The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data June 30. Lithuania was named among the EU outliers that failed to sort the national laws prior to the May 25 deadline.
The adopted law came into effect July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders until July 15.
The law, which consists of 35 articles, is fairly concise, and mostly aimed at particularizing the powers of the supervisory authorities. Among other notable provisions are the following:
Territorial scope. The law applies to controllers and processors established in Lithuania, as well as to controllers following the Lithuanian law by virtue of the public international law. With respect to the businesses offering goods or services or monitoring of behavior of data subjects in the EU, the law applies only to those controllers and processors that have designated a representative in Lithuania. This seems to imply that if, for example, an Asian business targets data subjects in Lithuania, but has designated a representative in Germany, or is exempt from designating a representative (Article 27(2) of the GDPR) or hasn’t designated a representative in breach of Article 27 of the GDPR, it will not be under an obligation to comply with the law.
National identification number. The law makes use of the margin of maneuver afforded to the member states under Article 87 of the GDPR, and maintains a previously established prohibition to process national identification number for direct marketing or to make the ID number public.
Personal data and freedom of expression. According to the law, Article 8(child’s consent), Articles 12-23 (rights of data subjects), 25 (data protection by design and by default), 30 (records of processing activities), 33-39(breach notifications, DPIA and DPO), 41-50 (monitoring of code of conduct, certification and international transfers), 88-91 (processing in the employment context, for the purposes of public interest, obligation of secrecy and data protection rules of churches) of the GDPR do not apply in their entirety when personal data is processed for journalistic purposes and the purposes of academic, artistic or literary expression.
Processing in the context of employment. The law provides for more specific rules with respect to processing of personal data in the employment context. These rules must be read together with the employer’s obligations under the new Labour Code. The law explicitly prohibits processing of prospective employees’ data about criminal convictions and offenses, unless such processing is necessary to determine the person’s suitability to fulfill requirements for the position under the relevant laws. Employers can collect information about the prospective employee’s qualifications or professional qualities from their former employers only after informing the candidate about such processing, whereas to collect the same information from the person’s current employer, they will need to obtain the employee’s prior consent. Also, employers have a new obligation to inform employees, in line with Article 13 of the GDPR, about video or audio surveillance, behavioral, location or movement tracking.
Child’s digital consent. Lithuania (along with Bulgaria, Austria and Cyprus) opted for 14 as the age of “digital consent.” Fourteen-year-olds can consent alone to the processing of their personal data in relation to the direct offer of information society services.
Powers of the supervisory authorities
Supervision and enforcement powers are shared between the State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics. The latter’s competence is limited to overseeing the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression. When exercising its powers, the Inspector for Journalist Ethics must cooperate with the DPA to ensure the consistent application of the data protection laws.
The law further provides for additional powers of the DPA and specifies certain procedures to be followed by both supervisory authorities.
Certification. The law provides for a new power of the DPA to accredit certification bodies. These bodies, in line with Article 43 of the GDPR, will issue certification under the data protection certification mechanisms. The rules for accreditation will be developed by the DPA.
Ex officio investigations. TheDPA has a right to carry out checks and investigations ex officio. As a rule, such checks and investigations should be completed within four months, however, the time period may be extended by two more months. As an outcome of the investigation, the DPA can use its corrective powers under Article 58(2) of the GDPR, including a power to impose an administrative fine. All the decisions of the DPA can be appealed against before the administrative courts.
Dawn raids. As previously, when undertaking the investigation, the DPA has a right to access premises of natural (subject to a court order) and legal persons (no court order is required) without prior notice. Also, the DPA has a right to request natural and legal persons to provide information orally or in writing as well as to provide additional testimonies in person at the DPA’s premises.
General considerations regarding fines. With respect to the statute of limitations, the law specifies that administrative fines may be imposed only within two years from the date of the infringement, or, in case of a continuous violation, from the date the infringement became known. The lower fine threshold for the public authorities and bodies is set at 0.5 percent of the institution’s annual budget and income received during the preceding year, whereas the higher fine threshold is set at 1 percent. The fine cannot exceed 30.000 EUR and 60.000 EUR respectively. If the institution or body engages in commercial activity, it can be subject to the GDPR-level fines.
Procedure for imposing fine. The controller or processor has 10 working days to respond to the findings of the supervisory authority and the proposed fine. The supervisory authority will then have 20 working days to make a final decision regarding the fine and its amount, usually, in the course of a written procedure. In certain cases, the supervisory authority may decide to organize an oral hearing, and to invite all the parties to the case. Such hearings will be public unless decided otherwise.
Representation of data subjects. The law allows a data subject to mandate a not-for-profit body, organization or association to submit a complaint before the supervisory authorities on her behalf. Such entity will need to provide documentation proving that it operates in the field of data protection. The law does not indicate what documents must be provided, most likely, this will be assessed on case by case basis. The law also does not provide privacy rights organizations a right to lodge a complaint independently of the data subject’s mandate (Article 80(2) of the GDPR).
Clearly, the law does not provide all the answers that Lithuania-based controllers and processors were looking for. Many important questions, including the processing operations requiring a mandatory DPIA, a procedure for a prior consultation with the DPA, and the requirements for certification bodies, will be addressed in rules that are yet to be adopted by the supervisory authorities.
Natalija Bitiukova, CIIP/E, data protection consultant at IT Governance Europe, board member at HRMI.More >
According to 15min.lt, two Lithuanian businesswomen were caught organizing “training sessions” during which they would take heads of companies to interact with psychiatric patients. The visits would take place in the Vilnius City Mental Health Center. During these sessions, the trainees would pose as students and speak to patients without first obtaining their consent, or informing their families or the Center’s management.
According to those responsible for the “training,” these visits sought to teach managers “to find a point of contact with any type of person, as well as to enhance their sales skills and emotional intelligence.”
Unauthorized individuals are prohibited from accessing the center or speaking to the patients without their consent. Typically, only university students are allowed in for study purposes. That seems to be the reason why “trainees” had to pretend they were students.
It appears that the visits took place with the knowledge of Alvydas Navickas, head of the Psychiatry Clinic of the Faculty of Medicine (Vilnius University) and current Chair of the Lithuanian Psychiatric Association. He did not find these activities to be problematic – according to him, this allegedly helped break down stereotypes surrounding people with mental disorders.
Sought “emotional charge”
The training sessions were leaked to the media by an outraged participant, who claimed that he was not informed of what he’d have to do and didn’t know that he’d be taken to interact with psychiatric patients.
Once the story went public, the organizers of these “Character Building Groups” (the so-called training) tried to justify their activities as serving a social purpose. According to them, the visits helped fight the stigmatization of vulnerable groups, and that people would be taken to see not only psychiatric patients, but also visit shelters and infants’ homes.
However, the “Character Building Groups” website doesn’t mention reducing stigma anywhere. It presents the training as an opportunity to step out of a person’s comfort zone and to undergo “very emotionally charged” experiences.
It turned out that this training was also commissioned by the employees of the Bank of Lithuania. They agreed to pay €7,700 for the services.
The exploitation of psychiatric patients for commercial purposes outraged mental health experts and the human rights community.
“How limitless the human imagination when it comes to human rights violations!” wrote Professor Jonas Ruškus, member of the United Nations Committee on the Rights of Persons with Disabilities, on Facebook.
According to him, such behavior violates several articles of the Convention on the Rights of Persons with Disabilities, such as the patients’ right to privacy, personal freedom and security, their right not to be exploited, as well as the provisions of the Convention calling for the elimination of negative stereotypes about people with disabilities.
The Young Psychiatrists’ Association issued a statement condemning any potential violation of patients’ rights. The statement said that “patients should not be exploited for commercial, personal, or other purposes which are not related to promoting their health.”
Formal inquiry launched
Karilė Levickaitė, director of NGO Mental Health Perspectives, also condemned the activity as a cynical business model based on the exploitation and manipulation of vulnerable persons.
“Try to imagine this: you or a loved one with mental health problems end up hospitalized, and the psychiatrist brings in someone claiming to be a student, but who in reality is participating in a commercial course to improve their sales skills. No one informs you of this. Even if you become aware of it, you’re told that this is a way to reduce patient stigma,” she wrote to manoteises.lt.
Mental Health Perspectives asked the Prosecutor General’s Office to launch a pre-trial investigation into unlawful collection of data concerning private life, unlawful business activities and incitement to discrimination on the basis of disability.
The Office of the Equal Opportunities Ombudsperson has launched its own inquiry into this incident.More >