Legal overview: legal remedies (or lack thereof) in cases of online targeting

In the last decade, the rise of the repressive policy by the government of Azerbaijan against digital rights necessitates the discussion of the legislation and legal remedy aspects of it. As such, in our following legal review, together with a legal expert, we chose to focus on how the state has been resorting to unlawful persecution measures against critics online, in particular, human rights defenders, activists, journalists, and lawyers. 

In the analysis presented below, we look at the general trends of online targeting, the existing legal remedies in domestic law, and their effectiveness.

Background information

During 2022, Azerbaijan Internet Watch documented numerous cases of prison sentences handed out on charges of defamation, the arbitrary application of provisions of the Administrative Penalty Code and the Law “On information, informatization and information protection” to limit freedom of expression on the internet, including increased reports of cyber-attacks against activists and media professionals.

In its recent annual report published on 16 December 2022, AIW indicated that overall, 2022 has been no different than recent years in terms of online attacks and internet censorship. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.

In April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

Domestic remedies against cybercrimes often committed against HRDs, activists, and media

In recent years, scores of human rights defenders, civic activists, journalists, and politicians in Azerbaijan have been complaining about hacking attempts (or hacking) into their personal and professional e-mails, social media accounts, and instant messaging (WhatsApp) accounts. Other complaints include impersonating social media accounts, disseminating false information on their behalf, and publishing their private correspondence, intimate photos, and videos, breaching privacy resulting from intrusion in the intimate life of individuals through illegal tapping. Furthermore, political activists sometimes face pressure from local police to share their phone passwords during arrests.

Once personal information is unlawfully seized at least several constitutional rights and freedoms, such as the right to privacy (Article 32 of the Constitution), the right to honor and dignity (Article 46 of the Constitution), and the right to freedom of thought and speech (Article 47 of the Constitution) are at stake.

Lawyers in Azerbaijan mostly use various available legal mechanisms to protect the rights of targeted individuals. Illegal interception of personal data, violation of the confidentiality of correspondence and other information, and violation of privacy, including certain cybercrimes such as illegal intrusion, illegal acquisition, and unlawful interference with computer systems are criminalized by the criminal law of Azerbaijan. As such, lawyers rely on existing criminal law when submitting complaints to law enforcement authorities, requesting to conduct a criminal investigation regarding the alleged committed act prohibited by the criminal law.

What remedies are available to counter online harassment? To what extent are they effective?

Lawyers with extensive experience defending human rights defenders and activists targeted by cybercrimes say that the Azerbaijani law enforcement authorities and the judiciary are systematically rejecting investigations of cybercrimes committed against government critics.

So in which circumstances and conditions legal safeguards and remedies are functioning and to what extent they are effective? We take a look.

General overview of the relevant legislation

Digital security rights, in a general manner, are safeguarded by the Azerbaijani legal framework. The Azerbaijani legal system enshrines the following legal regime concerning digital security.

General constitutional protection and incorporation of international law

The Constitution provides, inter alia, order public conditions on digital security. According to Article 32 of the Constitution, privacy rights are secured. The privacy rights that the Constitution prescribed are negative and positive in nature – these rights protect against possible governmental interference (negative aspect) and possible trespass by third parties. Constitutional privacy protection not only provides preservation against off-line intrusion but also implies online targeting according to its meaning. Therefore, Article 32 of the Constitution plays a role as a key to digital security rights. In addition, Article 68 of the Constitution determines the prohibition of arbitrary actions of state authorities and recognizes the right to compensation.

The Constitution also incorporates international human rights obligations of the Republic of Azerbaijan. The Azerbaijani Constitution adopts a monist type of international law implementation which means direct integration of international law rules concerning human rights regulation.

The Republic of Azerbaijan has ratified the International Covenant on Civil and Political Rights (1966) (ICCPR) and European Convention on Human Rights (1950) (ECHR). Both ICCPR (Article 19) and ECHR (Article 8), as well as, the jurisprudence of the implementation bodies (in the case of the ICCPR is the Human Rights Committee (HRC) and in the case of the ECHR is the European Court of Human Rights (ECtHR)) safeguard digital security rights as a part of privacy rights. Moreover, the Convention on Cybercrime (a.k.a. the Budapest Convention) (2001) of the Council of Europe – seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations – was ratified by Azerbaijan in 2009.

Both ICCPR and ECHR honor contracting states with two types of obligations – negative and positive. This means, that the state authorities shall not directly involve the right to privacy including digital security rights against the requirements of domestic law, without legitimate aims and against the requirement of democratic necessity, and with violation of proportionality (tripartite requirement of interference of qualified civil rights). In addition, the state authorities have a positive obligation to protect digital security under privacy rights from third parties, also to initiate effective procedural safeguards.  

As such, Azerbaijani legislation prescribes constitutional (order public) protection for digital security and harmonizes international law protection with domestic law. However, mere general constitutional protection is not enough for the effective implementation of human rights. The next level is ordinary legislation.

Substantive law

The substantive legal norms concerning digital privacy rights are mainly set out in criminal law and, in nature, prohibitory sanction rules.

Criminal law provisions are arranged in the Criminal Code. Criminal Code prescribes both general privacy rights violations and specific cybercrimes. General privacy rights violations are Articles 155 (violations of correspondence privilege) and 156 of the Criminal Code (violations of privacy rights). Specific cybercrimes are set out in Articles 271-273 of the Criminal Code (Article 271 prohibits illegal intrusion, Article 272 bans illegal acquisition, and Article 273 forbids unlawful interference). In addition, Criminal Code also proscribes violation of operational-search activity by law-enforcement bodies concerning privacy and digital rights. Both state and non-state actors are liable for violations of the above-mentioned criminal law sanctions. According to Criminal Code (Articles 156.2.1, 271.2.3, 272.2.3, 273.3.3 of the Code), the commission by the state officials of the above-mentioned criminal law rules is considered an aggravated circumstance.

In addition to criminal law, civil law/code provisions also offer protection against the violations of privacy and digital rights. codes prescribe protection for digital security. Criminal code safeguards are general protections and not specified for purposes of digital security. Article 1096 of the Civil Code sets general criminal code rules for delictual (civil wrong) liability. On the other hand, Article 1100 of the Civil Code specifies delictual liability for state authorities.

It must be noted that different codes of conduct for state officials and law enforcement bodies also enshrine the protection of privacy rights (which also implies digital security) and require disciplinary sanctions against the perpetrators.

The substantive law also contains relevant remedies for covert surveillance. The state control over compliance of the covert surveillance-related-obligations of the telecommunication operators and providers is regulated largely via the Law “On Telecommunications”, the Law on “On Personal Data”, the Law on “On Operational Search Activities”, the Criminal Procedure Code and Decrees of the President of the Republic of Azerbaijan and Decisions of the Cabinet of Ministers of the Republic of Azerbaijan.

AIW’s legal analysis on the State of Internet Freedom in Azerbaijan, a legal overview (July 29, 2021) reveals the gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of covert surveillance.

Article 11 of the Decision of the Cabinet of Ministers No. 174 dated November 7, 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”[2] requires the telecommunication service providers to install special-purpose equipment, determined by the State Security Service (SSS) and the Ministry of Internal Affairs. This equipment allows the security services and the ministry of the interior to access data and information across all types of telecommunication networks for the purpose of ensuring national security. And legislation requires the installment of the special equipment as an additional requirement for granting special consent (license) for the cellular (mobile) communication services/companies. In case of a refusal to install this equipment, companies/services are refused operational licenses.

Procedural law and jurisdiction

Pursuant to Articles 215.2, 215.3, and 215.5 of the Code of Criminal Procedure, if it is identified that the privacy (digital) rights violations are conducted by third parties (non-state actors), then the jurisdiction to investigable falls within the Ministry of Internal Affairs or the State Security Service (depending on their competence).

According to Articles 204-207 and 215 of the Code of Criminal Procedure, the local or qualified body of the ministry of the interior or the state security services shall initiate the criminal case based on reports of the victim or others. If the initial inquiry finds more evidence of a breach of rights, then a preliminary investigation has to be conducted. Based on the results of the preliminary investigation, perpetrators might be identified and brought to trial. Violations of privacy rights (including digital security) are considered less serious crimes by Criminal Code and therefore, the trial jurisdiction lies on ordinary district courts.

It is identified that the privacy (digital) rights violations are conducted by state officials (including law enforcement officials), then investigative jurisdiction falls within the Office of the General Prosecutor. The subordinate prosecutor’s offices or qualified bodies of the prosecutor’s office shall initiate the criminal case against officials or based on the fact, shall conduct a preliminary investigation. Based on the conclusions of the preliminary investigation, relevant official (officials) might be held accountable and brought to trial. The trial jurisdiction again belongs to the ordinary district courts.

If the relevant investigatory bodies fail to initiate the criminal case, interested parties have the right to challenge the decision or action on non-initiation of the criminal case under judicial review procedure pursuant to Articles 122 and 449 of the Code of Criminal Procedure.

Criminal Code procedures shall be conducted with ordinary district courts or administrative courts. If the statement of claim is directed against a third party, then it is accepted as a civil case and should be heard by an ordinary civil court. The relevant trial procedures are prescribed by the Code of Civil Procedure. If the statement of claim is directed against state bodies, then it is an administrative law dispute and must be heard by an administrative court following the trial procedures based on the Code of Administrative Procedure.

Disciplinary actions are initiated based on complaints or ex officio, by relevant state bodies and follow procedures that prescribe the codes of conduct or internal disciplinary reviews.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review the cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities.

Specifics of the criminal law sanctions and operational-search remedies

According to Article 156 (violation of the inviolability of private life) of the Criminal Code, actions that breach the inviolability of private life are prohibited and subject to criminal liability. According to Article 156.1 of the Code, the dissemination, illegal sale or transfer, and illegal collection of information that constitutes a secret of private and family life, as well as the documents, video and photographic materials, and audio recordings containing such information, are all subject to criminal liability.

It should be noted that private life information may be collected on legal grounds and conditions in the manner prescribed by law. Relevant state bodies can do this on the grounds provided by law. However, there are no such grounds provided by law in the complainant’s case. Therefore, the collection of information about the complainant in this manner should be considered as the acts provided for in Article 156.1 of the Criminal Code, that is, the collection of information or an attempt to collect such information, which is a secret of private and family life.

According to Article 271.1 of the Criminal Code, accessing a computer system or any part of it without the right to access it or any part of it by breaching security measures in order to collect computer information stored there or with other personal intent calls for criminal liability. It should be noted that Articles 271 and 272 of the Criminal Code pertain to cybercrime and are primarily concerned with computer information. However, smartphone devices already have the potential to contain all or part of traditional computer data. In this regard, part of the complainant’s computer data is contained in the relevant parts of his/her smartphone. So when scores of civil society activists in Azerbaijan were targeted with Pegasus spyware, the perpetrators thus illegally infiltrated the complainant’s computer system and illegally acquired computer information. This action demonstrates the commission of a criminal offense under Article 271.1 of the Criminal Code.

In the case the latter offense was committed by an official while abusing his/her official interests, the act is then considered an aggravating circumstance according to Article 271.2.3 of the Criminal Code.

According to Article 272.1 of the Criminal Code, the intentional gathering of computer information not intended for public use, transmitted to the computer system, from the computer system, or within the system, including electromagnetic radiation from the computer systems, which are carriers of such computer information, using technical means by a person not entitled thereto, causes criminal liability. The above-mentioned legal analysis of Article 271.1 of the Criminal Code also applies to Article 272.1 of the Criminal Code.

Article 302 of the Criminal Code (“Violation of the legislation on operational search activities”) criminalizes violation of the law on operational search activities. According to Article 302.1 of the Criminal Code, among other things, the implementation of such activities by authorized persons in the absence of any ground established by law, entails criminal liability, if it causes a significant violation of the rights and legally protected interests of the person. According to Article 302.2 of the Criminal Code, the violation of the law on operational search activity with the intent to secretly obtain information using technical means is considered an aggravating circumstance.

The Operational-Search Activity Act (OSA) and Code of Criminal Procedure allow targeted persons to raise complaints concerning covert surveillance.

Art 4(4) of the OSA stipulates, “[a]ny person, whose rights and liberties have been violated as a result of the actions of the agents of the operative search activity, shall be entitled to complain to the head of the authority – higher in rank to the agents of the operative search activity, prosecutor or the court.”

  • The first type of claims available under Azerbaijani law is ‘internal claims’ – claims against the head of the alleged authority that conducted the surveillance.
  • The second type of claim is a claim to a prosecutor.
  • A third type of claim is a claim to a Court.

Effectiveness of legal remedies in the light of international human rights obligations

Legal remedies concerning covert surveillance

The available remedies shared above, concerning covert surveillance are not effective in practice due to the following reasons:

Firstly, given that there is no method of notification as to whether they were under surveillance or not, no domestic remedies are available to challenge and investigate instances of covert surveillance by authorities, given their inextricable link (Zakharov v Russia at [234]; see also Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App No. 62540/00, 28.06.07 at [91]; Szabo and Vissy v Hungary App No. 37138/14, 12.01.16 at [86]).

As mentioned above Art 4(4) OSA sets out relevant remedies. However, this provision does not establish a freestanding claim under the OSA – rather it merely reflects that claims are available under other procedures.

‘Internal claims’ remedies (the first type of remedy) are claims against the head of the alleged authority that conducted the surveillance. The ECtHR has found that such complaints are ineffective as they “do not meet the requisite standards of independence needed to constitute sufficient protection against the abuse of authority” (Zakharov at [292]). As such, any available internal remedies are ineffective.

Prosecutorial review is the second type of remedy. This remedy is not effective either, because it is based on prosecutorial discretion. Once the prosecutor refuses jurisdiction over a complaint or initiates a criminal case,  this remedy becomes ineffective.

In the Pegasus spyware case prosecutor general’s refusal of jurisdiction over complaints, challenged the potential victims’ procedural rights. The prosecutor general remitted the complaints to the state security services which in the case of Pegasus, were a party of interest,  and therefore, constituted a conflict of interest. By passing the investigation to the state security services, the investigation lost the requisite degree of independence given the same body was involved in carrying out the covert surveillance, which is contrary to the case-law standards (c.f. Kennedy v UK at [167-8]) of the European Court of Human Rights.

Judicial claim avenues are a third type of legal remedy. Azerbaijani legislation offers no bespoke judicial remedy for illegal surveillance (c.f. the IPT in Kennedy v UK). Instead, there are only general methods of judicial review either under the criminal procedural code or under civil or administrative law. These are ineffective remedies as well:

  • Whilst it is theoretically possible to judicially review a judicial order authorizing covert surveillance, it is impossible in practice. The decision to authorize covert surveillance is done via the closed court in the absence of the target (CPC Art 447.3.3), and targets of surveillance do not have the right to receive the judge’s decision implementing the operational-search measure (CPC Art 448.6). Whilst a decision of the judge implementing operative-search measures may be appealed within three days after the announcement of the court decision (Arts 452-54 CPC), given that the target neither has the right to be present at the hearing nor receive the decision, this right has no practical value in cases of covert surveillance;
  • A claim in the civil courts is impossible. Applicants bear the burden of proof (Code of Civil Procedure Art 77), and given that proper notification of covert surveillance is unavailable, it is impossible to meet this burden to bring a claim against an authority that also contradicts the views of the European Court of Human Rights (Zakharov at [296]);
  • While a claim under the administrative courts is theoretically possible, it is equally ineffective. Whilst an administrative court is obliged to undertake an objective investigation on their own motion (Art 24 Code of Administrative Procedure (CAP)), in practice this is not observed and a de facto burden of proof is placed on an applicant to provide prima facie evidence of the improper administrative act. Without any evidence of the body conducting alleged covert surveillance, it is impossible to lodge an administrative complaint against authorities. Further, the administrative courts have no jurisdiction over criminal procedures (CAP Art 3.2.1), and if an authority claims that an individual is under criminal investigation the administrative courts will not accept the jurisdiction. Further, the administrative court may refuse to hear cases involving an administrative act in connection with the prevention or elimination of the threat that may cause damage to public or state interests (CAP Art 21.3.2);
  • Finally, a complaint to the Constitutional Court of Azerbaijan is not an effective remedy either (Ismayilov v. Azerbaijan No 4439/04, 17 January 2008).

Remedies against cyber attacks

The above-mentioned conclusion, mutatis mutandis, is effective for cyberattacks also. For cyberattacks, the main relevant remedy is a criminal complaint to law enforcement bodies. However, due to technical issues, many people do not have the information about whom they were targeted. Under normal circumstances, such kind of technical issues should be tackled by an investigation. However, due to prosecutorial discretion and lack of effective investigation against state officials, the criminal complaint mechanism is not effective in practice. In addition, the Cyber Security Center is not an effective remedy in practice. Because this body also is not independent and has no relevant legal powers to conduct an investigation. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues (see above).

Specific case studies

There are several case studies that demonstrate that law enforcement authorities are not interested in protecting digital privacy rights despite having an ex officio power to conduct a criminal investigation:

  • On May 4, 2021, a well-known lawyer Fuad Aghayev said there was an attempt to hack into his Facebook account. Lawyer said that an unknown person wrote to him from Ilham Huseyn’s (active member of Azerbaijani Popular Front Party) account and asked him to download a program similar to “Zoom”, but “safer” for an interview. The lawyer after refusing to download the “unknown app”, called Ilham Huseyn’s phone and realized that Huseyn’s account was hacked and that the message sent to the lawyer was from the perpetrator behind the hacking.
  • On March 1, 2021, a well-known lawyer Elchin Sadigov, said that smear campaigns against activists were not investigated properly and despite lodged complaints about targeted online attacks, in many cases, the courts do not investigate these complaints.
  • On May 15, 2020, the opposition Azerbaijani Popular Front Party (APFP) accused the government of cyberattacks against party activists’ social media accounts. In a statement, the Party noted that as a result of hacker attacks, the Facebook accounts of Emil Selim, Ilham Huseyn, Orkhan Selimzade, and Emin Maniyev were hijacked. In addition, fake social media accounts were created impersonating members of the party’s presidium – Fuad Kahramanli, Asif Yusifli, and Mammad Ibrahim, with the intention to harm their reputation and create chaos in society from these accounts.
  • On March 17, 2021, Bakhtiyar Hajiyev and Narmin Shahmarzade accused the Azerbaijani authorities and law enforcement agencies of the cyber-attacks they were facing. Shahmarzade’s Facebook profile was hacked and her personal images and correspondence were disseminated without her consent. One of the unlawfully disseminated correspondence was Shahmarzade’s conversation with social activist Bakhtiyar Hajiyev.
  • Another activist, Gulnara Mehdiyeva, was also targeted online. Her social media accounts, email, and communication apps were compromised. So were her backups (archives were backed on Google drive to which she lost access after her personal email was compromised). Although Mehdiyeva regained access to her accounts the damage was extensive. From the account logs, the activist discovered that the perpetrator prepared large bundles of data for download – likely including her email and social media archives, photographs, and other data. The hacker also deleted three Facebook groups dedicated to LGBTQI+ and women’s rights, which Mehdiyeva administered. The attack also exposed the identities of those in the private groups – placing many people, including minors and other vulnerable individuals, at potential risk. Forensics investigation identified two IP addresses from where the attack was carried out. One was previously used in other attacks against independent media in Azerbaijan and was connected to the internet infrastructure of the Ministry of Interior.

In Gulnara Mehdiyeva’s case, the applicant’s lawyer appealed to the Yasamal District Police, where the latter refused to launch a criminal investigation on  October 6, 2022. The lawyer appealed the decision of the Yasamal district police to the Yasamal District Court. The applicant’s lawyer referred to the legal grounds that the applicant’s account on social networks was illegally hacked and her personal information was seized, making a claim that this event creates the constituent elements of Articles 155, 156, 272, and 273 of the Criminal Code.

Dismissing the applicant’s appeal, the District Court considered that the criminal act in Article 272 of the Criminal Code is related to the interception of computer data but not the data of the social media accounts noting that computer data and social network data are different from each other.

Furthermore, the Court also considered that the criminal acts in Articles 155 and 156 of the Criminal Code are related to breaching the confidentiality of correspondence, telephone conversations, mail, telegraph, and other information and illegal gathering of confidential information of personal and family life which is not relevant to the applicant’s case.

Interestingly the Court concluded that since the hacking was of the activist’s social media account, the information shared there, was public, and thus could not be considered a secret, and that “social network was not a place where information considered “secret” was protected.”

Lawyers appealed these conclusions of the District Court, which were wrong and were a narrow interpretation of the national and international legislation in this field. The lawyer, in the appeal complaint, explained in detail, how the District Court’s misinterpretation of the national legislation contradicted the relevant international law by referring to the respective provision (Article 271.2) of the Criminal Code and article 1 of the Convention “On Cybercrime”.

The lawyer also claimed that the applicant’s information on the social network such as her personal photos, videos, and personal email correspondence were also intercepted and that all this information constituted private information, therefore, the Court’s conclusion was unfounded. The applicant’s appeals were dismissed by the Appeal and Supreme Courts and the applicant submitted a complaint to the European Court of Human Rights.

  • On November 3, 2021, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including a discussion with an opposition politician Ali Karimli. The hacker(s) accessed the page through another founder’s Facebook account, deleted videos, and page likes, and changed the name of the page.
  • The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.[3]

The cases illustrated here, are by no means exhaustive. These and other examples previously documented by Azerbaijan Internet Watch and elsewhere illustrate that the legal remedies for cyber-attacks and covert surveillance are not effective in practice. In all of the cyber-attack and covert surveillance cases that have been brought before the courts in Azerbaijan, the prosecuting authorities failed to initiate a criminal case and the district courts backed prosecuting authorities’ decisions even in cases where evidence exposed state authorities and/or related persons/entities being behind the attacks.

Conclusions

Our goal in putting together this legal overview was to demonstrate that digital security rights are not protected effectively in Azerbaijan. As we illustrate, violations of digital security rights occur on two levels: cyber-attacks and covert surveillance. Both types of violations are sophisticated and require contemporary preventive and procedural safeguards. However, existing legal remedies are not effective.

Most remedies set out in the legislation have shortcomings: there is no automatic notification system concerning covert surveillance; there is no independent internal review body; lack of rules against prosecutorial discretion; no mechanism in place addressing the conflict of interest between law enforcement and state security bodies; and challenges regarding judicial avenues.

Moreover, on cyber-attack issues the relevant qualified body-the Cyber Security Center-lacks proper legal power to conduct an investigation and is not independent. The issue of independence is important when attacks, as findings of independent digital security rights watchdogs demonstrate, are carried out by state authorities or related entities.

Practical case studies show that despite the scale of cyber-attacks, prosecuting authorities did not initiate even a single criminal case concerning attacks. This creates a culture of impunity regarding violations of digital security rights and has a chilling effect on activists’ right to freedom of expression and other political rights. Similar problems also exist in cases concerning covert surveillance – the lack of progress on Pegasus spyware investigations attests to the prosecuting authorities having no interest in initiating criminal cases.  

Consequently, digital security rights and their human rights protection both in a preventive and procedural manner and negative and positive obligations dimension have profound problems in Azerbaijan. Available domestic legal remedies are not effective both in legislation and practice to tackle the current problems.

[1] Paragraph 1 of article 39 of the Law on Telecommunications states that “operators, providers are obliged to create conditions for conducting search operations, intelligence, and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues; and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states that “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[2] The Decision of the Cabinet of Ministers No. 174 of 7 November 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”, https://e-qanun.az/framework/946

[3] Case Description: Khadija Ismayilova (App. 65286/13). The shortcomings identified in the Court’s judgment need to be remedied, in particular:

  • to investigate the potential link between the applicant’s professional activity and the receipt of a threatening letter;
  • to properly question an important witness, Mr. N.J., an employee of Baktelekom, who could shed light on the identity of the possible authors of the crime regarding the installment of a hidden camera in the applicant’s flat;
  • to investigate the identity of the person who sent the threatening letter to the applicant from Moscow;
  • to investigate the websites where the intimate videos of the applicant were posted;
  • to investigate the words “SesTV Player” on the video and its potential connection with the Ses newspaper.
    • https://hudoc.exec.coe.int/eng?i=004-52409

religious activist claims his arrest was over his social media posts

Mahir Azimov, 40, is a member of the Muslim Union Movement. Azimov was arrested on drug possession charges according to reporting by Azadliq Radio, Azerbaijan Service for Radio Liberty. But activist claims the accusations are bogus, and that the real reason behind his arrest was his online activism – namely, critical posts on the state of war veterans in Azerbaijan.   

Azimov is just one of several movement members arrested in recent weeks. According to monitoring by Azerbaijan bulletin, another citizen of Azerbaijan, based in Turkey Imran Mammadli was detained and his deportation is expected. Mammadli too was critical of the Azerbaijani state on social media reports Azerbaijan bulletin. 

In his own statement, Azimov said, the day he was arrested and taken to the local police for questioning, he was questioned over his social media posts in which he criticized the authorities over their treatment of Karabakh war veterans. “They [police] showed me these posts. This is why I have been arrested,” said Azimov. 

As a result of the pressure faced during the questioning, Azimov signed a confession letter in which the religious activist claimed indeed he had drugs on him. However, in court, Azimov said the statement was signed under duress. 

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year. 

Introduction 

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.  

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent. 

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022]. 

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. 

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages). 

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account. 

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism. 

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy. 

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include: 

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware. 

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan. 

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents. 

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions. 

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. 

Conclusion 

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well. 

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media. 

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms. 

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties. 

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics. 

police arrests opposition activist over critical social media posts

According to Turan News Agency, a member of the opposition Popular Front Party Elnur Hasanov was sentenced to 30 days of administrative detention over critical posts shared on social media. 

The press service of the Ministry of the Interior refuted the claims the arrest of the activist was political.

Scores of political activists have been facing pressure, arrests, and detentions in recent months in Azerbaijan over their comments, and posts on Facebook. In May 2022, AIW published a legal analysis of content regulation in Azerbaijan. At the time, an uptick in cases in which social media users faced punitive measures by the Prosecutor’s General Office for their online activism indicated that the Office has taken on a temporary role of taking measures against activists, journalists, and media within the scope of laws on information and media. But continuing involvement of the Office in handing out fines and warnings may indicate that in addition to punitive measures, there is a plan to introduce legal measures on social media platforms. 

blogger facing pressure over a video shared on Facebook

Azerbaijani blogger Elmar Aziz was called into questioning on December 1 over what the blogger said was a video he shared about the traffic police. According to Turan News Agency, in the video shared by Aziz, traffic police are seen taking bribes from drivers. Aziz shared the video on Facebook.

In an interview with Meydan TV, Aziz said he posted the video of traffic police bribing drivers on Facebook and tagged the head Elshad Hadjiyev – the head of press relations at the Ministry of the Interior. 

The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. 

After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

Speaking to Turan News Agency, the head of press relations at the Ministry of the Interior, Elshad Hadjiyev refuted the blogger’s claim that he was questioned together with his parents by the local police after informing the media that he was forced to remove the video from Facebook. 

former member of the parliament faces criminal charges

Gultekin Hajibeyli, the former member of the parliament told Meydan TV she is facing criminal charges over a comment she left on Facebook. According to Meydan TV reporting, Hajibeyli was held at the airport on her return from a work trip to Brussels and was informed she is facing slander charges. Hajibeyli said she was then taken to the Nasimi district police station after two-hour-long questioning at the airport. 

In an interview with Meydan TV, Hajibeyli said, the complaint was filed by a woman named Leyla Arif. “Imagine that I am facing criminal charges over a comment I posted under a post shared by a user named Leyla Arif on Facebook. That post was later deleted. So I am facing criminal charges over a post that no longer exists.”

Arif then posted an explanation on her Facebook saying she was called a “separatist” by Hajibeyli. 

In Azerbaijan, hasty legislative measures in response to cyber threats, leave protection of personal data on the back burner  

In an increasingly digitalized world, collection, retention, and processing of private data have an essential role for both private and public bodies for the purpose of their services to citizens or clients/users. However, in the absence of strong data protection regulations and cybersecurity, privacy infringements are inevitable. The analysis shared below indicates that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

To effectively illustrate how in practice, no control and legal remedies are implemented in relation to the collection and processing of personal data in the context of Azerbaijan, we specifically looked at the telecom industry and a wave of hacks into state-run databases containing vital citizens’ personal data.

Our findings underline the need to strengthen national laws and the practice of protecting individuals’ personal data in light of the growing number of infringement incidents of individuals’ personal data collected by state authorities and corporate entities as a result of existing legal loopholes and a wave of in recent years connected with personal data protection in Azerbaijan.

International standards

The protection of personal data which falls within the scope of the right to privacy is recognized internationally as a human right and countries are required to respect it. This right is enshrined in different international human rights treaties ratified by the Republic of Azerbaijan. These include the Universal Declaration on Human Rights (Article 12), International Covenant on Civil and Political Rights (Article 17), Convention on the Rights of the Child (Article 16), and International Convention on the Protection of All Migrant Workers and Members of Their Families (Article 14).

At the regional level, the right to privacy is protected by the European Convention on Human Rights. Article 8 (Right to respect for private and family life, home and correspondence) of the convention holds that telephone data, emails, and Internet use (Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers (Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8. The European Court of Human Rights also acknowledges that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

The mere storage of personal data can violate a user’s right to privacy. The violation depends on the context in which the data is collected, the way it is collected, processed and used, and the outcome of the user data collection (S. and Marper v. the United Kingdom, 2008).

This right is further promoted and reinforced by the Council of Europe Convention 108 and a number of recommendations in relation to the protection of personal data adopted by the Committee of Ministers of the Council of Europe.

Azerbaijan has ratified various international and regional human rights treaties providing protection to the right to privacy and personal data, and as such, committed to ensuring relevant international human rights standards in relation to personal data protection. In 2009, the country joined Convention 108 also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. However, Azerbaijan is not a party to the Additional Protocol to Convention 108 which requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows.

A legally binding international data protection treaty establishes a number of principles for the signatory states to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, in which collected data is stored for no longer than a set time, and for a specific purpose, and that individuals have a right to have access to, amend or erase their data. 

Practice in Azerbaijan

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

The main law covering personal data in Azerbaijan is the Law on Personal Data adopted on May 11, 2010 [No 998-IIIQ available in Azerbaijani here]. Article 6, of the Law on Personal Data sets out the forms of state regulation,[2] which are regulated through different normative legal acts. 

In this context, personal data refers to determining – directly or indirectly – the information about the identity of the person [The Law on Personal Data, article 2.1.1]. This information includes name, last name, patronymic, date of birth, and other information contained in the documents of identity, as well as data revealing racial or ethnic origin, marital status, religious faith and beliefs, and health or criminal record of an individual.

The Law on Personal Data does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”). The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life, and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

As per, the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data” adopted on September 6, 2010, seven state institutions are granted the authority to supervise the fulfillment of the requirements for the protection of personal data. These are the Ministry of Digital Development and Transportation; the State Security Service; the Foreign Intelligence Service; the Ministry of Internal Affairs, the Ministry of Justice; the Special State Protection Service; the Special Communication and Information Security State Service; and the Financial Markets Control Chamber.

Under the Law on Personal Data, collection, processing, and cross-border transmission of personal data of any physical person are permitted only with the written consent of that person. Similarly, Article 6 of the Convention for the Protection of Individuals with Regard to the Processing of Personal Data states that only where appropriate safeguards are enshrined in law, complementing those of this Convention that special categories for revealing personal data shall be allowed. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights, and fundamental freedoms of the data subject, notably the risk of discrimination.

In the context of Azerbaijan, the country’s Law on Personal Data (Article 13.2.1) provides an exception where personal data can be made accessible to third parties without the consent of the subject. This exception is based on Article 5.4 of the Law on Personal

A recent wave of cyber threats and Azerbaijan’s response 

Azerbaijani citizens have long suffered significant harm from hacks into the database of key public institutions or from monopolistic companies transferring personal user data without users’ consent. This has been the case at least since 2011.

2022 was no exception. Multiple data leak incidents involving the personal data of millions of citizens obtained from allegedly government agency databases were reported in the course of this year. Officials say cyber-attacks have increased in the aftermath of the second Karabakh war [September 2020] and peaked once again during the September border clashes this year. Weak protection mechanisms have placed Azerbaijan 40th among 194 countries in the Global Cybersecurity Index in 2021.

The most recent cyber-attack took place on August 8, 2022. Large-scale cyber-attacks against a number of state institutions and banks in Azerbaijan were reported by the State Service for Special Communication and Information Security. No further details of the hack and how much data was stolen remained unclear.

On April 20, 2022, the website of the Compulsory Insurance Bureau of Azerbaijan was compromised. The perpetrator(s) of the hack claimed that the entire system of the Compulsory Insurance Bureau was destroyed, and more than 40 million pieces of information were seized. The online platform of the State Motor Transport Service (e-fn.danx.gov.az) was also among hacked institutions.

According to the June 2020 “Cybersecurity guidelines for the Eastern Partnership countries,” released by the European Union’s EU4Digital Initiative, the main obstacles and gaps in the area of cybersecurity in Azerbaijan were the country’s outdated national legislation and insufficient commitment of national authorities to cybersecurity matters.[3]

The country’s own Cybersecurity Governance Assessment Report published in November 2020, indicated that there was a lack of cybersecurity benchmarks for digital web providers, due to the absence of a competent authority in the field of cyber/information security to supervise public and private digital service providers with regard to the implementation of cyber/information security requirements.

In light of recent cyber threats, the government of Azerbaijan has come up with several legislative and policy measures – a document on the security of critical information infrastructure and information and cyber security strategy. On September 21, 2022, the head of the department of the State Service for Special Communication and Information Security of Azerbaijan, Tural Mammadov, stressed that the cyber strategy submitted to the Cabinet of Ministers will be approved soon. The “National Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2020 – 2025” has been in the works since March 2020.

New legislative amendments

On April 17, 2021, President Ilham Aliyev, signed an order “On some measures in the field of ensuring the security of critical information infrastructure.” The order authorized the State Security Services of Azerbaijan to ensure the security of critical information infrastructure including the fight against cyber threats.[4]

In May 2022, the parliament approved amendments to the Law of the Republic of Azerbaijan “On information, informatization, and protection of information.” The amendments included 9 new concepts and a new chapter, named “Security of critical information infrastructure,” which consisted of 6 articles. Amendments that entered into legal force on July 6, 2022, brought new concepts such as critical information infrastructure, cyber security service provider, information security, cyber threat, cyber-attack, and cyber incident to the national legislation. In connection with the adoption of amendments to the Law “On information, informatization, and protection of information” two new articles were added to the Code of Administrative Offenses providing administrative liability for the violation of the order ensuring the security of critical information infrastructure.

Article 371-1 envisages liability for violation of the rule of ensuring the security of critical information infrastructure. Article 602-3 envisages liability for failure to fulfill the requirements of the authorized body (official) in the field of ensuring the security of critical information infrastructure.

On July 16, 2022, the decree of the Cabinet of Ministers was tasked to prepare draft rules for ensuring security and proposals on the criteria of critical information infrastructure and facilities within 2 months.

Personal data vs. surveillance and commercial use of personal data   

How do national laws protect personal data in the telecom industry?

Collection, processing, and protection of personal data, including individual information created by means of technology [sms, phone calls and etc.] are mainly regulated by several laws [on Telecommunications, On information, informatization, and protection of information, and on Personal Data] and normative legal acts of the Cabinet of Ministers and other central executive powers.

In Azerbaijan, customers entering into a contract with mobile operators [to complete SIM card registration] are obligated to provide an extensive amount of personal data. This is regulated by Article 40 of the law On Telecommunications and the decision of the Cabinet of Ministers dated July 7, 2005, “On the approval of the conditions required for the sale and use of communication facilities by communication enterprises (operators), as well as their dealers.”[5] The collected user data is then stored in the single database of operators and on AzInTelecom (State company of the Ministry of Digital Development and Transportation) in an electronic format.[6] According to a decision of the Cabinet of Ministers, the Information Computing Center of the Ministry of Digital Development and Transport where the personal data are gathered and processed is established together with the Ministry of Internal Affairs and State Security Service.[7]  

Pursuant to purposes, and operation-search activities and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.[8]

The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators.[9] That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.[10]

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances including in an event the state security and/or its

Pursuant to article 445 of the Criminal Procedure Code, search operations such as interception of telephone conversations; monitoring of mail, telegraph, and other correspondence; and extraction of information from technical communication channels and other technical devices are carried out only on the basis of a court decision.[11] However, according to Article 10, paragraph 4 of the Law on “Operation and Search Activities”, and Article 177.4 of the Criminal Procedure Code, these search operations may also be carried out without a court decision, based on a reasoned decision of an authorized officer of the body carrying out the search operation.[12] This decision must be presented to the court conducting judicial oversight and to the prosecutor conducting the procedural management of the preliminary investigation within 48 hours after the relevant measures are taken. In practice, most of the investigations carried out based on a reasoned decision of an authorized person have [13]

The selling/giving of personal data to third parties for commercial purposes

Azerbaijani media and social networks regularly discuss the reports and complaints connected with the processing (transfer/sale) of SIM card users’ personal data without their consent for commercial purposes.

In accordance with article 23.1 of the Law of the Azerbaijan Republic “On Advertising” dated May 15, 2015, No. 1281-IVQ, the telecom operator and provider may broadcast advertisements based on the contract concluded with the advertiser. The telecom operator and provider can send the advertisement to the subscriber individually only if the sending of the advertisement is agreed upon in the written contract concluded between the company and the subscriber. The existing law obligates the telecom operator and the provider to give the subscriber the option to opt-out from receiving advertisements at any time or to broadcast only the advertisements the subscribers wish to receive ads from telecom operators.[14] Similar provisions are envisaged in Article 50-1 of the Law “On Telecommunications.”[15]

According to Article 9.10 of the Law on Personal Data, personal data collected and processed in corporate information systems may be presented to third parties for a fee. This procedure is regulated by the Decision of the Cabinet of Ministers, “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” which was adopted on March 2, 2011.[16] According to this regulation, the sale/transfer of data to a third party only applies to the open category of personal data.[17] The open category of personal data refers to the (i) information which has been anonymized in a specified manner, (ii) made public by the subject, or (iii) entered into the information system created for general use, with the subject’s consent. The Regulation (article 2.1) further requires a contractual agreement between the owners of personal data and the third party intending to obtain the personal data and additional permission of the state body that maintains the state register of information systems (Ministry of Digital Development and Transport).[18] The Regulation (article 2.3) also determines mandatory contractual clauses for the agreement on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis. It establishes specific duties[19] for the third parties who intend to obtain personal data.

However, agreements between operators and providers, and third parties on the sale of personal data are not provided to owners of personal data (individuals whose personal data was transferred) or published. Therefore, individuals are deprived to know the scope of the data sold and further specifics of the use of their personal data.

However, the Law on Personal Data (article 7.1.2.) provides that owners of data have the right to request the legal justification for the collection, processing, and transfer of personal data about themself and to receive information about the legal consequences (for themselves) of the collection, processing, and transfer of this data to third parties.

How is the consent given?

There are over ten million mobile phone subscribers in Azerbaijan.[20] Azercell LLC, Bakcell LLC, and Azerfon LLC (A brand of Nar) are the three major mobile phone operators. Subscription contracts of all three major mobile operators reveal that all contracts include many similar conditions because of the Law on Telecommunication which sets the mandatory clauses for such contracts between operators and subscribers.[21] As such, there is little difference in the way the operators use personal data. The subscription agreements individuals enter with mobile operators (at least in the subscription agreements distributed on the websites of Bakcell LLC and Azercell LLC) include provisions indicating “giving consent to receive advertising SMS”. Individuals often overlook these conditions or pay no attention.

A review of the consent clauses in the subscription agreements demonstrates that such provisions are not clearly reflected and do not explicitly state concrete implications for subscribers when choosing “to receive advertisement SMS” and what this means from the protection of personal data perspective.

However, the Law on Personal Data (article 8.2) sets out that the individuals’ written consent for the processing of personal data must include the purpose for collecting and processing personal data, the lists of personal data consented to be processed by the subject, and their processing operations, the validity period of the subject’s consent and the conditions for its withdrawal, conditions for destruction or archiving of personal data collected about the subject in accordance with the legislation after the expiration of the specified period of storage of personal data in the relevant information system or after the subject’s death.

As the contracts between the advertising companies and mobile operators are not public, it is not clear how the mobile operators allow third parties “to send advertising SMS” to subscribers. Being aware that the operators use the personal information of subscribers to sell targeted ads, subscribers do not know whether such contracts also ensure the transfer of the phone numbers to third parties. Or what concrete personal data is used by mobile operators to identify eligible subscribers to send advertising SMS?

None of the three main telecom operators have published Privacy Policies in relation to the protection of personal data in regard to using Sim Cards. Azercell LLC[22] and Azerfon LLC[23] do have privacy policies in relation to their policies on data protection.

In the example of the subscription agreement of Bakcell LLC[24], the contract includes one article that refers to advertisement:  “4.3. On the basis of this Agreement, the Subscriber agrees to the automatic sending of information, entertainment, and advertising SMS to their number, and if the Subscriber refuses to receive any type of SMS, the sending of such SMS to the corresponding number is stopped.”

In the sample contract of Azercell LLC [25], the provision of “whether the subscriber consents to receive advertising SMS” requires an affirmative answer. This is good, especially in comparison to the sample contract of Azerfon LLC (Nar)[26], where there is no clause regarding obtaining consent for such advertisement services. Instead, provision 6.4. of the contract states, “By signing this contract, the subscriber agrees to receive advertising or entertainment SMS or any other information to the number(s) he/she is using”. In addition to that, the Azerfon LLC (“Nar”) Privacy Policy states that “the subscriber accepts that Azerfon is not responsible for the disclosure of his/her information to third parties through the “Nar+” service application”.

In practice, individuals buying the sim cards are offered standard contracts and are not offered an opportunity to effectively refuse to give consent to receiving such services. It seems that the subscriber is offered the opportunity to unsubscribe from ads only after activating the sim card. It is then the subscriber’s responsibility to contact the operator and ask for a specific code that would stop this service.

None of the three mobile operators’ contracts contain a provision on the operators’ responsibility in relation to the protection of subscribers’ personal data even though operators receive an extensive amount of personal information during the sale of sim cards. The operators also oblige subscribers to update the operators in case of any changes to their personal data.[27] Such clauses in the contracts in the case of all three mobile operators are clearly undisputable as mobile operators design their contracts unilaterally, and the subscriber has no effective option to remove those conditions from the contract except in the subscription contract of Azercell LLC.

Different Council of Europe instruments refers to consent about the processing of users’ personal data. Bearing in mind that provisions of the Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data apply to the automated data processing activities of network operators and parties providing telecommunication services, the telecom companies must respect the requirements of the Convention, which Azerbaijan is a party to.  Thus, Article 5 (2)– “Legitimacy of data processing and quality of data” of the Convention stipulates that “each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.”

Recommendation (95)4 of the Committee of Ministers of the Council of Europe to Members States[28] recommends that the collection and processing of personal data in the area of telecommunications services should take place and develop within the framework of data protection policy, taking into account the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and in particular the principle of purpose specification (3.1). The mentioned Recommendation also envisages that “Domestic law should provide the appropriate guarantees and determine the conditions under which subscriber data may be used by network operators, service providers, and third parties for the purposes of direct marketing by telephone or by other telecommunications means (7.8).

The “Principles underpinning privacy and the protection of personal data” (2022) adopted by the UN Special Rapporteur on the Right to Privacy analyses international law in relation to consent and stresses the consent of the subject (owner of the personal data) as one of the legitimate grounds for the processing of personal data.[29] The UN Special Rapporteur concludes that the principle of consent is closely linked to the principle of legality, as it is the most common internationally recognized permissible ground for the processing of personal data (paragraph 31).

KEY FINDINGS

Do mobile operators give subscribers’ phone numbers and other personal information to other companies?

In the absence of publicly available information about contracts between mobile operators and third parties concerning the sale or transfer of private data; the lack of privacy policies of telecom companies, including the lack of any comprehensive data on protective legislation and oversight, it is difficult to say that SIM users’ personal data is not shared with other private and public databases, is not used for enabling the companies and states to create specific profiles of individual citizens, and is enabling other third parties to access a vast amount of data for commercial purposes.

In March 2017, Azerbaijan’s Supreme Court judgment “Viza” Law Firm v. “Azercell Telecom” LLC and “Sindbad” LLC established that one of the main mobile telecom companies – Azercell LLC transferred one of its subscribers (client) to another company which used the provided number, to send advertisement SMS despite there being no legal ground (contract) between the company sending advertisement and the user receiving the notifications via SMS. The Supreme Court judgment allows concluding, that mobile operators may share users’ personal data with third parties for direct marketing without explicitly mentioning this in the subscription contracts.

In July 2019, Azerbaijan’s Commissioner for Human Rights expressed concern over serious problems in data protection in the telecom industry where mobile operators were distributing users’ personal data without their knowledge and consent.[30]

Do the law-enforcement authorities have access to personal data gathered in the telecommunication systems beyond the rule-based surveillance regime

The existing system around SIM card registration allows law-enforcement agency access and permission to govern an extensive database of vast private data of SIM card users. This puts individuals at risk of being tracked or targeted and having their private information misused. Such access undermines the ability of users to communicate anonymously and one’s right to privacy.[31]

This also poses a threat to vulnerable groups and facilitates an environment of state surveillance making tracking and monitoring of users, easier for law enforcement authorities.

One prominent example illustrating this trend was documented in January 2019 when after an opposition protest rally, scores of rally participants received calls on their mobile phones from the local executive authorities and the police. All were interrogated about their participation in the rally. As such, mobile operators have long been accused by activists of providing their mobile numbers to the authorities.[32] Responding to these claims, the mobile operators said the data shared with law enforcement was provided based on legislation and official request.[33] Meanwhile, the Ministry of Interior confirmed that the rally participants were indeed called in for questioning on the grounds that this was a “police activity, and the police were carrying out both public and operation-search and other investigative activities.”[34]

Some experts suggest that having mandatory SIM card registrations further fuels their illicit use. It creates a need for a black market, as people want to communicate anonymously and it encourages identity fraud as people try to evade the system altogether.[35]

Conclusion

National legislation of Azerbaijan regulating the telecommunication sector must be reviewed in line with the established principles and standards of the European Convention on Human Rights, including the Convention for the Protection of Individuals with Regard to the Processing of Personal Data.

The national laws must be designed in a way where personal data is processed lawfully (with free, informed, unambiguous consent of the data subject or on the basis of law) for clearly defined legitimate purposes. In a context where national security and public safety interests are so often used to justify unprecedented intrusions on human rights and freedoms, it is crucial to ensure that new legislative and policy response to cyber threats does not harm individuals’ personal data.

In particular, all national legal frameworks in the areas of surveillance, interception, protection of personal data, and other relevant areas, must be accessible to an individual in question, who must be able to foresee the consequences of its application to him/her.

Government must adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and wide discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and effective review of interception orders; (iii) the precautions to be taken when communicating the data to other parties. Nationally, an independent regulatory authority should be established to ensure supervision and review complaints related to personal data breaches.

The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

National laws also must be amended in order to ensure that telecommunication services offer guarantees for users’ privacy, the secrecy of their correspondence, and the freedom of communication. Furthermore, existing rules equipping and enabling the use of special tools within the telecommunication networks must be re-designed in order to provide privacy for users and mitigate risks of abuse of personal data by the authorities.

National legal frameworks should encourage the private sector (in particular in the areas of mass personal data collection and processing) to develop data protection policies.

on increasing cyber security within the critical information infrastructure should recognize that the private sector is responsible for cyber security however it should not enhance government control over the personal data collected and processed by the private sector. The government’s appetite to control telecom infrastructure and information in cyberspace is unlikely to bring positive changes with respect to personal data protection in Azerbaijan.

In this context, the cyber security measures must put personal data at the heart of the planned legislative and policy measures, in particular removing the risk of abuse of personal data by telecommunications service providers and state authorities.

Footnotes

[1] Rec(2002)9 18/09/2002 on the protection of personal data collected and processed for insurance purposes;  Rec(95)4 07/02/1995 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services;

Rec(91)10 09/09/1991 on the communication to third parties of personal data held by public bodies;  Rec(85)20 25/10/1985 on the protection of personal data used for the purposes of direct marketing.

[2] i) establishing the legal basis for the collection and processing of personal data; (ii) ensuring basic human and civil rights and freedoms during the collection and processing; (iii) licensing of activities on collection and processing of personal data; (iv) conducting state registration of information systems of personal data; (v) certification of information systems of personal data and other ICT tools; and etc.

[3] According to the report findings, national law on the protection of personal data is outdated, and national legislation does not require data breach notifications. The report also identifies the main challenges as insufficient funding, lack of qualified personnel and resources in the cybersecurity area, and insufficient commitment of national authorities to cybersecurity matters. The report also indicated that security audits are carried out for verifying whether baseline cybersecurity measures are implemented only banking sector. It further notes that there is no formal definition of Critical Information Infrastructure (CII) and CII operators are not identified at the national level.

[4] The State Security Service of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of Azerbaijan toward the state bodies, and public legal entities created on behalf of the state, in relation to legal entities belonging to the state.

[5] The Cabinet of Ministers dated July 7, 2005, requires the collection of personal data from subscribers such as subscriber’s Sim card number, parameters of the subscriber identification module (IMSI, etc.), mobile device’s international identification number (IMEI), ID card or Passport (with photo), concrete and detailed address and place of residence of the subscriber, bank account and registration details for legal entity subscribers and etc. https://e-qanun.az/framework/10541;

[6] The implementation of the changes to the mobile number sale rules is being finalized, E-Gov.az portal, https://www.e-gov.az/az/news/read/349

[7] It is noted in the decision (preamble) of the Cabinet of Ministers that the rule (auth: a mandatory collection of personal data and establishing a unified database of sim card holders) was adopted in order to implement the provisions specified in Articles 39.1 of the Law “On Telecommunications”, Articles 9 and 12 of the Law “On Operation-Research Activities” and 17.4 of the Law “On Intelligence and Counter-Intelligence Activities” that obliging telecommunication companies to create conditions to for search and operational activities of law enforcement authorities. Thus, provisions in various legal acts referred to, as well as these regulations, allow law enforcement agencies (Ministry of Internal Affairs and State Security Service) to jointly form a database where personal data collected by communication enterprises is collected (paragraphs 3 and 4 of the Regulations).

[8] Pursuant to article 10.5 of the Law on Personal Data, article 39.1 of the Law on Telecommunications, and according to article 17.4 of the Law on Intelligence and Counterintelligence Activities, telecom operators must create conditions for conducting intelligence and counterintelligence, and operation-search activities in accordance with law and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.

[9] In accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” legal entities and individuals providing communication services are required to install special equipment that provides access to information for the search and operation purposes.  https://e-qanun.az/framework/3569#_ednref12

[10] On the approval of the “Rules on ensuring information security during the implementation of operational search measures in communication networks” approved by the Presidential order on 2 October 2015, https://e-qanun.az/framework/30840

[11] Wiretapping of telephone conversations ad extraction of information from technical communication channels and other technical means are carried out by the Ministry of Internal Affairs and the State Security Service in accordance to Presidential Decree No. 507 dated June 19, 2001 “On the distribution of authorities of entities of operative-searching activity in the implementation of investigation and search operations” available (in Azerbaijani)  http://e-qanun.az/framework/3569

[12] In this case, the authorized official of the body conducting the search operation shall, within 48 hours of carrying out the search, submit the reasoned decision on the conduct of the search operation to the court exercising judicial supervision and the prosecutor.

[13] Dissent opinion of judge Isa Najafov, in the decision of the Plenum of the Constitutional Court “On the interpretation of some provisions of Articles 137 and 445.2 of the Code of Criminal Procedure of the Republic of Azerbaijan” February 12, 2015. Available (in Azerbaijani) at: https://constcourt.gov.az/az/decision/1159

[14]  The telecommunication operator and provider shall be responsible for sending advertising without the consent of the subscriber or contrary to the provisions of this Law. Law on Advertising (Article 23), https://e-qanun.az/framework/30348

[15] The Law On Telecommunications, https://e-qanun.az/framework/10663

[16] “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” adopted on March 2, 2011, https://e-qanun.az/framework/21385

[17] The person’s name, surname, and patronymic are permanent open personal information. (The Law on Personal Data, Article 5.3).

[18] State registration of Information Systems and cancellation of state registration is carried out by the Ministry of Digital Development and Transport of the Republic of Azerbaijan as determined by the Decision (article 1.3) of the Cabinet of Ministers On approval of “Rules for state registration of information systems of personal data and cancellation of state registration” dated on August 17, 2010. https://e-qanun.az/framework/20039

[19] The contract should specify the content of the provided data, purposes of acquisition, fields of use, and methods, and the following obligations of the third party acquiring personal data should be provided: ensuring the protection of obtained personal data and the rights of personal data subjects in accordance with the Law of the Republic of Azerbaijan “On Personal Data”; not to give or transfer the obtained personal data to other persons in any way; exclusion of all threats and dangers for personal data subjects when using personal data, and not making offers that may cause them unwanted or additional costs, as well as anonymous or misleading personal data subjects. The material, technical and organizational capabilities of third parties who obtain personal data collected and processed in corporate information systems or their personal data operators must be in accordance with the purpose of data acquisition and the requirements for their protection.

[20] 2022 CEIC Data, an ISI Emerging Markets Group Company, https://www.ceicdata.com/en/indicator/azerbaijan/number-of-subscriber-mobile

[21] Article 40 of the Law on Telecommunications requires that the following provisions are reflected in the contract and other documents should be a part of it: i) the period (time) and conditions of connection and use of end equipment to the telecommunications network; ii) conditions of termination and cancellation of the contract; iii) duties, rights and responsibilities of the parties; iv) the subscriber’s consent (objection) to the implementation of the duty specified in Article 33.1.3-1 of this Law; v) his/her consent (objection) to the display of information about the subscriber in survey-information sources; vi) other conditions not contrary to law. A copy of the photo ID of the subscriber must be attached to that contract.

[22] Azerfon LLC (“Nar”) respects your privacy. This Privacy Policy explains the collection, use, and sharing of information from or about you in connection with your use of the services. The term ” Services” refers to our video service, including the selection of television shows, clips, movies, and other content we offer (collectively, the “Content”) and our player for viewing the Content (the “Video Player”), as well as any other products, features, tools, materials, or other services offered from time to time by Nar through a variety of Access Points. The term “Access Points” refers to, collectively, the nar.az website (the “Nar Site”), applications, and other places through which the Services may be accessed, including websites and applications of Nar’s third-party distribution partners and other websites where users or website operators are permitted to embed or have otherwise entitled to publish the Video Player. https://www.nar.az/promo/nar-tv-privacy/index-en.html

[23] Privacy Policy about the application “Azercell Kabinetim”, “Azercell Kabinetim” is created by “Azercell Telecom” LLC as a FREE application. This SERVICE is rendered by “Azercell Telecom” LLC free of charge and is intended to be used the way it exists.  This web page is used for providing information about our policy on collection, usage and disclosure of personal data of customers determined to use our Service. If you choose to use this Service, you consent to the collection and usage of information in accordance with the present policy. The collected Personal Data is used for rendering and improving this Service. We undertake not to use or share your data with anyone except for those cases described in this Privacy Policy. The provisions used in this Privacy Policy have the same meaning as the Terms and Conditions set forth in my Cabinet unless otherwise stated in the Privacy Policy. https://www.azercell.com/my/assets/policy/privacy_policy_en.html

[24] Subscription Agreement of the Bakcell LLC, https://www.bakcell.com/az/abune-muqavilesi

[25]Subscription Agreement of the Azercell, https://www.azercell.com/assets/files/abunechi-muqavilesi/azercell_abune-muqavilesi.pdf

[26] Subscription Agreement of the Azerfon, https://www.nar.az/uploads/documents/Nar_abunechi_muqavilesi_new.pdf

[27] In accordance with article 4.2.7 of the Contract provided by Bakcell LLC, the Subscriber is responsible for the correctness of the information related to the Subscriber, reflected in this Agreement and submitted by the Subscriber to “Bakcell”, and immediately informs “Bakcell” about changes in the registration address, questionnaire data, contact number and other information related to this Agreement. 2 (no later than two) calendar days) must provide written information. The subscriber does not object to the display of this information in the survey information sources.

[28] “On The Protection of Personal Data in the Area of Telecommunication Services, With Particular Reference to Telephone services”

[29] The “Principles underpinning privacy and the protection of personal data” report adopted by the UN Special Rapporteur on the right to privacy, 2022, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/594/48/PDF/N2259448.pdf?OpenElement

[30] On 6 July 2019, during the meeting of the Working Group on “Business and human rights” held at the Ombudsman office (the meeting was dedicated to the topic “Ensuring the right to access information in the context of business and human rights”) the Commissioner noted that despite the existence of serious reforms in the relevant field, mobile operators distribute personal data without the knowledge and consent of the data owners, as a result of which they are inconvenienced and materially damaged and the investigation of complaints of citizens are carried out by companies without the participation of the complainant which also results with the lack of consideration of the complainant’s position in many cases; The Commissioner noted that such issues must be resolved. https://ombudsman.az/az/view/news/1354/ombudsman-yaninda-biznes-ve-insan-huquqlari-uzre-ishchi-qrupun-novbeti-toplantisi-kechirilib

[31] A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.

[32] “Mobile operators have prepared a list of rally participants”, 28 January 2019, https://yenisabah.az/mobil-operatorlar-mitinq-istirakcilarinin-siyahisini-hazirlayib

[33] “Mobile operators responded to the accusations of the opposition”, 30 January 2019, https://www.azadliq.org/a/mitinq-bakcell-azercell-azerfon/29741836.html

[34] How is personal information protected in Azerbaijan? BBC News in Azerbaijani. February 7, 2019. https://www.bbc.com/azeri/azerbaijan-46875038

[35]Access to Mobile Services and Proof of Identity 2021. The GSMA Association. April 2021, https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/04/Digital-Identity-Access-to-Mobile-Services-and-Proof-of-Identity-2021_SPREADs.pdf

Azerbaijan’s Media Registry leaves media platforms in limbo [Updated January 5, 2023]

[Update] The first media platform to take State Media Registry into court became the online news site, 24saat.org according to reporting by Meydan TV. The site was refused its registry on the grounds that the activities on the said news website were not regular. The site’s management claims the decision was unlawful. 

***

In Azerbaijan according to the new law on media that was adopted in January 2022 and approved by the President in February 2022, all online media outlets as well as journalists working for online media platforms or working as freelance journalists were ought to register with a new media registry system. This media registry system began to operate on October 14, 2022, according to reporting by Turan News Agency. The law itself was heavily criticized by the local civil society prior to its adoption, and many anticipated many of its restrictive features put in practice. AIW published this overview of the law in March 2022 describing some of its most problematic features including the media registry clause.   

According to the new law, Azerbaijan must establish a registry system of online media outlets and journalists working for online media platforms or working as freelance journalists. This and other additional provisions of the law raise a number of questions regarding the compliance of the law with the international standards on media freedom.

Article 62.1 reads that permission from state bodies is not required for setting up online media. But Article 62.2 requires that an online media entity must apply to the relevant executive authority (Media Registry) 7 days prior to the publication or dissemination of the relevant media material.  In other words, while there is no need to apply for creating an online media platform, there is a requirement to apply for a permit once the online resource becomes operational and starts publishing. Article 62.4 requires an additional opinion issued by the State Committee for Work with Religious Organizations before an online media focusing on religion and religious content is set up. In addition, Article 78.3 obligates online media to apply to the Media Registry within 6 months since the platforms become operational.

Article 60.5 requires online media to publish at least 20 articles per day to qualify as an online media platform.

Article 26 obligates the founder of the online media to be a citizen of the Azerbaijan Republic permanently residing in the Azerbaijan Republic. In case the founder is a legal entity, then the highest share (75 percent) in the authorized capital must belong to a citizen (citizens) of Azerbaijan permanently residing in the country.

The Cabinet of Ministers has been instructed to prepare regulation on the provision of registration at the Media Registry within 3 months as per presidential order “on the application of the Law of the Republic of Azerbaijan ‘On Media’ and regulation of a number of issues arising from it” dated February 8, 2022. And Article 60 of the new law requires that online media outlets disclose their organizational information on their respective websites. Article 60.2 also requires online media to register with the tax authorities, and identify and appoint a person responsible for editorial.

Article 26.3 prohibits previously convicted individuals from setting up media platforms. The list of previous convictions is exhaustive including serious or especially serious crimes; crimes against public morality; persons whose convictions have not been expunged or revoked; including political parties (excluding print media); and religious organizations (excluding print media). Prohibiting religious and political organizations from establishing online media is a failure to comply with the international standards on the right to freedom to seek, receive and impart information and ideas of all kinds.

Importance of registering with the Media Registry for online media platforms

The Media Register is an electronic information resource managed by a Media Development Agency which is managed by the Supervisory Board consisting of the Chairman and 6 (six) members appointed by the President of the Republic of Azerbaijan. In order to be registered at the Media Registry as a media entity (subject), a media entity can apply either as a legal entity or as a sole entrepreneur (Article 74).

Article 74.2 sets out a list of requirements journalists must comply with for their inclusion in the registry. These requirements include a degree in higher education as well as another number of different merit-based criteria. Article 74.2.5 requires that journalists obtain and provide an employment contract with a media entity. Individuals or freelance journalists must have a civil contract with at least one media entity registered at the Media Registry in order to be able to register at the media registry.

Those outlets who succeed at registering with the Media Register are issued certificates (which grant access to government events, press conferences and etc.), and journalists are issued press cards (valid for three years and subject to renewal upon request). Media entities, including online media outlets not included in this registry, will not be considered mass media, and subsequently, unable to hire journalists. Also, in case the online media platform is not registered by the registry, journalists who have contracts with these online media platforms, won’t be admitted to the Media Registry and won’t be issued press cards.

Registration with the Media Register is one of the main guarantees for the free operation of media outlets and journalists. For example, according to Article 72.6 of the Law, only media entities and journalists included in the Media Register may carry on with their work during military and/or state of emergency situations, in special operations against religious extremism, and in operations against terrorism.

In the absence of certificates issued exclusively by the register, journalists may also not be allowed to conduct polls on the streets.

These and other requirements as outlined in the law, create additional challenges for freelance journalists working (on contracts) with international media outlets or local online media outlets not registered with the Media Register.

Now, according to Turan News Agency, at least 15 online news platforms have been denied registry. Among them is 24saat.org – a news website that remains blocked in Azerbaijan according to AIW/OONI measurement reports. To bypass censorship, the founders of the website, created a new URL az24saat.org which according to the website’s director Vugar Gurjanly is still accessible. However, in an interview with Turan News Agency, Gurjanly lamented the registration process and getting it denied. Gurjanli believes the decision was not justified and aimed at eventually stopping the news site from working. “Our website meets all the necessary criteria,” Gurjanly told Turan News Agency. According to Article 78.3 of the new Media Law, active mass media must apply to the Agency within six months from the day the Registry starts working. In the event media fails to do so, or the information provided during the registration process is found incorrect the agency has a right to take the media to court. 

Speaking to Azadliq Radio, Azerbaijan Service for Radio Liberty, media law expert, Khalid Aghaliyev said, the currently applied regulations on media platforms trying to register with the Agency are unconstitutional because according to the law, the registration regulations of the new law should apply to the media platforms established after the said law was adopted. “The media that existed prior to the adoption of the law should be registered automatically,” said Aghalyev. 

But this is not the only problem concerning media platforms. The law also demands that the media platform must publish at least 100 news items per week. But the agency already showing a biased approach to this specific regulation. According to Aghaliyev, a number of news sites that were registered have failed to meet the criteria, and yet those that have met the 100 items per week criteria have been denied registry. 

Articles 74.1.2 and 60.5 of the Law, define the criteria of published content as well as what the Media Agency means when it demands a continuity of activities. As such, media platforms applying for registration must demonstrate continuity in their work for at least 20 days a month and publish a minimum of 20 news items per day for their activity to be considered “continuous.” 

Those who have been denied the registry are now planning to appeal in local courts. According to information provided by the Media Agency, it has so far registered 100 media platforms, denied 15, and is reviewing 40 applications.

political activist says he faced pressure by local police after refusing to share his phone password

A member of D18 political movement, Afiaddin Mammadov, who was arrested on November 11 and sentenced to 30 days in administrative detention said during his appeal court that all the claims about him allegedly breaking a windshield and resisting police were untrue. Instead, he was taken against his will on November 11 by six plain-clothed men and brought to the Main Police Station according to Meydan TV reporting. 

Mammadov also said that police demanded he shared the password for his mobile device and when he refused he was tortured. He was then sentenced to 30 days in administrative detention without any further investigation into the alleged crime he committed. The activist said he was also refused a lawyer.  

According to Meydan TV reporting, Mammadov said in court, that shortly before his detention, he was interviewed by an online news platform Toplum.TV. In the interview, he said he will stage a demonstration less police provided information on the whereabouts of another D18 member, Orkhan Zeynalli. Zeynalli was detained by the local police on November 11 and was sentenced to 30 days in administrative detention on November 12, according to reporting by Turan News Agency. 

During Mammadov’s court hearing despite lawyer Zibeyde Sadighova’s attempts to get the judge to overrule the decision and release the activist as well as provide traffic camera footage to confirm alleged crimes committed by Mammadov and investigate the torture Mammadov faced during detention, none were met. 

Police detains political activist over Facebook posts

A member of a political movement D18 was detained by the police on November 11. Speaking to the local media the head of the movement Ahmad Mammadli said the activist, Orkhan Zeynalli was taken by the police over his Facebook posts that were critical of the police. 

According to Mammadli, the problem started a month ago when Zeynalli went to the police to file a complaint over a stolen bike [Zeynalli worked as a courier delivering food]. The police offered a different kind of assistance – a fee in an exchange for them to help him find his stolen bike. Zeynalli wrote about this exchange on his Facebook after which police called him in asking to remove the post. They were unaware of his political activism prior to seeing his post on Facebook. 

Assured, Zeynalli hid the post, but a month later, after receiving no news, Zeynalli shared another ironic post about the police force, explained Ahamd Mammadli in an interview with Meydan TV. 

Zeynalli was asked to visit the police station yet again, this time, Zeynalli refused, given there was no official letter from the police. 

That day, Zeynalli went out of his home to fix the electricity outage which according to Mammadli, was caused by the police. “Plain-clothed police officers detained Zeynalli on the spot. Zeynalli’s wife watched all of this happen,” noted Mammadli. Zeynalli was sentenced to 30 days in administrative detention on November 12, according to reporting by Turan News Agency. D18 had another member sentenced to 30 days in administrative detention on November 12 as well – Afiaddin Mamedov – but on what grounds remains unclear.

This is not the first time, political and civil activists are detained by the police over their social media posts. Most recently police detained another political activist, a member of the opposition Popular Front party over social media posts. According to reporting by Meydan TV, Emin Akhundov was briefly detained by the police on October 31 over a post in which he criticized disproportionate police violence against political activists. Akhundov was released the following day.