Kedainiai District Municipality sent out bills for waste disposal in envelopes displaying residents’ personal codes right next to their names. These codes are unique to each citizen and may be used to determine someone’s gender and date of birth.
The outraged citizens bombarded the municipality with questions, requesting an explanation as to why such sensitive personal data was written on envelopes. Some claimed they would seek damages in court. Most were afraid that the publicized data would be picked up by scammers and used to take out loans from payday loan companies in their name.
Lithuanian laws explicitly prohibit publicizing personal codes. A mistake of this kind and scale shows that the personal data protection was not given even a modicum of attention.
Data protection a priority?
According to Human Rights Monitoring Institute lawyer Karolis Liutkevičius, this example illustrates that even the public sector (to talk nothing of the private sector) does not see the right to data protection as something worth prioritizing.
"This is a serious problem. Data protection is a human right – ignoring it not only results in interference with people’s private lives and increases the risk of fraud, it also undermines basic human dignity," Liutkevičius said.
According to Liutkevičius, state and municipal authorities as well as private organizations should change their attitude towards data security. "We hope that further incentives will come from the EU's General Data Protection Regulation, which will come into force in May 2018 and set out harsher consequences for failure to follow data protection requirements."
According to the draft Lithuanian regulatory model, state and municipal institutions could be fined up to €60,000 for such violations.
Not the first time
This is not the first massive violation of personal data protection in Lithuania.
This spring, hackers broke into the databases of Grožio Chirurgija, a cosmetic surgery clinic, stealing and publicizing patients’ personal information and private photos. The clinic has come under harsh criticism for its failure to protect its customers’ data even on the the most basic level.