11 Digital Evidence & Elec. Signature L. Rev. 162 (2014)
Data Protection Law and Personal Identification Numbers in Lithuania

handle is hein.journals/digiteeslr11 and id is 162 raw text is: Lithuania has been a member of the European Union
since 1 May 2004, and diligently follows the EU
guidance on regulating personal data protection. Data
protection has been comprehensively regulated in
Lithuania since 1996 by the special Law on Legal
Protection of Personal Data (the current legislation in
force is Law of 23 February 2008 (effective from 1
January 2009) with subsequent amendments effective
from 1 September 2011) (Lietuvos Respublikos
asmens duomeny teisines apsaugos istatymas 1996
m. birielio 11 d. Nr. 1-1374).
The Law on Legal Protection of Personal Data
implements the EU Data Protection Directive
95/46/EC,' and also provides specific national rules on
many additional issues of national importance, such
as the processing of personal identification numbers.
Other areas of specific national data protection
regulation include, but is not limited to regulations on
data protection in the healthcare and medical fields,
regulations on public polls, direct marketing,
management of debtor information, credit bureaus
and credit referencing and video surveillance.
Generally, the Lithuanian government officials and
judges have adopted strict approach to the
interpretation of the Law on Legal Protection of
Personal Data. Normally, the data subject is given the
benefit of the doubt and the legal regime tends to be
restrictive of personal data processing. The definition
of personal data in the Law on Legal Protection of
Personal Data is based on the standard definition of
personal data found in the EU Data Protection
Directive 95/46/EC. It applies to any data pertaining to
an identifiable individual. Case law and administrative
practice interprets the definition increasingly broadly.
Information is treated as personal data if publicly
available material can be used to indirectly identify
the relevant individual. In particular, IP addresses, car

1 Directive 95/46/EC of the European Parliament and of the Council
of 24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data,
OJ L 281, 23/11/1995 P. 0031 - 0050.

license plates and postal addresses (excluding the
name) have been recognized as personal data.2
On the other hand, infringements of the data
protection regime are subject to insignificant financial
sanctions (up to 600 euro), and overall the
enforcement (especially against public data
controllers) leaves a lot of room for improvement. The
State Data Protection Inspectorate is the authorized
data protection authority and supervisor of the Law
on Legal Protection of Personal Data. In its activities it
most often relies on issuing administrative orders
demanding discontinuation of infringing data
processing, but is short on strong enforcement
powers.
Personal identification numbers in Lithuania were
introduced in the early 1990s. The personal
identification number is composed of 11 digits, is
uniquely attributed to each individual and is printed in
his passport and personal identity card.
Unfortunately, at the time when personal
identification numbers were introduced in Lithuania,
the privacy considerations were not ascertained and
the data protection regulations were not in place.
Because of this, the structure that was chosen for the
personal identification number in Lithuania was not
random. Instead, it directly provides information
about the sex (1 number out of 11) and the date of
birth (6 numbers out of 11) of the individual. Only the
last 4 digits in the Lithuanian personal identification
number are random and independent from the other
information about the individual. Thus, the Lithuanian
personal identification numbers by themselves are
carriers of extended private information, which
generally are additional to the personal identification
number.
This design flaw was recognized by the mid 1990s
when the Law on Legal Protection of Personal Data
was introduced, but by that time the practical and
cost considerations prevented the change of the
2 See for example 26 July 2012 ruling of the Higher Administrative
Court of the Republic of Lithuania in case No. A858-2133/2012 on
car license plates and the broad interpretation of 'personal data'.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

162

What Is HeinOnline?

With comprehensive coverage of government documents and more than 2,400 journals from inception on hundreds of subjects such as political science, criminal justice, and human rights, HeinOnline is an affordable option for colleges and universities. Documents have the authority of print combined with the accessibility of a user-friendly and powerful database.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline with pricing starting as low as $29.95

Already a HeinOnline Subscriber?