Opinion
Of the Access to Information Programme on the Personal Data Protection Bill


I. General Considerations

The protection of personal data against wrongful collection and processing is a fundamental human right, an inalienable element of the right to respect for private and family life. This right is explicitly stated in a number of international legal instruments, e.g. the Convention on the Protection of Persons in Connection with the Automatic Processing of Personal Data (hereinafter referred to as "the Convention") and Directive 95/46 EC (hereinafter referred to as "the Directive"), and the personal data protection legislation in individual European countries like Germany and Hungary. Further standards are given in Art. 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter referred to as "ECHR").

A personal data protection law should define its objective clearly and precisely, i.e. to guarantee the protection of personal data against wrongful collection and processing. The constitutional grounds for this type of legislation can be found in the safeguarding of privacy¹, as is seen in Art. 32 of the Constitution of the Republic of Bulgaria. Para 2 of this constitutional provision prohibits the collection of any personal data without the knowledge of the person concerned or regardless of the person's explicit objection, except for the cases provided by law.

In connection with the two personal data protection bills presented to the National Assembly, it is appropriate to make the following comments:

1. The objective of the law given in Art. 1, para 2, subpara 2 of the bill is not consistent with the scope of the legal regulation. Honour and dignity are not part of the protected subject-matter in this type of legislation.

2. The main legal definition of "personal data" given in Art. 2, para 1 is vague and quite ambiguous. For example, the concept of "identity" could be interpreted as objective identity (i.e. how a person is identified by the government or an authority or the community) or subjective identity (how the person identifies himself/herself). Attributes like "cultural, social, psychological and other" related to the noun "identity" do not give any idea of the meaning of the expression.

3. The provision of Art. 2, para 2 of the government bill (Art. 1, para 3 of the private bill of a group of Members of Parliament) is unacceptable. The data of persons participating in the corporate governance and supervision bodies of legal entities are not and cannot be protected. On the one hand, such data do not relate to private life in order to be protected and, on the other hand, the security of business turnover requires such data to be public. Therefore such data are subject to entering into a number of public registries, e.g. the Companies Registers at the Regional Courts.

4. With a view to the principle of transparency of government, the informed choice of voters, the freedom of expression and the access to public information, it is PARTICULARLY IMPORTANT to leave a major category of personal data beyond the scope of the law. We propose the following provision to be inserted:
"The data of persons related to their activities in the course and on the occasion of the discharge of their duties in exercising state power or local self-government shall not be deemed personal data".

5. In systematic terms, the regulation of the transfer of personal data should be dealt with at a single place in the law. The law should apply to cases of personal data transfer beyond the territory of the country, regardless of whether the legislation of the respective country offers equal, greater or less protection of personal data. The law should provide for a different legal regime of personal data protection in cases of transfer, depending on the level of protection in the respective recipient country. But the whole matter should be regulated in this law.

II. Specific Comments and Recommendations on Amendments to the Bill:

1. Art. 1, para 1: Use explicitly the words "guarantee the right to personal data protection as a part of the right to inviolability of privacy". Proposal:
"This Act shall guarantee the right to personal data protection as a part of the right to inviolability of privacy, while observing the principles, rights and freedoms guaranteed in the Constitution and this Act".

2. Art. 1, para 2, subpara 2: Delete.

3. Art. 2, para 2 of the government bill (Art. 1, para 3 of the private bill of a group of Members of Parliament): Delete. It is unnecessary to apply the principles of the law to the said categories of data. They either fall within the definition of the term "personal data" given in the law or they go beyond this definition. The data concerning members of corporate governance and supervision bodies of companies are included in company registers which are explicitly public for the sake of ensuring security of business turnover.
The provisions of the law apply also to the participation of individuals in general non-personified groups². There exists no definition or even the slightest hint as to what type of groups are envisaged. Groups do not constitute a legal subject in the existing Bulgarian legislation, unless registered as legal entities.

4. Art. 2, para 1: The term "personal data" should be clearly defined in accordance with the arguments set out above.

5. Art. 14, para 2 of the government bill (Art. 13, para 1 of the private bill of a group of Members of Parliament): the destruction of personal data after the respective purpose is attained is an underlying principle of this type of legislation. The word "may" should be deleted and the operational independence (discretionary powers) should be replaced with an imperative obligation. The discretionary powers under para 3 are sufficient and should be clearly stated in an imperative provision.

6. As to the powers of the Commission when seized: the word "may" should be replaced with the word "shall" (e.g. Art. 42, para 4 and Art. 43, para 1 of the government bill).

7. §1, subpara 3 of the Additional provisions (both bills): The detailed review of the bills leads to some questions that cannot find clear answers in the current wording. Personal data are stored not only in documents but also in databases or letters and, where such data are subject to automatic processing, government authorities or private companies can get personal information about individual citizens. Therefore a definition of the term "personal data register" is needed (Additional provisions, §1, subpara 3). However, our experts are of the opinion that the definition of the term "personal data register" should be amended to read that it is an information array structured on the basis of a specific criterion rather than structured on the basis of several specific criteria.

8. As to the discrepancies in some time limits provided for in the two bills: in its Art. 28, paras 1 and 4, Art. 43 and §3, subpara 3, the government bill provides for appeal of the instruments of the Commission within 14 days, while the respective provisions of the other bill provide for seven-day time limits for appeal. With a view to ensuring better protection of citizens, we propose that the longer 14-day time limits be adopted for cases of appeal in the final text of the law.


Sofia
24 October 2001


1. The legislation of other countries and international legal instruments use the term "privacy". Cf Art. 1 of the Convention on the Protection of Persons in Connection with the Automatic Processing of Personal Data and Art. 1, para 2 of Directive 95/46 EC.
2. The term is used to denote groups or associations that are not registered as legal entities.


English Version • Last Update: 05.01.2002 • © 1999 Copyright by Interia & AIP