Documenting
war crimes in Ukraine

The Tribunal for Putin (T4P) global initiative was set up in response to the all-out war launched by Russia against Ukraine in February 2022.

Human rights in Ukraine – 2004. VI. RIGHT TO PRIVACY

13.10.2006   

1. Defining Privacy. Privacy in International Law[1]

The right to privacy has been recognized as one of the fundamental human rights in the UN Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional treaties. Privacy is a concept which underpins human dignity and other key values such as freedom of association and freedom of speech. It has become one of the most important human rights issues of the modern age.

Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Privacy has its roots deep in history. The Bible has numerous references to privacy. There was also substantive protection of privacy in the early Jewish culture, Ancient Greece and China. This protection mostly focused on the right to solitude. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been merged with Data Protection, which interprets privacy in terms of management of personal data. Outside this context, protection of privacy is frequently seen as a way of drawing the line at how far society can intrude into a person’s private affairs. In the 1890s, the future U. S. Supreme Court Justice Louis Brandeis articulated the concept of privacy as an individual’s «right to be left alone». The Preamble to the Australian Privacy Charter states that, «a free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy…» Alan Westin, author of the work «Privacy and Freedom» (1967), defined privacy as the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitudes and their actions. According to Ruth Gavison, there are three elements in privacy: secrecy, anonymity, and solitude. It is a state which can be lost, whether through the choice of the person themselves or through the actions of another person. The Calcutt Committee in the UK said that, «nowhere have we found a wholly satisfactory statutory definition of privacy». But the committee was satisfied that it would be possible to draw a legal definition and adopted this definition in its first report on privacy issues: «The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information».

From a modern point of view, privacy can be divided into the following facets:

Information Privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information and medical records;

Bodily Privacy, which concerns the protection of people’s physical bodies against invasive procedures such as drug testing and cavity examination;

Communications Privacy, which covers the security and privacy of mail, telephone conversations, e-mail and other forms of communication;

Territorial Privacy, which concerns the setting of limits on intrusion into domestic and other environments such as the workplace or public space.

The modern privacy benchmark can be found in the 1948 Universal Declaration of Human Rights, which specifically protects territorial and communications privacy. Article 12 of the Declaration states: «No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks». Numerous international human rights treaties guarantee the protection of the right to privacy. The International Covenant on Civil and Political Rights, the UN Convention on Migrant Workers, the UN Convention on the Rights of the Child all share the same principles. At the regional level, the right to privacy finds even more protection. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms provides the following protection for the right to privacy:

«1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others».

The European Court of Human Rights has not yet come up with any precise definition of «private» life. The Court quite deliberately steers away from any such attempts and prefers (as a rule) to focus on a specific issue. The number of cases related to the right to privacy, as it is often called, is relatively small. Besides, this concept merges with other concepts, which are also covered by Article 8 of the Convention, namely family life, home and correspondence. In a number of cases, this merging of concepts was demonstrated by the general approach the Court applied to violations of the provisions of Articles 8, without specifying the exact aspect of the violation. For example, in the case of Klass, the accusation regarding surveillance of communications (mail and telephone calls) was recognized by the Court as potential interference in the applicant’s family and private life, correspondence and home[2].

From the study of court precedents, it can be seen that the concept of privacy lies solely in the sphere of immediate personal autonomy. It covers aspects of physical and moral integrity. The concept extends beyond the narrow limits of guarantees of personal life free from unwanted publicity. It creates a field within which everyone can pursue his or her own personal development. It includes the right to self-identification, as well as the right and/or the possibility to develop interpersonal relations with other persons, including emotional and sexual relations.

Based on this concept, the Court ruled that the right to respect for privacy refers both to the physical and psychological integrity of the individual. The primary aim of the guarantees of Article 8 of the Convention is to ensure personal development of the individual without any interference from outside. The sex life of any individual undoubtedly belongs to the domain of privacy. Provisions of Article 8 also embrace the right to a first and last name, because the first and the last names serve as means of identification within a family and society.

Safeguard of personal data related to one’s private life is covered by Article 8. The same goes for the protection of medical records.

This approach of the Court suggests to the reader that privacy is not a clearly circumscribed and protected circle, but rather a vast area with fuzzy boundaries. These boundaries become even more nebulous as a person’s private life converges with their social activities. Strasbourg legal institutions from their very first rulings have emphasized that there must be certain limits with respect to private life. The State by many of its actions, directly or indirectly, affects the individual’s opportunities for self-fulfilment, but not all of them can be viewed as interference with a person’s private life within the meaning of Article 8. For example, the court decision of 1972 reflected the opinion that claims for respect to private life are automatically reduced as the person becomes more and more involved in public activities or infringes on third parties’ interests. Among the cases considered, there was a decision, which held that taking photographs of people participating in a public event did not interfere with those people’s right to privacy and which also referred to statements made during public hearings. It is possible to assert that privacy ends where social activities begin. In the case of Friedl, such approach was considered to be quite appropriate. It concerned the applicability of Article 8. Police had taken pictures of the applicant during a public event and kept them in police files. It was ruled that the photographing did not constitute invasion into the applicant’s private life as it had taken place during a public event. However, the decision stated that the questioning of the applicant that followed the incident and recording of the questioning had been an intrusion into the applicant’s private life, because these events referred more to the applicant’s personal affairs.[3]

Even though photo surveillance on people’s actions in public places without recording does not in itself constitute intrusion into their private lives, regular or continuous data recording can imply such intrusion. The Court confirmed this position in the recent case of Peck. The opinion was developed in the Court’s decision on another case, Perry v. the UK. The Court held that usual video surveillance in public places, in streets or in buildings, such as supermarkets or police stations where they serve lawful and foreseeable purposes, is not in itself a violation of Article 8. However, in the case of Perry, the police had changed the angle of the video camera in such a way as to get a clear image of the applicant. Later they edited the videotape and showed it to witnesses so that they could recognize the man in the course of criminal court proceedings. The decision was held that Article 8 was applicable to this case.

Therefore, the right to privacy should be viewed together with the rights of other individuals and of society. The Court interpreted Article 8 in such a way as to impose both a ban on unwarranted interference and a positive obligation to provide protection from interference of other individuals.

2. Overview of Protection of Privacy in Ukraine

At the state level, almost all the countries of the world recognize the right to privacy, which is directly enshrined in their constitutions. Ukraine is no exception. Article 30 of the Constitution of Ukraine protects territorial privacy («everyone is guaranteed the inviolability of his or her dwelling place»), Article 31 covers privacy of communications («everyone is guaranteed privacy of mail, telephone conversations, telegraph and other correspondence»), Article 32 refers to information privacy («no one shall be subject to interference in his or her personal and family life, except in cases envisaged by the Constitution of Ukraine», «the collection, retention, use and dissemination of confidential information about a person without his or her consent shall not be permitted»), and Article 28 guarantees protection of certain aspects of bodily privacy («no person shall be subjected to medical, scientific or other experiments without his or her free consent»). But the other paragraphs of Articles 30, 31, 32 of the Constitution, which provide an exhaustive list of grounds for impinging on the right to privacy and conditions for such impingement, have no sufficient affirmation in laws and by-laws. A rather obscure formulation or absence of any regulation whatsoever as to what interference can be permitted into an individual’s privacy, or as to the limits and methods of such interference are perhaps the least addressed problems in the legislative regulation of privacy protection, which lead to numerous infringements of the right to privacy in practice.

In our opinion, the worst infringements occur in the field of communications privacy. Current legislation does not stipulate either any clear grounds for interception of information from communication channels (phone tapping, mobile tapping, Internet tapping or e-mail tracking), or the specific period when such information is intercepted, or the circumstances in which the information should be destroyed and how it can be used. There are clearly not enough guarantees of the lawfulness of interception of information from communication channels. Consequently, no one can control the number of permits and the necessity for listening-in, and the individuals, in relation to whom such measures have been applied, are not aware of this fact and can, therefore, neither challenge such actions in court nor otherwise defend their right to privacy[4].

Wiretapping is carried out by court order, but in practice, the court considers such applications from law enforcement authorities automatically, granting permission in almost every case, without establishing the final date for the permitted wiretapping. As a rule, official statistics on wiretapping (for example, the number of permits issued by courts) cannot be obtained from State bodies, which rank such statistical information as classified. Nevertheless, information sometimes becomes publicly available. Thus, in 2002, the appeal courts granted more than 40 thousand permits for interception of information from communication channels, and in 2003 in one tiny region of Ukraine alone – Chernivtsi Region – 823 such permits were issued. The Law «On Investigative Operations» allows the use of investigative operations infringing the right to privacy only in cases of serious and particularly serious crimes. However at the stage of carrying out investigative operations, it is rather difficult to qualify a crime, and, comparing the above figures related to the number of permits with the number of serious and particularly serious crimes actually committed, it can be concluded that such investigative operations are used much more often. In the annex to this section, a list of the most famous reports of unauthorized tapping for the last year which became publicly known is given.

Seizure of correspondence and interception of information from communication channels as laid down in Criminal Procedure legislation also fail to meet international standards. Paragraph 3 of Article 187 of the Criminal Procedure Code of Ukraine allows such investigative measures to be taken before a criminal investigation is formally initiated with the aim of preventing a crime. At the same time, there are no limitations on the categories of crime, even though, according to the Law on Investigative Operations, such measures can only be taken in connection with serious or particularly serious crimes.

Nor does the procedure for carrying out a search comply with European standards. For example, a search of all premises, except for search of a dwelling place or other possessions of a person, is carried out on the basis of an order issued by the investigator with the sanction of the prosecutor, which means that such actions are outside the court’s control. Admittedly, even the court supervision of search procedures is more a formality, than actual, since courts virtually never refuse to authorize a search. The time limits and relevant search procedures are also often neglected.

Another problem is the absence of a legislative ban on monitoring the correspondence of prisoners or detainees, which is addressed to the European Court of Human Rights. The Ministry of Justice of Ukraine has prepared a relevant draft law on introducing amendments to the legislation. The draft law prepared by the Ministry of Justice proposes to introduce changes to the Criminal Procedure Code and the Law of Ukraine «On Pre-trial Detention», which will secure a legislative ban on checking correspondence sent from detention institutions to the European Court of Human Rights. However, Parliament has yet to pass this law.

The European Court of Human Rights has accepted 6 Ukrainian cases related to violation of the right to privacy with respect to correspondence of prisoners, their right to receive postal parcels and packages, restrictions on the number of meetings with relatives, and the conditions created for such meetings. In the cases Poltoratskyi vs. Ukraine, Kuznetsov vs. Ukraine, Aliyev vs. Ukraine, Nazarenko vs. Ukraine, Dankevich vs. Ukraine, Khokhlych vs. Ukraine, the Court recognized that there had been a violation of Article 8 of the Convention on the above grounds.

Privacy of information is also breached. This privacy is under threat of being undermined by all draft laws on registration and identification of individuals, which do not take into consideration the need to protect information about the individual (there is no basic law on personal data protection; parliament approved a relevant draft law at the first reading, but it still needs some serious improvement). All draft laws are based on the use of a single multi-purpose identification number for each individual, the introduction of which will violate all recognized principles of personal data protection, since it will create the possibility of uniting different registers, that is, data bases, which contain various kinds of personal data, without the consent of the person concerned.

With respect to adoption procedures, Ukrainian legislation does not take into account the interests of the adopted child. Adoption secrecy is guaranteed by means of providing the adoptive parents with the option of registering themselves as the child’s natural parents (Article 229 of the Matrimonial Code), changing the recorded birthplace within 6 months and changing the date of birth (Article 230 of the Matrimonial Code), and disclosure of adoption information is subject to criminal prosecution (Article 168 of the Criminal Code of Ukraine). However the right of the adopted child to know his or her natural parents (Article 7 of the UN Convention on the Rights of the Child) and the right to preserve his or her identity (Article 8 of the UN Convention on the Rights of the Child) seem to have been completely forgotten. The law contains provisions on keeping the adoption information secret even from the adopted child (Paragraph 2 of Article 226 of the Family Code).[5]

Another problematical issue remains that of forced medical examinations, as well as the intrusion by law enforcement agencies into the family life of individuals with non-traditional sexual orientation. For example, law enforcement officers are still obliged to provide the State Committee of Statistics with information on homosexuals they have identified and to keep their records as people belonging to an AIDS high risk group[6]. The general legislative approach to this issue remains outdated and ranks homosexuality together with prostitution, drug addiction and alcoholism.

Some of these issues are considered in more detail below.

3. Protection of Personal data

3.1. Principles of Personal data Protection

In Ukraine there is no proper legislative framework regulating personal data protection, which could define the grounds and procedure for gathering such information, its processing, protection and use. Accordingly, there is no relevant state authority maintaining independent control over collection, retention and use of personal data by state authorities.

Based on our analysis of international and Ukrainian experience, we can suggest certain criteria for defining whether personal data protection is carried out by proper means and whether it ensures observance of human rights, and then assess whether the present situation in Ukraine is in keeping with such criteria:

1) Personal data should be obtained in a lawful way: there should be clearly defined procedure for obtaining such information and liability for obtaining it by illegal methods. The laws of Ukraine do not define clearly legal ways of gathering information about an individual and do not envisage criminal liability for using illegal methods of personal data collection.

2) The knowledge and consent of the individual are required for the collection of personal data: administrative practice and the law authorize state authorities to collect personal data in the interests of national, economic and public safety or with the purpose of protecting the rights of an individual without his or her knowledge.

3) Personal data should be used solely for the purposes initially intended when collecting such information. The same applies to the ban on bringing all collected personal data for various purposes under one particular code (the identification code), which would pose a direct threat to human rights and fundamental freedoms. The above notwithstanding, this very concept is now being implemented by State authorities, who take advantage of the sad lack of a legislative framework that would guarantee protection of personal data. The State authorities’ concept is aimed at uniting all information about a person (medical records, permanent address, personal data, criminal and administrative records, tax history, credit history, retirement account, bank accounts, biometrics data and a lot of other information) into a uniform automated system under a particular code for every individual. A significant amount of personal data is intended to be incorporated into the electronic passport of every person. Such a concept is explained, inter alia, by supposedly new EU requirements for passports of aliens crossing its borders. It should be stressed that the accumulation of all collected personal data under one code runs counter to the practice of most democratic countries.

4) Only the minimum amount of personal data necessary to achieve the intended purpose should be collected. The laws of Ukraine do not prescribe the exact amount of collectable personal data. This is one of the reasons why the practice has become so widespread of gathering personal data which in no way serves the stated aim for collecting the information. Such practice is particularly used by State executive authorities, local authorities, and business corporations.

5) Personal data should be recorded accurately and made available to the person concerned (the bearer of such personal data). General administrative practice shows that individuals do not have access to the personal data on them which is held by a State authority. In most cases, the person is not even aware that his or her personal data is held by a particular State authority, because the latter is under no obligation to inform him or her of this.

6) Personal data should be destroyed after the intended purpose of its collection is achieved and such information is no longer needed. The law prescribes neither specific grounds and procedures for destruction of personal data, nor the procedure for its use after the intended purpose of its collection is achieved (for example, material from an investigative operation file relating to the person concerned).

Therefore, the laws of Ukraine provide no clear statutory framework that would fulfil any of the above mentioned criteria.

3.2. Analysis of the Draft Law «On Personal Data Protection»[7]

The Draft Law «On Personal Data Protection»[8] has thus far only been passed by parliament[9] in the first reading. Although this draft law still requires some additional thorough elaboration, we believe that it is necessary to facilitate the enactment of this important legal statutory act.

The foundation of this draft law lies in the concept of the individual’s right of ownership to his personal data. It is hardly possible to cover relations related to personal data through the concept of the right of ownership only. The right to personal data should be catalogued among individual non-property rights (regulation of individual non-property rights is prescribed by Book 2 of the Civil Code of Ukraine in the version of January 16, 2003). It is implicit, in particular, from the right to private life (privacy) guaranteed by Article 32 of the Constitution of Ukraine and Article 301 of the new Civil Code of Ukraine. The Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (1981) provides, first of all, for protection of the right to personal privacy. Personal data is not ranked as property and, usually, the legal transfer of personal data into use is carried out on a free-of-charge basis. The right to personal data is also not viewed as part of intellectual property rights. Furthermore, the emergence of the issue of the right to personal data is not based on any of the grounds, which give rise to the right of ownership to information under Paragraph 3 of Article 38 of the Law on Information. At the same time, personal data, as a kind of information, is certainly covered by provisions of the Law on Protection of information stored in automated systems. In its turn, the creation of personal information databases leads to the emergence of the issue of intellectual property rights in respect of such information (Item 3 of Paragraph 1 of Article 433 of the Civil Code of Ukraine). Therefore, this draft law should reflect the specific nature of the right to personal data.

However, enactment of the draft law, which interprets the right to personal data as the right of ownership to personal data, is likely to bring the Law on Personal Data Protection into collision with the Constitution of Ukraine, the Civil Code, and other statutory acts in terms of the definition of the status of personal data.

When defining the circle of people, it should be clearly specified to whom this law applies, without effectively creating an indefinite circle of people by adding the word ‘ etc’. (Article 1).

The provisions of Article 4 of the Draft Law stipulating that personal data about an individual, who is seeking or who holds an elective office (in representative bodies) or a high-ranking state office, shall not be treated as restricted information, are to be welcomed. However, in our opinion, it can hardly be expedient to restrict the list of such persons to candidates to elective offices and high-ranking state officials only. As we can see from the practice of the European Court of Human Rights, confidentiality of personal data can be restricted if an individual enters the public arena and becomes a public figure. This concept is embodied in Paragraph 9 of Article 30 of the Law of Ukraine «On Information», which allows dissemination of information of public significance without the consent of the person concerned.

There is a discrepancy between the provisions of the Draft Law (Article 5), which envisage the possibility of processing personal data without the individual’s consent, except as otherwise prescribed by this Law, and only in the interests of national, economic or public safety or for the purposes of protecting human rights, and the provisions of the Constitution, Paragraph 2 of Article 32 of which provides that «the collection, retention, use and dissemination of confidential information about a person without his or her consent shall not be permitted, except in cases determined by law, and only in the interests of national security, economic welfare and human rights».

Article 23 of the draft law prescribes that individuals should report any changes, amendments or destruction of their personal data, as well as any restrictions on access to such information, to State and local authorities, organizations, institutions and companies of all forms of ownership, to which such information should be submitted when it is required for protection of the interests of the person concerned. However, the objects (the bearers) of personal data receive no notice about changes, amendments or destruction of their personal data, which obviously infringes their right to personal data protection.

The draft law provides for the establishment of the institution of Commissioner on Personal data Protection and the creation of a Specially Designated Central Executive Authority on Personal data Protection. However, it seems redundant to have both the institution of Commissioner on Personal data Protection (Article 25) and Specially Designated Central Executive Authority on Personal Data Protection (Article 26) especially when their powers partially overlap.

It would seem expedient to create the institution of Commissioner on Personal Data Protection and Information Issues, who would exercise supervision over issues concerning not only personal data protection, but also the right to information. In our opinion, such a Commissioner should be appointed by the Verkhovna Rada. This institution could also be established as a separate subdivision of the office of the Human Rights Ombudsperson of the Verkhovna Rada of Ukraine. It is important to set out specific criteria for qualifying candidates to this office, such as educational qualifications, no criminal record, considerable professional experience or significant scientific achievements, public recognition, etc. The Commissioner on Personal Data Protection and Information Issues could also be given the authority to appoint regional representatives and determine the conditions for the functioning of these representative offices.

Although the draft law envisages the possibility of providing State authorities with statistical, sociological and scientific research reports, subject to the right of ownership to personal data and on condition that such records shall bear no direct reference to specific individuals (Article 29), it does not provide for the possibility of submitting such de-personalized personal data to scientific research institutions.

It is also important to allow for the transfer of personal data to archive institutions on condition that they ensure a proper level of protection of such personal data.

It seems that the draft law was initially intended to protect automated processing of personal data. There is no systematic attempt to regulate a filing system. For example, Article 12 «Collection of Personal Data» does not provide for the collection of data in organized file, etc. In our opinion, at the first stage, protection should be secured only for that personal data, which is subject to automatic processing (that is, the provisions of the law should not apply to manual files). Also, at this stage there is no need to apply this law to separate individuals, engaged in private practice. In future, it will be possible to extend the application of this law both to manual files and to such individuals.

Separate laws will need to be developed to regulate such categories of personal data as medical records, archive data, and personal data related to the sphere of telecommunications.

We would like to emphasize that the draft law does not consider such important problems as:

– a ban on merging personal data databases processed for different purposes;

– a ban on introducing a universal personalized multi-purpose identification code;

– regulation of procedures for destroying personal data;

– division of personal data into:

1) general personal details: name, surname, patronymic[10], date and place of birth, address;

2) special (sensitive) personal details: ethnic (racial) origin, political views and / or party membership, religious or other convictions, medical condition, sexual life, criminal record.

Such a division would make it possible to establish different procedure for using and disseminating personal details – more open for the first category, and with more restrictions for the second.

It should be noted that the enactment of this law will necessitate amendments to part 2 of Article 23 of the Law «On Information», in order to reconcile provisions of these two laws. The said article provides that, «General personal data includes information on a person’s nationality, education, marital status, religion, medical condition, as well as address, data and place of birth». It is obvious that sensitive information, such as religion and medical condition, should be excluded from the category of general personal data.

3.3. Information Privacy and Individual Registration

Of great concern are the efforts of the State authorities to introduce a Single unified register of all individuals, which would merge information from all existing registers.

A Draft Law on the registration of individuals in Ukraine (Draft Law No. 4002 dated May 12, 2004, submitted by State Deputies L. Kyrychenko, M. Onyshchuk and V. Sirenko) was rejected by the Verkhovna Rada on 16 November 2004. The Draft Law, like many others, had once again tried to legalize the creation of such a single register of individuals. Moreover, this Draft had been supported by the Parliamentary Committee on Legal Policy, which showed their total ignorance of the issues involving personal data protection. Another Parliamentary Committee, that on issues of European integration, had already in April recommended that Parliament reject the Draft Law on the registration of individuals in Ukraine as not being in compliance with European Union Provisions or Ukraine’s obligations before the Council of Europe (CE) and as being in contravention of the Constitution of Ukraine.

However, the State authorities are not frightened by the lack of a legislative basis. In a Decree from 30 April 2004, No. 500 «On the Creation of a Single State Register of Individuals», the President of Ukraine daringly took it upon himself to assume the functions of legislative power, thus simultaneously violating several articles of the Constitution of Ukraine. According to the Decree, the creation and maintenance of this single register shall be entrusted to the Ministry of Internal Affairs on the basis of a Single State Automated Passport System (hereafter – SSAPS), although it was left undecided which State body would answer for the single register. At that time, Parliament was considering several Draft Laws on the registration of individuals, which suggested various state authorities for running the Single Register (the Ministry of Internal Affairs, the Ministry of Justice, a separate specially empowered authority). Parliament, in its turn, on 8 September supported a query with regard to this Decree from State Deputy, O. Zarubinsky and later rejected Draft Law No. 4002.

In analyzing the Decree of the President, we are forced to the conclusion that this Register is being actively created without any legal basis. The question arises: using which rules and standards?

The President was not stopped by this setback, and on 9 December, he adopted an Addendum to his April document, where together with the enforcement of the system, it is necessary to introduce identification documents – carriers of personal data (driving license, military service record card, pension certificate, gun license and other identification documents.)

It is worth mentioning that the Concept for the creation of SSAPS was approved by the Prime Minister Pavlo Lazarenko in January 1997 (Resolution No.40 of the Cabinet of Ministers of Ukraine dated January 20, 1997.) According to this Concept, the tax identification number was to be used as a person’s single multipurpose code in all documents, from Birth Certificate and Passport to Driving License. SSAPS was commissioned by the Ministry of Interior Affairs and the Coordination Commission, upon its creation, was to include representatives of all Enforcement and Military Departments. Thus, the issue was of having the possibility to merge all registers into one single data bank, from which it would be possible to obtain all personal data by using the single multipurpose code. This constitutes a gross violation of the right to privacy. It is worth noting that in the majority of countries of the world, governments have tried to impose a single multipurpose identification code, but almost everywhere these attempts have encountered protests from society that prevented those attempts from being put into practice[11].. We provide an extract from the verdict of the Constitutional Court of Hungary in this regard[12]

«A universal, single personal identification code, the usage of which is unlimited (that is to say personal identification codes are assigned to all citizens and residents of the country according to a single principle) is considered to be non-constitutional.

The rationale behind a single personal identification code is to provide simple and reliable identification of information about individuals and also its collection with the help of a short and technically easy to operate code that is not subject to change and exchange with other persons. Thus, a personal code is irrevocably accompanied by a consolidated information saving system. Its introduction in Hungary and in other countries constituted part of a plan to create comprehensive data bases, with a centralized monitoring system. Moreover, a uniform personal code is the most appropriate for compiling, in the case of necessity, personal data from different registers. With its introduction, information becomes easy to access and can be compared if discrepancies arise.

Such technical advantages increase the effectiveness of information processing systems that use personal codes, and also improve the effectiveness of the corresponding administrative and technical operations. Similarly, this system saves time and expense for people who need to provide information, since it eliminates the need for constant updating of submitted information.

However these advantages are linked with a serious threat to the rights of the individual, especially to the right to information self-determination. Of particular danger to the rights of the individual is the personal identification code. If information is received from various data bases, without ‘bothering’ the interested party, bypassing him or her entirely, than that person is effectively excluded from the information flow and either limited or entirely deprived of the possibility of following where and how information directly about him or her is used. This method contravenes the fundamental principle of protection of information, according to which information should be received from the interested party and with the latter’s knowledge. The widespread use of a personal identification code leads to a narrowing of the sphere of private life, since information from even the most distant information retention systems, created for different purposes, can be used to create «a personal portrait», which is an artificial image which is applied to any randomly-chosen activities of the individual and invades his or her most private matters; such a portrait, given that it is compiled from data, taken out of context, provides, as a rule, a distorted image. Despite this, the individual who is processing the information will take decisions on the basis of this image, will use the given image to create and pass on information relating to the particular person. A large amount of such inter-dependent information, about which the interested party in the majority of cases has no idea, leaves the individual totally defenceless and creates unequal conditions in any forms of communication. If one side does not know what kind of information the other side has about him or her, this can create a humiliating situation and impede free decision-taking. The use of a personal identification code leads to an excessive increase in the power of State bodies. If a personal identification code can be used in other fields, as well as those linked with State administration, this not only gives the person processing the information power over the interested party, but also leads to an increase in power of the entire State, since, thanks to the use of this information, it moves beyond the reach of any possible control. All of this, when considered together, seriously jeopardizes freedom of self-identification and human dignity. Unlimited and uncontrolled application of a personal identification code can turn into tools of totalitarian control.

The logic behind introducing a personal identification code runs counter to basic elements of the right to protection of information, to principles of distribution of information systems, strict conformity to the objective as defined by legislation and, finally, the basic principle, according to which information must be received from interested parties with their knowledge and consent. If one is consistent in adhering to these principles of information protection, then a personal identification code loses any sense, given that its intrinsic ‘benefits’ can find no application.

A personal identification code is the most technically convenient tool for reliably merging information about an individual, as it makes it possible to use modern possibilities for processing information. It is clear that information about an individual can be linked to a surname or, where needed, to additional identifying elements, such as mother’s maiden name or home address. Considering the capacity of modern computers, the level of accuracy of information about an individual does not present serious problems. However «basic» information can change (for example, one’s surname can change on getting married, or can be changed by deed poll), and it is entirely possible that the following information will generate demands for additional identification; furthermore, in the case of information which tends to change (one’s home address, for example), constant updating and monitoring are needed. The associated technical difficulties and expenses can be a significant consideration when making a comparative analysis of profits and losses from information processing, which creates a kind of natural obstacle to the unjustified accumulation of information which might, otherwise, be encouraged by easily accessible personal identification codes. The limitations which arise from the right to information self-identification are applied, obviously, to all systems for collecting and processing information. Thanks to the technical sophistication of such systems, additional guarantees will be needed with personal identification codes to counter the mounting lack of security. If information about a person is renewed by a centralised system of information retention which is accessible using a personal identification code, then the information processing body responsible for the functioning of a similar system, for example, a register of inhabitants, holds a key position which requires, accordingly, especially accurate regulation of his or her activity on the basis of legal guarantees.

Thus, by its very nature, a personal identification code presents a particularly serious threat to the rights of each individual. Given the primary duty of the State to defend fundamental rights (Article 8 of the Constitution), it follows that this threat must be kept to a minimum, meaning that the use of a personal identification code must be limited by appropriate rules of security. This can be done in two ways: either the use of a personal identification code must be limited by clearly defined activities in information processing, or the access to the information which is linked with the personal identification code, and to the merged system for information retention which use the personal identification code, must be subject to strict restrictions and to control procedures»

Therefore, if this issue is not reconsidered, then fairly soon, wherever you may be, whatever you have done, the «centre» will know, as they will know about each of us by simply clicking a key on a computer keyboard.

4. Monitoring of Telecommunications

In Ukraine a system for monitoring messages and activities of individuals on the Internet, including messages sent by electronic mail, is being actively introduced, taking advantage of the lack of any legal norms regulating the establishment of such a system, its application, protection and use of information obtained, as well as of independent control bodies.

The existence of such a system was first officially acknowledged in a somewhat indirect fashion. Back in 2001, on the website of the Security Service of Ukraine (SSU), a text appeared, entitled: «On monitoring the Internet network»[13], where SSU acknowledged that they were carrying out monitoring of information which is transmitted or received using systems and methods of communication. Monitoring was defined as a procedure «which is carried out by authorized State bodies for the purpose of uncovering on lawful grounds information in the telecommunications space of our country, the contents of which could pose a direct or indirect threat to the political, economic, military or other security of the State». It is not, of course, clear what exactly is considered the telecommunications space of our country, since the Internet has no borders. Although the information sheet claims that monitoring is carried out «in strict compliance with the law», another excerpt from the same text refutes this: «Fundamentally new possibilities for forming an integrated telecommunications network on a global scale make it objectively impossible to apply national laws which are based on geographic borders and traditional conceptions of State sovereignty».

Order No. 122 of the State Communications Committee of Ukraine «On approving procedure for compiling and maintaining a list of enterprises (operators) providing access services to global networks of information transfer to State executive bodies, other State authorities, enterprises, institutions and organizations that obtain, process, disseminate and store information which is the property of the State and is protected in accordance with legislation» dated June 17, 2002 stipulated that only those Internet Providers that have installed a state monitoring system and have been issued an appropriate Certificate would have the exclusive right to provide their services to the State authorities (paragraph 5 of point 3.1 and paragraph 5 of point 4.1.). At that time, nobody understood what kind of system it was and why all of a sudden the providers were obliged to install it at their own expense (the approximate cost being 30-40 thousand US dollars). There were no legal grounds for taking such a decision.

In June 2004, the Internet Association of Ukraine (InAU) and Ukrainian Internet Community (UIC) filed a claim to the Economic Court of the city of Kyiv demanding that the points of the Order mentioned above be declared void. For three months InAU provided the necessary explanations and evidence justifying their demand. The court several times postponed hearings on the case due to the involvement of a third party to the case (at first the SSU, then the Department of Special Telecommunication Systems and Information Protection of the SSU), through the reorganization of the State Communications Committee carried out by its president. On August 30, the case proceedings were suspended by court decree supposedly on the grounds that InAU could not represent the interests of all members although it is in fact an association of enterprise-providers. InAU submitted an appeal to the Court of Appeal, however the latter left the court decree unchanged. In the Court’s opinion, InAU is not entitled to represent the interests of its association members without additional authority, that is, without their power of attorney. The court did not agree that the Order of the State Communications Committee infringed the interests of all members of InAU since the association included providers that had installed the given system of monitoring.

Understanding, nonetheless, that monitoring would need to be legalized, SSU prepared a Draft Law «On monitoring telecommunications», which effectively confirms the functioning of the existing system and technical requirements to it. This Draft Law was submitted to the Parliament under No. 4042. This Draft Law can be briefly described in the following way

– it introduces a system for monitoring telecommunications (the Internet and electronic mail) at the expense of the Internet providers, which ends up being passed on to the users, that is, the system of surveillance over Internet users is introduced at the expense of these very users;

– it provides no procedure as to the procedure for using the information received, its retention and destruction, nor any clear grounds for carrying out surveillance over a person;

– it does not allow for any independent control over the usage of such a system, making it possible to create a global uncontrollable system of surveillance of people without their knowledge.

One should note that, as far as guarantees against abuse are concerned, № 4042 is even worse than the Law on Investigative operations. There is no independent supervision over adherence to the law at all. Article 10 orders that information intercepted by mistake be destroyed. There is no other information about the retention of intercepted information, only a directive, that procedure for retaining and using a protocol for monitoring is determined by the Cabinet of Ministers of Ukraine. Article 12 states that any information concerning the personal life, honour and dignity of an individual which has become known through monitoring should not be divulged. That is all that is said.

Disagreeing at a conceptual level with such obvious risk of violations of the right to privacy and to the property rights of providers, human rights groups, in particular, the Kharkiv Human Rights Protection Group, together with Internet providers, decided to draw up an alternative draft law which would take into account international standards on receiving, retaining and using personal data. A working group was created which prepared the Draft Law «On the interception of telecommunications»[14]. In contrast to Draft Law №4042, the draft law of the civic organisations included clearly outlined procedure for gaining a court order for the interception of messages, and for periodic court monitoring over enforcement of interceptions and the rules for retaining, using and destroying collected material. The procedure for extracting information from channels of communication is more transparent thanks to the introduction of a regulation making it obligatory to inform the person whose messages were intercepted, after the cessation of interception and to allow the person to see the information that was intercepted provided that this does not contain information which is secret as part of a criminal investigation. In order to keep the public informed about the scale of secret interceptions of information, a regulation was included requiring the publication of an annual report which would contain information about the number of interception warrants issued with an indication of the types of crimes, in connection with which the decision to carry out interception had been taken, the number of refusals to issue a court warrant and other information. An institution was introduced which would provide independent supervision as to the lawfulness of monitoring, and the question about the financing for producing and implementing a system of monitoring was resolved.

The first version of the alternative Draft Law was tabled on 26 March 2004. Further refinements were made to the draft with the participation of the public, and in particular, the Public Council under the Committee of the Verkhovna Rada on Freedom of Speech and Information. Comments from the Security Service of Ukraine and the Chief Scientific and Specialist Administration of the Verkhovna Rada of Ukraine were also taken into consideration. The Draft was sent for comments to State executive bodies, civic organizations and representatives of the business sector. As a result, the refined Draft was introduced to replace the previous proposal. The Draft Law has passed through hearings in four committees of the Verkhovna Rada of Ukraine, and all of them have recommended that it be passed.

5. Recommendations

1. To pass legislation on protection of personal data in accordance with Standards of the European Council and European Union (in particular, Directive No. 95/46 of the European Parliament and the Council «On the protection of the individual with regard to automated personal data processing and the unimpeded movement of this information», Directive No. 97/66 of the European Union on the processing of personal data and protection of privacy in the sphere of telecommunications, the Convention of Europol, Recommendation No R (99)5 with regard to protection of private life in the Internet, Recommendation No R (81)1 on automated medical data bases, Recommendation No R (83)10 on scientific research and statistics; Recommendation No R (85)20 on direct marketing; Recommendation No R (86)1 related to social security issues, Recommendation No R (87)15 regarding the police; Recommendation No R (89)2 on seeking employment, Recommendation No R (90)19 related to salary payments and associated operations provided by the Cabinet of Ministers of the European Council, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and others);

2. To sign and ratify international documents concerning the protection of personal data, in particular, the European Convention of 1981 on the protection of individuals in connection with automated processing of personal data, and the Supplementary Protocol to the Convention on the protection of individuals in connection with automated processing of personal data involving surveillance bodies and flows of information across borders;

3. To run training sessions for judges with regard to protection of privacy when considering cases on the protection of personal data, the issuing of search warrants, or warrants for wiretapping or other interception of information from channels of communication;

4. To introduce the practice of issuing a public annual report on the use of investigative operations which infringe upon the right to privacy (secret search, the interception of information from channels of communication), in which the number of court warrants issued for these measures, divided between the subdivisions who carry out investigative operations (the police, the tax police, SSU, etc), the effectiveness of the measures taken (the number of criminal investigations launched or submitted to court, etc) and other information.

5. To create a special State executive body to carry out independent supervision over adherence to law in the sphere of protection of personal data and access to information.

Information about interception operations
(Internet monitoring data for 2004)

Date of Interception

Objects of Interception

Source of information in the Internet

Consequences

March
2004

State Deputy David Zhvanya (bloc «Nasha Ukraina» (Our Ukraine), Russian politician Rybkin and Boris Berezovsky

http:// rupor. org/index. php? id=1092743112

Internet edition on human rights RUPOR.

The Security Service of Ukraine (SSU) was passed information saying that «Zhvanya is a criminal, because acting on a prior agreement with Boris Berezovsky he took part in the kidnapping (of Rybkin), and in the latter’s illegal detention …»

May 14,
2004

Serhy Nechyporenko, Prosecutor of Shevchenkivsky District of Kyiv

http://ua. proua. com/print. php? p=news/2004/05/26/134026. html

A bug was installed in the private office of Serhy Nechyporenko, the Prosecutor of Shevchenkivsky District of Kiev.

A criminal case was launched with regard to the interception. The Prosecutor’s office is investigating.

September
2004

Valeriy Probiy-Golova, authorized representative of Viktor Yushchenko for

territorial electoral district № 1, Head of his Crimea electoral headquarters

http:// khpg. org/index. php? id=1097697480

Bulletin of Kharkiv human rights group «Human Rights», No. 26, 2004

AR of Crimea: Telephones of V. Yuschenko’s supporters are tapped.

October 10,
2004

State Deputies, Parliament’s technical personnel, members of electoral headquarters and journalists

Internet publication «Telekrytyka» (Telecritics) and «Trybuna» (Tribune) – news report dated October 10.

A. Shkil, People’s Deputy of Ukraine, filed a request to G. Vasylyev, the General Prosecutor of Ukraine.

November 6,
2004

Father Vitaly Kosovsky (Ukrainian Orthodox Church of the Moscow Patriarchate) and Yuriy Levenets (member of V. Yanukovych’s electoral headquarters)

http://5tv. com. ua/pr_archiv/136/0/255/

Program «Zakryta Zona» [Closed Zone] on Channel 5.

Conversation about payment for priests’ campaigning activities.

November 9,
2004

Head of Department of Internal Control over Administrative Premises of the City Trade Complex «Kalynovsky Rynok» (Kalynovsky Market)

http:// gazeta. lviv. ua/articles/2004/11/12/36/

«Lvivska gazeta» (Lviv newspaper), November 12, 2004, № 208 (532)

A bugging device was detected in the private office of the Head of Department of Internal Control over Administrative Premises of the City Trade Complex «Kalynovsky rynok»

An act was directed to the Regional Prosecutor’s office and the regional department of the Security Service of Ukraine. At a press conference held at the Chernivtsy Regional Depart­ment of the Ministry of Internal Affairs of Mykola Kharabara, a Deputy Chief of this Department, stated that the detected device was «home-made, not professionally manufactu­red». He did not make public any detailed information about the bugging saying that it was not available.

October 20 – October 21,
2004

Viktor Medvedchuk, Serhiy Kluyev, Oleh Tsaryov and others from Viktor Yanukovych’s team

http:// zerkalo-nedeli. com/nn/show/526/48743/

«Dzerkalo Tyzhnya» No. 15 (526)

Phone conversations of Viktor Medvedchuk, Serhiy Kluyev, Oleh Tsaryov and other members of Viktor Yanukovych’s team during the second Presidential electoral campaign in Ukraine.

November 26, 2004

Heads of electoral headquarters of V. Yanukovych, Ukrainian Presidential Candidate

Interception records proving the falsification of elections were made public at the official press conference of the State Deputy O. Rybachuk.

December 23,
2004

Serhy Kluyev and an unidentified woman

http://5tv. com. ua/pr_archiv/136/0/265/

«Channel 5»

Serhy Kluyev has a conversation with an unidentified woman regarding the location of the opponent’s electoral headquarters and private office of Viktor Yushchenko.

January 2005

Administrative office of the company «Foxtrot» in Kyiv

http:// pravda. com. ua/archive/?5023-28-77

Ukrayinska Pravda»

A bugging device was detected in the administrative office of the company «Foxtrot» in Kyiv.

The Security Service of Ukraine (SSU) initiated a criminal investigation.

February 10, 2005

Citizens of Sumy

http:// rupor. org/index. php? id=1108047997

Internet edition on human rights RUPOR.

As reported by Yury Udartsov, the Regional Prosecutor, at the collegial panel convened on February 8, the staff of special police divisions are, without any grounds, carrying out investigative operation of «Protection» category based on the consent of Heads of interregional divisions of the Department for Fighting Organized Crime. This lets them carry out interception and surveillance operations.

February 17, 2005

Viktor Yuschenko and Yulya Tymoshenko

http:// cripo. com.ua/?sect_id=10&aid=3479

«Ukrayina Kryminalna» (Criminal Ukraine)

Security Service of Ukraine (SSU) have initiated a criminal investigation over wiretapping of Yuschenko and Tymoshenko last year.

The Security Service of Ukraine (SSU) has initiated a criminal investigation over wiretapping in 2004.



[1] For more detailed information, see: «Privacy and Human Rights». Privacy International Report – In «Freedom of Information and the Right to Privacy in Ukraine», Vol. 2. – Kharkiv: Folio, 2004, pp. 5-29; Dovydas Vitkauskas. The right to respect for privacy under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. /Freedom of Expression and Privacy, Issue # 1, 2004. – pp.15-29.

[2] ECHR, Klass and others v. Germany: Judgment 4 July 1978

[3] Friedl, (Peck, Perry)

[4] For more detailed information on privacy of communications, see article: Yevhen Zakharov. Criminal Investigation Activities and Communications Privacy. – In: Freedom of Information and the Right to Privacy in Ukraine, Vol.2. – Kharkiv: Folio, 2004. – pp. 45-60.

[5] Право на повагу до особистого та сімейного життя: цивільно-правові аспекти в законодавстві і судовій практиці України. Н.Петрова. Європейська Конвенція з прав людини: основні положення, практика застосування, український контекст / The right to respect for private and family life: civil and legal aspects in the laws and legal practice of Ukraine. N.Petrova. The European Convention on Human Rights: key provisions, application practice, the Ukrainian context / Edited by. O.L.Zhukovska. – Published by VIPOL CJSC, Кyiv, 2004. – p. 403.

[6] Report on results of the work of law enforcement authorities’ on fight against prostitution business, detection of AIDS risk groups and results of their AIDS testing, approved by Order No. 436 of the State Committee of Statistics of Ukraine dated December 10, 2002.

[7] This subsection was prepared by Ruslan Topolevsky, Kharkiv human rights group.

[8] The Draft Law No. 2618 of January 10, 2003 was proposed by State Deputies: M. Rodionov, S. Nikolayenko, I. Yukhnovsky, P. Tolochko, and K. Sytnyk. It passed through its first reading on May 15, 2003.

[9] Parliament or, using the Ukrainian term, Verkhovna Rada – these terms are used in the text interchangeably. State Deputies (to the Verkhovna Rada) are therefore Members of Parliament (translator’s note)

[10] A patronymic is one’s father’s name, used after one’s personal name: The use of name and patronymic is common in Russia and parts of Ukraine, in situations where Mr / Ms might be used in English. (translator’s note)

143 For more information see the section. «The Right to Privacy and Personal Identification» in the book «Freedom of Information and the Right to Privacy in Ukraine», v. 2. – Kharkiv: Folio, 2004. – p. 65-136.

144 Data protection: experience of Hungary. /Freedom of Speech and Privacy, No.3, 2003. – p. 28-33.

[13] www.sbu.gov.ua

[14] Draft Law № 4042-1 «On the interception and monitoring of telecommunications», introduced into parliament by State Deputy V, Lebedivsky

 Share this