The rapid development and dissemination of digital technologies put more and more challenges in front of the society with regard to personal data protection. The problems are so deeply rooted that need both legal and institutional reforms, as well as new technical solutions. From this perspective, it is also important to study the international experience, particularly the experience of neighboring Georgia, where the problem of personal data protection has been addressed at government level much earlier than in Armenia; for this purpose the Georgian Government established an independent authority that has already produced some tangible achievements by now.
Keeping in mind the urgency of problems in the sector, the Committee to Protect Freedom of Expression (CPFE), with the assistance of Open Society Foundations – Armenia, organized on December 6 in Yerevan a public discussion on the topic of “Personal Data Protection in Armenia and Georgia: Challenges and Priorities”. The list of participants included representatives of public agencies, NGOs, international institutions and mass media.
In his opening speech the CPFE Chairman Ashot Melikyan said that the protection of personal data in the environment of rapid development and dissemination of information technologies is a relatively new task for his organization. The Law on Personal Data Protection was adopted in Armenia only one-and-half years ago, in May 2015, and the respective public agency for enforcement of the Law was established in October 2015 as a separate subdivision of the Ministry of Justice. “The sector has not been properly studied before, and for this reason the identification of sector priorities and the development of priority action plans should be a public process requiring the joint effort of the Government and the Society”, said Ashot Melikyan.
Larisa Minasyan, the Executive Director of Open Society Foundations – Armenia, greeted the forum and among other things emphasized the fact that even the countries with deeply rooted rule-of-law traditions encounter quite serious controversies in this sector. “This seemingly narrow segment of law is associated with numerous problems ranging from transboundary issues to health care, education and privacy matters. How to regulate all these? This discussion will allow us to review and compare the situation in Armenia and Georgia, and to understand how this right is protected in the two countries”, said Larisa Minasyan.
The main speakers at the forum were the Head of the Personal Data Protection Agency of the Ministry of Justice of Armenia Shoushan Doydoyan and the Personal Data Protection Inspector of Georgia Tamar Kaldani.
Shoushan Doydoyan presented the work done by her agency so far and mentioned that although personal data protection problems occur almost in all sectors, the Agency focused its activities during the first year of operations in three priority fields, namely: use of video surveillance data, dissemination of unsolicited electronic messages and protection of personal data of children and minors. The Agency developed and adopted Video Surveillance Guidelines which are not mandatory but are recommended for use by all entities that carry out video surveillance.
With regard to the issue of dissemination of unsolicited electronic messages to recipients, Shoushan Doydoyan informed the forum that no messages of commercial content shall be sent at the mobile phone of a person if the person has not given his/her prior consent to this; and even in case of giving such consent, the person shall have the right to withdraw it. To safeguard these rights a draft law has been developed and presented to the Cabinet of Ministers.
The third issue on which the Agency focused its attention: the protection of personal data of children and minors, is in the opinion of Shoushan Doydoyan one of the highest priorities for our country and our people. “There were a number of controversial cases recently, when personal data and photos of children were published in media. Presently, we are in the process of developing a set of guidelines on this matter; guidelines will be adopted after public hearings and discussions.” – said the Head of the Agency. Shoushan Doydoyan informed the forum that the Agency, within the scope of its law-enforcement responsibilities, instigated 8 administrative proceedings during one year; however, no decision has been taken so far by the Administrative Court under any of these proceedings. “Although the most effective and practical law-enforcement tool in Armenia is the fine, our agency has adopted a soft policy of consulting and informing. Only after using due diligence on awareness raising we will pick-up the fine-bat and start the process of punishing”, said Shoushan Doydoyan.
It appeared, however, that in Georgian the Authorities had already picked-up the “fine-bat”, as the Personal Data Protection Inspector of Georgia Tamar Kaldani said. Authorities have been dealing with data protection issues here for around 4 years. Tamar Kaldani informed the forum that administrative proceedings and fines yielded quite good results in her country. Data Protection Inspector’s functions in Georgia are highly prioritized and the Inspector, therefore, has a wide range of responsibilities and powers. “We amended the Legislation to somehow harness the under-cover operations, particularly cover-listening operations. To carry out any such operation, the law enforcement agencies need to obtain our permission on it; and we, prior to issuing the permission, check if there is a legitimate Court Order for that”, said Tamar Kaldani. The law enforcement agencies have to justify that the proposed under-cover operation is the only possibility for obtaining the required evidences. The Inspector informed the forum that many judges in Georgia refuse to sanction cover-listening operations, considering such practice simply unacceptable. Tamar Kaldani said that the Inspector’s Office carries out both ex-ante and ex-post investigations. For instance, there were cases when law enforcers carried out the cover-listening operation despite the prohibiting verdict of the Court. “When we find out that the under-cover operation is being conducted with violation of the applicable procedure, we can order to stop it until we complete our audit; however, if the violation is of criminal nature, we notify about it the Prosecutor’s Office”, said the Inspector.
The Inspector presented a number of examples on how the Data Protection Inspection identified cases of illegal audio-video surveillance of citizens. For instance, it appeared that some pharmacies in addition to video surveillance were also audio-recording the conversations with their customers. When asked “why are you recording the audio?” they replied that it is needed for improving the quality of services. “So we prohibited this practice, imposed fines and required them to destroy all the existing audio records. Now they can carry out only video surveillance without recording the audio”, said Tamar Kaldani and added that in Georgia they all know – if the Inspector is at the door, the administrative proceeding is inevitable.
During the discussion Mr. Daniel Ionnisyan, Project Coordinator of the Union of Informed Citizens, expressed a concern about the fact that the Russian Federal Security Service has access to the electronic data system of the Border Control Service (EDS) of Armenia. “One of the largest storages of personal data in our country is the EDS of the Border Control Service that contains all the information about trans-boundary passenger traffic. According to the letter that we received from the National Security Service of the Republic of Armenia, the Border Control Department of the Russian Federal Security Service has access to the EDS of the Armenian Border Control Service. This means that the Russian Federal Security Service can see who crossed the Armenian border during the last seven years, in which crossing point, in which direction, what ID did he/she produce, what means of transportation did he/she use and in whose company did he/she travel. This raises concerns, since according to the decision of the Government of Armenia only governmental agencies of the Republic of Armenia can have access to the EDS of the Border Control Service; the Decision does not list any foreign organization or service.” – said Daniel Ionnisyan. He inquired if the Personal Data Protection Agency is planning to take any action on this matter. Shoushan Doydoyan responded by assuring that the matter will be carefully studied after which a formal proceeding will be initiated (if required). “This can be legal only in two cases: 1) the person gave his/her consent, or 2) there is an international treaty regulating this matter. In all other cases the access to data is illegal and if so we will proceed with implementation of our legal responsibilities.” – said the Head of the Agency.
Participants of the public discussion raised a number of other issues, including: the protection of personal data of patients in health care institutions, the practice of illegal collection, processing and storage of personal data of persons other than the driver of the car in case of incorrect parking of the vehicle, as well as other violations of the Law.
By the way, the First Deputy Minister of Justice Arthur Havhannisyan did not participate in the discussion despite a prior arrangement according to which he was supposed to deliver the opening speech. Regrettably, he did not even inform the forum about this change in his plans and the agreed schedule of the event.