[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Republic of Bulgaria

Constitutional Privacy Framework

The Bulgarian Constitution of 1991 recognizes rights of privacy, secrecy of communications and access to information. Article 32 states, "(1) The private life of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honor, dignity and reputation. (2) No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law." Article 33 states, "(1) The home shall be inviolable. No one shall enter or stay inside a home without its occupant's consent, except in the cases expressly stipulated by law. (2) Entry into, or staying inside, a home without the consent of its occupant or without the judicial authorities' permission shall be allowed only for the purposes of preventing an immediately impending crime or a crime in progress, for the capture of a criminal, or in extreme necessity."

Article 34 states, "(1) The freedom and confidentiality of correspondence and all other communications shall be inviolable. (2) Exceptions to this provision shall be allowed only with the permission of the judicial authorities for the purpose of discovering or preventing a grave crime." The right to freedom of expression is also protected by Article 39 of the Bulgarian Constitution, which states, “(1) Everyone shall be entitled to express an opinion or to publicize it through words, written and oral, sound or image, or in any other way. (2) This right shall not be used to the detriment of the rights and reputation of others, or for the incitement of a forcible change of the constitutionally established order, the perpetration of a crime, or the incitement of enmity or violence against anyone.” Article 41 states, "(1) Everyone shall be entitled to seek, obtain and disseminate information. This right shall not be exercised to the detriment of the rights and reputation of others, or to the detriment of national security, public order, public health and morality. (2) Citizens shall be entitled to obtain information from state bodies and agencies on any matter of legitimate interest to them which is not a state or other secret prescribed by law and does not affect the rights of others."[1496] The Constitution provides equality and protection against discrimination for the rights of the citizens.[1497] However, discrimination still exists, particularly against women and Roma.

Statutory Rules on Privacy

The Personal Data Protection Act (PDPA) was adopted by the National Assembly in December 2001 and came into effect in January 2002. Adoption of the law was a key part of the administrative reforms being undertaken in preparation for accession to the European Union (EU), which occurred on January 1, 2007.[1498] The law closely follows the EU Data Protection Directive. It sets out rules for the fair and responsible handling of personal information by the public and private sector. Personal information is defined as "any information relating to a natural person, legal entity or group of individuals revealing physical, psychological, mental, economic, cultural or public identity, regardless of the form or method used for its recording."[1499] Entities collecting personal information must inform people why their personal information is being collected and what it is to be used for; allow people reasonable access to information about themselves and the right to correct it if it is wrong; ensure that the information is securely held and cannot be tampered with, stolen or improperly used; and limit the use of personal information, for purposes other than the original purpose, without the consent of the person affected, or in certain other circumstances. Sensitive information, including information concerning racial or ethic origin, political or religious affiliation, health, sexual life, and beliefs, is given special protection and can only be processed with the express written consent of an individual.[1500] Some concerns have been raised that the law has too broad a scope. The Bulgarian Access to Information Programme (AIP) notes that the definition of "personal data" includes information relating to the performance of government officials and management or supervisory bodies of legal entities and as such may have a negative impact on access to information rights and government accountability.[1501]

AIP reports that the regulation of personal data protection has recently been changed in Bulgaria in quite inconsistent ways, and with very little public debate. The Personal Data Protection Act (adopted in 2002) was amended in 2004, 2005, and 2006; each time, some of the provisions of the law were changed in contradictory directions. For example, the initial text of the law introduced the requirement that a wide range of data controllers register with the Personal Data Protection Commission. In 2005 the range of data controllers was narrowed down, while in 2006 it was expanded again. In 2005, after a public debate between the first and second readings, Parliament disapproved of the suggestion to repeal Art. 35 of the law, which guaranteed free access to personal data as long as they are part of a public register or are contained in public documents. In 2006, however, Art. 35 was repealed, which meant that access to such data would be regulated by the general access to information regime and that the consent of the data subject would be required. The provisions in Art. 35 gave data controllers some clarity, which can only be restored with the establishment of good practices.[1502]

Supervisory Authority

The law creates a Commission on Protection of Personal Data (the Commission) to supervise compliance and implementation, maintain a national register of data controllers, examine complaints and take legal action for violations. The members of the Commission and the Chairperson serve a five-year term and may be re-elected once. They are nominated by the President and approved by the National Assembly. The first Commission was established by a parliamentary decision in May 2002 and started work in June 2002. The Commission currently has 34 full-time staff, a significant increase from last year’s staff of approximately 12.[1503] Under the PDPA the Commission must adopt internal rules regulating its activities, describing the structure of its administration, the procedures for registering data controllers and considering appeals, issuing orders and imposing sanctions. The PDPA mandates registration for all data controllers that hold information about more than two people.

The poor implementation of the PDPA was among the most serious critiques in the two 2006 Regular Reports on Bulgaria's progress towards EU accession by the European Commission. Prior to the PDPA’s 2005 amendment, registration procedures for data controllers was complex; as a result, the Data Protection Commission certified only 31,970 out of a total of 274,446 registration requests submitted between 2003 and 2006, i.e. a little over 10% for four years. The 2005 amendment simplified the registration procedure and no longer required small businesses of one or two people to register their systems. However, as the 2006 amendments re-instated the original registration requirements, the backlog is not likely to be dealt with in the near future.[1504]

The Commission handled 102 complaints of violations of personal privacy in 2006, as well as 61 requests for transfers of data to third countries, and 54 inspections of data controllers. The Commission also wrote an Ethic Code of Behavior of Data Controllers, which sets out specific legal obligations and attempts to “balance between the interests of the persons and the interests of the data controllers within the frames of the law on adequate measures for personal data protection.”[1505]

Statutory Rules Related to Privacy

In 2004, the Ombudsman Act came into effect, and set up a formal system of advocacy in cases when actions as well as inactions of state or municipal authorities violate the rights and freedoms of individuals. The Act stipulates that the Ombudsman has no right to publicize any circumstances that came into his knowledge during the execution of his specific functions, and are state, official or trade secrets, or have a personal nature.[1506] In April 2005, almost 2 years from the adoption of the Ombudsman Act, the Parliament appointed Mr. Ginjo Ganev (77, MP of Coalition for Bulgaria, led by the Socialist Party) as the first Ombudsman.

The Family Code provides adequate protection of personal data for birth parents, adopted children and adoptive parents. The regulation creates two new registers, one containing information about children subject to adoption, the other one about the parents wishing to adopt children. Both registers contain information about their health and family status, property, as well as various details about the personal and family life of the concerned individuals.

In accordance with the requirements of CoE's Convention No. 108, amendments were adopted in the Health Insurance Act.[1507] They require health insurance companies to protect information concerning persons' health insurance contracts and related information. The Human Cells, Tissues, and Organs Transplantation Act, which entered into force in 2004, regulates the donation, processing of personal data related to transplantations. The Act provides for the creation of a public and "official-use-only" register for keeping information about transplantations.

The National Assembly passed the Protection Against Discrimination Act (PADA) aims to prohibit discrimination on the grounds of race, sex, religion, disability, age, and sexual orientation. It provides for the establishment of a nine-member anti-discrimination commission with powers to receive and investigate complaints, issue rulings, and impose sanctions.[1508] It sets up an administrative body with effective powers to investigate and punish discriminatory acts and shifts the onus from the victim to the perpetrator. Each direct or indirect instance of discrimination, based on gender, race, nationality, ethnics, recognition, origin, religion and faith, education, convictions, political affiliation, personal or public status, disability, age, sexual orientation, family status, property, or any other indications, stated in acts or in an international treaty under which Bulgaria is a party, is prohibited by the law.[1509]

Wiretapping and Surveillance Rules

In August 2004, the Appeal Prosecution of the city of Plovdiv issued an order, stating that all Internet clubs and cafes in Plovdiv should require and keep records of customers' social security numbers and personal data, as well as the time for which visitors accessed the Internet.[1510] On March 24, 2005, the National Service for combating organized crime to the Ministry of Interior delivered a “Direction for action” to Bulgarian web site hosting companies. It was issued and signed by the Chief of the Department of Intellectual Property, Trademark, Computer Crimes and Gambling. The document imposed an obligation on the ISP executives, stating: “in seven days term from the date of issuing this order you must terminate free hosting web space with quota bigger than 100 MB to anonymous users. More than 100 MB of web space should be given only to customers with signed user contract, accompanied with a copy of their ID card or other relevant document for identification”[1511]

Under the Bulgarian Penal Law, sanctions can only be imposed on individuals, not companies. This “Direction for action” is considered by the Internet community as an attempt to make the ISP liable for content. Such actions may result in legal suits, where content that the ISPs have mistakenly considered illegal has been removed. ISPs cannot be liable, unless the individual in question has been properly informed by the police about illegal content, and the individual refuses to remove it. This warning should be in a written form, so that the interests of all users are protected. The case was largely reviewed in Bulgarian and foreign media.[1512]

Electronic surveillance used in criminal investigations is regulated by the Code of Criminal Procedure and requires a court order.[1513] Failure to follow this procedure resulting in unlawful wiretapping is a crime.[1514] The Telecommunications Law also requires that agencies must ensure the secrecy of communications.[1515] Unlawful opening of e-mail correspondence is a criminal offense.[1516] The 1997 Special Surveillance Means Act regulates the use of surveillance techniques by the Interior Ministry for investigating crime but also for loosely defined national security reasons. A court order is generally required but the Ministry of the Interior has a discretionary power to authorize wiretaps without judicial review. The full extent of this power is not well known but there are regular complaints of abusive and illegal bugging of individuals.

In January 2001, it was announced that approximately 10,000 wiretaps were authorized during the year 2000. According to the Bulgarian Helsinki Federation, only two to three percent of the intercepts were ever used in criminal proceedings.[1517] No reasons for this surveillance were given.[1518] These statistics have not been updated since then, as the Prosecutor General denied public access to his 2001 report on the surveillance used. The case is still pending. In another case, the Supreme administrative court decided that the denial by the president of a district court to disclose the annual statistic of orders for intercepts was lawful. In December 2002, the media reported information about possibly unlawful telephone-tapings of public figures including the former National Security Service director and the Minister of Justice, and about the investigation of a person dubbed "Gnom."[1519] The Interior Minister partly confirmed the information. A Parliamentary Commission held hearings in 2001 on the activities of "public order" agencies, which include the National Intelligence Service, the National Bodyguard Service and the National Security Service.[1520] In October 2001, the Interior Ministry reported that they had found illegal wiretapping devices, in recording mode, in the Central Telephone Exchange in Sofia and preparations for such devices in several of the city's other exchanges. The bugging of telephone subscribers has been taking place since 1994 and was said to be economically motivated.[1521] In November 2001, the director of the NSS resigned from his position. Several allegations were made that he wiretapped politicians, but they were never substantiated.[1522] Earlier, in August 2000, listening devices were found in the apartment of the Prosecutor General Nikola Filchev and several politicians. Filchev blamed the bugs on the Interior Ministry's Criminal Intelligence Service (CIS). A parliamentary session was held after 53 Democratic Left Parliamentarians demanded a hearing.[1523] Following the debate, members of the opposition Bulgarian Socialist Party (BSP) submitted draft amendments to put in place a system of judicial oversight for the use of surveillance.[1524] In November 2000, the Movement for Rights and Freedoms (DPS), a party of ethnic Turks, reported that its leaders were being monitored by the security services.[1525]

In December 1998, the Bulgarian Committee for Post and Telecommunications issued an executive decree to licensed Internet Service Providers (ISPs). The decree gave governmental employees the authorization to enter ISPs' offices at any time and obtain any documentation, including user names and passwords, as well as other private information.[1526] The decision was extensively criticized by Internet users, service providers and others, including German Chancellor Gerhard Schroeder, who said that licensing was not appropriate. The Bulgarian Internet Society (ISOC) chapter filed a case at the Supreme Administrative Court to stop the decree in January 1999. The Court ordered a temporary restraint of the decree on June 17, 1999. In November 1999, the Bulgarian Prime Minister ordered the Minister of Telecommunications to negotiate an out of court agreement with ISOC. A few weeks later, the decree was changed, and the ISPs were removed from the licensing requirements and placed in the "free regime" category.

The Ministry of Interior Act (MIA) regulates the powers of police officers to collect, process and keep biometrics identification data about individuals, such as fingerprints, photographs, and DNA profile samples.[1527] The Act explicitly bans the collection of sensitive information revealing racial or ethnical origin, political opinions, or religious or other beliefs, as well as concerning health or sexual life. The MIA also provides an opportunity for every individual to access his/her own personal data collected or processed by the Ministry of Interior, even in cases when the collection or processing has been done without his/her knowledge or consent.[1528]

The MIA also authorizes the Ministry of Interior to fully or partially withhold personal data from data subjects' access in case their disclosure could jeopardize national security or public order, or when information classified as a state or official secret might be revealed.[1529] Access could also be restricted under the discretion of Ministry of Interior officials, when there is a danger of revealing information sources, or exposing the secret methods and procedures of information collection, or when disclosure of personal data to the data subject would hamper the implementation of the Ministry's activities. The formulation of Art. 182 has left an unduly broad opportunity for Ministry officials to withhold information from the data subjects.

The Telecommunications Act, adopted in 2003, introduces an obligation for telecommunications service providers to take technical measures guaranteeing the confidentiality of the communications.[1530] These measures cover the kind of service, its content and all information related to its provision. Besides technical coverage, service providers are prohibited from disclosing the content of the communications and related data that come to their knowledge when providing their services.[1531]

The Penal Code was amended to make criminal the publication or distribution of system or user passwords with subsequent disclosure of personal data. The penalty can be as high as one year of imprisonment, while in cases of malicious usage or where substantial harm is caused, lawbreakers can serve up to three years in prison.

There are additional provisions relating to privacy in laws such as the Statistics Law, Tax Administration Law, Insurance Law,[1532] and Social Assistance Law.[1533] The Radio and Television Act sets limits[1534] on broadcasting of personal information.

Open Government

The Access to Public Information Act (APIA), which provides access to government records, was enacted in June 2000 and went into force in July 2000.[1535] The law allows for access to records except in cases of state security or personal privacy. On June 7, 2007, the Bulgarian National Assembly passed amendments to APIA, including increased sanctions for public servants who fail to comply with the law or do not execute a court decision, and requirements that all administrative structures appoint public servants responsible for the provision of public information, and establish proper reading rooms within 6 months of passage. [1536]

No internal appeals mechanism exists in Bulgaria, nor is there an independent oversight body. Requestors are required to take their appeals to court. In 2006 AIP reported working on approximately 305 cases in which government institutions denied access to information. During the year the Supreme Administrative Court reviewed more than 40 appeals of denials.[1537] According to AIP, the most common refusal is an oral, unfounded refusal. The second most common kind of refusal is silence.[1538]

In 2004, the court ruled in several significant cases limiting the trade secrets and preparatory documents exemptions, the application of the Classified Information Act, mute refusals, and began requiring that documents be released following a decision, rather than referring the case back to the public body for reconsideration. One problem has been obtaining contracts with private corporations. In 2005, the SAC ruled that requestors had no right to a contract between the state and Microsoft. AIP, which litigated many of these cases, reported that these resolved some of the existing weaknesses with the text of the Act.

The amended State Archives Act[1539] states that besides the regular acts, directions, regulations, etc., it also keeps records of personal correspondence, including those in a digital form.[1540]

The Protection of Classified Information Act was passed in April 2002 and went into force in May 2002. It regulates state and official secrets and establishes a Commission on the Security of Information. The law abolished the 1997 Access to Documents of the Former State Security Service Act regulating the access, proceedings of disclosure and use of information kept in the documents of the former State Security Service. The Constitutional court rejected the claim of a group of Members of Parliament that the abolition and some other provisions of the new law are unconstitutional.[1541]

Corruption remains a concern in Bulgaria; however, the government took several actions to reform its agencies’ practices. In early 2006, the Council of Ministers adopted a National Strategy for Transparent Governance and Corruption Prevention for 2006 - 2008, which was accompanied with an Implementation Plan for 2006. The Public Procurement Act (2006 amendments) and the recently adopted Concessions Act created two new online registers, which AIP calls “a significant step in the right direction.”[1542]

International Obligations

Bulgaria is a member of the European Union and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1543] It has adopted the CoE's Convention No. 108.[1544] Both conventions are part of the domestic legislation under Article 5, para. 4 of the Constitution and take precedence before contravening statutes. In November 2001, Bulgaria signed but still has not ratified the Council of Europe Cybercrime Convention (ETS No. 185).[1545] In 2003, Bulgaria signed a cooperation agreement with the European Police Office (Europol)[1546] that regulates the transfer of information, including personal data, between the Bulgaria and Europol. The agreement provides guarantees for data protection and integrity. Bulgaria takes whole responsibility for damages incurred by an individual as a result of factual or legal errors in any information exchanged as part of the data transfers between Bulgaria and Europol. On April 2, 2004, Bulgaria became a member of NATO. The ratification document was adopted by the National Assembly on March 18, 2004.

[1496] Constitution of the Republic of Bulgaria of July13, 1991, available at <http://www.uni-wuerzburg.de/law/bu00t___.html>.
[1497] Id. at article 6(2).

[1498] Europa Press Release, “Two New Members Join the EU Family,” December 28, 2006, available at <http://europa.eu/rapid/pressReleasesAction.do?reference=IP/06/1900>.
[1499] "Bulgarian Assembly Passes Personal Data Protection Bill on First Reading," BBC Worldwide Monitoring, November 13, 2001.
[1500] The Current Situation of the Access to Public Information in Bulgaria in 2001, Access to Information Program 2002, available at <http://www.aip-bg.org>.
[1501]Id. Access to Information Programme Foundation, Opinion of the Access to Information Programme on the Personal Data Protection Bill, October 24, 2001, available at <http://www.aip-bg.org/documents/zld_aip_eng.htm>.

[1502] AIP, “Access to Information in Bulgaria 2006,” at 19, available at <http://www.aip-bg.org/pdf/report2006-en-end.pdf>.

[1503] Republic of Bulgaria Commission for Personal Data Protection, <http://www.cpdp.bg/en_index.html>.

[1504] AIP, supra at 20.

[1505] Bulgaria Data Protection Commissioner Annual Report 2006, available at <http://www.cpdp.bg/otcheti/annual_report2006.pdf>.

[1506] The Ombudsman Act, Article 20, para. (2).

[1507] Health Insurance Act, promulgated in SG, issue 70/19.06.1998.

[1508] Country Reports on Human Rights Practices 2003. For more information see <http://www.state.gov/g/drl/rls/hrrpt/2003/27830.htm>.
[1509] PADA Article 4 para. 1.

[1510] Order No 30/27.07.2004 issued by Plovdiv Appeal Prosecution.
[1511] This order has been issued and sent personally to the ISP executives. Not available online.

[1512] See German Edition of “Heise.de” available at <http://www.heise.de/newsticker/meldung/58114>.

[1513]Article 111a - 111c (as amended SG, Nos 64/1997, 70/1999).
[1514] Article 171 (3) of the Criminal Code.
[1515] Telecommunications Law, Article 5.
[1516] Article 171 (1) item 3 (as amended SG No 92/2002) of the Criminal Code.

[1517]Annual Report of the Bulgarian Helsinki Committee, Human Rights in Bulgaria in 2000, March 2001, available at <http://www.bghelsinki.org/frames-reports.htm>.
[1518]Id.
[1519] "Bulgarian Government Faces New Bugging Scandal," RFE/RL, December 23, 2002, available at <http://www.rferl.org/newsline/2002/12/4-See/See-231202.asp>.
[1520] United States Department of State, Country Reports on Human Rights Practices 2001, March 4, 2002, available at <http://www.state.gov/g/drl/rls/hrrpt/2001/eur/8238.htm>.
[1521]"Bugging Affair 'Economically Motivated', Interior Ministry Says," BBC Worldwide Monitoring, October 4, 2001.
[1522] "Security Chief Says 'Low Confidence' in Office Led to Resignation," BBC Worldwide Monitoring, November 28, 2001.
[1523] "Buggate Scandalizes Bulgaria," Transitions online, July 31 - August 6, 2000.
[1524] "Courts Should Be Involved in Controlling Bugging Devices," BBC, August 09, 2000.
[1525] "Security Services Bugged Ethnic Turk's Leaders," BBC Worldwide Monitoring, November 26, 2000.

[1526]Committee for Post and Telecommunications, List of Telecommunication Services, December 18, 1998, State Gazette, December 29, 1998.

[1527] Ministry of Interior Act – Promulgated SG issue 122/19.12.1997; amended in issue 17/21.02.2003; Amending act in issue 26/21.03.2003, in force from 01.01.2003, SG issue 95/28.10.2003; amended issue 103/25.11.2003; amended issue 112/23.12.2003 in force from 1.01.2004; issue 114/30.12.2003.
[1528] Article 182, para. 4 of MIA.

[1529]Article 182, para. 7 of MIA. In practice this question was brought before the court in the case Yonchev v. the Ministry of Interior. See<http://www.aip-bg.org/library/dela/case25.htm>.

[1530] Telecommunications Act, promulgated in SG, issue 88/7.10.2003; entered into force on October 7, 2003.
[1531] A problem in the implementation of the Act could arise from the obligation of universal telecommunication services providers to publish a directory of their customers' telephone numbers. The Telecommunications Act contains no provisions requiring the telecommunications service providers to request their clients' consent before including their telephone numbers.

[1532] Insurance Law, Article 7 para. 1.
[1533] Social Assistance Law, Article 32 para. 2.
[1534] Radio and Television Act, Articles 10, 15.

[1535] Access to Public Information Act SG No. 55/7.07.2000, amended, SG No. 1/4.01.2002, effective 1.01.2002, SG No. 45/30.04.2002, SG No. 103/23.12.2005, available at <http://www.aip-bg.org/library/laws/apia.htm>.
[1536] Access to Information Programme News Release, June 7, 2007 <http://www.aip-bg.org/documents/press_070607_eng.htm>.

[1537] AIP 2006, supra at 46 available at <http://www.state.gov/g/drl/rls/hrrpt/2006/78805.htm>.
[1538] Id. at 47.

[1539] In force since January 1, 2002.
[1540] State Archives Act, Article 3, para. (1).

[1541] The Current Situation of the Access to Public Information in Bulgaria in 2002," Access to Information 2002, available at <http://www.aip-bg.org>.

[1542] AIP 2006, supra.

[1543] Signed May 10, 1992; ratified September 7, 1992; entered into force September 7, 1992.
[1544] Signed June 2, 1998; ratified on May 20, 2002; entered into force January 1, 2003.
[1545] Signed November 23, 2001.
[1546] Agreement on Cooperation between Bulgaria and the European Police Office (Europol), ratified on July, 31, 2003; entered into force on August 25, 2003; State Gazette issue 92/17.10.2003.