[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Czech Republic

Constitutional Privacy Framework

The 1993 Charter of Fundamental Rights and Freedoms provides for extensive privacy rights. Article 7(1) states, "The inviolability of the person and of privacy is guaranteed. They may be limited only in cases provided for by law." Article 10 states, "(1) Everyone has the right to demand that his human dignity, personal honor, and good reputation be respected, and that his name be protected. (2) Everyone has the right to be protected from any unauthorized intrusion into her private and family life. (3) Everyone has the right to be protected from the unauthorized gathering, publication revelation, or other misuse of his personal data." Article 13 states, "Nobody may violate confidentiality of letters or other papers or records, whether privately kept or sent by post or by some other means, except in cases and in the manner specified by law. The confidentiality of communications sent by telephone, telegraph or other such devices is guaranteed in the same way."[1952]

Statutory Rules on Privacy

On May 1, 2004, the Czech Republic joined nine other countries in entering the European Union (EU), formally linking itself to the EU and to the EU regulatory framework for data protection.[1953] In preparation for accession, the Czech Republic enacted a new act "On Personal Data Protection," which went into effect on June 1, 2000.[1954] The Act replaced the 1992 Act on Protection of Personal Data in Information Systems.[1955] The Act implements the requirements of the EU Data Protection Directive, granting exceptions from several key provisions to the police and intelligence services in matters of public and national security in accordance with the directive. Data controllers were required to register their systems and fully comply with the Act by June 1, 2001. A May 2001 amendment exempted political parties, churches, sports clubs, and other civic organizations engaged in standard and legitimate activities from some of the Act's requirements, such as registering their data processing activity or obtaining consent of individuals before collecting personal information.

A June 2004 amendment to the Banking Act[1956] completed harmonization with EU Data Protection Directive (1995/46/EC). The amendment refines certain terms, as well as, introduces new terms in accordance with the EU directive. The amendment includes terms regulating the granting of consent for personal data processing, the relationship between data controllers and data subjects, the notification duty of controllers, and indemnification of data subjects for breaches of duty committed by data controllers or data processors.[1957]

Data Protection Authority

The Act also established an Office for Personal Data Protection (the Office) as an independent oversight body.[1958] The Office is responsible for supervising the implementation of the Act; maintaining a register of databases; investigating complaints; imposing fines for violations; conducting audits and providing consultations on data protection; and commenting on legislative proposals. Igor Němec is the President of the Office, appointed to a five-year term that began September 1, 2005. The President of the Czech Republic also appointed seven independent inspectors, each position carrying a 10-year term.

During 2006, the Office for Personal Data Protection processed 1,195 registrations by data controllers, maintaining 26,249 registration notices in total. The Control Department of the Office received 476 complaints and petitions. The number of processed complaints in 2006 increased 53% from 2005, while the number of complaints received remained comparable to that of 2005. Almost two-thirds of complaints were ultimately dismissed as unjustified.

The Office also commenced 113 investigations and completed 77 in 2006.[1959] Inspections were aimed at telecommunications carriers, media outlets, police, financial institutions such as banks and credit lenders, transportation authorities, law offices, city and municipality bodies, retail chains, Internet business, schools, social and health care facilities. The Office imposed 88 fees for as many breaches of the data protection Act. The Office authorized 18 of the 38 requests for the transfer of personal data abroad.[1960]

Many 2006 complaints continued to refer to excessive utilization of birth certificate numbers based on an incorrect opinion that a birth certificate number is an absolute identifier of a natural person and thus a natural supplement to the name and the surname. An attempt to improve this area was brought about in 2004 by the adoption of an amendment to Act No. 133/2000 Coll. on Register of Population and Birth Numbers, through Act No. 53/2004 Coll. The Amendment to the Act on Register of Population and Birth Numbers imposed supervisory duties on the Office in the area of management of birth certificate numbers.[1961] The Amendment’s detailed new rules concerning the use of birth certificate numbers came into effect January 1, 2006. Article 13c(1)(c) prohibits the use of birth certificate numbers in the private sphere unless the number holder has given free and informed consent. Article 13(1)(a) of the Act continues to grant authorization to State administrative bodies to use the birth certificate number as an identifier. Despite this measure, however, the Office noted that it was still common to treat the birth certificate number as a unique identifier.[1962]

Complaints also followed similar patterns as in the past, including lack of awareness by controllers of their notification duties under the Personal Data Protection Act, unclear sources of data used to address clients in direct marketing, excessive use of birth certificate numbers, inappropriate copying and retention of personal documents, and publishing of lists of debtors as a method of exacting debts.

Beginning in 2004, the Control Department, as a rule, no longer addressed the entity against which the petition was aimed. Where the circumstances indicate that a criminal offense was committed, the matter is promptly submitted to the bodies actively engaged in criminal proceedings, and then the Control Department further cooperates with these bodies. The department continues to fully engage in resolving of these issues within its responsibility until the criminal proceedings are closed.[1963]

In the course of supervision, the Office followed the principle that, as a rule, the identity of the complainant is not disclosed to third persons in the framework of the relevant enquiries; his or her identity is revealed only when necessary and after obtaining his consent. The Control Department also does not refuse to handle anonymous complaints.

Financial penalty for proven misconduct usually accompanies remedial and indemnification measures and it facilitates remediation of the defective state of affairs in the course of the Office’s supervisory activities. The Personal Data Protection Act distinguishes between misconduct of controllers and processors, who are liable to a fine of up to CZK 10 million (CZK 20 million for repeated torts), and misdemeanors of natural persons, which are subject to a fine of up to CZK 25,000, or, as the case may be, CZK 50,000. The Act does not stipulate the amounts of fine applicable for individual torts; however, consideration must always be taken of the general criteria stipulated by the act, including the nature, seriousness and manner of conduct, degree of fault, duration and consequences of the misconduct.[1964]

As of December 21, 2006 the Office for Personal Data Protection consisted of 89 employees.[1965] In January 2006, the Department of Complaints and Consultations was established to improve public services. The new Department was charged with responding to telephone inquiries, providing personal consultations, responding to electronic petitions, and assessing complaints. In most cases, the Department was able to respond to inquiries within half of the 30-day statutory deadline.[1966]

The Office actively engages in making the relevant information about its activities public. The Office holds regular press conferences. It also publishes two journals: the official one (five issues per year) includes positions of the Office and European documents relevant for personal data protection. A quarterly is designed for the public at large. It provides information on the Office’s activities, as well as worldwide news concerning personal data protection.[1967]

At the end of 2004, a campaign for citizens was launched. It involved publication of leaflets related to the Act on Personal Data Protection, rights and responsibilities of data subjects and risks that they ought to prevent. About 300,000 issues were distributed (to the regional and local administrative bodies and high schools – with the cooperation of the Ministry of Education). The campaign has been supported by TV, radio stations and newspapers. The Office also cooperated with media (354 publications and broadcasting items through the year 2004).[1968]

The Office reported some gain in public awareness in 2005, illustrated in the increased number of complaints and inquiries since 2004, as well increased media coverage. Nonetheless, the Office still concluded that overall awareness among controllers and the general public was largely uncultivated.[1969]

In 2006 the Office again focused on raising public awareness of personal data protection. The Office acted as co-authors in a 13-part television series on the subject titled “Ignorance does not excuse. Everyone has secrets.” The series was viewed by an audience of 160,000 to 310,000. The Office’s conclusion was somewhat more optimistic in 2006. Citing higher numbers of complaints, consultations and requests for assistance, the Office believed that public awareness of data privacy was constantly increasing.[1970]

Wiretapping and Surveillance Rules

Electronic surveillance, wiretapping, and the interception of mail by the police are regulated under the criminal process law and require a court order.[1971] A judge can approve an initial wiretap order for up to six months. There are special rules for intelligence services. However, legal grounds for secret services' wiretapping do not guarantee that it is used only in necessary cases, as they rely on the discretion of secret service to decide whether the wiretapping violates fundamental rights and freedoms. In case it does not constitute such a violation, according to the secret service's judgment, no court permission is needed. The right to demand data on telecommunications traffic is granted to secret services by laws on secret services, and no court permission is needed.[1972]

Electronic surveillance, the tapping of telephones, and the interception of mail require a court order, in case when wiretapping is ordered by the Custom Administration[1973] and the Prison Service. Law on wiretapping, as a whole, lacks remedies, in case of wiretapping being illegal or when the court permission is void. Absence of proper public control of wiretapping (especially conducted by intelligence services) is often discussed as a concerning issue by politicians and media. In practice, the special commission of the Chamber of Deputies[1974] has almost no oversight power to deal with this issue. In addition, there are insufficient safeguards for interception of spaces outside individual’s home (e.g. car), as no court permission is necessary.

In 2006 the President of the Office for Personal Data Protection, Igor Němec, cited the expansion in wiretapping surveillance as a factor in the average privacy protection ranking Privacy International conferred on the Czech Republic. Němec stated that he hoped to devote increased resources to the issue of securing access to police documents, and ensuring that police recordings were in full accord with the law. He noted that ‘an alarmingly high number of persons can access police recordings,’ making it impossible to prevent leakage to the media.[1975]

There have been continuous attempts to legalize and to expand secret services' wiretaps. In 2001, there were attempts to grant powers to require information on telecommunications traffic and some other information from public bodies to the police and BIS by adding such provisions to a bill that dealt with a different subject matter (asylum law).[1976] This was prepared by members of the Lower Chamber's Security and Defense Committee and apparently coordinated by secret services. The Senate did not approve this part of the proposed law.

In April 2003, the government proposed an amendment to the Act on BIS,[1977] which would entitle BIS to require information on telecommunications traffic, and impose a duty on telecommunications service providers to have wiretapping equipment. The Chamber of Deputies rejected this bill.

Under the 2005 Electronic Communications, Act, telecommunication carriers are required to provide secure access to electronic communication information to the Czech Police in accordance with Article 88 of the Code of Criminal Procedure. Under Section 97 of the Act, such access includes the means by which the Police may decrypt or decode messages in order to tap and record them. Section 97 also requires carriers to retain operating and location data for 12 months, as well as a database of information of all customers, and to permit Czech Police access upon legal request.[1978]

An Act on Electronic Communications was adopted by the Parliament in February 2005, implementing the "packet" of EU directives on telecommunications.[1979] The law contains an obligation for telecommunications providers to retain telecommunications data for a 12-month period, referring details to an ordinance issued by the Ministry of Informatics. Section 88 of the Act requires telecommunications carriers to develop multiple means to protect the personal data of their users, and also requires that carriers inform their customers of specific disturbances in network security and, if necessary, way to remedy data breaches. Under Section 90, carriers must render anonymous any user location data they collect without user consent.[1980]

The law amending Act on Measures against Money Laundering (implementation of acquis[1981]), proposed by the government in March 2003, aimed to limit lawyer-client privilege and obliged solicitors to report their client´s “suspicious” financial transactions to the Ministry of Finance. Resistance and lobbying by Czech Bar Association led to less intrusive text of the Act. Suspicious activities are reported via Czech Bar Association serving as control body. This wording appears in the final text of the Act, which was approved in April 2004.[1982]

The Penal Code covers the infringement of the right to privacy in the definitions of criminal acts of infringement of the home,[1983] slander,[1984] and infringement of the confidentiality of mail.[1985] There are also sectoral acts concerning statistics, medical personal data, banking law, taxation, social security and police data. Unauthorized use of personal data systems is considered a crime.[1986] The new draft Penal Code Bill[1987] contains higher protection from privacy infringements. Unauthorized wiretapping and recording of private conversation is considered crime as well as unauthorized use of private documents, records or electronics data files.[1988]

Employer monitoring employees' e-mail is an important issue as well. The Data Protection Office issued a legal opinion finding employers' reading of the content of employee's e-mail to be illegal. However, the Office allowed monitoring the titles of employees' e-mail correspondence. Scholars and practitioners broadly discussed this issue. The Electronic Communications Act of 2005 stipulates that the location and ownership of electronic equipment cannot compromise an individual’s right to confidentiality in communications. However, little debate has occurred to date as to the precise line between an employee’s right to privacy and an employer’s authority and economic interests.[1989]

Medical Privacy

A privacy issue of continued importance is the status of medical registries in the Czech Republic. The Czech Republic maintains a number of medical registries that consolidate information from groups such as oncological patients, expectant mothers, women who undergo abortions, people with professional diseases, and drug addicts.[1990] The legal status of these registries was uncertain, as they had existed on the basis of lower-level legal regulations that could not be maintained after January 2004. The Czech Medical Association advised doctors in February 2004 to refrain from providing data to the national registers to reduce the risk of liability for infringement of privacy laws.[1991] A bill allowing for continued operation of the registries and use of birth identification numbers passed the Chamber of Deputies but was vetoed by President Vaclav Klaus who preferred that registry data be entirely anonymous, citing privacy concerns echoed by the Data Protection Office. The Chamber of Deputies overrode President Klaus's veto in March 2004, however, creating the necessary legal basis for the medical registries.[1992]

Unsolicited Commercial E-mails ("Spam")

Act No. 480/2004 Coll. on Several Services of Information Society was approved at the end of 2004. It addresses spam and limits liability of the providers as far the content of communicated information is concerned.

The application of new supervisory competence of the Office in the field of unsolicited commercial communications under the new Act No. 480/2004 Coll., which implements provisions of the EU Directive on Privacy and Electronic Communications,[1993] brought considerable enlargement of the agenda of handled complaints. The Certain Information Society Services Act, enacted September 7, 2004, introduced new duties in the sphere of dissemination of commercial communications. The Act established the Control Department as a supervisory body to commercial electronic communications, including those via e-mail, faxes, texting, and telemarketing. Such communications must abide by an opt-in principle whereby the messages may only be sent to those who have offered prior consent thereto. An entity sending a commercial communication must be able to demonstrate this consent at any time.

In 2006 the Office received 1503 complaints regarding unsolicited commercial communications, an increase of 50% from 2005. The Office dealt with 1108 complaints, finding 255 unjustified and 76 untraceable. The Office found that most commercial entities did not consistently comply with the opt-in principle, nor were their communications clearly and plainly designated as commercial, as required by the Act. In 2006 the Office also found that the number of spam e-mails the Office itself received increased eightfold since 2005.

At the end of 2004 authorities endowed with anti-spam enforcement powers from 13 European countries including the Czech Republic (represented by the Office) established CNSA – Contact Network of Spam Enforcement Authorities - as a common platform for cooperation in investigating complaints about cross-border spam within the EU, and enforcing Article 13 of the Privacy and Electronic Communication Directive 2002/58/EC.[1994] The CNSA meets 3-4 times per year, and it has set up a cooperation procedure that aims to facilitate the transmission of complaint information or other relevant Intelligence between National Authorities. The CNSA is an active member of the StopSpamAlliance.[1995]

Video Surveillance

There is an increase in video surveillance; closed circuit television (CCTV) systems are being used both by private institutions and local governments. Although using CCTV and other camera systems for recording is considered to be processing personal data, almost no organization using such systems registered with the Office for Personal Data Protection, which is a legal duty imposed by the Personal Data Protection Act. The Office has no capacity for oversight and cannot penalize those routine breaches of law. Moreover, no legal duties concerning video surveillance conditions are embodied in any law (e.g. duty of notice, maximum period of storage of records, ban of data attachments, no discrimination on the basis of record) and no legal initiative is currently being prepared.

The Office fielded inquiries from a wide variety of sources on the subject, including police bodies, courts, public administration, municipal government, economic entities, trade unions, apartment cooperatives, and many individuals.[1996] In 2005, the Office levied a fine on a housing co-operative that installed a camera monitoring system in the building without tenants’ consent.[1997] In January 2006, the Office issued Position No. 1/2006, reiterating that operation of a video recording system is considered personal data processing if it can identify individuals, and thus must serve a legally protected interest and not excessively interfere with an individual’s privacy.[1998]

Identity Cards

In August 2006 the Office issued Position No. 08/2006 with regard to the issuance of electronic cards. According to the Position, such cards are being increasingly used in many areas of everyday life, including to gain entry to buildings and to obtain discounts and various services. The Position noted that personal data is collected in practically all instances in which such cards are produced, thus certainly bringing such activity within the competence of the Office’s authority under the Personal Data Protection Act. The Position advised cardholders to exercise caution and card issuers to observe the law regarding privacy protection.[1999]

Open Government

The Parliament approved the Freedom of Information Law in May 1999.[2000] The law provides for citizens' access to all government records held by State bodies, local self-governing authorities, and certain other institutions, except for classified information, trade secrets, or personal data.[2001] Section 8 of the Law stipulates that information revealing evidence of one’s personality and privacy, especially with regard to race, nationality, membership in political parties and movements, religion, health, sexual life and property, may not be disclosed without prior written consent by the relevant individual or without authorization by a special law.[2002] In 2002, the government rejected a Senate-sponsored amendment to the Law that would have required applicants to pay only for material costs rather than having to pay for the costs associated with searching.[2003] A 1998 act governs access to environmental information.[2004] In April 1996, the Parliament approved a law that allows any Czech citizen to obtain his or her file created by the Communist-era secret police (StB). Non-citizens are not allowed to access their records. The Interior Ministry holds 60,000 records, but it is estimated that many were destroyed in 1989.

In 2003, the Interior Ministry decided to publish a list of Communist StB secret service collaborators. The Office for the Protection of Personal Data, which offered comments on the original legislation that allowed for the release of the information, stated that such a release would not be in conflict with the law on the protection of personal data.[2005]

Anti-terrorism Measures

Security interests clashed strongly with privacy interests as the United States began to demand that the Czech air carrier CSA provide data on all its passengers. Terrorism was cited as the rationale for this demand, as well as, threats of fines and denial of U.S. landing rights in case of non-compliance. CSA agreed to provide the requested data, but the release of data was likely to infringe the existing privacy laws. CSA had been granted permission from the Data Protection Office to transfer the data, but its validity was limited by the Czech Republic's accession to the European Union in May 2004. CSA has also increased checks of airport property, passengers, luggage and transported goods.[2006]

The Office also expects a continued emphasis on data mining by police and customs groups. The data processing of greatest interest is related to Europol, Eurodac, technology development work for customs systems, and eventually, to accession to an enlarged Schengen system.[2007] Other issues the Office will likely address include, prevention of identity theft stemming from unauthorized collection of personal data or inadequate protection of personal data, processing of biometric data, and regulation of consent given to financial institutions. In 2005 the Office imposed a fine on a state body for scanning biometric data and pictures of fingerprints. The data was acquired in violation of law as a matter of routine.[2008]

A document called Analysis of Security System of the Czech Republic (the Analysis)[2009] prepared by the Ministry of Interior based on National Anti-terrorist Plan[2010] drafted by the Lower Chamber Defense and Security Committee, recommends to extend powers of police and security services. In particular, it calls for obligation of individuals and companies to provide their personal data to security services. This program document is to be implemented by legislative proposals. The document also plans for public-private partnership in investments into security projects. Terrorism threat is stated as the main reason for creating the Analysis. The United Kingdom's "Anti-terrorism, Crime and Security Bill" and the U.S. "Patriot Act" are quoted in the Analysis, as examples of desirable strengthening of investigation powers.

Other privacy-invasive legislation is intended to be launched by the Ministry of Informatics. It calls for linking up different personal data databases run by different government agencies and to concentrate it on the central level (it will enable linking data about certain individual from different databases). Proponents of this initiative argue that this would make the public administration more efficient; however, the Data Protection Office opposes this plan. The government agreed that the Ministry on Informatics could prepare the first draft of the Act on Public Administrations Data Sharing.[2011] The Ministry has drafted legislation creating a data exchange system aimed at unifying public and administration files, registers and other electronic databases. The Ministry states that the legislation would grant new rights to public authorities to request data, as well as new related duties to the administrators of information systems.[2012]

Significantly, in relation to the proposal above, the Ministry of Informatics states it is pursuing the development of public administration registers for the forthcoming data exchange system. Such base registers would include registers of inhabitants, territorial identification and addresses, property and an economic register.[2013]

The Bill of law on Protection of Classified Information[2014] granted powers to secret services to require personal data from various public and even private databases (social security system, health insurance institutions, private insurance companies, banks etc.) for purposes of "security proceedings."[2015] Although objections against this provision were raised by Coalition of NGOs (Iuridicum remedium, Transparency Intl ČR and Open Society) during the whole 2004 (in the phase of pre-parliamentary proceedings), in February 2005 the unchanged bill was submitted to the Parliament. However, the coalition of above-named NGOs prepared proposals to omit these provisions and asked several MPs to raise these proposals in legislative procedure. They were partially successful in Defense and Security Committee, but Section 58 of the final version of the Bill still permitted all members of the government access to otherwise classified information without a security clearance, although they must still keep the information confidential. The bill also allowed for some technical activities (certification of cryptographic or technical facility or electromagnetic rays measuring in order to qualify equipment to classified information disposal) to be done by private companies and sole entrepreneurs. The Act came into force on January 1, 2006.[2016]

International Obligations

The Czech Republic is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In September 2000, the Czech Republic signed the Council of Europe Convention No. 108;[2017] it was ratified on July 9, 2001. The Czech Republic is also a member of the Organization for Economic Cooperation and Development (OECD). It has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Although the Czech Republic became a signatory to the European Council’s Convention on Cybercrime in February 2005, it has not yet ratified the treaty.[2018]

[1952] Charter of Fundamental Rights and Freedoms, 1993, available at <http://test.concourt.cz/angl_verze/rights.html>.

[1953] Official Journal of the European Union, Vol. 4 L 168, May 1, 2004, available at <http://eur-lex.europa.eu/JOHtml.do?uri=OJ:L:2004:168:SOM:EN:HTML>.
[1954] On Personal Data Protection, No. 101 Coll. (2000).
[1955] On Protection of Personal Data in Information Systems, No. 256/92 Coll. (1992).

[1956] Act No. 439/2004 Coll. (2004).
[1957] Office for Personal Data Protection Annual Report 2004, supra at 31.

[1958] Office for Personal Data Protection, <http://www.uoou.cz/>.

[1959] Office for Personal Data Protection Annual Report 2006, at 7, available at <http://www.uoou.cz/rep_2006.pdf>.
[1960] Id.

[1961] E-mail from Karel Neuwirt the President of the Office for Personal Data Protection, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, May 18, 2005, (on file with EPIC). See also Office for Personal Data Protection Annual Report 2004, supra at 4.
[1962] Office for Personal Data Protection Annual Report 2006, supra at 39.

[1963] Id.

[1964] Id.

[1965] Office for Personal Data Protection Annual Report 2006, supra at 72.
[1966] Id. at 29.

[1967] Id.

[1968] Id at 9.

[1969] Office of Personal Data Protection Annual Report 2005, at 2, available at <http://www.uoou.cz/rep_2005.pdf>.

[1970] Office for Personal Data Protection Annual Report 2006, supra at 34.

[1971] Code of Criminal Procedure, Act No. 141/1961 Coll., Article 88.
[1972] Security and Information Service Act, No. 154/1994 Coll. (1994); Military Defense Intelligence Agency Act, No. 67/1992 Coll. (1992).

[1973] On Customs, No. 13/1993 Coll. (1993); On Prison Service and Justice Guard No. 555/1992 (1992).
[1974] Commission for Intelligence Technics´ Control (Komise pro kontrolu zpravodajské techniky).

[1975] Office of Personal Data Protection Annual Report 2006, supra at 3.

[1976] Document of April 30, 2001,No. 921 of Chamber of Deputies, III election period.

[1977] Document of April, 29, 2003, No. 308 of Chamber of Deputies, IV. election period.

[1978] Electronic Communications Act, No. 127/2005 Coll. (2005).

[1979] Electronic Communications Act, No. 127/2005 Coll. (2005).
[1980] Id.

[1981] Directive No. 91/308/EEC, as amended.
[1982] Act No. 284/2004 Coll., amending Act on Measures Against Money Laundering and other laws (2004).

[1983] Penal Code, Section 238.
[1984] Id. at Section 206.
[1985] Id. at Section 239.
[1986] Centre de Recherches Informatique et Droit, Legal Aspects of Information Services and Intellectual Property Rights in Central and Eastern Europe, February 1995.
[1987] Document of July 27, 2004, No. 744 of Chamber of Deputies, IV. election period.
[1988] Penal Code Bill, supra at Sections 158, 161 and 162.

[1989] European Industrial Relations Observatory On-line, “New technology and respect for privacy at the workplace,” April 10, 2007, available at <http://www.eurofound.europa.eu/eiro/2007/02/articles/cz0702029i.html>.

[1990] "Chamber Approves Medical Registers, Overriding Klaus's Veto," CTK National News Wire, March 24, 2004.
[1991] "CLK Appeals to Doctors not to Send Data Statements to Register," CTK National News Wire, February 20, 2004.
[1992] Act No. 156/2004 Coll., amending Act on Public Health Care (2004).

[1993] E-mail from Ivan Procházka, Head of Department of Foreign Relations for the Office for Personal Data Protection, Czech Republic, to Clifford Chen, Law Clerk, Electronic Privacy Information Center, June 11, 2004 (on file with EPIC). See also Office for Personal Data Protection, Annual Report 2004, at 41, available at <http://www.uoou.cz/rep_2004.pdf>.

[1994] Id.
[1995] StopSpamAlliance information page, at <http://stopspamalliance.org/?page_id=11>. The StopSpamAlliance is a joint international effort initiated by APEC, the CNSA, ITU, the London Action Plan, OECD and the Seoul-Melbourne Anti-Spam group.

[1996] Id., at 29.
[1997] Article 29 Working Party on Data Protection, Ninth Annual Report (2006), at 28.
[1998] Office for the Protection of Personal Data, Position No. 1/2006, (2006), available at <http://www.uoou.cz/index.php?l=en&m=left&mid=02:113&u1=&u2=&t=>.

[1999] Office for Personal Data Protection, Position No. 8/2006 (2006), available at <http://www.uoou.cz/index.php?l=en&m=left&mid=02:116&u1=&u2=&t=>.

[2000] On Free Access to Information, Act No. 106/1999 Coll. (1999).
[2001] "Freedom of Info Clears Last Hurdle," The Prague Post, May 19, 1999.
[2002] On Free Access to Information, supra.
[2003] "Czech Cabinet Rejects Legislation Facilitating Access to Information," CTK News Agency, August 5, 2002.
[2004] On the Right to Information About the Environment, No. 123/1998 Coll. (1998).

[2005] "Internet publication of Czech communist era agents' names legal," CTK news agency, March 17, 2003, available at <http://www.mvcr.cz>.

[2006] United Nations Security Council, Report by the Czech Republic to the Counter-Terrorism Committee, S/2001/1302, 9- 10.

[2007] See E-mail from Ivan Procházka, supra.
[2008] See Article 29 Working Party on Data Protection, Ninth Annual Report, at 29.

[2009] Analýza bezpečnostního systému ČR, available at <http://www.mvcr.cz/2003/odbor/obp/dokumenty_odbor_info.html>.

[2010] Governmental resolution of April 10, No. 385, available at <http://wtd.vlada.cz/vlada/cinnostvlady_usneseni.htm>.

[2011] Government resolution of November 3, 2004, No. 1064, available at <http://wtd.vlada.cz/vlada/cinnostvlady_usneseni.htm>.

[2012] Czech Republic Ministry of Informatics, Legislation, available at <http://www.micr.cz/legislativa/default_en.htm>.

[2013] Id.

[2014] Documents of January 27, 2005, No. 880 and 881 of Chamber of Deputies, IV. election period.
[2015] Proceedings according to Law on Protection of Classified Information, which include screening of person who applied for certificate allowing access classified information.
[2016] On the Protection of Classified Information, Act No. 412/2005 Coll., (2005).

[2017] See Council of Europe Treaty Office, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, available at <http://conventions.coe.int/Treaty/EN/Treaties/Html/108.htm>.
[2018] Council of Europe Treaty Office, Convention on Cybercrime, available at <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=20/12/01&CL=ENG>.