Convention – Azerbaijan Internet Watch

Legal analysis of a COVID tracing app released last year in Azerbaijan

Posted on June 8, 2021 by aiw_admin

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021.

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day.

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology.

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights. Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy.

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike.

Azerbaijan’s desire to regulate online hate speech: What problems should Azerbaijan fix first?

Posted on April 7, 2021April 13, 2021 by aiw_admin

This is part two in a series of detailed reports and analyses on existing legal amendments and new legislation affecting freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.

Background

On September 17, 2020, Zahid Oruc, member of the parliament and the head of the Human Rights Committee at the National Parliament, suggested parliament adopts a new law on hate speech. At the time, Oruc said the main goal was to prevent hate speech in the information space, possibly with the inclusion of social media platforms [several members of the parliament and government representatives have stressed that social networks should be regulated by law in Azerbaijan in recent years]. While stressing the urgency in adopting such a law, Oruc failed to address the exact nature of this urgency. In addition, likely in response to a possible backlash from the independent lawyers and civil society in Azerbaijan the MP said, the new bill, cannot be viewed “as a document against freedom of speech and expression”. Nevertheless, much of the responses that came following this announcement, were critical of the proposal especially in light of the legal context where plenty of other existing laws and procedures already address hate speech in one form or another.

In January 2020, the discussion on adopting the bill on hate speech was back on the agenda. Speaking at the first meeting of the spring session of the Parliamentary Committee on Human Rights the chairman of the committee Zahid Oruj noted that the spring session will focus on the analysis of world experience in the field of defamation and “hate speech” legislation.

But what about the analysis of Azerbaijan’s experience in the field of defamation?

In Azerbaijan, a number of conceptual elements of hate speech are envisaged in the different normative legal acts, including in the Code of Administrative Offences, Criminal Code, the law on Information, informatization and protection of information and Law on Mass-Media. In other words, several Azerbaijani laws include measures that are designed to address unacceptable online content (including hate speech), ranging from removing content, and making content temporarily inaccessible on the information-telecommunication network.

According to Article 47 of the Constitution of the Republic of Azerbaijan, everyone has the right to freedom of thought and speech. Agitation and propaganda, inciting racial, national, religious, social discord and animosity, or relying on any other criteria is inadmissible. Azerbaijan has also ratified the European Convention on Human Rights (hereinafter “ECHR”) where Article 10 provides that everyone has the right to freedom of expression.

Azerbaijan’s history is rich with examples where existing laws, were abused to restrict freedom of expression, and the national legislation so far failed to comply with international human rights standards with respect to the safety of the media workers or citizens who exercise their right to freedom of expression. That and the lack of independent judicial oversight over the restrictions to freedom of expression and thought post additional challenges in a current environment.

In 2017, when changes were made to the law on combating religious extremism, two prominent members of the Popular Front Party were arrested relying on the existing legislation, even though it was clear, it was a setup, as neither of the activists had any religious affiliation. In January 2017, a Baku court convicted senior opposition Popular Front member Fuad Gahramanli to 10 years in jail for inciting religious and ethnic hatred. Gahramanli was known for his criticisms of the government on Facebook. In July 2017 a court convicted Faig Amirli, another Popular Front member and financial director of the now-closed pro-opposition Azadlig newspaper, on bogus charges of inciting religious hatred and tax evasion. Amirli was handed a suspended sentence.

Four out of seven alerts in 2019 related to detention. Despite the March 2019 release of some wrongfully imprisoned journalists, including anti-corruption blogger Mehman Huseynov, the detention and harassment of journalists continue to this day.

During the height of the pandemic in Azerbaijan, the parliament introduced a series of amendments to existing laws that were then used to prosecute activists. Scores of activists were rounded up, including members of the opposition Popular Front [some of these arrests were captured here].

The government of Azerbaijan has consistently ignored the international calls, including the judgments of the European Court of Human Rights (ECtHR) requiring Azerbaijan to reform its domestic legislation with respect to freedom of expression and media rights in order to ensure that it is in line with the international standards. Instead of reforms, the government of Azerbaijan has aggravated the criminal liability for defamation and expanded the scope of the criminal liability to the online spaces (2016 amendments to the Criminal Code), adopted a criminal liability for extremist views on vague grounds, and established administrative liability for spreading false information.

These developments were contrary to the ECtHR’s findings in the Fatullayev, Mahmudov, and Agazade v. Azerbaijan cases (2008) where the Court found that application of provisions of the criminal law on defamation had been contrary to Article 10 of the Convention and the Council of Europe calls to the Member States that prison sentences for defamation should be abolished without further delay [Resolution 1577 (2007) of the Parliamentary Assembly, Towards decriminalization of defamation, to which the Strasbourg Court has referred on a number of occasions].

The country’s poor ranking on most of the rights and freedoms indexes attest to the grave reality in the country. It was also reflected in a statement issued following the Council of Europe Commissioner for Human Rights Dunja Mijatović’s visit to Azerbaijan in July 2019 where the Commissioner said, “Freedom of expression in Azerbaijan continued to be under threat”.

The key state obligations while regulating the online hate speech and general concerns for the Azerbaijani context

Despite the term “hate speech” widely used in legal, policy-making, and academic circles, there is often disagreement about its scope and about how it can best be countered [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 3.]

There is no international legal definition of hate speech, and the characterization of what is ‘hateful’ is controversial and disputed. However, in 1997 the Committee of Ministers of the Council of Europe adopted a Recommendation (No. R (97) 20) on hate speech which stated the term (non-binding) “shall be understood as covering all forms of expression which spread, incite, promote or justify racial hatred, xenophobia, anti-Semitism or other forms of hatred based on intolerance, including intolerance expressed by aggressive nationalism and ethnocentrism, discrimination and hostility against minorities, migrants and people of immigrant origin”.

In its case law the European Court of Human Rights, without adopting a precise definition, has regularly applied this term to forms of expression that spread, incite, promote or justify hatred founded on intolerance, including religious intolerance.

Key concerns for the abusive application of the hate-speech regulations

There have been growing concerns in many countries that hate speech regulations (both online and offline) are often misused or result in a violation of freedom of thought and expression. To this end, many international human rights organizations have often emphasized raising concerns on this matter and issued general recommendations, and developed standards for the regulation of hate speech to ensure that such regulations are in line with international human rights standards.

As noted, hate speech has threatened freedom of expression in many countries. Despite the importance “to prevent all forms of expression which spread, incite, promote or justify hatred based on intolerance …,” [Erbakan v. Turkey judgment of 6 July 2006, § 56] the presence of hate speech constitutes a serious threat for the freedom of expression in the process of potentially limiting the expression as such.

On May 13, 2020, Freedom of expression organization ARTICLE 19 has warned that France’s new “Avia” Law, will threaten freedom of speech in France. When a draft bill on hate speech was discussed in France, “the French government has ignored the concerns raised by digital rights and free speech groups, and the result will be a chilling effect on online freedom of expression in France”. Consequently, on June 18, 2020, the French Constitutional Council (Conseil constitutionnel) the highest constitutional authority in France, declared that the majority of the Law on Countering Online Hatred, more commonly known as the Avia Law, was unconstitutional. This declaration rendered the key provisions in the law invalid. In its decision, the Constitutional Council held that certain provisions infringe “on freedom of speech and communication, and are not necessary, appropriate and proportionate to the aim pursued”.

The international human rights law provides that states may restrict freedom of expression (only) where provided by law with the condition to meet the principles of legality or necessity and proportionality.

Alongside these principles, an effective judicial review is needed to prevent any abuses of laws capable to restrict freedom of expression. The judicial review of such a measure, based on a weighing-up of the competing interests at stake and designed to strike a balance between them, is inconceivable without a framework establishing precise and specific rules regarding the application of preventive restrictions on freedom of expression [Ahmet Yıldırım v. Turkey, § 64; Cengiz and Others v. Turkey, § 62, which concerns the freedom to receive and impart information and ideas; see also OOO Flavus and Others v. Russia, §§ 40-43]. Furthermore, in some cases, for determining the proportionality, the ECtHR assesses the quality of the parliamentary and judicial review of the necessity of the measure [Animal Defenders International v. the United Kingdom [GC], §§ 108-109].

The First and foremost among these safeguards is the guarantee of review by an impartial decision-making body that separate from the executive and other interested parties.

The UN Special Rapporteur notes that “any restriction imposed must be applied by a body that is independent of political, commercial or other unwarranted influences in a manner that is neither arbitrary nor discriminatory, and with adequate safeguards against abuse” (A/67/357, para. 42).

This is not the case in Azerbaijan. For instance, the Ministry of Communications and Information Technologies is the main body regulating the internet in Azerbaijan, something that experts have called to change and share this role with an organization that is not under state control. The ICT market is also fairly concentrated in the hands of the government.

In its report (A/74/486, 9 October 2019), the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression evaluates the human rights law that applies to the regulation of online “hate speech” and notes that any restriction – and any action taken against speech should meet the conditions of legality, necessity, and proportionality, and legitimacy [Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/74/486, 9 October 2019), para. 20] and to establish or strengthen independent judicial mechanisms to ensure that individuals may have access to justice and remedies in case of restrictions. The Special Rapporteur further notes that “as a first principle, States should not use Internet companies as tools to limit expression that they themselves would be precluded from limiting under international human rights law. [para, 29]. In the meantime, the same Recommendation envisages a principle [third principle] that requires from the governments that interference with freedom of expression, in the context of combating hate speech, are narrowly circumscribed and applied in a lawful and non-arbitrary manner on the basis of objective criteria and must be subject to independent judicial control.

In addition to discussions on adopting the law on Hate Speech, there are also plans to adopt a new law on Media at the moment. The consistent view of the government to regulate social networks with the “hate speech” law poses an additional risk to the systematically undermined freedom of expression in Azerbaijan. There is no guarantee that Azerbaijan’s government will not use lex ferenda regulations as a tool of oppression against its political opponents and civil society.

Without genuine consultations with civil society organizations, independent journalists, disregarding the constant calls of the human rights organizations and ECtHR judgments to reform the domestic laws to remove irrelevant and restrictive frameworks over freedom of expression, new hate speech, and media laws should be taken into account as a serious concern [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 29].

Instead of addressing the systematic shortcomings, in particular, rendering the restrictive legal frameworks in the sphere of freedom of conscience, freedom of expression and thought, and internet freedom, the government of Azerbaijan continues to add more restrictive regulations into its legislation that is likely to undermine last remnants of the freedom of expression – the online spaces.

In addition, while in a hurry to pass restrictive legislation against freedom of expression, the government of Azerbaijan remains inactive when it comes to the effective investigation of the smear campaigns and hateful attacks against minority groups, such as LGBTQ- communities, and feminists.

Finally, having reviewed the current environment of repression and crackdown, and specifically, in the absence of effective judicial oversight and a fully independent regulatory body accountable to the public, it can be concluded that there is no urgency for any new regulations at the moment in Azerbaijan.