Lithuanian authorities still collect personal data on a mass scale, even though the EU directive requiring these measures has been struck down more than two years ago.
The Human Rights Monitoring Institute, an NGO operating in Lithuania, has asked the Ministry of Justice to evaluate whether the law requiring mass collection of people’s data was itself lawful.
Data collected under EU directive
In response to the 2005 terror attacks in London, in 2006 the EU adopted the Data Retention Directive as a tool for combating serious crime and terrorism.
The directive obliged member states to collect the data of the users of electronic communications. As such, all EU service providers had to collect data on who EU citizens were calling, what websites they were visiting, how long the connection lasted, as well as data that would give the location of the mobile connection. This information had to be retained for up to two years and turned over to law enforcement authorities on request.
In Lithuania, the provisions of this directive were transposed into the Law on Electronic Communications in 2008 by obliging service providers to retain users’ traffic and location data for six months.
Mass collection of data violates rights
In 2014, however, the Court of Justice, having examined referrals from the courts of Ireland and Austria, struck down the Data Retention Directive. The court stressed that the data retained under this directive revealed precise details concerning people’s private lives: their place of residence, daily habits and activities, daily movements, social relationships and circles. According to the court, this unreasonably interfered with the rights to privacy and data protection of almost all citizens of Europe.
The court reaffirmed its position in 2016 by recognizing that national laws prescribing analogous requirements were also unlawful.
Lithuanian laws need to be reviewed
Despite these judgments, the provisions of the Law on Electronic Communications that were meant to transpose the Data Retention Directive had barely changed. Any reference to the directive was quietly removed in 2011, but the transposed provisions were not changed. The requirement to collect and retain users’ personal data for six months is still in force.
The Constitution of the Republic of Lithuania prohibits the collection of information on a person’s private life without judicial authorization. Seeing as the directive is also no longer in force, there are serious doubts whether it is lawful to continue the mass collection of Lithuanian residents’ data.