blogger facing pressure over a video shared on Facebook

Azerbaijani blogger Elmar Aziz was called into questioning on December 1 over what the blogger said was a video he shared about the traffic police. According to Turan News Agency, in the video shared by Aziz, traffic police are seen taking bribes from drivers. Aziz shared the video on Facebook.

In an interview with Meydan TV, Aziz said he posted the video of traffic police bribing drivers on Facebook and tagged the head Elshad Hadjiyev – the head of press relations at the Ministry of the Interior. 

The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. 

After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

Speaking to Turan News Agency, the head of press relations at the Ministry of the Interior, Elshad Hadjiyev refuted the blogger’s claim that he was questioned together with his parents by the local police after informing the media that he was forced to remove the video from Facebook. 

former member of the parliament faces criminal charges

Gultekin Hajibeyli, the former member of the parliament told Meydan TV she is facing criminal charges over a comment she left on Facebook. According to Meydan TV reporting, Hajibeyli was held at the airport on her return from a work trip to Brussels and was informed she is facing slander charges. Hajibeyli said she was then taken to the Nasimi district police station after two-hour-long questioning at the airport. 

In an interview with Meydan TV, Hajibeyli said, the complaint was filed by a woman named Leyla Arif. “Imagine that I am facing criminal charges over a comment I posted under a post shared by a user named Leyla Arif on Facebook. That post was later deleted. So I am facing criminal charges over a post that no longer exists.”

Arif then posted an explanation on her Facebook saying she was called a “separatist” by Hajibeyli. 

In Azerbaijan, hasty legislative measures in response to cyber threats, leave protection of personal data on the back burner  

In an increasingly digitalized world, collection, retention, and processing of private data have an essential role for both private and public bodies for the purpose of their services to citizens or clients/users. However, in the absence of strong data protection regulations and cybersecurity, privacy infringements are inevitable. The analysis shared below indicates that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

To effectively illustrate how in practice, no control and legal remedies are implemented in relation to the collection and processing of personal data in the context of Azerbaijan, we specifically looked at the telecom industry and a wave of hacks into state-run databases containing vital citizens’ personal data.

Our findings underline the need to strengthen national laws and the practice of protecting individuals’ personal data in light of the growing number of infringement incidents of individuals’ personal data collected by state authorities and corporate entities as a result of existing legal loopholes and a wave of in recent years connected with personal data protection in Azerbaijan.

International standards

The protection of personal data which falls within the scope of the right to privacy is recognized internationally as a human right and countries are required to respect it. This right is enshrined in different international human rights treaties ratified by the Republic of Azerbaijan. These include the Universal Declaration on Human Rights (Article 12), International Covenant on Civil and Political Rights (Article 17), Convention on the Rights of the Child (Article 16), and International Convention on the Protection of All Migrant Workers and Members of Their Families (Article 14).

At the regional level, the right to privacy is protected by the European Convention on Human Rights. Article 8 (Right to respect for private and family life, home and correspondence) of the convention holds that telephone data, emails, and Internet use (Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers (Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8. The European Court of Human Rights also acknowledges that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

The mere storage of personal data can violate a user’s right to privacy. The violation depends on the context in which the data is collected, the way it is collected, processed and used, and the outcome of the user data collection (S. and Marper v. the United Kingdom, 2008).

This right is further promoted and reinforced by the Council of Europe Convention 108 and a number of recommendations in relation to the protection of personal data adopted by the Committee of Ministers of the Council of Europe.

Azerbaijan has ratified various international and regional human rights treaties providing protection to the right to privacy and personal data, and as such, committed to ensuring relevant international human rights standards in relation to personal data protection. In 2009, the country joined Convention 108 also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. However, Azerbaijan is not a party to the Additional Protocol to Convention 108 which requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows.

A legally binding international data protection treaty establishes a number of principles for the signatory states to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, in which collected data is stored for no longer than a set time, and for a specific purpose, and that individuals have a right to have access to, amend or erase their data. 

Practice in Azerbaijan

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

The main law covering personal data in Azerbaijan is the Law on Personal Data adopted on May 11, 2010 [No 998-IIIQ available in Azerbaijani here]. Article 6, of the Law on Personal Data sets out the forms of state regulation,[2] which are regulated through different normative legal acts. 

In this context, personal data refers to determining – directly or indirectly – the information about the identity of the person [The Law on Personal Data, article 2.1.1]. This information includes name, last name, patronymic, date of birth, and other information contained in the documents of identity, as well as data revealing racial or ethnic origin, marital status, religious faith and beliefs, and health or criminal record of an individual.

The Law on Personal Data does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”). The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life, and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

As per, the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data” adopted on September 6, 2010, seven state institutions are granted the authority to supervise the fulfillment of the requirements for the protection of personal data. These are the Ministry of Digital Development and Transportation; the State Security Service; the Foreign Intelligence Service; the Ministry of Internal Affairs, the Ministry of Justice; the Special State Protection Service; the Special Communication and Information Security State Service; and the Financial Markets Control Chamber.

Under the Law on Personal Data, collection, processing, and cross-border transmission of personal data of any physical person are permitted only with the written consent of that person. Similarly, Article 6 of the Convention for the Protection of Individuals with Regard to the Processing of Personal Data states that only where appropriate safeguards are enshrined in law, complementing those of this Convention that special categories for revealing personal data shall be allowed. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights, and fundamental freedoms of the data subject, notably the risk of discrimination.

In the context of Azerbaijan, the country’s Law on Personal Data (Article 13.2.1) provides an exception where personal data can be made accessible to third parties without the consent of the subject. This exception is based on Article 5.4 of the Law on Personal

A recent wave of cyber threats and Azerbaijan’s response 

Azerbaijani citizens have long suffered significant harm from hacks into the database of key public institutions or from monopolistic companies transferring personal user data without users’ consent. This has been the case at least since 2011.

2022 was no exception. Multiple data leak incidents involving the personal data of millions of citizens obtained from allegedly government agency databases were reported in the course of this year. Officials say cyber-attacks have increased in the aftermath of the second Karabakh war [September 2020] and peaked once again during the September border clashes this year. Weak protection mechanisms have placed Azerbaijan 40th among 194 countries in the Global Cybersecurity Index in 2021.

The most recent cyber-attack took place on August 8, 2022. Large-scale cyber-attacks against a number of state institutions and banks in Azerbaijan were reported by the State Service for Special Communication and Information Security. No further details of the hack and how much data was stolen remained unclear.

On April 20, 2022, the website of the Compulsory Insurance Bureau of Azerbaijan was compromised. The perpetrator(s) of the hack claimed that the entire system of the Compulsory Insurance Bureau was destroyed, and more than 40 million pieces of information were seized. The online platform of the State Motor Transport Service ( was also among hacked institutions.

According to the June 2020 “Cybersecurity guidelines for the Eastern Partnership countries,” released by the European Union’s EU4Digital Initiative, the main obstacles and gaps in the area of cybersecurity in Azerbaijan were the country’s outdated national legislation and insufficient commitment of national authorities to cybersecurity matters.[3]

The country’s own Cybersecurity Governance Assessment Report published in November 2020, indicated that there was a lack of cybersecurity benchmarks for digital web providers, due to the absence of a competent authority in the field of cyber/information security to supervise public and private digital service providers with regard to the implementation of cyber/information security requirements.

In light of recent cyber threats, the government of Azerbaijan has come up with several legislative and policy measures – a document on the security of critical information infrastructure and information and cyber security strategy. On September 21, 2022, the head of the department of the State Service for Special Communication and Information Security of Azerbaijan, Tural Mammadov, stressed that the cyber strategy submitted to the Cabinet of Ministers will be approved soon. The “National Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2020 – 2025” has been in the works since March 2020.

New legislative amendments

On April 17, 2021, President Ilham Aliyev, signed an order “On some measures in the field of ensuring the security of critical information infrastructure.” The order authorized the State Security Services of Azerbaijan to ensure the security of critical information infrastructure including the fight against cyber threats.[4]

In May 2022, the parliament approved amendments to the Law of the Republic of Azerbaijan “On information, informatization, and protection of information.” The amendments included 9 new concepts and a new chapter, named “Security of critical information infrastructure,” which consisted of 6 articles. Amendments that entered into legal force on July 6, 2022, brought new concepts such as critical information infrastructure, cyber security service provider, information security, cyber threat, cyber-attack, and cyber incident to the national legislation. In connection with the adoption of amendments to the Law “On information, informatization, and protection of information” two new articles were added to the Code of Administrative Offenses providing administrative liability for the violation of the order ensuring the security of critical information infrastructure.

Article 371-1 envisages liability for violation of the rule of ensuring the security of critical information infrastructure. Article 602-3 envisages liability for failure to fulfill the requirements of the authorized body (official) in the field of ensuring the security of critical information infrastructure.

On July 16, 2022, the decree of the Cabinet of Ministers was tasked to prepare draft rules for ensuring security and proposals on the criteria of critical information infrastructure and facilities within 2 months.

Personal data vs. surveillance and commercial use of personal data   

How do national laws protect personal data in the telecom industry?

Collection, processing, and protection of personal data, including individual information created by means of technology [sms, phone calls and etc.] are mainly regulated by several laws [on Telecommunications, On information, informatization, and protection of information, and on Personal Data] and normative legal acts of the Cabinet of Ministers and other central executive powers.

In Azerbaijan, customers entering into a contract with mobile operators [to complete SIM card registration] are obligated to provide an extensive amount of personal data. This is regulated by Article 40 of the law On Telecommunications and the decision of the Cabinet of Ministers dated July 7, 2005, “On the approval of the conditions required for the sale and use of communication facilities by communication enterprises (operators), as well as their dealers.”[5] The collected user data is then stored in the single database of operators and on AzInTelecom (State company of the Ministry of Digital Development and Transportation) in an electronic format.[6] According to a decision of the Cabinet of Ministers, the Information Computing Center of the Ministry of Digital Development and Transport where the personal data are gathered and processed is established together with the Ministry of Internal Affairs and State Security Service.[7]  

Pursuant to purposes, and operation-search activities and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.[8]

The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators.[9] That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.[10]

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances including in an event the state security and/or its

Pursuant to article 445 of the Criminal Procedure Code, search operations such as interception of telephone conversations; monitoring of mail, telegraph, and other correspondence; and extraction of information from technical communication channels and other technical devices are carried out only on the basis of a court decision.[11] However, according to Article 10, paragraph 4 of the Law on “Operation and Search Activities”, and Article 177.4 of the Criminal Procedure Code, these search operations may also be carried out without a court decision, based on a reasoned decision of an authorized officer of the body carrying out the search operation.[12] This decision must be presented to the court conducting judicial oversight and to the prosecutor conducting the procedural management of the preliminary investigation within 48 hours after the relevant measures are taken. In practice, most of the investigations carried out based on a reasoned decision of an authorized person have [13]

The selling/giving of personal data to third parties for commercial purposes

Azerbaijani media and social networks regularly discuss the reports and complaints connected with the processing (transfer/sale) of SIM card users’ personal data without their consent for commercial purposes.

In accordance with article 23.1 of the Law of the Azerbaijan Republic “On Advertising” dated May 15, 2015, No. 1281-IVQ, the telecom operator and provider may broadcast advertisements based on the contract concluded with the advertiser. The telecom operator and provider can send the advertisement to the subscriber individually only if the sending of the advertisement is agreed upon in the written contract concluded between the company and the subscriber. The existing law obligates the telecom operator and the provider to give the subscriber the option to opt-out from receiving advertisements at any time or to broadcast only the advertisements the subscribers wish to receive ads from telecom operators.[14] Similar provisions are envisaged in Article 50-1 of the Law “On Telecommunications.”[15]

According to Article 9.10 of the Law on Personal Data, personal data collected and processed in corporate information systems may be presented to third parties for a fee. This procedure is regulated by the Decision of the Cabinet of Ministers, “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” which was adopted on March 2, 2011.[16] According to this regulation, the sale/transfer of data to a third party only applies to the open category of personal data.[17] The open category of personal data refers to the (i) information which has been anonymized in a specified manner, (ii) made public by the subject, or (iii) entered into the information system created for general use, with the subject’s consent. The Regulation (article 2.1) further requires a contractual agreement between the owners of personal data and the third party intending to obtain the personal data and additional permission of the state body that maintains the state register of information systems (Ministry of Digital Development and Transport).[18] The Regulation (article 2.3) also determines mandatory contractual clauses for the agreement on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis. It establishes specific duties[19] for the third parties who intend to obtain personal data.

However, agreements between operators and providers, and third parties on the sale of personal data are not provided to owners of personal data (individuals whose personal data was transferred) or published. Therefore, individuals are deprived to know the scope of the data sold and further specifics of the use of their personal data.

However, the Law on Personal Data (article 7.1.2.) provides that owners of data have the right to request the legal justification for the collection, processing, and transfer of personal data about themself and to receive information about the legal consequences (for themselves) of the collection, processing, and transfer of this data to third parties.

How is the consent given?

There are over ten million mobile phone subscribers in Azerbaijan.[20] Azercell LLC, Bakcell LLC, and Azerfon LLC (A brand of Nar) are the three major mobile phone operators. Subscription contracts of all three major mobile operators reveal that all contracts include many similar conditions because of the Law on Telecommunication which sets the mandatory clauses for such contracts between operators and subscribers.[21] As such, there is little difference in the way the operators use personal data. The subscription agreements individuals enter with mobile operators (at least in the subscription agreements distributed on the websites of Bakcell LLC and Azercell LLC) include provisions indicating “giving consent to receive advertising SMS”. Individuals often overlook these conditions or pay no attention.

A review of the consent clauses in the subscription agreements demonstrates that such provisions are not clearly reflected and do not explicitly state concrete implications for subscribers when choosing “to receive advertisement SMS” and what this means from the protection of personal data perspective.

However, the Law on Personal Data (article 8.2) sets out that the individuals’ written consent for the processing of personal data must include the purpose for collecting and processing personal data, the lists of personal data consented to be processed by the subject, and their processing operations, the validity period of the subject’s consent and the conditions for its withdrawal, conditions for destruction or archiving of personal data collected about the subject in accordance with the legislation after the expiration of the specified period of storage of personal data in the relevant information system or after the subject’s death.

As the contracts between the advertising companies and mobile operators are not public, it is not clear how the mobile operators allow third parties “to send advertising SMS” to subscribers. Being aware that the operators use the personal information of subscribers to sell targeted ads, subscribers do not know whether such contracts also ensure the transfer of the phone numbers to third parties. Or what concrete personal data is used by mobile operators to identify eligible subscribers to send advertising SMS?

None of the three main telecom operators have published Privacy Policies in relation to the protection of personal data in regard to using Sim Cards. Azercell LLC[22] and Azerfon LLC[23] do have privacy policies in relation to their policies on data protection.

In the example of the subscription agreement of Bakcell LLC[24], the contract includes one article that refers to advertisement:  “4.3. On the basis of this Agreement, the Subscriber agrees to the automatic sending of information, entertainment, and advertising SMS to their number, and if the Subscriber refuses to receive any type of SMS, the sending of such SMS to the corresponding number is stopped.”

In the sample contract of Azercell LLC [25], the provision of “whether the subscriber consents to receive advertising SMS” requires an affirmative answer. This is good, especially in comparison to the sample contract of Azerfon LLC (Nar)[26], where there is no clause regarding obtaining consent for such advertisement services. Instead, provision 6.4. of the contract states, “By signing this contract, the subscriber agrees to receive advertising or entertainment SMS or any other information to the number(s) he/she is using”. In addition to that, the Azerfon LLC (“Nar”) Privacy Policy states that “the subscriber accepts that Azerfon is not responsible for the disclosure of his/her information to third parties through the “Nar+” service application”.

In practice, individuals buying the sim cards are offered standard contracts and are not offered an opportunity to effectively refuse to give consent to receiving such services. It seems that the subscriber is offered the opportunity to unsubscribe from ads only after activating the sim card. It is then the subscriber’s responsibility to contact the operator and ask for a specific code that would stop this service.

None of the three mobile operators’ contracts contain a provision on the operators’ responsibility in relation to the protection of subscribers’ personal data even though operators receive an extensive amount of personal information during the sale of sim cards. The operators also oblige subscribers to update the operators in case of any changes to their personal data.[27] Such clauses in the contracts in the case of all three mobile operators are clearly undisputable as mobile operators design their contracts unilaterally, and the subscriber has no effective option to remove those conditions from the contract except in the subscription contract of Azercell LLC.

Different Council of Europe instruments refers to consent about the processing of users’ personal data. Bearing in mind that provisions of the Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data apply to the automated data processing activities of network operators and parties providing telecommunication services, the telecom companies must respect the requirements of the Convention, which Azerbaijan is a party to.  Thus, Article 5 (2)– “Legitimacy of data processing and quality of data” of the Convention stipulates that “each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.”

Recommendation (95)4 of the Committee of Ministers of the Council of Europe to Members States[28] recommends that the collection and processing of personal data in the area of telecommunications services should take place and develop within the framework of data protection policy, taking into account the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and in particular the principle of purpose specification (3.1). The mentioned Recommendation also envisages that “Domestic law should provide the appropriate guarantees and determine the conditions under which subscriber data may be used by network operators, service providers, and third parties for the purposes of direct marketing by telephone or by other telecommunications means (7.8).

The “Principles underpinning privacy and the protection of personal data” (2022) adopted by the UN Special Rapporteur on the Right to Privacy analyses international law in relation to consent and stresses the consent of the subject (owner of the personal data) as one of the legitimate grounds for the processing of personal data.[29] The UN Special Rapporteur concludes that the principle of consent is closely linked to the principle of legality, as it is the most common internationally recognized permissible ground for the processing of personal data (paragraph 31).


Do mobile operators give subscribers’ phone numbers and other personal information to other companies?

In the absence of publicly available information about contracts between mobile operators and third parties concerning the sale or transfer of private data; the lack of privacy policies of telecom companies, including the lack of any comprehensive data on protective legislation and oversight, it is difficult to say that SIM users’ personal data is not shared with other private and public databases, is not used for enabling the companies and states to create specific profiles of individual citizens, and is enabling other third parties to access a vast amount of data for commercial purposes.

In March 2017, Azerbaijan’s Supreme Court judgment “Viza” Law Firm v. “Azercell Telecom” LLC and “Sindbad” LLC established that one of the main mobile telecom companies – Azercell LLC transferred one of its subscribers (client) to another company which used the provided number, to send advertisement SMS despite there being no legal ground (contract) between the company sending advertisement and the user receiving the notifications via SMS. The Supreme Court judgment allows concluding, that mobile operators may share users’ personal data with third parties for direct marketing without explicitly mentioning this in the subscription contracts.

In July 2019, Azerbaijan’s Commissioner for Human Rights expressed concern over serious problems in data protection in the telecom industry where mobile operators were distributing users’ personal data without their knowledge and consent.[30]

Do the law-enforcement authorities have access to personal data gathered in the telecommunication systems beyond the rule-based surveillance regime

The existing system around SIM card registration allows law-enforcement agency access and permission to govern an extensive database of vast private data of SIM card users. This puts individuals at risk of being tracked or targeted and having their private information misused. Such access undermines the ability of users to communicate anonymously and one’s right to privacy.[31]

This also poses a threat to vulnerable groups and facilitates an environment of state surveillance making tracking and monitoring of users, easier for law enforcement authorities.

One prominent example illustrating this trend was documented in January 2019 when after an opposition protest rally, scores of rally participants received calls on their mobile phones from the local executive authorities and the police. All were interrogated about their participation in the rally. As such, mobile operators have long been accused by activists of providing their mobile numbers to the authorities.[32] Responding to these claims, the mobile operators said the data shared with law enforcement was provided based on legislation and official request.[33] Meanwhile, the Ministry of Interior confirmed that the rally participants were indeed called in for questioning on the grounds that this was a “police activity, and the police were carrying out both public and operation-search and other investigative activities.”[34]

Some experts suggest that having mandatory SIM card registrations further fuels their illicit use. It creates a need for a black market, as people want to communicate anonymously and it encourages identity fraud as people try to evade the system altogether.[35]


National legislation of Azerbaijan regulating the telecommunication sector must be reviewed in line with the established principles and standards of the European Convention on Human Rights, including the Convention for the Protection of Individuals with Regard to the Processing of Personal Data.

The national laws must be designed in a way where personal data is processed lawfully (with free, informed, unambiguous consent of the data subject or on the basis of law) for clearly defined legitimate purposes. In a context where national security and public safety interests are so often used to justify unprecedented intrusions on human rights and freedoms, it is crucial to ensure that new legislative and policy response to cyber threats does not harm individuals’ personal data.

In particular, all national legal frameworks in the areas of surveillance, interception, protection of personal data, and other relevant areas, must be accessible to an individual in question, who must be able to foresee the consequences of its application to him/her.

Government must adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and wide discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and effective review of interception orders; (iii) the precautions to be taken when communicating the data to other parties. Nationally, an independent regulatory authority should be established to ensure supervision and review complaints related to personal data breaches.

The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

National laws also must be amended in order to ensure that telecommunication services offer guarantees for users’ privacy, the secrecy of their correspondence, and the freedom of communication. Furthermore, existing rules equipping and enabling the use of special tools within the telecommunication networks must be re-designed in order to provide privacy for users and mitigate risks of abuse of personal data by the authorities.

National legal frameworks should encourage the private sector (in particular in the areas of mass personal data collection and processing) to develop data protection policies.

on increasing cyber security within the critical information infrastructure should recognize that the private sector is responsible for cyber security however it should not enhance government control over the personal data collected and processed by the private sector. The government’s appetite to control telecom infrastructure and information in cyberspace is unlikely to bring positive changes with respect to personal data protection in Azerbaijan.

In this context, the cyber security measures must put personal data at the heart of the planned legislative and policy measures, in particular removing the risk of abuse of personal data by telecommunications service providers and state authorities.


[1] Rec(2002)9 18/09/2002 on the protection of personal data collected and processed for insurance purposes;  Rec(95)4 07/02/1995 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services;

Rec(91)10 09/09/1991 on the communication to third parties of personal data held by public bodies;  Rec(85)20 25/10/1985 on the protection of personal data used for the purposes of direct marketing.

[2] i) establishing the legal basis for the collection and processing of personal data; (ii) ensuring basic human and civil rights and freedoms during the collection and processing; (iii) licensing of activities on collection and processing of personal data; (iv) conducting state registration of information systems of personal data; (v) certification of information systems of personal data and other ICT tools; and etc.

[3] According to the report findings, national law on the protection of personal data is outdated, and national legislation does not require data breach notifications. The report also identifies the main challenges as insufficient funding, lack of qualified personnel and resources in the cybersecurity area, and insufficient commitment of national authorities to cybersecurity matters. The report also indicated that security audits are carried out for verifying whether baseline cybersecurity measures are implemented only banking sector. It further notes that there is no formal definition of Critical Information Infrastructure (CII) and CII operators are not identified at the national level.

[4] The State Security Service of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of Azerbaijan toward the state bodies, and public legal entities created on behalf of the state, in relation to legal entities belonging to the state.

[5] The Cabinet of Ministers dated July 7, 2005, requires the collection of personal data from subscribers such as subscriber’s Sim card number, parameters of the subscriber identification module (IMSI, etc.), mobile device’s international identification number (IMEI), ID card or Passport (with photo), concrete and detailed address and place of residence of the subscriber, bank account and registration details for legal entity subscribers and etc.;

[6] The implementation of the changes to the mobile number sale rules is being finalized, portal,

[7] It is noted in the decision (preamble) of the Cabinet of Ministers that the rule (auth: a mandatory collection of personal data and establishing a unified database of sim card holders) was adopted in order to implement the provisions specified in Articles 39.1 of the Law “On Telecommunications”, Articles 9 and 12 of the Law “On Operation-Research Activities” and 17.4 of the Law “On Intelligence and Counter-Intelligence Activities” that obliging telecommunication companies to create conditions to for search and operational activities of law enforcement authorities. Thus, provisions in various legal acts referred to, as well as these regulations, allow law enforcement agencies (Ministry of Internal Affairs and State Security Service) to jointly form a database where personal data collected by communication enterprises is collected (paragraphs 3 and 4 of the Regulations).

[8] Pursuant to article 10.5 of the Law on Personal Data, article 39.1 of the Law on Telecommunications, and according to article 17.4 of the Law on Intelligence and Counterintelligence Activities, telecom operators must create conditions for conducting intelligence and counterintelligence, and operation-search activities in accordance with law and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.

[9] In accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” legal entities and individuals providing communication services are required to install special equipment that provides access to information for the search and operation purposes.

[10] On the approval of the “Rules on ensuring information security during the implementation of operational search measures in communication networks” approved by the Presidential order on 2 October 2015,

[11] Wiretapping of telephone conversations ad extraction of information from technical communication channels and other technical means are carried out by the Ministry of Internal Affairs and the State Security Service in accordance to Presidential Decree No. 507 dated June 19, 2001 “On the distribution of authorities of entities of operative-searching activity in the implementation of investigation and search operations” available (in Azerbaijani)

[12] In this case, the authorized official of the body conducting the search operation shall, within 48 hours of carrying out the search, submit the reasoned decision on the conduct of the search operation to the court exercising judicial supervision and the prosecutor.

[13] Dissent opinion of judge Isa Najafov, in the decision of the Plenum of the Constitutional Court “On the interpretation of some provisions of Articles 137 and 445.2 of the Code of Criminal Procedure of the Republic of Azerbaijan” February 12, 2015. Available (in Azerbaijani) at:

[14]  The telecommunication operator and provider shall be responsible for sending advertising without the consent of the subscriber or contrary to the provisions of this Law. Law on Advertising (Article 23),

[15] The Law On Telecommunications,

[16] “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” adopted on March 2, 2011,

[17] The person’s name, surname, and patronymic are permanent open personal information. (The Law on Personal Data, Article 5.3).

[18] State registration of Information Systems and cancellation of state registration is carried out by the Ministry of Digital Development and Transport of the Republic of Azerbaijan as determined by the Decision (article 1.3) of the Cabinet of Ministers On approval of “Rules for state registration of information systems of personal data and cancellation of state registration” dated on August 17, 2010.

[19] The contract should specify the content of the provided data, purposes of acquisition, fields of use, and methods, and the following obligations of the third party acquiring personal data should be provided: ensuring the protection of obtained personal data and the rights of personal data subjects in accordance with the Law of the Republic of Azerbaijan “On Personal Data”; not to give or transfer the obtained personal data to other persons in any way; exclusion of all threats and dangers for personal data subjects when using personal data, and not making offers that may cause them unwanted or additional costs, as well as anonymous or misleading personal data subjects. The material, technical and organizational capabilities of third parties who obtain personal data collected and processed in corporate information systems or their personal data operators must be in accordance with the purpose of data acquisition and the requirements for their protection.

[20] 2022 CEIC Data, an ISI Emerging Markets Group Company,

[21] Article 40 of the Law on Telecommunications requires that the following provisions are reflected in the contract and other documents should be a part of it: i) the period (time) and conditions of connection and use of end equipment to the telecommunications network; ii) conditions of termination and cancellation of the contract; iii) duties, rights and responsibilities of the parties; iv) the subscriber’s consent (objection) to the implementation of the duty specified in Article 33.1.3-1 of this Law; v) his/her consent (objection) to the display of information about the subscriber in survey-information sources; vi) other conditions not contrary to law. A copy of the photo ID of the subscriber must be attached to that contract.

[22] Azerfon LLC (“Nar”) respects your privacy. This Privacy Policy explains the collection, use, and sharing of information from or about you in connection with your use of the services. The term ” Services” refers to our video service, including the selection of television shows, clips, movies, and other content we offer (collectively, the “Content”) and our player for viewing the Content (the “Video Player”), as well as any other products, features, tools, materials, or other services offered from time to time by Nar through a variety of Access Points. The term “Access Points” refers to, collectively, the website (the “Nar Site”), applications, and other places through which the Services may be accessed, including websites and applications of Nar’s third-party distribution partners and other websites where users or website operators are permitted to embed or have otherwise entitled to publish the Video Player.

[23] Privacy Policy about the application “Azercell Kabinetim”, “Azercell Kabinetim” is created by “Azercell Telecom” LLC as a FREE application. This SERVICE is rendered by “Azercell Telecom” LLC free of charge and is intended to be used the way it exists.  This web page is used for providing information about our policy on collection, usage and disclosure of personal data of customers determined to use our Service. If you choose to use this Service, you consent to the collection and usage of information in accordance with the present policy. The collected Personal Data is used for rendering and improving this Service. We undertake not to use or share your data with anyone except for those cases described in this Privacy Policy. The provisions used in this Privacy Policy have the same meaning as the Terms and Conditions set forth in my Cabinet unless otherwise stated in the Privacy Policy.

[24] Subscription Agreement of the Bakcell LLC,

[25]Subscription Agreement of the Azercell,

[26] Subscription Agreement of the Azerfon,

[27] In accordance with article 4.2.7 of the Contract provided by Bakcell LLC, the Subscriber is responsible for the correctness of the information related to the Subscriber, reflected in this Agreement and submitted by the Subscriber to “Bakcell”, and immediately informs “Bakcell” about changes in the registration address, questionnaire data, contact number and other information related to this Agreement. 2 (no later than two) calendar days) must provide written information. The subscriber does not object to the display of this information in the survey information sources.

[28] “On The Protection of Personal Data in the Area of Telecommunication Services, With Particular Reference to Telephone services”

[29] The “Principles underpinning privacy and the protection of personal data” report adopted by the UN Special Rapporteur on the right to privacy, 2022,

[30] On 6 July 2019, during the meeting of the Working Group on “Business and human rights” held at the Ombudsman office (the meeting was dedicated to the topic “Ensuring the right to access information in the context of business and human rights”) the Commissioner noted that despite the existence of serious reforms in the relevant field, mobile operators distribute personal data without the knowledge and consent of the data owners, as a result of which they are inconvenienced and materially damaged and the investigation of complaints of citizens are carried out by companies without the participation of the complainant which also results with the lack of consideration of the complainant’s position in many cases; The Commissioner noted that such issues must be resolved.

[31] A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.

[32] “Mobile operators have prepared a list of rally participants”, 28 January 2019,

[33] “Mobile operators responded to the accusations of the opposition”, 30 January 2019,

[34] How is personal information protected in Azerbaijan? BBC News in Azerbaijani. February 7, 2019.

[35]Access to Mobile Services and Proof of Identity 2021. The GSMA Association. April 2021,

Azerbaijan’s Media Registry leaves media platforms in limbo

In Azerbaijan according to the new law on media that was adopted in January 2022 and approved by the President in February 2022, all online media outlets as well as journalists working for online media platforms or working as freelance journalists were ought to register with a new media registry system. This media registry system began to operate on October 14, 2022, according to reporting by Turan News Agency. The law itself was heavily criticized by the local civil society prior to its adoption, and many anticipated many of its restrictive features put in practice. AIW published this overview of the law in March 2022 describing some of its most problematic features including the media registry clause.   

According to the new law, Azerbaijan must establish a registry system of online media outlets and journalists working for online media platforms or working as freelance journalists. This and other additional provisions of the law raise a number of questions regarding the compliance of the law with the international standards on media freedom.

Article 62.1 reads that permission from state bodies is not required for setting up online media. But Article 62.2 requires that an online media entity must apply to the relevant executive authority (Media Registry) 7 days prior to the publication or dissemination of the relevant media material.  In other words, while there is no need to apply for creating an online media platform, there is a requirement to apply for a permit once the online resource becomes operational and starts publishing. Article 62.4 requires an additional opinion issued by the State Committee for Work with Religious Organizations before an online media focusing on religion and religious content is set up. In addition, Article 78.3 obligates online media to apply to the Media Registry within 6 months since the platforms become operational.

Article 60.5 requires online media to publish at least 20 articles per day to qualify as an online media platform.

Article 26 obligates the founder of the online media to be a citizen of the Azerbaijan Republic permanently residing in the Azerbaijan Republic. In case the founder is a legal entity, then the highest share (75 percent) in the authorized capital must belong to a citizen (citizens) of Azerbaijan permanently residing in the country.

The Cabinet of Ministers has been instructed to prepare regulation on the provision of registration at the Media Registry within 3 months as per presidential order “on the application of the Law of the Republic of Azerbaijan ‘On Media’ and regulation of a number of issues arising from it” dated February 8, 2022. And Article 60 of the new law requires that online media outlets disclose their organizational information on their respective websites. Article 60.2 also requires online media to register with the tax authorities, and identify and appoint a person responsible for editorial.

Article 26.3 prohibits previously convicted individuals from setting up media platforms. The list of previous convictions is exhaustive including serious or especially serious crimes; crimes against public morality; persons whose convictions have not been expunged or revoked; including political parties (excluding print media); and religious organizations (excluding print media). Prohibiting religious and political organizations from establishing online media is a failure to comply with the international standards on the right to freedom to seek, receive and impart information and ideas of all kinds.

Importance of registering with the Media Registry for online media platforms

The Media Register is an electronic information resource managed by a Media Development Agency which is managed by the Supervisory Board consisting of the Chairman and 6 (six) members appointed by the President of the Republic of Azerbaijan. In order to be registered at the Media Registry as a media entity (subject), a media entity can apply either as a legal entity or as a sole entrepreneur (Article 74).

Article 74.2 sets out a list of requirements journalists must comply with for their inclusion in the registry. These requirements include a degree in higher education as well as another number of different merit-based criteria. Article 74.2.5 requires that journalists obtain and provide an employment contract with a media entity. Individuals or freelance journalists must have a civil contract with at least one media entity registered at the Media Registry in order to be able to register at the media registry.

Those outlets who succeed at registering with the Media Register are issued certificates (which grant access to government events, press conferences and etc.), and journalists are issued press cards (valid for three years and subject to renewal upon request). Media entities, including online media outlets not included in this registry, will not be considered mass media, and subsequently, unable to hire journalists. Also, in case the online media platform is not registered by the registry, journalists who have contracts with these online media platforms, won’t be admitted to the Media Registry and won’t be issued press cards.

Registration with the Media Register is one of the main guarantees for the free operation of media outlets and journalists. For example, according to Article 72.6 of the Law, only media entities and journalists included in the Media Register may carry on with their work during military and/or state of emergency situations, in special operations against religious extremism, and in operations against terrorism.

In the absence of certificates issued exclusively by the register, journalists may also not be allowed to conduct polls on the streets.

These and other requirements as outlined in the law, create additional challenges for freelance journalists working (on contracts) with international media outlets or local online media outlets not registered with the Media Register.

Now, according to Turan News Agency, at least 15 online news platforms have been denied registry. Among them is – a news website that remains blocked in Azerbaijan according to AIW/OONI measurement reports. To bypass censorship, the founders of the website, created a new URL which according to the website’s director Vugar Gurjanly is still accessible. However, in an interview with Turan News Agency, Gurjanly lamented the registration process and getting it denied. Gurjanli believes the decision was not justified and aimed at eventually stopping the news site from working. “Our website meets all the necessary criteria,” Gurjanly told Turan News Agency. According to Article 78.3 of the new Media Law, active mass media must apply to the Agency within six months from the day the Registry starts working. In the event media fails to do so, or the information provided during the registration process is found incorrect the agency has a right to take the media to court. 

Speaking to Azadliq Radio, Azerbaijan Service for Radio Liberty, media law expert, Khalid Aghaliyev said, the currently applied regulations on media platforms trying to register with the Agency are unconstitutional because according to the law, the registration regulations of the new law should apply to the media platforms established after the said law was adopted. “The media that existed prior to the adoption of the law should be registered automatically,” said Aghalyev. 

But this is not the only problem concerning media platforms. The law also demands that the media platform must publish at least 100 news items per week. But the agency already showing a biased approach to this specific regulation. According to Aghaliyev, a number of news sites that were registered have failed to meet the criteria, and yet those that have met the 100 items per week criteria have been denied registry. 

Articles 74.1.2 and 60.5 of the Law, define the criteria of published content as well as what the Media Agency means when it demands a continuity of activities. As such, media platforms applying for registration must demonstrate continuity in their work for at least 20 days a month and publish a minimum of 20 news items per day for their activity to be considered “continuous.” 

Those who have been denied the registry are now planning to appeal in local courts. According to information provided by the Media Agency, it has so far registered 100 media platforms, denied 15, and is reviewing 40 applications.

political activist says he faced pressure by local police after refusing to share his phone password

A member of D18 political movement, Afiaddin Mammadov, who was arrested on November 11 and sentenced to 30 days in administrative detention said during his appeal court that all the claims about him allegedly breaking a windshield and resisting police were untrue. Instead, he was taken against his will on November 11 by six plain-clothed men and brought to the Main Police Station according to Meydan TV reporting. 

Mammadov also said that police demanded he shared the password for his mobile device and when he refused he was tortured. He was then sentenced to 30 days in administrative detention without any further investigation into the alleged crime he committed. The activist said he was also refused a lawyer.  

According to Meydan TV reporting, Mammadov said in court, that shortly before his detention, he was interviewed by an online news platform Toplum.TV. In the interview, he said he will stage a demonstration less police provided information on the whereabouts of another D18 member, Orkhan Zeynalli. Zeynalli was detained by the local police on November 11 and was sentenced to 30 days in administrative detention on November 12, according to reporting by Turan News Agency. 

During Mammadov’s court hearing despite lawyer Zibeyde Sadighova’s attempts to get the judge to overrule the decision and release the activist as well as provide traffic camera footage to confirm alleged crimes committed by Mammadov and investigate the torture Mammadov faced during detention, none were met. 

Police detains political activist over Facebook posts

A member of a political movement D18 was detained by the police on November 11. Speaking to the local media the head of the movement Ahmad Mammadli said the activist, Orkhan Zeynalli was taken by the police over his Facebook posts that were critical of the police. 

According to Mammadli, the problem started a month ago when Zeynalli went to the police to file a complaint over a stolen bike [Zeynalli worked as a courier delivering food]. The police offered a different kind of assistance – a fee in an exchange for them to help him find his stolen bike. Zeynalli wrote about this exchange on his Facebook after which police called him in asking to remove the post. They were unaware of his political activism prior to seeing his post on Facebook. 

Assured, Zeynalli hid the post, but a month later, after receiving no news, Zeynalli shared another ironic post about the police force, explained Ahamd Mammadli in an interview with Meydan TV. 

Zeynalli was asked to visit the police station yet again, this time, Zeynalli refused, given there was no official letter from the police. 

That day, Zeynalli went out of his home to fix the electricity outage which according to Mammadli, was caused by the police. “Plain-clothed police officers detained Zeynalli on the spot. Zeynalli’s wife watched all of this happen,” noted Mammadli. Zeynalli was sentenced to 30 days in administrative detention on November 12, according to reporting by Turan News Agency. D18 had another member sentenced to 30 days in administrative detention on November 12 as well – Afiaddin Mamedov – but on what grounds remains unclear.

This is not the first time, political and civil activists are detained by the police over their social media posts. Most recently police detained another political activist, a member of the opposition Popular Front party over social media posts. According to reporting by Meydan TV, Emin Akhundov was briefly detained by the police on October 31 over a post in which he criticized disproportionate police violence against political activists. Akhundov was released the following day. 


police briefly detains a member of an opposition party over social media posts

Police in Baku detained a member of the opposition Popular Front party over social media posts according to reporting by Turan News Agency. Emin Akhundov was taken from his home on October 31 wrote Akhundov’s father on his Facebook. “Extraordinary things are happening in our country. Yesterday evening at around 19.30, two people from the Absheron district police department came to us, looking for my son (Emin Akhundov). I asked what was going on, and they said it was a minor issue, and that my son would be back home shortly.” Emin Akhundov was let go the next day according to members’ statements shared on Facebook. 

It was not immediately clear what post or posts were the cause for Akhundov’s arrest. In a Facebook post, Emin Akhudnov shared shortly after his release, the activist did not share any additional information only that he was released and that he will continue his activism. Other members of the Popular Front Party took Akhundov’s detention as continued pressure against the party, especially in light of the recently organized protest in the capital Baku. 


in Azerbaijan a reserve colonel gets jail time

On October 6, the Baku Military court, sentenced reserve Colonel Elnur Mammadov to six months in prison. The court found Mammadov guilty of slander. Mammadov voiced criticism of the Ministry of Defense on social networks accusing it of cronyism and nepotism. The accusations were also leveled against the Ministry of Defense, Zakir Hasanov. 

According to local media reports, the Ministry of Defense earlier responded to Mammadov’s criticism by refuting the colonel’s claims. 

Mammadov said his arrest and sentence were directly linked to his social media commentary. 

In one of his recent videos, Mammadov said despite his attempts to speak with the Ministry about ongoing nepotism and cronyism within the Army no one listened. Instead, he was dismissed. In its response, the MoD said Mammadov was discharged because of his illness. 

OONI Measurements Report September 2022

This new OONI report provides an update based on the analysis of OONI measurements collected from Azerbaijan between May 2022 to September 2022. Access to the full report is available here

Key findings 

Blocked websites – measures show that at least 7 news media websites previously reported as blocked, remain inaccessible in the country. Among them are Radio Liberty, Azerbaijan Service for Radio Liberty, Meydan TV, and others. In addition, the measurements indicated that the authorities continue to block access to the Russian state-owned RIA-Novosti news site. This access block rolled out in June of this year. On June 4, the Ministry of Digital Development and Transport said in a statement the decision to block the Russian news website was a result of the news site running a story that was of defamatory nature against Azerbaijan. Specifically, the statement was referring to an interview published by RIA Novosti with Artak Beglaryan, the Minister of State of the disputed territory of Karabakh. In response, Azerbaijan Foreign Ministry accused Russia of “spreading slanderous information against the territorial integrity of Azerbaijan and promoting separatism” and violating “the 1997 Agreement on Friendship, Security, and Strategic Partnership between Azerbaijan and Russia, as well as the 2022 Declaration on Allied Cooperation, which requires both countries ‘to refrain from any activity directed against the principles of the UN Charter and each other’s sovereignty and territorial integrity,’ as well as ‘counter the threats of separatism.” On June 10, local media said RIA-Novosti removed the interview however, the site remained blocked in Azerbaijan. 

Since Russia’s invasion of Ukraine, both Russia and Azerbaijan have blocked or discussed blocking each other’s news sites. The most recent OONI measurements show that the Russian internet regulator– Roskomnadzor blocked access to at least five Azerbaijani media domains from within the country. 

Blocking of circumvention tool websites remained. TunneBear, Psiphon, Torproject were among circumvention tool websites that indicated signs of blocking. It is worth noting that not all networks were blocking these sites. And while the Psiphon and Tor Project websites might be blocked in Azerbaijan, their tools appear to work in the country (at least on tested networks).

Azerbaijan temporarily blocked access to the social media platform TikTok – the block remains in place according to the most recent measurement.  

Stay tuned for the next quarterly report on measuring internet censorship in Azerbaijan. 

Facebook user questioned over a Facebook status post

Seymur Aghayev, a student, said police unlawfully took him to a police station where he was held for some two hours on September 27. The men who first asked Aghayev to confirm his identity were ununiformed explained Aghayev following his release. When Aghayev asked the reason for this inquiry his questions remained unanswered. The men put him in a car against his will and took him to the Baku Police Station. 

“I was standing outside a grocery store when two men approached me, asking if I was Seymur. I told them that was my name. They were plainclothed and only later at the police station did I learn that the two men were the officers at Criminal Search department at the Baku City Police Station. They left my questions unanswered as we drove [to the police station],” Aghayev wrote the following day on his Facebook profile.

At the station, Aghayev was told the reason he was brought in was a Facebook status Aghayev shared about police violence against citizens. 

In an interview with Toplum TV, Aghayev said, the status was referring to an old video of police using physical violence against a citizen. At the station, following the questioning (police officers also asked about his family members, their employment history, and any religious affiliation) Aghayev was forced to remove his Facebook status. 

In its response to media inquiries, the Ministry of the Interior said there was nothing unlawful in Aghayev’s visit to the police. “He was questioned upon an invite. This is not unlawful,” said the Ministry’s media spokesperson in an interview with Meydan TV.