"With reference to Article 7 of the Law on Prevention of Money Laundering and Terrorist Financing, we ask you to provide us with the data of all clients that have been issued a Paysera Visa card (name, last name, personal identity code/date of birth, document No., issuing authority, card number and date of issue)."
The above is a request that the Financial Crime Investigation Service (FCIS) submitted to EVP International. In addition, not only did the FCIS ask the company to provide the agency with the data of all users of the Visa card, it also asked for the details of all of their past transactions – that is, who withdrew money or used their card, the location of where it was done, and how much money was involved.
"We consider this request to be tantamount to mass surveillance," claimed EVP International lawyer Julija Šlekonytė in an interview with delfi.lt. According to her, the FCIS did not specify what they needed the data for and did not provide any information about an ongoing investigation. Furthermore, the agency did not request information on a specific person or sum of money, but rather that general info be provided on each client.
The company approached the FCIS, asking why it needed information on every client, but the response given was vague: as an electronic money institution registered in the Republic of Lithuania, the company was required by law "to monitor clients' business relationships and to give access to the information held."
FCIS chief evasive
When delfi.lt got in touch with other major financial services providers, it turned out that they haven't been quite as forthcoming. Two major banks, Swedbank and SEB, said that they cooperate with the authorities and provide information once they review the request. Both institutions declined further comment, claiming that the very same law prevented them from talking about it.
As if that wasn't enough, the head of the FCIS, Kęstutis Jucevičius, also failed to explain why his agency needed so much data on all of Visa Paysera's clients. He limited his response to vague statements on the general functions of the agency.
According to Jucevičius, the FCIS is responsible for the prevention of money laundering and terrorist financing, and it is for this purpose that the agency analyzes information on financial transactions and deals.
"The law outlines the rights of the agency to procure information and documents necessary to carry out these functions," said Jucevičius, commenting on the situation.
Authorities 'prone to abuse authority'
Karolis Liutkevičius, a legal expert with the Human Rights Monitoring Institute, claimed that, in this particular instance, law enforcement authorities interpret their right to obtain information too broadly and ignore fundamental principles concerning the protection of privacy.
How should we view such actions of the FCIS? Does the law really allow for the collection of private data on such a massive scale?
From the point of view of data protection or the right to respect for private life, the actions of the FCIS are very objectionable. In essence, it is mass surveillance, the collection of non-individualized financial information concerning private individuals and surveillance of the same.
International human rights standards provide that a person's private life may only be interfered with when it is necessary to do so, using proportionate measures. It is highly unlikely that mass surveillance, by holding all users of a particular card brand to be potential money launderers or financiers of terrorism, is a proportionate measure.
The Law on Money Laundering and Terrorist Financing, which the FCIS relies on for its collection of data, is not particularly clear. The law provides that the FCIS has the right to obtain "information and documents on financial transactions and deals required to carry out its functions" from financial institutions.
It seems that the FCIS likes to interpret its powers very broadly, as a right to obtain any information it finds interesting. However, when applying this particular provision, we cannot ignore the aforementioned international human rights standards, and as such the collection of data itself must be carried out in a proportionate manner – that translates to getting specific data on particular people or groups as opposed to the mass collection of non-individualized data.
The collection of data is further limited by the Constitution of the Republic of Lithuania, which provides that, without exception, information on a person's private life may only be collected if there is a court order to that effect.
In any case, the way the law is currently phrased clearly allows authorities to abuse their power by collecting undefined private financial information.
It is likely that other companies have also received similar requests, but from their responses it would seem that they are neither outraged nor surprised by this practice. Far from it – it would seem that they are actually afraid of sanctions. Why do you think EVP International decided to speak out on this issue?
There is currently not a lot of public information available on the cooperation between law enforcement agencies and financial institutions, so we can only hazard a guess. I would personally guess that EVP International doesn't have as much experience in dealing with law enforcement agencies as some of the larger financial institutions that have been operating in Lithuania for a longer period of time, and thus they were honestly surprised by the request from the FCIS.
What does this situation say about the state of private data protection in Lithuania?
The Constitution of Lithuania sets out strong principles for the protection of private life and, consequently, for the protection of private data. However, it appears that these principles are rarely followed in practice and the authorities (especially law enforcement) look for ways to circumvent them or simply ignore them.
The problem is further exacerbated by our legislation, which sets a low level of protection. Unfortunately, there is little to no public discourse on these problems and the issue attracts comparatively little interest.
If some companies refuse to defend their clients' rights, is there anything the people themselves could do to oppose mass surveillance?
The avenues that consumers of financial services can pursue are limited, but they are there: first of all, you can take an active interest in the matter and ask your service provider to clarify how it protects your personal data, who and under what circumstances may access it, what steps were taken to protect your privacy. If their response does not satisfy you, change your service provider to one that protects your private life.